Florida Senate - 2024                                     SB 972
       By Senator Gruters
       22-00466-24                                            2024972__
    1                        A bill to be entitled                      
    2         An act relating to artificial intelligence; amending
    3         s. 282.0041, F.S.; defining terms; creating s. 282.32,
    4         F.S.; creating the Artificial Intelligence Advisory
    5         Council within the Department of Management Services;
    6         requiring the department to provide administrative
    7         support to the council; specifying the purpose of the
    8         council; providing duties of the council; providing
    9         for membership of the council; requiring members to be
   10         appointed to the council by a specified date;
   11         providing that certain members are to serve as co-
   12         chairs of the council; providing for staggered terms;
   13         authorizing the appointing authority to remove a
   14         member and fill the vacancy; requiring that the
   15         appointing authority fill a vacancy in the same manner
   16         as the original appointment; providing that members
   17         may not receive compensation for service but may be
   18         reimbursed for per diem and travel expenses; requiring
   19         the council to meet by a specified date, and monthly
   20         thereafter; authorizing the co-chairs to call for a
   21         meeting at any time; requiring the council to submit
   22         quarterly reports to the Governor and the Legislature;
   23         providing requirements for the report; creating s.
   24         282.321, F.S.; requiring each state agency to prepare
   25         and submit, by a specified date and using money
   26         appropriated by the Legislature, an inventory report
   27         for all automated decision systems that are being
   28         developed, used, or procured by the agency; requiring
   29         the agencies to submit the report to the department,
   30         the council, and any applicable standing legislative
   31         committees; providing requirements for the report;
   32         requiring the department, by a specified date and in
   33         consultation with the council, to prescribe by rule a
   34         form, contents, and manner of submission for such
   35         reports; creating s. 282.323, F.S.; providing
   36         legislative intent; prohibiting a county or a
   37         municipality or a political subdivision thereof from
   38         regulating the private and public use of artificial
   39         intelligence systems; providing an effective date.
   41  Be It Enacted by the Legislature of the State of Florida:
   43         Section 1. Section 282.0041, Florida Statutes, is amended
   44  to read:
   45         282.0041 Definitions.—As used in this chapter, the term:
   46         (1) “Agency assessment” means the amount each customer
   47  entity must pay annually for services from the Department of
   48  Management Services and includes administrative and data center
   49  services costs.
   50         (2) “Agency data center” means agency space containing 10
   51  or more physical or logical servers.
   52         (3) “Algorithm” means a computerized procedure consisting
   53  of a set of steps used to accomplish a determined task.
   54         (4) “Artificial intelligence system” means a system capable
   55  of all of the following:
   56         (a) Perceiving an environment through data acquisition and
   57  processing and interpreting the derived information to take an
   58  action or actions or to imitate intelligent behavior given a
   59  specific goal.
   60         (b) Learning and adapting behavior by analyzing how the
   61  environment is affected by prior actions.
   62         (5) “Automated decision system” means an algorithm,
   63  including an algorithm incorporating machine learning or other
   64  artificial intelligence techniques, that uses data-based
   65  analytics to make or support governmental decisions, judgments,
   66  or conclusions.
   67         (6) “Automated final decision system” means an automated
   68  decision system that makes final decisions, judgments, or
   69  conclusions without human intervention.
   70         (7) “Automated support decision system” means an automated
   71  decision system that provides information to inform the final
   72  decision, judgment, or conclusion of a human decisionmaker.
   73         (8) “Breach” has the same meaning as provided in s.
   74  501.171.
   75         (9)(4) “Business continuity plan” means a collection of
   76  procedures and information designed to keep an agency’s critical
   77  operations running during a period of displacement or
   78  interruption of normal operations.
   79         (10)(5) “Cloud computing” has the same meaning as provided
   80  in Special Publication 800-145 issued by the National Institute
   81  of Standards and Technology.
   82         (11)(6) “Computing facility” or “agency computing facility”
   83  means agency space containing fewer than a total of 10 physical
   84  or logical servers, but excluding single, logical-server
   85  installations that exclusively perform a utility function such
   86  as file and print servers.
   87         (12) “Council” means the Artificial Intelligence Advisory
   88  Council created in s. 282.32.
   89         (13)(7) “Customer entity” means an entity that obtains
   90  services from the Department of Management Services.
   91         (14)(8) “Cybersecurity” means the protection afforded to an
   92  automated information system in order to attain the applicable
   93  objectives of preserving the confidentiality, integrity, and
   94  availability of data, information, and information technology
   95  resources.
   96         (15)(9) “Data” means a subset of structured information in
   97  a format that allows such information to be electronically
   98  retrieved and transmitted.
