Florida Senate - 2026 COMMITTEE AMENDMENT
Bill No. CS for CS for SB 540
Ì318308.Î318308
LEGISLATIVE ACTION
Senate . House
.
.
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Committee on Rules (Martin) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 149 - 1211
4 and insert:
5 (a) In accordance with s. 415.107, the department shall
6 provide copies of all suspected financial exploitation reports
7 received by the central abuse hotline pursuant to s. 415.1034
8 from any financial institution as defined in s. 655.005(1),
9 securities dealer as defined in s. 517.021(12), or investment
10 adviser as defined in s. 517.021(20) to the Office of Financial
11 Regulation within 15 days after receiving the report. The
12 department may provide copies of any records generated as a
13 result of such reports at the request of the Office of Financial
14 Regulation within 15 days after such request.
15 1. The Office of Financial Regulation may use the reports
16 or records obtained as required or authorized in this subsection
17 for any investigation, examination, or other action conducted
18 pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655.
19 2. Except as provided in this chapter and chapters 517 and
20 655, all confidentiality provisions that apply to the department
21 continue to apply to the records made available to the Office of
22 Financial Regulation and its officials, employees, and agents
23 under s. 415.107.
24 (b) The department and the Office of Financial Regulation
25 may enter into a memorandum of agreement that specifies how the
26 Office of Financial Regulation, in the agency’s role as the
27 regulator of financial services, may assist the department with
28 effectively and efficiently conducting a protective
29 investigation of any vulnerable adult financial exploitation
30 report received by the central abuse hotline and, if the
31 agencies enter into a memorandum of agreement, it must specify
32 how such assistance will be implemented.
33 Section 2. Paragraph (m) is added to subsection (3) of
34 section 415.107, Florida Statutes, to read:
35 415.107 Confidentiality of reports and records.—
36 (3) Access to all records, excluding the name of the
37 reporter which shall be released only as provided in subsection
38 (6), shall be granted only to the following persons, officials,
39 and agencies:
40 (m) Any appropriate officials, employees, or agents of the
41 Office of Financial Regulation who are responsible for
42 conducting investigations, examinations, or other actions
43 pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655.
44 Section 3. Section 494.00123, Florida Statutes, is created
45 to read:
46 494.00123 Information security programs.—
47 (1) DEFINITIONS.—As used in this section, the term:
48 (a) “Customer” means a person who seeks to obtain or who
49 obtains or has obtained a financial product or service from a
50 licensee.
51 (b) “Customer information” means any record containing
52 nonpublic personal information about a customer of a financial
53 transaction, whether on paper, electronic, or in other forms,
54 which is handled or maintained by or on behalf of the licensee
55 or its affiliates.
56 (c) “Cybersecurity event” means an event resulting in
57 unauthorized access to, or disruption or misuse of, an
58 information system or customer information stored on such
59 information system. The term does not include the unauthorized
60 acquisition of encrypted customer information if the encryption
61 process or key is not also acquired, released, or used without
62 authorization. The term does not include an event with regard to
63 which the licensee has determined that the customer information
64 accessed by an unauthorized person has not been used or released
65 and has been returned or destroyed.
66 (d) “Encrypted” means the transformation of data into a
67 form that results in a low probability of assigning meaning
68 without the use of a protective process or key.
69 (e) “Financial product or service” means any product or
70 service offered by a licensee under this chapter.
71 (f) “Information security program” means the
72 administrative, technical, or physical safeguards used to
73 access, collect, distribute, process, protect, store, use,
74 transmit, dispose of, or otherwise handle customer information.
75 (g) “Information system” means a discrete set of electronic
76 information resources organized for the collection, processing,
77 maintenance, use, sharing, dissemination, or disposition of
78 electronic information, as well as any specialized system such
79 as an industrial process control system, telephone switching and
80 private branch exchange system, or environmental control system,
81 which contain customer information or which are connected to a
82 system that contains customer information.
83 (h)1. “Nonpublic personal information” means:
84 a. Personally identifiable financial information; and
85 b. Any list, description, or other grouping of customers
86 which is derived using any personally identifiable financial
87 information that is not publicly available, such as account
88 numbers, including any list of individuals’ names and street
89 addresses which is derived, in whole or in part, using
90 personally identifiable financial information that is not
91 publicly available.
92 2. The term does not include:
93 a. Publicly available information, except as included on a
94 list, description, or other grouping of customers described in
95 sub-subparagraph 1.b.;
96 b. Any list, description, or other grouping of consumers,
97 or any publicly available information pertaining to such list,
98 description, or other grouping of consumers, which is derived
99 without using any personally identifiable financial information
100 that is not publicly available; or
101 c. Any list of individuals’ names and addresses which
102 contains only publicly available information, is not derived, in
103 whole or in part, using personally identifiable financial
104 information that is not publicly available, and is not disclosed
105 in a manner that indicates that any of the individuals on the
106 list is a customer of a licensee.
107 3. As used in this paragraph, the term:
108 a.(I) “Personally identifiable financial information” means
109 any information that:
110 (A) A customer provides to a licensee to obtain a financial
111 product or service, such as information that a customer provides
112 to a licensee on an application to obtain a loan or other
113 financial product or service;
114 (B) A licensee receives about a consumer which is obtained
115 during or as a result of any transaction involving a financial
116 product or service between the licensee and the customer, such
117 as information collected through an information-collecting
118 device from a web server; or
119 (C) A licensee otherwise obtains about a customer in
120 connection with providing a financial product or service to the
121 customer, such as the fact that an individual is or has been one
122 of the licensee’s customers or has obtained a financial product
123 or service from the licensee.
