Florida Senate - 2025 SB 1216
By Senator DiCeglie
18-01808-25 20251216__
1 A bill to be entitled
2 An act relating to cybersecurity of mortgage brokers
3 and lenders and money services businesses; creating
4 ss. 494.00170 and 560.1215, F.S.; defining terms;
5 requiring licensees to develop and maintain a
6 specified information security program; requiring that
7 such program meet certain criteria; requiring
8 licensees to establish a specified incident response
9 plan; providing requirements for such plan; providing
10 applicability; specifying that a licensee has a
11 specified timeframe to comply with certain provisions;
12 requiring the licensee to maintain a copy of the
13 information security program for a specified period of
14 time; requiring such program to be available upon
15 request or examination; requiring licensees to make a
16 prompt investigation of a cybersecurity event that has
17 occurred or may occur; specifying requirements for
18 such investigation; requiring licensees to complete an
19 investigation or confirm and document that a third
20 party service provider has completed an investigation
21 under certain circumstances; requiring the licensee to
22 maintain specified records and documentation for a
23 specified period of time; requiring the licensee to
24 produce such records and documentation to be available
25 upon request; requiring licensees to provide a
26 specified notice to the Office of Financial
27 Regulation; requiring the licensee to provide a
28 quarterly update of the investigation under certain
29 circumstances; providing construction; authorizing the
30 Financial Services Commission to adopt rules; amending
31 ss. 494.00255 and 560.114, F.S.; revising the actions
32 that constitute grounds for disciplinary actions for
33 mortgage brokers and lenders and grounds for the
34 issuance of a cease and desist order or removal order
35 or the denial, suspension, or revocation of a license
36 of a money service business, respectively; providing
37 an effective date.
38
39 Be It Enacted by the Legislature of the State of Florida:
40
41 Section 1. Section 494.00170, Florida Statutes, is created
42 to read:
43 494.00170 Cybersecurity.—
44 (1) As used in this section, the term:
45 (a) “Customer” means a person who seeks to obtain, obtains,
46 or has obtained a financial product or service from a licensee
47 covered under this chapter.
48 (b) “Customer information” means any record containing
49 nonpublic personal information about a customer of a financial
50 transaction, whether in paper, electronic, or other form, which
51 is handled or maintained by or on behalf of the licensee or its
52 affiliates.
53 (c) “Cybersecurity event” means an event resulting in
54 unauthorized access to, or disruption or misuse of, an
55 information system, information stored on such information
56 system, or customer information held in physical form.
57 (d) “Financial product or service” means any product or
58 service offered by a licensee under this chapter.
59 (e) “Information security program” means the
60 administrative, technical, or physical safeguards used to
61 access, collect, distribute, process, protect, store, use,
62 transmit, dispose of, or otherwise handle customer information.
63 (f) “Information system” means a discrete set of electronic
64 information resources organized for the collection, processing,
65 maintenance, use, sharing, dissemination, or disposition of
66 electronic information, as well as any specialized system such
67 as an industrial or process control system, telephone switching
68 and private branch exchange system, or environmental control
69 system which contains customer information or is connected to a
70 system that contains customer information.
71 (g)1. “Nonpublic personal information” includes all of the
72 following:
73 a. Personally identifiable financial information.
74 b. Any list, description, or grouping of customers derived
75 from personally identifiable financial information that is not
76 publicly available. The term includes lists of customers’ names
77 and street addresses which are derived, in whole or in part,
78 from personally identifiable information, such as account
79 numbers.
80 2. The term does not include any of the following:
81 a. Publicly available information, unless it is part of a
82 list described in sub-subparagraph 1.b.
83 b. Any list, description, or grouping of customers, along
84 with their publicly available information, if the list was
85 created without using any personally identifiable financial
86 information that is not publicly available. A list of customers’
87 names and addresses is not considered nonpublic personal
88 information if it contains only publicly available information,
89 is not derived in whole or in part from nonpublic personally
90 identifiable financial information, and is not disclosed in a
91 way that indicates any of the customers on the list are
92 customers of the licensee.
