Florida Senate - 2025                                    SB 1216

By Senator DiCeglie

18-01808-25                                           20251216__

A bill to be entitled

An act relating to cybersecurity of mortgage brokers and lenders and money services businesses; creating ss. 494.00170 and 560.1215, F.S.; defining terms; requiring licensees to develop and maintain a specified information security program; requiring that such program meet certain criteria; requiring licensees to establish a specified incident response plan; providing requirements for such plan; providing applicability; specifying that a licensee has a specified timeframe to comply with certain provisions; requiring the licensee to maintain a copy of the information security program for a specified period of time; requiring such program to be available upon request or examination; requiring licensees to make a prompt investigation of a cybersecurity event that has occurred or may occur; specifying requirements for such investigation; requiring licensees to complete an investigation or confirm and document that a third-party service provider has completed an investigation under certain circumstances; requiring the licensee to maintain specified records and documentation for a specified period of time; requiring the licensee to produce such records and documentation to be available upon request; requiring licensees to provide a specified notice to the Office of Financial Regulation; requiring the licensee to provide a quarterly update of the investigation under certain circumstances; providing construction; authorizing the Financial Services Commission to adopt rules; amending ss. 494.00255 and 560.114, F.S.; revising the actions that constitute grounds for disciplinary actions for mortgage brokers and lenders and grounds for the issuance of a cease and desist order or removal order or the denial, suspension, or revocation of a license of a money service business, respectively; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 494.00170, Florida Statutes, is created to read:

494.00170 Cybersecurity.—

(1) As used in this section, the term:
(a) “Customer” means a person who seeks to obtain, obtains, or has obtained a financial product or service from a licensee covered under this chapter.
(b) “Customer information” means any record containing nonpublic personal information about a customer of a financial transaction, whether in paper, electronic, or other form, which is handled or maintained by or on behalf of the licensee or its affiliates.
(c) “Cybersecurity event” means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.
(d) “Financial product or service” means any product or service offered by a licensee under this chapter.
(e) “Information security program” means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(f) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as an industrial or process control system, telephone switching and private branch exchange system, or environmental control system which contains customer information or is connected to a system that contains customer information.
(g)1. “Nonpublic personal information” includes all of the following:
a. Personally identifiable financial information.
b. Any list, description, or grouping of customers derived from personally identifiable financial information that is not publicly available. The term includes lists of customers’ names and street addresses which are derived, in whole or in part, from personally identifiable information, such as account numbers.
2. The term does not include any of the following:
a. Publicly available information, unless it is part of a list described in sub-subparagraph 1.b.
b. Any list, description, or grouping of customers, along with their publicly available information, if the list was created without using any personally identifiable financial information that is not publicly available. A list of customers’ names and addresses is not considered nonpublic personal information if it contains only publicly available information, is not derived in whole or in part from nonpublic personally identifiable financial information, and is not disclosed in a way that indicates any of the customers on the list are customers of the licensee.
(h)1. “Personally identifiable financial information” means any information that:
a. A customer provides to a licensee to obtain a financial product or service, such as information submitted on an application for a loan or other financial product or service;
b. A licensee receives about a customer during or as a result of any transaction involving a financial product or service, including information collected through an Internet cookie or from a web server; or
c. A licensee otherwise obtains about a customer in connection with providing a financial product or service, such as records indicating that a customer has previously engaged with the licensee or obtained a financial product or service.
2. Personally identifiable financial information does not include any of the following:
a. A list of names and addresses of customers of an entity that is not a mortgage broker or lender.
b. Information that does not identify a customer, such as aggregate information or anonymized data that does not contain personal identifiers such as account numbers, names, or addresses.
(i)1. “Publicly available information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from any of the following:
a. Federal, state, or local government records, such as real estate records or security interest filings.
b. Widely distributed media, including telephone directories, television or radio programs, newspapers, or websites that are available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
c. Disclosures to the general public that are required to be made by federal, state, or local law.
2. For the purpose of this paragraph, the term “reasonable basis to believe is lawfully made available to the general public” means that the licensee has taken steps to determine all of the following:
a. That the information is of the type that is available to the general public, such as information included on the public record in the jurisdiction where the mortgage would be recorded.
b. Whether an individual can direct that the information not be made available to the general public and, if so, whether the customer to whom the information relates has so directed.
(j) “Third-party service provider” means a person, other than a licensee, that contracts with a licensee to maintain, process, or store nonpublic personal information or that is otherwise permitted access to nonpublic personal information through its provision of services to a licensee.
(2)(a) Each licensee shall develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of the licensee’s information system and nonpublic personal information.
(b) A licensee must ensure the information security program meets all of the following criteria:
1. Is commensurate with the following measures:
a. The size and complexity of the licensee.
b. The nature and scope of the licensee’s activities, including its use of third-party service providers.
c. The sensitivity of the nonpublic personal information used by the licensee or in the possession, custody, or control of the licensee.
2. Is designed to:
a. Protect the security and confidentiality of nonpublic personal information and the security of the licensee’s information system;
b. Protect against threats or hazards to the security or integrity of nonpublic personal information and the licensee’s information system; and
c. Protect against unauthorized access to or use of nonpublic personal information and minimize the likelihood of harm to any customer.
3. Defines and periodically reevaluates the retention schedule and the mechanism for the destruction of nonpublic personal information if retention is no longer necessary for the licensee’s business operations or required by applicable law.
4. Regularly tests and monitors systems and procedures for the detection of actual and attempted attacks on, or intrusions into, the information system.
5. Monitors, evaluates, and adjusts, as necessary, the licensee’s information security program to:
a. Ensure the program remains consistent with relevant changes in technology;
b. Confirm that the program accounts for the sensitivity of nonpublic personal information;
c. Identify and address changes that may be necessary to the licensee’s information system;
d. Eliminate any internal or external threats to nonpublic personal information; and
e. Amend the licensee’s information security program for any of the licensee’s changing business arrangements, including, but not limited to, mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
(c) As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic personal information in the licensee’s possession, the licensee’s information system, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
1. The licensee’s internal process for responding to a cybersecurity event.
2. The goals of the licensee’s incident response plan.
3. The assignment of clear roles, responsibilities, and levels of decisionmaking authority for personnel that participate in the incident response plan.
4. External communications, internal communications, and information sharing related to a cybersecurity event.
5. The identification of remediation requirements for weaknesses identified in information systems and associated controls.
6. Documentation and reporting regarding cybersecurity events and related incident response activities.
7. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
8. The process by which notice must be given as required under subsection (4) and s. 501.171(3) and (4).
(d) This subsection does not apply to a licensee that:
1. Has fewer than 20 persons on its workforce, including employees and independent contractors; or
2. Has fewer than 500 customers during a calendar year.
(e) A licensee has 180 calendar days from the date the licensee no longer qualifies for exemption under paragraph (d) to comply with this section.
(f) A licensee shall maintain a copy of the information security program for a minimum of 5 years and shall make it available to the office upon request or as part of an examination.
(3)(a) If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on its behalf, shall conduct a prompt investigation of the event.
(b) During the investigation, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on its behalf, shall, at a minimum, determine all of the following, to the extent possible:
1. Whether a cybersecurity event has occurred.
2. The date the cybersecurity event first occurred.
3. The nature and scope of the cybersecurity event.
4. Any nonpublic personal information that may have been compromised.
5. Reasonable measures to restore the security of compromised information systems and prevent further unauthorized access, disclosure, or use of nonpublic personal information in the possession, custody, or control of the licensee, outside vendor, or third-party service provider.
(c) If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee must complete an investigation in compliance with this section or confirm and document that the third-party service provider has completed an investigation in compliance with this section.
(d) A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of 5 years from the date of the event and shall produce the records and documentation upon the office’s request.
(4)(a) A licensee shall provide notice to the office of any breach of security affecting 500 or more persons in this state at a time and in the manner prescribed by commission rule.
(b) A licensee shall, upon request by the office, provide a quarterly update of the investigation undertaken pursuant to subsection (3), until conclusion of the investigation.
(5) This section may not be construed to relieve a covered entity from complying with s. 501.171. To the extent a licensee is a covered entity, as that term is defined in s. 501.171(1)(b), such covered entity remains subject to s. 501.171.
(6) The commission may adopt rules to administer this section, including rules that allow a licensee that is in full compliance with 16 C.F.R. part 314, Standards for Safeguarding Customer Information, by the Federal Trade Commission, to be deemed in compliance with this section.