124 (II) The term “personally identifiable financial
125 information” does not include:
126 (A) A list of names and addresses of customers of an entity
127 that is not a financial institution; or
128 (B) Information that does not identify a customer, such as
129 blind data or aggregate information that does not contain
130 personal identifiers such as account numbers, names, or
131 addresses.
132 b.(I) “Publicly available information” means any
133 information that a licensee has a reasonable basis to believe is
134 lawfully made available to the general public from:
135 (A) Federal, state, or local government records, such as
136 government real estate records or security interest filings;
137 (B) Widely distributed media, such as information from a
138 telephone records repository or directory, a television or radio
139 program, a newspaper, a social media platform, or a website that
140 is available to the general public on an unrestricted basis. A
141 website is not restricted merely because an Internet service
142 provider or a site operator requires a fee or a password, so
143 long as access is available to the general public; or
144 (C) Disclosures to the general public which are required to
145 be made by federal, state, or local law.
146 (II) As used in this sub-subparagraph, the term “reasonable
147 basis to believe is lawfully made available to the general
148 public” relating to any information means that the person has
149 taken steps to determine:
150 (A) That the information is of the type that is available
151 to the general public, such as information included on the
152 public record in the jurisdiction where the mortgage would be
153 recorded; and
154 (B) Whether an individual can direct that the information
155 not be made available to the general public and, if so, the
156 customer to whom the information relates has not done so, such
157 as when a telephone number is listed in a telephone directory
158 and the customer has informed the licensee that the telephone
159 number is not unlisted.
160 (i) “Third-party service provider” means a person, other
161 than a licensee, which contracts with a licensee to maintain,
162 process, or store nonpublic personal information, or is
163 otherwise permitted access to nonpublic personal information
164 through its provision of services to a licensee.
165 (2) INFORMATION SECURITY PROGRAM.—
166 (a) Each licensee shall develop, implement, and maintain a
167 comprehensive written information security program that contains
168 administrative, technical, and physical safeguards for the
169 protection of the licensee’s information system and nonpublic
170 personal information.
171 (b) Each licensee shall ensure that the information
172 security program meets all of the following criteria:
173 1. Be commensurate with the following measures:
174 a. Size and complexity of the licensee.
175 b. Nature and scope of the licensee’s activities, including
176 the licensee’s use of third-party service providers.
177 c. Sensitivity of nonpublic personal information that is
178 used by the licensee or that is in the licensee’s possession,
179 custody, or control.
180 2. Be designed to do all of the following:
181 a. Protect the security and confidentiality of nonpublic
182 personal information and the security of the licensee’s
183 information system.
184 b. Protect against threats or hazards to the security or
185 integrity of nonpublic personal information and the licensee’s
186 information system.
187 c. Protect against unauthorized access to or the use of
188 nonpublic personal information and minimize the likelihood of
189 harm to any customer.
190 3. Define and periodically reevaluate the retention
191 schedule and the mechanism for the destruction of nonpublic
192 personal information if retention is no longer necessary for the
193 licensee’s business operations or is no longer required by
194 applicable law.
195 4. Regularly test and monitor systems and procedures for
196 the detection of actual and attempted attacks on, or intrusions
197 into, the licensee’s information system.
198 5. Be monitored, evaluated, and adjusted, as necessary, to
199 meet all of the following requirements:
200 a. Determine whether the licensee’s information security
201 program is consistent with relevant changes in technology.
202 b. Confirm the licensee’s information security program
203 accounts for the sensitivity of nonpublic personal information.
204 c. Identify changes that may be necessary to the licensee’s
205 information system.
206 d. Mitigate any internal or external threats to nonpublic
207 personal information.
208 e. Amend the licensee’s information security program for
209 any material changes to the licensee’s business arrangements,
210 including, but not limited to, mergers and acquisitions,
211 alliances and joint ventures, and outsourcing arrangements.
212 (c)1. As part of a licensee’s information security program,
213 the licensee shall establish a written incident response plan
214 designed to promptly respond to, and recover from, a
215 cybersecurity event that compromises:
216 a. The confidentiality, integrity, or availability of
217 nonpublic personal information in the licensee’s possession;
218 b. The licensee’s information system; or
219 c. The continuing functionality of any aspect of the
220 licensee’s operations.
221 2. The written incident response plan must address all of
222 the following:
223 a. The licensee’s internal process for responding to a
224 cybersecurity event.
225 b. The goals of the licensee’s incident response plan.
226 c. The assignment of clear roles, responsibilities, and
227 levels of decisionmaking authority for the licensee’s personnel
228 that participate in the incident response plan.
229 d. External communications, internal communications, and
230 information sharing related to a cybersecurity event.
231 e. The identification of remediation requirements for
232 weaknesses identified in information systems and associated
233 controls.
234 f. The documentation and reporting regarding cybersecurity
235 events and related incident response activities.
236 g. The evaluation and revision of the incident response
237 plan, as appropriate, following a cybersecurity event.
238 h. The process by which notice must be given as required
239 under subsection (3) and s. 501.171(3) and (4).
240 (d)1. This section does not apply to a licensee that has
241 fewer than:
242 a. Twenty individuals on its workforce, including employees
243 and independent contractors; or
244 b. Five hundred customers during a calendar year.
245 2. A licensee that no longer qualifies for exemption under
246 subparagraph 1. has 180 calendar days to comply with this
247 section after the date of the disqualification.