93 (h)1. “Personally identifiable financial information” means
94 any information that:
95 a. A customer provides to a licensee to obtain a financial
96 product or service, such as information submitted on an
97 application for a loan or other financial product or service;
98 b. A licensee receives about a customer during or as a
99 result of any transaction involving a financial product or
100 service, including information collected through an Internet
101 cookie or from a web server; or
102 c. A licensee otherwise obtains about a customer in
103 connection with providing a financial product or service, such
104 as records indicating that a customer has previously engaged
105 with the licensee or obtained a financial product or service.
106 2. Personally identifiable financial information does not
107 include any of the following:
108 a. A list of names and addresses of customers of an entity
109 that is not a mortgage broker or lender.
110 b. Information that does not identify a customer, such as
111 aggregate information or anonymized data that does not contain
112 personal identifiers such as account numbers, names, or
113 addresses.
114 (i)1. “Publicly available information” means any
115 information that a licensee has a reasonable basis to believe is
116 lawfully made available to the general public from any of the
117 following:
118 a. Federal, state, or local government records, such as
119 real estate records or security interest filings.
120 b. Widely distributed media, including telephone
121 directories, television or radio programs, newspapers, or
122 websites that are available to the general public on an
123 unrestricted basis. A website is not restricted merely because
124 an Internet service provider or a site operator requires a fee
125 or a password, so long as access is available to the general
126 public.
127 c. Disclosures to the general public that are required to
128 be made by federal, state, or local law.
129 2. For the purpose of this paragraph, the term “reasonable
130 basis to believe is lawfully made available to the general
131 public” means that the licensee has taken steps to determine all
132 of the following:
133 a. That the information is of the type that is available to
134 the general public, such as information included on the public
135 record in the jurisdiction where the mortgage would be recorded.
136 b. Whether an individual can direct that the information
137 not be made available to the general public and, if so, whether
138 the customer to whom the information relates has so directed.
139 (j) “Third-party service provider” means a person, other
140 than a licensee, that contracts with a licensee to maintain,
141 process, or store nonpublic personal information or that is
142 otherwise permitted access to nonpublic personal information
143 through its provision of services to a licensee.
144 (2)(a) Each licensee shall develop, implement, and maintain
145 a comprehensive written information security program that
146 contains administrative, technical, and physical safeguards for
147 the protection of the licensee’s information system and
148 nonpublic personal information.
149 (b) A licensee must ensure the information security program
150 meets all of the following criteria:
151 1. Is commensurate with the following measures:
152 a. The size and complexity of the licensee.
153 b. The nature and scope of the licensee’s activities,
154 including its use of third-party service providers.
155 c. The sensitivity of the nonpublic personal information
156 used by the licensee or in the possession, custody, or control
157 of the licensee.
158 2. Is designed to:
159 a. Protect the security and confidentiality of nonpublic
160 personal information and the security of the licensee’s
161 information system;
162 b. Protect against threats or hazards to the security or
163 integrity of nonpublic personal information and the licensee’s
164 information system; and
165 c. Protect against unauthorized access to or use of
166 nonpublic personal information and minimize the likelihood of
167 harm to any customer.
168 3. Defines and periodically reevaluates the retention
169 schedule and the mechanism for the destruction of nonpublic
170 personal information if retention is no longer necessary for the
171 licensee’s business operations or required by applicable law.
172 4. Regularly tests and monitors systems and procedures for
173 the detection of actual and attempted attacks on, or intrusions
174 into, the information system.