   99         (16)(10) “Data governance” means the practice of
  100  organizing, classifying, securing, and implementing policies,
  101  procedures, and standards for the effective use of an
  102  organization’s data.
  103         (17)(11) “Department” means the Department of Management
  104  Services.
  105         (18)(12) “Disaster recovery” means the process, policies,
  106  procedures, and infrastructure related to preparing for and
  107  implementing recovery or continuation of an agency’s vital
  108  technology infrastructure after a natural or human-induced
  109  disaster.
  110         (19)(13) “Electronic” means technology having electrical,
  111  digital, magnetic, wireless, optical, electromagnetic, or
  112  similar capabilities.
  113         (20)(14) “Electronic credential” means an electronic
  114  representation of the identity of a person, an organization, an
  115  application, or a device.
  116         (21)(15) “Enterprise” means state agencies and the
  117  Department of Legal Affairs, the Department of Financial
  118  Services, and the Department of Agriculture and Consumer
  119  Services.
  120         (22)(16) “Enterprise architecture” means a comprehensive
  121  operational framework that contemplates the needs and assets of
  122  the enterprise to support interoperability.
  123         (23)(17) “Enterprise information technology service” means
  124  an information technology service that is used in all agencies
  125  or a subset of agencies and is established in law to be
  126  designed, delivered, and managed at the enterprise level.
  127         (24)(18) “Event” means an observable occurrence in a system
  128  or network.
  129         (25)(19) “Incident” means a violation or an imminent threat
  130  of violation, whether such violation is accidental or
  131  deliberate, of information technology resources, security,
  132  policies, or practices. An imminent threat of violation refers
  133  to a situation in which a state agency, county, or municipality
  134  has a factual basis for believing that a specific incident is
  135  about to occur.
  136         (26)(20) “Information technology” means equipment,
  137  hardware, software, firmware, programs, systems, networks,
  138  infrastructure, media, and related material used to
  139  automatically, electronically, and wirelessly collect, receive,
  140  access, transmit, display, store, record, retrieve, analyze,
  141  evaluate, process, classify, manipulate, manage, assimilate,
  142  control, communicate, exchange, convert, converge, interface,
  143  switch, or disseminate information of any kind or form.
  144         (27)(21) “Information technology policy” means a definite
  145  course or method of action selected from among one or more
  146  alternatives that guide and determine present and future
  147  decisions.
  148         (28)(22) “Information technology resources” has the same
  149  meaning as provided in s. 119.011.
  150         (29)(23) “Interoperability” means the technical ability to
  151  share and use data across and throughout the enterprise.
  152         (30)(24) “Open data” means data collected or created by a
  153  state agency, the Department of Legal Affairs, the Department of
  154  Financial Services, and the Department of Agriculture and
  155  Consumer Services, and structured in a way that enables the data
  156  to be fully discoverable and usable by the public. The term does
  157  not include data that are restricted from public disclosure
  158  based on federal or state laws and regulations, including, but
  159  not limited to, those related to privacy, confidentiality,
  160  security, personal health, business or trade secret information,
  161  and exemptions from state public records laws; or data for which
  162  a state agency, the Department of Legal Affairs, the Department
  163  of Financial Services, or the Department of Agriculture and
  164  Consumer Services is statutorily authorized to assess a fee for
  165  its distribution.
  166         (31)(25) “Performance metrics” means the measures of an
  167  organization’s activities and performance.
  168         (32)(26) “Project” means an endeavor that has a defined
  169  start and end point; is undertaken to create or modify a unique
  170  product, service, or result; and has specific objectives that,
  171  when attained, signify completion.
  172         (33)(27) “Project oversight” means an independent review
  173  and analysis of an information technology project that provides
  174  information on the project’s scope, completion timeframes, and
  175  budget and that identifies and quantifies issues or risks
  176  affecting the successful and timely completion of the project.
  177         (34) “Public or private institution of higher education”
  178  means:
  179         (a) A state university or a Florida College System
  180  institution as those terms are defined in s. 1000.21(8) and (5),
  181  respectively; or
  182         (b) An independent postsecondary educational institution as
  183  defined in s. 1005.02.
  184         (35)(28) “Ransomware incident” means a malicious
  185  cybersecurity incident in which a person or an entity introduces
  186  software that gains unauthorized access to or encrypts,
  187  modifies, or otherwise renders unavailable a state agency’s,
  188  county’s, or municipality’s data and thereafter the person or
  189  entity demands a ransom to prevent the publication of the data,
  190  restore access to the data, or otherwise remediate the impact of
  191  the software.