248 (e) Each licensee shall maintain a copy of the information
249 security program for a minimum of 5 years and shall make it
250 available to the office upon request or as part of an
251 examination.
252 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
253 shall provide notice to the office of any breach of security, as
254 defined in s. 501.171, affecting 500 or more individuals in this
255 state at a time and in the manner prescribed by commission rule.
256 (4) CONSTRUCTION.—This section may not be construed to
257 relieve a covered entity from complying with s. 501.171. To the
258 extent a licensee is a covered entity, as defined in s.
259 501.171(1), the licensee remains subject to s. 501.171.
260 (5) RULES.—The commission shall adopt rules to administer
261 this section, including rules that allow a licensee that is in
262 compliance with the Federal Trade Commission’s Standards for
263 Safeguarding Customer Information, 16 C.F.R. part 314, to be
264 deemed in compliance with subsection (2).
265 Section 4. Paragraph (z) is added to subsection (1) of
266 section 494.00255, Florida Statutes, to read:
267 494.00255 Administrative penalties and fines; license
268 violations.—
269 (1) Each of the following acts constitutes a ground for
270 which the disciplinary actions specified in subsection (2) may
271 be taken against a person licensed or required to be licensed
272 under part II or part III of this chapter:
273 (z) Failure to comply with the notification requirements in
274 s. 501.171(3) and (4).
275 Section 5. Present subsections (28) through (36) of section
276 517.021, Florida Statutes, are redesignated as subsections (29)
277 through (37), respectively, a new subsection (28) is added to
278 that section, and subsection (20) of that section is amended, to
279 read:
280 517.021 Definitions.—When used in this chapter, unless the
281 context otherwise indicates, the following terms have the
282 following respective meanings:
283 (20)(a) “Investment adviser” means a person, other than an
284 associated person of an investment adviser or a federal covered
285 adviser, that receives compensation, directly or indirectly, and
286 engages for all or part of the person’s time, directly or
287 indirectly, or through publications or writings, in the business
288 of advising others as to the value of securities or as to the
289 advisability of investments in, purchasing of, or selling of
290 securities.
291 (b) The term does not include any of the following:
292 1. A dealer or an associated person of a dealer whose
293 performance of services in paragraph (a) is solely incidental to
294 the conduct of the dealer’s or associated person’s business as a
295 dealer and who does not receive special compensation for those
296 services.
297 2. A licensed practicing attorney or certified public
298 accountant whose performance of such services is solely
299 incidental to the practice of the attorney’s or accountant’s
300 profession.
301 3. A bank authorized to do business in this state.
302 4. A bank holding company as defined in the Bank Holding
303 Company Act of 1956, as amended, authorized to do business in
304 this state.
305 5. A trust company having trust powers, as defined in s.
306 658.12, which it is authorized to exercise in this state, which
307 trust company renders or performs investment advisory services
308 in a fiduciary capacity incidental to the exercise of its trust
309 powers.
310 6. A person that renders investment advice exclusively to
311 insurance or investment companies.
312 7. A person:
313 a. Without a place of business in this state if the person
314 has had that, during the preceding 12 months, has fewer than six
315 clients who are residents of this state.
316 b. With a place of business in this state if the person has
317 had, during the preceding 12 months, fewer than six clients who
318 are residents of this state and no clients who are not residents
319 of this state.
320
321 As used in this subparagraph, the term “client” has the same
322 meaning as provided in Securities and Exchange Commission Rule
323 222-2 275.222-2, 17 C.F.R. s. 275.222-2, as amended.
324 8. A federal covered adviser.
325 9. The United States, a state, or any political subdivision
326 of a state, or any agency, authority, or instrumentality of any
327 such entity; a business entity that is wholly owned directly or
328 indirectly by such a governmental entity; or any officer, agent,
329 or employee of any such governmental or business entity who is
330 acting within the scope of his or her official duties.
331 10. A family office as defined in Securities and Exchange
332 Commission Rule 202(a)(11)(G)-1(b) under the Investment Advisers
333 Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b), as amended. In
334 determining whether a person meets the definition of a family
335 office under this subparagraph, the terms “affiliated family
336 office,” “control,” “executive officer,” “family client,”
337 “family entity,” “family member,” “former family member,” “key
338 employee,” and “spousal equivalent” have the same meaning as in
339 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
340 the Investment Advisers Act of 1940, 17 C.F.R. s.
341 275.202(a)(11)(G)-1(d), as amended.
342 (28) “Place of business” of an investment adviser means an
343 office at which the investment adviser regularly provides
344 investment advisory services to, solicits, meets with, or
345 otherwise communicates with clients; and any other location that
346 is held out to the general public as a location at which the
347 investment adviser provides investment advisory services to,
348 solicits, meets with, or otherwise communicates with clients.
349 Section 6. Paragraph (i) of subsection (9) of section
350 517.061, Florida Statutes, is amended to read:
351 517.061 Exempt transactions.—Except as otherwise provided
352 in subsection (11), the exemptions provided herein from the
353 registration requirements of s. 517.07 are self-executing and do
354 not require any filing with the office before being claimed. Any
355 person who claims entitlement to an exemption under this section
356 bears the burden of proving such entitlement in any proceeding
357 brought under this chapter. The registration provisions of s.