175 5. Monitors, evaluates, and adjusts, as necessary, the
176 licensee’s information security program to:
177 a. Ensure the program remains consistent with relevant
178 changes in technology;
179 b. Confirm that the program accounts for the sensitivity of
180 nonpublic personal information;
181 c. Identify and address changes that may be necessary to
182 the licensee’s information system;
183 d. Eliminate any internal or external threats to nonpublic
184 personal information; and
185 e. Amend the licensee’s information security program for
186 any of the licensee’s changing business arrangements, including,
187 but not limited to, mergers and acquisitions, alliances and
188 joint ventures, and outsourcing arrangements.
189 (c) As part of a licensee’s information security program, a
190 licensee shall establish a written incident response plan
191 designed to promptly respond to, and recover from, a
192 cybersecurity event that compromises the confidentiality,
193 integrity, or availability of nonpublic personal information in
194 the licensee’s possession, the licensee’s information system, or
195 the continuing functionality of any aspect of the licensee’s
196 operations. The written incident response plan must address all
197 of the following:
198 1. The licensee’s internal process for responding to a
199 cybersecurity event.
200 2. The goals of the licensee’s incident response plan.
201 3. The assignment of clear roles, responsibilities, and
202 levels of decisionmaking authority for personnel that
203 participate in the incident response plan.
204 4. External communications, internal communications, and
205 information sharing related to a cybersecurity event.
206 5. The identification of remediation requirements for
207 weaknesses identified in information systems and associated
208 controls.
209 6. Documentation and reporting regarding cybersecurity
210 events and related incident response activities.
211 7. The evaluation and revision of the incident response
212 plan, as appropriate, following a cybersecurity event.
213 8. The process by which notice must be given as required
214 under subsection (4) and s. 501.171(3) and (4).
215 (d) This subsection does not apply to a licensee that:
216 1. Has fewer than 20 persons on its workforce, including
217 employees and independent contractors; or
218 2. Has fewer than 500 customers during a calendar year.
219 (e) A licensee has 180 calendar days from the date the
220 licensee no longer qualifies for exemption under paragraph (d)
221 to comply with this section.
222 (f) A licensee shall maintain a copy of the information
223 security program for a minimum of 5 years and shall make it
224 available to the office upon request or as part of an
225 examination.
226 (3)(a) If a licensee discovers that a cybersecurity event
227 has occurred, or that a cybersecurity event may have occurred,
228 the licensee, or the outside vendor or third-party service
229 provider the licensee has designated to act on its behalf, shall
230 conduct a prompt investigation of the event.
231 (b) During the investigation, the licensee, or the outside
232 vendor or third-party service provider the licensee has
233 designated to act on its behalf, shall, at a minimum, determine
234 all of the following, to the extent possible:
235 1. Whether a cybersecurity event has occurred.
236 2. The date the cybersecurity event first occurred.
237 3. The nature and scope of the cybersecurity event.
238 4. Any nonpublic personal information that may have been
239 compromised.
240 5. Reasonable measures to restore the security of
241 compromised information systems and prevent further unauthorized
242 access, disclosure, or use of nonpublic personal information in
243 the possession, custody, or control of the licensee, outside
244 vendor, or third-party service provider.
245 (c) If a licensee learns that a cybersecurity event has
246 occurred, or may have occurred, in an information system
247 maintained by a third-party service provider of the licensee,
248 the licensee must complete an investigation in compliance with
249 this section or confirm and document that the third-party
250 service provider has completed an investigation in compliance
251 with this section.
252 (d) A licensee shall maintain all records and documentation
253 related to the licensee’s investigation of a cybersecurity event
254 for a minimum of 5 years from the date of the event and shall
255 produce the records and documentation upon the office’s request.
256 (4)(a) A licensee shall provide notice to the office of any
257 breach of security affecting 500 or more persons in this state
258 at a time and in the manner prescribed by commission rule.
259 (b) A licensee shall, upon request by the office, provide a
260 quarterly update of the investigation undertaken pursuant to
261 subsection (3), until conclusion of the investigation.
262 (5) This section may not be construed to relieve a covered
263 entity from complying with s. 501.171. To the extent a licensee
264 is a covered entity, as that term is defined in s.