Section 2. Paragraph (z) is added to subsection (1) of section 494.00255, Florida Statutes, to read:

494.00255 Administrative penalties and fines; license violations.—

(1) Each of the following acts constitutes a ground for which the disciplinary actions specified in subsection (2) may be taken against a person licensed or required to be licensed under part II or part III of this chapter:
(z) Failure to comply with the notification requirements in s. 494.00170(4).

Section 3. Section 560.1215, Florida Statutes, is created to read:

560.1215 Cybersecurity.—

(1) As used in this section, the term:
(a) “Customer” means a person who seeks to obtain, obtains, or has obtained a financial product or service from a licensee covered under this chapter.
(b) “Customer information” means any record containing nonpublic personal information about a customer of a financial transaction, whether in paper, electronic, or other form, which is handled or maintained by or on behalf of the licensee or its affiliates.
(c) “Cybersecurity event” means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.
(d) “Financial product or service” means any product or service offered by a licensee under this chapter.
(e) “Information security program” means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(f) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system, such as an industrial or process control system, telephone switching and private branch exchange system, or environmental control system, which contains customer information or which is connected to a system that contains customer information.
(g)1. “Nonpublic personal information” includes all of the following:
a. Personally identifiable financial information.
b. Any list, description, or grouping of customers derived from personally identifiable financial information that is not publicly available. The term includes lists of customers’ names and street addresses which are derived, in whole or in part, from personally identifiable information, such as account numbers.
2. The term does not include any of the following:
a. Publicly available information, unless it is part of a list described in sub-subparagraph 1.b.
b. Any list, description, or grouping of customers, along with their publicly available information, if the list was created without using any personally identifiable financial information that is not publicly available. A list of customers’ names and addresses is not considered nonpublic personal information if it contains only publicly available information, is not derived in whole or in part from nonpublic personally identifiable financial information, and is not disclosed in a way that indicates any of the customers on the list are customers of the licensee.
(h)1. “Personally identifiable financial information” means any information that:
a. A customer provides to a licensee to obtain a financial product or service, such as information submitted on an application for a loan or other financial product or service;
b. A licensee receives about a customer during or as a result of any transaction involving a financial product or service, including information collected through an internet cookie or from a web server; or
c. A licensee otherwise obtains about a customer in connection with providing a financial product or service, such as records indicating that a customer has previously engaged with the licensee or obtained a financial product or service.
2. Personally identifiable financial information does not include any of the following:
a. A list of names and addresses of customers of an entity that is not a money service business.
b. Information that does not identify a customer, such as aggregate information or anonymized data that does not contain personal identifiers such as account numbers, names, or addresses.
(i)1. “Publicly available information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from any of the following:
a. Federal, state, or local government records, such as real estate records or security interest filings.
b. Widely distributed media, including telephone directories, television or radio programs, newspapers, or websites, that are available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
c. Disclosures to the general public that are required to be made by federal, state, or local law.
2. For the purpose of this paragraph, the term “reasonable basis to believe is lawfully made available to the general public” means that the licensee has taken steps to determine all of the following:
a. That the information is of the type that is available to the general public, such as information included on the public record in the jurisdiction where the mortgage would be recorded.
b. Whether an individual can direct that the information not be made available to the general public and, if so, the customer to whom the information relates has not done so.
(j) “Third-party service provider” means a person, other than a licensee, that contracts with a licensee to maintain, process, or store nonpublic personal information or that is otherwise permitted access to nonpublic personal information through its provision of services to a licensee.
(2)(a) Each licensee shall develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of the licensee’s information system and nonpublic personal information.
(b) A licensee must ensure the information security program meets all of the following criteria:
1. Is commensurate with the following measures:
a. The size and complexity of the licensee.
b. The nature and scope of the licensee’s activities, including its use of third-party service providers.
c. The sensitivity of the nonpublic personal information used by the licensee or in the possession, custody, or control of the licensee.