358 517.07 do not apply to any of the following transactions;
359 however, such transactions are subject to s. 517.301:
360 (9) The offer or sale of securities to:
361 (i) A family office as defined in Securities and Exchange
362 Commission Rule 202(a)(11)(G)-1(b) 202(a)(11)(G)-1 under the
363 Investment Advisers Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)
364 1(b) s. 275.202(a)(11)(G)-1, as amended, provided that:
365 1. The family office has assets under management in excess
366 of $5 million;
367 2. The family office is not formed for the specific purpose
368 of acquiring the securities offered; and
369 3. The prospective investment of the family office is
370 directed by a person who has knowledge and experience in
371 financial and business matters that the family office is capable
372 of evaluating the merits and risks of the prospective
373 investment.
374
375 In determining whether a person meets the definition of a family
376 office under this paragraph, the terms “affiliated family
377 office,” “control,” “executive officer,” “family client,”
378 “family entity,” “family member,” “former family member,” “key
379 employee,” and “spousal equivalent” have the same meaning as in
380 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
381 the Investment Advisers Act of 1940, 17 C.F.R. s.
382 275.202(a)(11)(G)-1(d), as amended.
383 Section 7. Paragraph (a) of subsection (1) of section
384 517.201, Florida Statutes, is amended, and paragraph (c) is
385 added to that subsection, to read:
386 517.201 Investigations; examinations; subpoenas; hearings;
387 witnesses.—
388 (1) The office:
389 (a) May make investigations and examinations within or
390 outside of this state as it deems necessary:
391 1. To determine whether a person has violated or is about
392 to violate any provision of this chapter or a rule or order
393 hereunder; or
394 2. To aid in the enforcement of this chapter; or
395 3. In accordance with a memorandum of agreement pursuant to
396 s. 415.106(4)(b), to aid the Department of Children and Families
397 with any protective investigations the Department of Children
398 and Families is required to conduct under s. 415.104.
399 (c) May consider or use as part of any investigation or
400 examination pursuant to this section the information contained
401 in any suspected financial exploitation report or any records
402 generated as a result of such report which is obtained pursuant
403 to s. 415.106(4).
404 Section 8. Paragraphs (b) and (c) of subsection (3) and
405 subsection (6) of section 517.34, Florida Statutes, are amended
406 to read:
407 517.34 Protection of specified adults.—
408 (3) A dealer or investment adviser may delay a disbursement
409 or transaction of funds or securities from an account of a
410 specified adult or an account for which a specified adult is a
411 beneficiary or beneficial owner if all of the following apply:
412 (b) Not later than 3 business days after the date on which
413 the delay was first placed, the dealer or investment adviser
414 complies with all of the following conditions:
415 1. Notifies in writing all parties authorized to transact
416 business on the account and any trusted contact on the account,
417 using the contact information provided for the account, with the
418 exception of any party the dealer or investment adviser
419 reasonably believes has engaged in, is engaging in, has
420 attempted to engage in, or will attempt to engage in the
421 suspected financial exploitation of the specified adult. The
422 notice, which may be provided electronically, must provide the
423 reason for the delay.
424 2. Notifies the office of the delay electronically on a
425 form prescribed by commission rule. The form must be consistent
426 with the purposes of this section and must contain, but need not
427 be limited to, the following information:
428 a. The date on which the delay was first placed.
429 b. The name, age, and address, or location, if different,
430 of the specified adult.
431 c. The business location of the dealer or investment
432 adviser.
433 d. The name, address, and telephone number and title of the
434 employee who reported suspected financial exploitation of the
435 specified adult.
436 e. The facts and circumstances that caused the employee to
437 report suspected financial exploitation.
438 f. The names, addresses, and telephone numbers of the
439 specified adult’s family members.
440 g. The name, address, and telephone number of each person
441 suspected of engaging in financial exploitation.
442 h. The name, address, and telephone number of the caregiver
443 of the specified adult, if different from the person or persons
444 suspected of engaging in financial exploitation.
445 i. A description of actions taken by the dealer or
446 investment adviser, if any, such as notification to a criminal
447 justice agency.
448 j. Any other information available to the reporting person
449 which may establish the cause of financial exploitation that
450 occurred or is occurring.
451 (c) Not later than 3 business days after the date on which
452 the delay was first placed, the dealer or investment adviser
453 Notifies the office of the delay electronically on a form
454 prescribed by commission rule. The form must be consistent with
455 the purposes of this section and may include only the following
456 information:
457 1. The date on which the notice is submitted to the office.
458 2. The date on which the delay was first placed.
459 3. The following information about the specified adult:
460 a. Gender.
461 b. Age.
462 c. Zip code of residence address.
463 4. The following information about the dealer or investment
464 adviser who placed the delay:
465 a. Name.
466 b. Title.
467 c. Firm name.
468 d. Business address.
469 5. A section with the following questions for which the
470 only allowable responses are “Yes” or “No”:
471 a. Is financial exploitation of a specified adult suspected
472 in connection with a disbursement or transaction?
473 b. Are funds currently at risk of being lost?
474
475 The form must contain substantially the following statement in
476 conspicuous type: “The office may take disciplinary action
477 against any person making a knowing and willful
478 misrepresentation on this form.”
479 (6) A dealer, an investment adviser, or an associated
480 person who in good faith and exercising reasonable care complies
481 with this section is immune from any administrative or civil
482 liability that might otherwise arise from such delay in a
483 disbursement or transaction in accordance with this section.
484 This subsection does not supersede or diminish any immunity
485 granted under chapter 415, nor does it substitute for the duty
486 to report to the central abuse hotline as required under s.
487 415.1034.
488 Section 9. Section 520.135, Florida Statutes, is created to
489 read:
490 520.135 Surrendered or repossessed vehicles.—The rights and
491 obligations of parties with respect to a surrendered or
492 repossessed motor vehicle are exclusively governed by part VI of
493 chapter 679.