265 501.171(1)(b), such covered entity remains subject to s.
266 501.171.
267 (6) The commission may adopt rules to administer this
268 section, including rules that allow a licensee that is in full
269 compliance with 16 C.F.R part 314, Standards for Safeguarding
270 Customer Information, by the Federal Trade Commission, to be
271 deemed in compliance with this section.
272 Section 2. Paragraph (z) is added to subsection (1) of
273 section 494.00255, Florida Statutes, to read:
274 494.00255 Administrative penalties and fines; license
275 violations.—
276 (1) Each of the following acts constitutes a ground for
277 which the disciplinary actions specified in subsection (2) may
278 be taken against a person licensed or required to be licensed
279 under part II or part III of this chapter:
280 (z) Failure to comply with the notification requirements in
281 s. 494.00170(4).
282 Section 3. Section 560.1215, Florida Statutes, is created
283 to read:
284 560.1215 Cybersecurity.—
285 (1) As used in this section, the term:
286 (a) “Customer” means a person who seeks to obtain, obtains,
287 or has obtained a financial product or service from a licensee
288 covered under this chapter.
289 (b) “Customer information” means any record containing
290 nonpublic personal information about a customer of a financial
291 transaction, whether in paper, electronic, or other form, which
292 is handled or maintained by or on behalf of the licensee or its
293 affiliates.
294 (c) “Cybersecurity event” means an event resulting in
295 unauthorized access to, or disruption or misuse of, an
296 information system, information stored on such information
297 system, or customer information held in physical form.
298 (d) “Financial product or service” means any product or
299 service offered by a licensee under this chapter.
300 (e) “Information security program” means the
301 administrative, technical, or physical safeguards used to
302 access, collect, distribute, process, protect, store, use,
303 transmit, dispose of, or otherwise handle customer information.
304 (f) “Information system” means a discrete set of electronic
305 information resources organized for the collection, processing,
306 maintenance, use, sharing, dissemination, or disposition of
307 electronic information, as well as any specialized system, such
308 as an industrial or process control system, telephone switching
309 and private branch exchange system, or environmental control
310 system, which contains customer information or which is
311 connected to a system that contains customer information.
312 (g)1. “Nonpublic personal information” includes all of the
313 following:
314 a. Personally identifiable financial information.
315 b. Any list, description, or grouping of customers derived
316 from personally identifiable financial information that is not
317 publicly available. The term includes lists of customers’ names
318 and street addresses which are derived, in whole or in part,
319 from personally identifiable information, such as account
320 numbers.
321 2. The term does not include any of the following:
322 a. Publicly available information, unless it is part of a
323 list described in sub-subparagraph 1.b.
324 b. Any list, description, or grouping of customers, along
325 with their publicly available information, if the list was
326 created without using any personally identifiable financial
327 information that is not publicly available. A list of customers’
328 names and addresses is not considered nonpublic personal
329 information if it contains only publicly available information,
330 is not derived in whole or in part from nonpublic personally
331 identifiable financial information, and is not disclosed in a
332 way that indicates any of the customers on the list are
333 customers of the licensee.
334 (h)1. “Personally identifiable financial information” means
335 any information that:
336 a. A customer provides to a licensee to obtain a financial
337 product or service, such as information submitted on an
338 application for a loan or other financial product or service;
339 b. A licensee receives about a customer during or as a
340 result of any transaction involving a financial product or
341 service, including information collected through an internet
342 cookie or from a web server; or
343 c. A licensee otherwise obtains about a customer in
344 connection with providing a financial product or service, such
345 as records indicating that a customer has previously engaged
346 with the licensee or obtained a financial product or service.
347 2. Personally identifiable financial information does not
348 include any of the following:
349 a. A list of names and addresses of customers of an entity
350 that is not a money service business.
351 b. Information that does not identify a customer, such as
352 aggregate information or anonymized data that does not contain
353 personal identifiers such as account numbers, names, or
354 addresses.