  192         (36)(29) “Risk assessment” means the process of identifying
  193  security risks, determining their magnitude, and identifying
  194  areas needing safeguards.
  195         (37)(30) “Service level” means the key performance
  196  indicators (KPI) of an organization or service which must be
  197  regularly performed, monitored, and achieved.
  198         (38)(31) “Service-level agreement” means a written contract
  199  between the Department of Management Services or a provider of
  200  data center services and a customer entity which specifies the
  201  scope of services provided, the service level, the duration of
  202  the agreement, the responsible parties, and the service costs. A
  203  service-level agreement is not a rule pursuant to chapter 120.
  204         (39)(32) “Stakeholder” means a person, group, organization,
  205  or state agency involved in or affected by a course of action.
  206         (40)(33) “Standards” means required practices, controls,
  207  components, or configurations established by an authority.
  208         (41)(34) “State agency” means any official, officer,
  209  commission, board, authority, council, committee, or department
  210  of the executive branch of state government; the Justice
  211  Administrative Commission; and the Public Service Commission.
  212  The term does not include university boards of trustees or state
  213  universities. As used in part I of this chapter, except as
  214  otherwise specifically provided, the term does not include the
  215  Department of Legal Affairs, the Department of Agriculture and
  216  Consumer Services, or the Department of Financial Services.
  217         (42)(35) “SUNCOM Network” means the state enterprise
  218  telecommunications system that provides all methods of
  219  electronic or optical telecommunications beyond a single
  220  building or contiguous building complex and used by entities
  221  authorized as network users under this part.
  222         (43)(36) “Telecommunications” means the science and
  223  technology of communication at a distance, including electronic
  224  systems used in the transmission or reception of information.
  225         (44)(37) “Threat” means any circumstance or event that has
  226  the potential to adversely impact a state agency’s operations or
  227  assets through an information system via unauthorized access,
  228  destruction, disclosure, or modification of information or
  229  denial of service.
  230         (45)(38) “Variance” means a calculated value that
  231  illustrates how far positive or negative a projection has
  232  deviated when measured against documented estimates within a
  233  project plan.
  234         Section 2. Section 282.32, Florida Statutes, is created to
  235  read:
  236         282.32 Artificial Intelligence Advisory Council.—
  237         (1) The Artificial Intelligence Advisory Council, an
  238  advisory council as defined in s. 20.03, is created within the
  239  department. Except as otherwise provided in this section, the
  240  council shall operate in a manner consistent with s. 20.052. The
  241  department shall provide administrative support to the council.
  242  The purpose of the council is to study and monitor the
  243  development and deployment of artificial intelligence systems in
  244  state government. The council shall do all of the following:
  245         (a) Assess the need for legislative reform and the creation
  246  of a state code of ethics for the use of artificial intelligence
  247  systems in state government.
  248         (b) Study and monitor the effects of automated decision
  249  systems on the constitutional and legal rights, duties, and
  250  privileges of the residents of this state.
  251         (c) Study and monitor the potential benefits, liabilities,
  252  and risks that the state, private residents, and businesses
  253  could incur as a result of implemented automated decision
  254  systems.
  255         (d) Recommend administrative and legislative actions that
  256  state governmental agencies and the Legislature can use to
  257  promote the development of artificial intelligence in this
  258  state.
  259         (2)(a) The council shall be composed of the following
  260  members, whose appointments must be made by October 1, 2024:
  261         1. Two members of the Senate, appointed by the President of
  262  the Senate.
  263         2. Two members of the House of Representatives, appointed
  264  by the Speaker of the House of Representatives.
  265         3. An academic professional specializing in ethics who is
  266  employed by a public or private institution of higher education,
  267  appointed by the Governor.
  268         4. An academic professional specializing in artificial
  269  intelligence systems who is employed by a public or private
  270  institution of higher education, appointed by the Governor.
  271         5. An expert on law enforcement usage of artificial
  272  intelligence systems, appointed by the Governor.
  273         6. A policy expert, appointed by the Governor.
  274         7. A constitutional and legal rights expert, appointed by
  275  the Governor.
  276         (b) The members appointed pursuant to subparagraphs (a)1.
  277  and 2. shall serve as co-chairs of the council.
  278         (c) Each member of the council shall be appointed to a 4-
  279  year term; however, for the purpose of providing staggered
  280  terms, of the initial appointments, the members appointed
  281  pursuant to subparagraphs (a)1. and 2. shall be appointed to 2-
  282  year terms, and the other members shall be appointed to 4-year
  283  terms. A member of the council may be removed at any time by the
  284  member’s appointing authority, who shall fill the vacancy in the
  285  same manner as the original appointment for the remainder of the
  286  unexpired term.