494 Section 10. Subsections (1) and (2) of section 560.114,
495 Florida Statutes, are amended to read:
496 560.114 Disciplinary actions; penalties.—
497 (1) The following actions by a money services business, an
498 authorized vendor, or a affiliated party that was affiliated at
499 the time of commission of the actions constitute grounds for the
500 issuance of a cease and desist order; the issuance of a removal
501 order; the denial, suspension, or revocation of a license; or
502 taking any other action within the authority of the office
503 pursuant to this chapter:
504 (a) Failure to comply with any provision of this chapter or
505 related rule or order, or any written agreement entered into
506 with the office.
507 (b) Fraud, misrepresentation, deceit, or gross negligence
508 in any transaction by a money services business, regardless of
509 reliance thereon by, or damage to, a customer.
510 (c) Fraudulent misrepresentation, circumvention, or
511 concealment of any matter that must be stated or furnished to a
512 customer pursuant to this chapter, regardless of reliance
513 thereon by, or damage to, such customer.
514 (d) False, deceptive, or misleading advertising.
515 (e) Failure to maintain, preserve, keep available for
516 examination, and produce all books, accounts, files, or other
517 documents required by this chapter or related rules or orders,
518 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
519 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
520 or by an agreement entered into with the office.
521 (f) Refusing to allow the examination or inspection of
522 books, accounts, files, or other documents by the office
523 pursuant to this chapter, or to comply with a subpoena issued by
524 the office.
525 (g) Failure to pay a judgment recovered in any court by a
526 claimant in an action arising out of a money transmission
527 transaction within 30 days after the judgment becomes final.
528 (h) Engaging in an act prohibited under s. 560.111 or s.
529 560.1115.
530 (i) Insolvency.
531 (j) Failure by a money services business to remove an
532 affiliated party after the office has issued and served upon the
533 money services business a final order setting forth a finding
534 that the affiliated party has violated a provision of this
535 chapter.
536 (k) Making a material misstatement, misrepresentation, or
537 omission in an application for licensure, any amendment to such
538 application, or application for the appointment of an authorized
539 vendor.
540 (l) Committing any act that results in a license or its
541 equivalent, to practice any profession or occupation being
542 denied, suspended, revoked, or otherwise acted against by a
543 licensing authority in any jurisdiction.
544 (m) Being the subject of final agency action or its
545 equivalent, issued by an appropriate regulator, for engaging in
546 unlicensed activity as a money services business or deferred
547 presentment provider in any jurisdiction.
548 (n) Committing any act resulting in a license or its
549 equivalent to practice any profession or occupation being
550 denied, suspended, revoked, or otherwise acted against by a
551 licensing authority in any jurisdiction for a violation of 18
552 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
553 s. 5324, or any other law or rule of another state or of the
554 United States relating to a money services business, deferred
555 presentment provider, or usury that may cause the denial,
556 suspension, or revocation of a money services business or
557 deferred presentment provider license or its equivalent in such
558 jurisdiction.
559 (o) Having been convicted of, or entered a plea of guilty
560 or nolo contendere to, any felony or crime punishable by
561 imprisonment of 1 year or more under the law of any state or the
562 United States which involves fraud, moral turpitude, or
563 dishonest dealing, regardless of adjudication.
564 (p) Having been convicted of, or entered a plea of guilty
565 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
566 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
567 (q) Having been convicted of, or entered a plea of guilty
568 or nolo contendere to, misappropriation, conversion, or unlawful
569 withholding of moneys belonging to others, regardless of
570 adjudication.
571 (r) Having been convicted of, or entered a plea of guilty
572 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
573 1022, regardless of adjudication.
574 (s)(r) Failure to inform the office in writing within 30
575 days after having pled guilty or nolo contendere to, or being
576 convicted of, any felony or crime punishable by imprisonment of
577 1 year or more under the law of any state or the United States,
578 or any crime involving fraud, moral turpitude, or dishonest
579 dealing.
580 (t)(s) Aiding, assisting, procuring, advising, or abetting
581 any person in violating a provision of this chapter or any order
582 or rule of the office or commission.
583 (u)(t) Failure to pay any fee, charge, or cost imposed or
584 assessed under this chapter.
585 (v)(u) Failing to pay a fine assessed by the office within
586 30 days after the due date as stated in a final order.
587 (w)(v) Failure to pay any judgment entered by any court
588 within 30 days after the judgment becomes final.
589 (x)(w) Engaging or advertising engagement in the business
590 of a money services business or deferred presentment provider
591 without a license, unless exempted from licensure.
592 (y)(x) Payment to the office for a license or other fee,
593 charge, cost, or fine with a check or electronic transmission of
594 funds that is dishonored by the applicant’s or licensee’s
595 financial institution.
596 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
597 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
598 1022.380, and 1022.410, and United States Treasury Interpretive
599 Release 2004-1.
600 (aa)(z) Any practice or conduct that creates the likelihood
601 of a material loss, insolvency, or dissipation of assets of a
602 money services business or otherwise materially prejudices the
603 interests of its customers.
604 (bb)(aa) Failure of a check casher to maintain a federally
605 insured depository account as required by s. 560.309.
606 (cc)(bb) Failure of a check casher to deposit into its own
607 federally insured depository account any payment instrument
608 cashed as required by s. 560.309.
609 (dd)(cc) Violating any provision of the Military Lending
610 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
611 in 32 C.F.R. part 232, in connection with a deferred presentment
612 transaction conducted under part IV of this chapter.