355 (i)1. “Publicly available information” means any
356 information that a licensee has a reasonable basis to believe is
357 lawfully made available to the general public from any of the
358 following:
359 a. Federal, state, or local government records, such as
360 real estate records or security interest filings.
361 b. Widely distributed media, including telephone
362 directories, television or radio programs, newspapers, or
363 websites, that are available to the general public on an
364 unrestricted basis. A website is not restricted merely because
365 an Internet service provider or a site operator requires a fee
366 or a password, so long as access is available to the general
367 public.
368 c. Disclosures to the general public that are required to
369 be made by federal, state, or local law.
370 2. For the purpose of this paragraph, the term “reasonable
371 basis to believe is lawfully made available to the general
372 public” means that the licensee has taken steps to determine all
373 of the following:
374 a. That the information is of the type that is available to
375 the general public, such as information included on the public
376 record in the jurisdiction where the mortgage would be recorded.
377 b. Whether an individual can direct that the information
378 not be made available to the general public and, if so, the
379 customer to whom the information relates has not done so.
380 (j) “Third-party service provider” means a person, other
381 than a licensee, that contracts with a licensee to maintain,
382 process or store nonpublic personal information or that is
383 otherwise permitted access to nonpublic personal information
384 through its provision of services to a licensee.
385 (2)(a) Each licensee shall develop, implement, and maintain
386 a comprehensive written information security program that
387 contains administrative, technical, and physical safeguards for
388 the protection of the licensee’s information system and
389 nonpublic personal information.
390 (b) A licensee must ensure the information security program
391 meets all of the following criteria:
392 1. Is commensurate with the following measures:
393 a. The size and complexity of the licensee.
394 b. The nature and scope of the licensee’s activities,
395 including its use of third-party service providers.
396 c. The sensitivity of the nonpublic personal information
397 used by the licensee or in the possession, custody, or control
398 of the licensee.
399 2. Is designed to:
400 a. Protect the security and confidentiality of nonpublic
401 personal information and the security of the licensee’s
402 information system;
403 b. Protect against threats or hazards to the security or
404 integrity of nonpublic personal information and the licensee’s
405 information system; and
406 c. Protect against unauthorized access to or use of
407 nonpublic personal information and minimize the likelihood of
408 harm to any customer.
409 3. Defines and periodically reevaluates the retention
410 schedule and the mechanism for the destruction of nonpublic
411 personal information if retention is no longer necessary for the
412 licensee’s business operations or required by applicable law.
413 4. Regularly tests and monitors systems and procedures for
414 the detection of actual and attempted attacks on, or intrusions
415 into, the information system.
416 5. Monitors, evaluates, and adjusts, as necessary, the
417 licensee’s information security program to:
418 a. Ensure the program remains consistent with relevant
419 changes in technology;
420 b. Confirm that the program accounts for the sensitivity of
421 nonpublic personal information;
422 c. Identify and address changes that may be necessary to
423 the licensee’s information systems;
424 d. Eliminate any internal or external threats to nonpublic
425 personal information; and
426 e. Amend the licensee’s information security program for
427 any of the licensee’s changing business arrangements, including
428 but not limited to, mergers and acquisitions, alliances and
429 joint ventures, and outsourcing arrangements.
430 (c) As part of a licensee’s information security program, a
431 licensee shall establish a written incident response plan
432 designed to promptly respond to, and recover from, a
433 cybersecurity event that compromises the confidentiality,
434 integrity, or availability of nonpublic personal information in
435 the licensee’s possession, the licensee’s information systems,
436 or the continuing functionality of any aspect of the licensee’s
437 operations. The written incident response plan must address all
438 of the following:
439 1. The licensee’s internal process for responding to a
440 cybersecurity event.
441 2. The goals of the licensee’s incident response plan.
442 3. The assignment of clear roles, responsibilities, and
443 levels of decisionmaking authority for personnel that
444 participate in the incident response plan.