  287         (d) A member of the council may not receive compensation
  288  for serving on the council but may be reimbursed for per diem
  289  and travel expenses in accordance with s. 112.061.
  290         (3) The council shall meet no later than November 1, 2024,
  291  and monthly thereafter, and at other times upon call of the co-
  292  chairs.
  293         (4) The council shall submit quarterly reports to the
  294  Governor, the President of the Senate, and the Speaker of the
  295  House of Representatives. The reports must contain all of the
  296  following:
  297         (a) A summary of the council’s findings after reviewing the
  298  automated decision systems inventory reports submitted pursuant
  299  to s. 282.321.
  300         (b) A summary of the recommendations of any relevant
  301  national bodies on use of artificial intelligence systems in
  302  state government.
  303         (c) An assessment of the impact of using artificial
  304  intelligence systems on the liberty, finances, livelihood, and
  305  privacy interests of the residents of this state.
  306         (d) Recommendations of policies necessary to accomplish all
  307  of the following:
  308         1. Protecting the privacy and interests of the residents of
  309  this state from any negative effects caused by artificial
  310  intelligence systems.
  311         2. Ensuring that the residents of this state are free from
  312  unfair discrimination caused or compounded by artificial
  313  intelligence systems.
  314         3. Promoting the development and deployment of artificial
  315  intelligence in this state.
  316         (e) Any other information the council considers relevant.
  317         Section 3. Section 282.321, Florida Statutes, is created to
  318  read:
  319         282.321 Automated decision systems inventory report.—
  320         (1) Each state agency shall, using money appropriated to
  321  the agency by the Legislature, prepare an inventory report of
  322  all automated decision systems that are being developed, used,
  323  or procured by the agency. No later than July 1, 2025, each
  324  state agency shall submit such reports to the department, the
  325  council, and any standing committee of the Legislature which is
  326  responsible for overseeing the state’s information technology,
  327  and the inventory report must include all of the following:
  328         (a) The name and vendor of the automated decision system,
  329  if any.
  330         (b) The automated decision system’s general capabilities,
  331  including all of the following:
  332         1. Reasonably foreseeable capabilities outside the scope of
  333  the agency’s proposed use.
  334         2. Whether the automated decision system is used or may be
  335  used for independent decisionmaking powers and the impact or
  336  potential impact of those decisions on the residents of this
  337  state.
  338         (c) The types of data inputs that the automated decision
  339  system uses.
  340         (d) How the data described by paragraph (c) is or will be
  341  generated, collected, and processed.
  342         (e) The types of data the automated decision system
  343  generates or is reasonably likely to generate.
  344         (f) Whether the automated decision system has or has not
  345  been tested by an independent third party to determine if it has
  346  a known bias or is untested for bias.
  347         (g) The purpose and use or proposed use of the automated
  348  decision system, including all of the following:
  349         1. The decisions the automated decision system is or will
  350  be used to make or support.
  351         2. Whether the automated decision system is an automated
  352  final decision system or an automated support decision system.
  353         3. The automated decision system’s intended benefits,
  354  including any data or research relevant to the outcome of those
  355  benefits.
  356         (h) How automated decision system data is or will be
  357  securely stored and processed, and the reasons the agency does
  358  or does not share access to the automated decision system or
  359  data from the automated decision system with any other entity.
  360         (i) The fiscal impacts of the automated decision system or
  361  potential fiscal impacts on information technology, including
  362  all of the following:
  363         1. Initial acquisition costs and ongoing operating costs,
  364  such as maintenance, licensing, personnel, legal compliance, use
  365  auditing, data retention, and security costs.
  366         2. Any cost savings that have been or will be achieved
  367  through the use of the technology.
  368         3. Any current or potential sources of funding, including
  369  any subsidies or free products being offered by vendors or
  370  governmental entities.
  371         (2) No later than January 1, 2025, the department, in
  372  consultation with the council, shall prescribe by rule the form,
  373  contents, and manner of submission of the automated decision
  374  systems inventory report required under this section.
  375         Section 4. Section 282.323, Florida Statutes, is created to
  376  read:
  377         282.323 Local government preemption.—
  378         (1) It is the intent of the Legislature to create a
  379  statewide uniform policy regulating the public and private use
  380  of artificial intelligence.
  381         (2) A county or a municipality or any political subdivision
  382  thereof may not regulate the private or public use of artificial
  383  intelligence systems.
  384         Section 5. This act shall take effect July 1, 2024.