613 (ee) Failure to comply with the notification requirements
614 in s. 501.171(3) and (4).
615 (2) Pursuant to s. 120.60(6), The office shall issue an
616 emergency suspension order suspending may summarily suspend the
617 license of a money services business if the office finds that a
618 licensee poses a danger deemed by the Legislature to be an
619 immediate and, serious danger to the public health, safety, and
620 welfare. A proceeding in which the office seeks the issuance of
621 a final order for the summary suspension of a licensee shall be
622 conducted by the commissioner of the office, or his or her
623 designee, who shall issue such order.
624 (a) An emergency suspension order under this subsection may
625 be issued without prior notice and an opportunity to be heard.
626 An emergency suspension order must:
627 1. State the grounds on which the order is based;
628 2. Advise the licensee against whom the order is directed
629 that the order takes effect immediately and, to the extent
630 applicable, requires the licensee to immediately cease and
631 desist from the conduct or violation that is the subject of the
632 order or to take the affirmative action stated in the order as
633 necessary to correct a condition resulting from the conduct or
634 violation or as otherwise appropriate;
635 3. Be delivered by personal delivery or sent by certified
636 mail, return receipt requested, to the licensee against whom the
637 order is directed at the licensee’s last known address; and
638 4. Include a notice that the licensee subject to the
639 emergency suspension order may seek judicial review pursuant to
640 s. 120.68.
641 (b) An emergency suspension order is effective as soon as
642 the licensee against whom the order is directed has actual or
643 constructive knowledge of the issuance of the order.
644 (c) The office shall institute timely proceedings under ss.
645 120.569 and 120.57 after issuance of an emergency suspension
646 order.
647 (d) A licensee subject to an emergency suspension order may
648 seek judicial review pursuant to s. 120.68.
649 (e) The following acts are deemed by the Legislature to
650 constitute an immediate and serious danger to the public health,
651 safety, and welfare, and the office shall may immediately issue
652 an emergency suspension order to suspend the license of a money
653 services business if:
654 1.(a) The money services business fails to provide to the
655 office, upon written request, any of the records required by s.
656 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
657 adopted under those sections. The suspension may be rescinded if
658 the licensee submits the requested records to the office.
659 2.(b) The money services business fails to maintain a
660 federally insured depository account as required by s.
661 560.208(4) or s. 560.309.
662 3.(c) A natural person required to be listed on the license
663 application for a money services business pursuant to s.
664 560.141(1)(a)3. is criminally charged with, or arrested for, a
665 crime described in paragraph (1)(o), paragraph (1)(p), or
666 paragraph(1)(q).
667 Section 11. Section 560.1311, Florida Statutes, is created
668 to read:
669 560.1311 Information security programs.—
670 (1) DEFINITIONS.—As used in this section, the term:
671 (a) “Customer” means a person who seeks to obtain or who
672 obtains or has obtained a financial product or service from a
673 licensee.
674 (b) “Customer information” means any record containing
675 nonpublic personal information about a customer of a financial
676 transaction, whether on paper, electronic, or in other forms,
677 which is handled or maintained by or on behalf of the licensee
678 or its affiliates.
679 (c) “Cybersecurity event” means an event resulting in
680 unauthorized access to, or disruption or misuse of, an
681 information system or customer information stored on such
682 information system. The term does not include the unauthorized
683 acquisition of encrypted customer information if the encryption
684 process or key is not also acquired, released, or used without
685 authorization. The term does not include an event with regard to
686 which the licensee has determined that the customer information
687 accessed by an unauthorized person has not been used or released
688 and has been returned or destroyed.
689 (d) “Encrypted” means the transformation of data into a
690 form that results in a low probability of assigning meaning
691 without the use of a protective process or key.
692 (e) “Financial product or service” means any product or
693 service offered by a licensee under this chapter.
694 (f) “Information security program” means the
695 administrative, technical, or physical safeguards used to
696 access, collect, distribute, process, protect, store, use,
697 transmit, dispose of, or otherwise handle customer information.
698 (g) “Information system” means a discrete set of electronic
699 information resources organized for the collection, processing,
700 maintenance, use, sharing, dissemination, or disposition of
701 electronic information, as well as any specialized system such
702 as an industrial process control system, telephone switching and
703 private branch exchange system, or environmental control system,
704 which contain customer information or which are connected to a
705 system that contains customer information.
706 (h)1. “Nonpublic personal information” means:
707 a. Personally identifiable financial information; and
708 b. Any list, description, or other grouping of customers
709 which is derived using any personally identifiable financial
710 information that is not publicly available, such as account
711 numbers, including any list of individuals’ names and street
712 addresses which is derived, in whole or in part, using
713 personally identifiable financial information that is not
714 publicly available.
715 2. The term does not include:
716 a. Publicly available information, except as included on a
717 list, description, or other grouping of customers described in
718 sub-subparagraph 1.b.;
719 b. Any list, description, or other grouping of consumers,
720 or any publicly available information pertaining to such list,
721 description, or other grouping of consumers, which is derived
722 without using any personally identifiable financial information
723 that is not publicly available; or
724 c. Any list of individuals’ names and addresses which
725 contains only publicly available information, is not derived, in
726 whole or in part, using personally identifiable financial
727 information that is not publicly available, and is not disclosed
728 in a manner that indicates that any of the individuals on the
729 list is a customer of a licensee.