2. Is designed to:
a. Protect the security and confidentiality of nonpublic personal information and the security of the licensee’s information system;
b. Protect against threats or hazards to the security or integrity of nonpublic personal information and the licensee’s information system; and
c. Protect against unauthorized access to or use of nonpublic personal information and minimize the likelihood of harm to any customer.
3. Defines and periodically reevaluates the retention schedule and the mechanism for the destruction of nonpublic personal information if retention is no longer necessary for the licensee’s business operations or required by applicable law.
4. Regularly tests and monitors systems and procedures for the detection of actual and attempted attacks on, or intrusions into, the information system.
5. Monitors, evaluates, and adjusts, as necessary, the licensee’s information security program to:
a. Ensure the program remains consistent with relevant changes in technology;
b. Confirm that the program accounts for the sensitivity of nonpublic personal information;
c. Identify and address changes that may be necessary to the licensee’s information systems;
d. Eliminate any internal or external threats to nonpublic personal information; and
e. Amend the licensee’s information security program for any of the licensee’s changing business arrangements, including, but not limited to, mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
(c) As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic personal information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
1. The licensee’s internal process for responding to a cybersecurity event.
2. The goals of the licensee’s incident response plan.
3. The assignment of clear roles, responsibilities, and levels of decisionmaking authority for personnel that participate in the incident response plan.
4. External communications, internal communications, and information sharing related to a cybersecurity event.
5. The identification of remediation requirements for weaknesses identified in information systems and associated controls.
6. Documentation and reporting regarding cybersecurity events and related incident response activities.
7. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
8. The process by which notice must be given as required under subsection (4) and s. 501.171(3) and (4).
(d) This subsection does not apply to a licensee that:
1. Has fewer than 20 persons on its workforce, including employees and independent contractors; or
2. Has fewer than 500 customers during a calendar year.
(e) A licensee has 180 calendar days from the date the licensee no longer qualifies for exemption under paragraph (2)(d) to comply with this section.
(f) A licensee shall maintain a copy of the information security program for a minimum of 5 years and shall make it available to the office upon request or as part of an examination.
(3)(a) If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on its behalf, shall conduct a prompt investigation of the event.
(b) During the investigation, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on its behalf, shall, at a minimum, determine all of the following to the extent possible:
1. Whether a cybersecurity event has occurred.
2. The date the cybersecurity event first occurred.
3. The nature and scope of the cybersecurity event.
4. Any nonpublic personal information that may have been compromised.
5. Reasonable measures to restore the security of compromised information systems and prevent further unauthorized access, disclosure, or use of nonpublic personal information in the possession, custody, or control of the licensee, outside vendor, or third-party service provider.
(c) If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee must complete an investigation in compliance with this section or confirm and document that the third-party service provider has completed an investigation in compliance with this section.
(d) A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of 5 years from the date of the event and shall produce the records and documentation upon the office’s request.
(4)(a) A licensee shall provide notice to the office of any breach of security affecting 500 or more persons in this state at a time and in the manner prescribed by commission rule.
(b) A licensee shall, upon request by the office, provide a quarterly update of the investigation undertaken pursuant to paragraph (3), until conclusion of the investigation.
(5) This section may not be construed to relieve a covered entity from complying with the provisions of s. 501.171. To the extent a licensee is a covered entity, as that term is defined in s. 501.171(1)(b), such covered entity remains subject to the provisions of s. 501.171.
(6) The commission may adopt rules to administer this section, including rules that allow a licensee that is in full compliance with 16 C.F.R. part 314, Standards for Safeguarding Customer Information, by the Federal Trade Commission, to be deemed in compliance with subparagraph (2).

Section 4. Paragraph (dd) is added to subsection (1) of section 560.114, Florida Statutes, to read:

560.114 Disciplinary actions; penalties.—

(1) The following actions by a money services business, authorized vendor, or affiliated party constitute grounds for the issuance of a cease and desist order; the issuance of a removal order; the denial, suspension, or revocation of a license; or taking any other action within the authority of the office pursuant to this chapter:
(dd) Failure to comply with the notification requirements in s. 560.1215(4).

Section 5. This act shall take effect July 1, 2025.