445 4. External communications, internal communications, and
446 information sharing related to a cybersecurity event.
447 5. The identification of remediation requirements for
448 weaknesses identified in information systems and associated
449 controls.
450 6. Documentation and reporting regarding cybersecurity
451 events and related incident response activities.
452 7. The evaluation and revision of the incident response
453 plan, as appropriate, following a cybersecurity event.
454 8. The process by which notice must be given as required
455 under subsection (4) and s. 501.171(3) and (4).
456 (d) This subsection does not apply to a licensee that:
457 1. Has fewer than 20 persons on its workforce, including
458 employees and independent contractors; or
459 2. Has fewer than 500 customers during a calendar year.
460 (e) A licensee has 180 calendar days from the date the
461 licensee no longer qualifies for exemption under paragraph
462 (2)(d) to comply with this section.
463 (f) A licensee shall maintain a copy of the information
464 security program for a minimum of 5 years and shall make it
465 available to the office upon request or as part of an
466 examination.
467 (3)(a) If a licensee discovers that a cybersecurity event
468 has occurred, or that a cybersecurity event may have occurred,
469 the licensee, or the outside vendor or third-party service
470 provider the licensee has designated to act on its behalf, shall
471 conduct a prompt investigation of the event.
472 (b) During the investigation, the licensee, or outside
473 vendor or third-party service provider the licensee has
474 designated to act on its behalf, shall, at a minimum, determine
475 all of the following to the extent possible:
476 1. Whether a cybersecurity event has occurred.
477 2. The date the cybersecurity event first occurred.
478 3. The nature and scope of the cybersecurity event.
479 4. Any nonpublic personal information that may have been
480 compromised.
481 5. Reasonable measures to restore the security of
482 compromised information systems and prevent further unauthorized
483 access, disclosure, or use of nonpublic personal information in
484 the possession, custody, or control of the licensee, outside
485 vendor, or third-party service provider.
486 (c) If a licensee learns that a cybersecurity event has
487 occurred, or may have occurred, in an information system
488 maintained by a third-party service provider of the licensee,
489 the licensee must complete an investigation in compliance with
490 this section or confirm and document that the third-party
491 service provider has completed an investigation in compliance
492 with this section.
493 (d) A licensee shall maintain all records and documentation
494 related to the licensee’s investigation of a cybersecurity event
495 for a minimum of 5 years from the date of the event and shall
496 produce the records and documentation upon the office’s request.
497 (4)(a) A licensee shall provide notice to the office of any
498 breach of security affecting 500 or more persons in this state
499 at a time and in the manner prescribed by commission rule.
500 (b) A licensee, shall, upon request by the office, provide
501 a quarterly update of the investigation undertaken pursuant to
502 paragraph (3), until conclusion of the investigation.
503 (5) This section may not be construed to relieve a covered
504 entity from complying with the provisions of s. 501.171. To the
505 extent a licensee is a covered entity, as that term is defined
506 in s. 501.171(1)(b), such covered entity remains subject to the
507 provisions of s. 501.171.
508 (6) The commission may adopt rules to administer this
509 section including rules that allow a licensee that is in full
510 compliance with 16 C.F.R. part 314, Standards for Safeguarding
511 Customer Information, by the Federal Trade Commission, to be
512 deemed in compliance with subparagraph (2).
513 Section 4. Paragraph (dd) is added to subsection (1) of
514 section 560.114, Florida Statutes, to read:
515 560.114 Disciplinary actions; penalties.—
516 (1) The following actions by a money services business,
517 authorized vendor, or affiliated party constitute grounds for
518 the issuance of a cease and desist order; the issuance of a
519 removal order; the denial, suspension, or revocation of a
520 license; or taking any other action within the authority of the
521 office pursuant to this chapter:
522 (dd) Failure to comply with the notification requirements
523 in s. 560.1215(4).
524 Section 5. This act shall take effect July 1, 2025.