730 3. As used in this paragraph, the term:
731 a.(I) “Personally identifiable financial information” means
732 any information that:
733 (A) A customer provides to a licensee to obtain a financial
734 product or service, such as information that a customer provides
735 to a licensee on an application to obtain a loan or other
736 financial product or service;
737 (B) A licensee receives about a consumer which is obtained
738 during or as a result of any transaction involving a financial
739 product or service between the licensee and the customer, such
740 as information collected through an information-collecting
741 device from a web server; or
742 (C) A licensee otherwise obtains about a customer in
743 connection with providing a financial product or service to the
744 customer, such as the fact that an individual is or has been one
745 of the licensee’s customers or has obtained a financial product
746 or service from the licensee.
747 (II) The term “personally identifiable financial
748 information” does not include:
749 (A) A list of names and addresses of customers of an entity
750 that is not a financial institution; or
751 (B) Information that does not identify a customer, such as
752 blind data or aggregate information that does not contain
753 personal identifiers such as account numbers, names, or
754 addresses.
755 b.(I) “Publicly available information” means any
756 information that a licensee has a reasonable basis to believe is
757 lawfully made available to the general public from:
758 (A) Federal, state, or local government records, such as
759 government real estate records or security interest filings;
760 (B) Widely distributed media, such as information from a
761 telephone records repository or directory, a television or radio
762 program, a newspaper, a social media platform, or a website that
763 is available to the general public on an unrestricted basis. A
764 website is not restricted merely because an Internet service
765 provider or a site operator requires a fee or a password, so
766 long as access is available to the general public; or
767 (C) Disclosures to the general public which are required to
768 be made by federal, state, or local law.
769 (II) As used in this sub-subparagraph, the term “reasonable
770 basis to believe is lawfully made available to the general
771 public” relating to any information means that the person has
772 taken steps to determine:
773 (A) That the information is of the type that is available
774 to the general public, such as information included on the
775 public record in the jurisdiction where the mortgage would be
776 recorded; and
777 (B) Whether an individual can direct that the information
778 not be made available to the general public and, if so, the
779 customer to whom the information relates has not done so, such
780 as when a telephone number is listed in a telephone directory
781 and the customer has informed the licensee that the telephone
782 number is not unlisted.
783 (i) “Third-party service provider” means a person, other
784 than a licensee, which contracts with a licensee to maintain,
785 process, or store nonpublic personal information, or is
786 otherwise permitted access to nonpublic personal information
787 through its provision of services to a licensee.
788 (2) INFORMATION SECURITY PROGRAM.—
789 (a) Each licensee shall develop, implement, and maintain a
790 comprehensive written information security program that contains
791 administrative, technical, and physical safeguards for the
792 protection of the licensee’s information system and nonpublic
793 personal information.
794 (b) Each licensee shall ensure that the information
795 security program meets all of the following criteria:
796 1. Be commensurate with the following measures:
797 a. Size and complexity of the licensee.
798 b. Nature and scope of the licensee’s activities, including
799 the licensee’s use of third-party service providers.
800 c. Sensitivity of nonpublic personal information that is
801 used by the licensee or that is in the licensee’s possession,
802 custody, or control.
803 2. Be designed to do all of the following:
804 a. Protect the security and confidentiality of nonpublic
805 personal information and the security of the licensee’s
806 information system.
807 b. Protect against threats or hazards to the security or
808 integrity of nonpublic personal information and the licensee’s
809 information system.
810 c. Protect against unauthorized access to or the use of
811 nonpublic personal information and minimize the likelihood of
812 harm to any customer.
813 3. Define and periodically reevaluate the retention
814 schedule and the mechanism for the destruction of nonpublic
815 personal information if retention is no longer necessary for the
816 licensee’s business operations or is no longer required by
817 applicable law.
818 4. Regularly test and monitor systems and procedures for
819 the detection of actual and attempted attacks on, or intrusions
820 into, the licensee’s information system.
821 5. Be monitored, evaluated, and adjusted, as necessary, to
822 meet all of the following requirements:
823 a. Determine whether the licensee’s information security
824 program is consistent with relevant changes in technology.
825 b. Confirm the licensee’s information security program
826 accounts for the sensitivity of nonpublic personal information.
827 c. Identify changes that may be necessary to the licensee’s
828 information system.
829 d. Mitigate any internal or external threats to nonpublic
830 personal information.
831 e. Amend the licensee’s information security program for
832 any material changes to the licensee’s business arrangements,
833 including, but not limited to, mergers and acquisitions,
834 alliances and joint ventures, and outsourcing arrangements.
835 (c)1. As part of a licensee’s information security program,
836 the licensee shall establish a written incident response plan
837 designed to promptly respond to, and recover from, a
838 cybersecurity event that compromises:
839 a. The confidentiality, integrity, or availability of
840 nonpublic personal information in the licensee’s possession;
841 b. The licensee’s information system; or
842 c. The continuing functionality of any aspect of the
843 licensee’s operations.
844 2. The written incident response plan must address all of
845 the following:
846 a. The licensee’s internal process for responding to a
847 cybersecurity event.
848 b. The goals of the licensee’s incident response plan.
849 c. The assignment of clear roles, responsibilities, and
850 levels of decisionmaking authority for the licensee’s personnel
851 that participate in the incident response plan.
852 d. External communications, internal communications, and
853 information sharing related to a cybersecurity event.
854 e. The identification of remediation requirements for
855 weaknesses identified in information systems and associated
856 controls.
857 f. The documentation and reporting regarding cybersecurity
858 events and related incident response activities.
859 g. The evaluation and revision of the incident response
860 plan, as appropriate, following a cybersecurity event.
861 h. The process by which notice must be given as required
862 under subsection (3) and s. 501.171(3) and (4).
863 (d)1. This section does not apply to a licensee that has
864 fewer than:
865 a. Twenty individuals on its workforce, including employees
866 and independent contractors; or
867 b. Five hundred customers during a calendar year.
868 2. A licensee that no longer qualifies for exemption under
869 subparagraph 1. has 180 calendar days to comply with this
870 section after the date of the disqualification.
871 (e) Each licensee shall maintain a copy of the information
872 security program for a minimum of 5 years and shall make it
873 available to the office upon request or as part of an
874 examination.
875 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
876 shall provide notice to the office of any breach of security, as
877 defined in s. 501.171(1), affecting 500 or more individuals in
878 this state at a time and in the manner prescribed by commission
879 rule.
880 (4) CONSTRUCTION.—This section may not be construed to
881 relieve a covered entity from complying with s. 501.171. To the
882 extent a licensee is a covered entity, as defined in s.
883 501.171(1), the licensee remains subject to s. 501.171.
884 (5) RULES.—The commission shall adopt rules to administer
885 this section, including rules that allow a licensee that is in
886 compliance with the Federal Trade Commission’s Standards for
887 Safeguarding Customer Information, 16 C.F.R. part 314, to be
888 deemed in compliance with subsection (2).
889 Section 12. Subsection (10) of section 560.309, Florida
890 Statutes, is amended to read:
891 560.309 Conduct of business.—
892 (10) If a check is returned to a licensee from a payor
893 financial institution due to lack of funds, a closed account, or
894 a stop-payment order, the licensee may seek collection pursuant
895 to s. 68.065. In seeking collection, the licensee must comply
896 with the prohibitions against harassment or abuse, false or
897 misleading representations, and unfair practices in the Florida
898 Consumer Collection Practices Act under part VI of chapter 559,
899 including s. 559.77. The licensee must also comply with the Fair
900 Debt Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and
901 1692f if the licensee uses a third-party debt collector or any
902 name other than its own to collect such debts. A violation of
903 this subsection is a deceptive and unfair trade practice and
904 constitutes a violation of the Deceptive and Unfair Trade
905 Practices Act under part II of chapter 501. In addition, a
906 licensee must comply with the applicable provisions of the
907 Consumer Collection Practices Act under part VI of chapter 559,
908 including s. 559.77.
909 Section 13. Subsection (3) of section 560.405, Florida
910 Statutes, is amended to read:
911 560.405 Deposit; redemption.—
912 (3) Notwithstanding subsection (1), in lieu of presentment,
913 a deferred presentment provider may allow the check to be
914 redeemed at any time upon payment of the outstanding transaction
915 balance and earned fees. A redemption transacted using a debit
916 card shall be treated the same as a redemption transacted using
917 cash. However, payment may not be made in the form of a personal
918 check or through a credit card transaction. Upon redemption, the
919 deferred presentment provider must return the drawer’s check and
920 provide a signed, dated receipt showing that the drawer’s check
921 has been redeemed.
922 Section 14. Subsection (2) of section 560.406, Florida
923 Statutes, is amended to read:
924 560.406 Worthless checks.—
925 (2) If a check is returned to a deferred presentment
926 provider from a payor financial institution due to insufficient
927 funds, a closed account, or a stop-payment order, the deferred
928 presentment provider may pursue all legally available civil
929 remedies to collect the check, including, but not limited to,
930 the imposition of all charges imposed on the deferred
931 presentment provider by the financial institution. In its
932 collection practices, a deferred presentment provider must
933 comply with the prohibitions against harassment or abuse, false
934 or misleading representations, and unfair practices that are
935 contained in the Florida Consumer Collection Practices Act under
936 part VI of chapter 559, including s. 559.77. A deferred
937 presentment provider must also comply with the Fair Debt
938 Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and 1692f
939 if the deferred presentment provider uses a third-party debt
940 collector or any name other than its own to collect such debts.
941 A violation of this act is a deceptive and unfair trade practice
942 and constitutes a violation of the Deceptive and Unfair Trade
943 Practices Act under part II of chapter 501. In addition, a
944 deferred presentment provider must comply with the applicable
945 provisions of the Consumer Collection Practices Act under part
946 VI of chapter 559, including s. 559.77.
947 Section 15. Section 655.0171, Florida Statutes, is created
948 to read:
949 655.0171 Requirements for customer data security and for
950 notices of security breaches.—
951 (1) DEFINITIONS.—As used in this section, the term:
952 (a) “Breach of security” or “breach” means unauthorized
953 access of data in electronic form containing personal
954 information. Good faith access of personal information by an
955 employee or agent of a financial institution does not constitute
956 a breach of security, provided that the information is not used
957 for a purpose unrelated to the business or subject to further
958 unauthorized use. As used in this paragraph, the term “data in
959 electronic form” means any data stored electronically or
960 digitally on any computer system or other database and includes
961 recordable tapes and other mass storage devices.
962 (b) “Department” means the Department of Legal Affairs.
963 (c)1. “Personal information” means:
964 a. An individual’s first name, or first initial, and last
965 name, in combination with any of the following data elements for
966 that individual:
967 (I) A social security number;
968 (II) A driver license or identification card number,
969 passport number, military identification number, or other
970 similar number issued on a government document used to verify
971 identity;
972 (III) A financial account number or credit or debit card
973 number, in combination with any required security code, access
974 code, or password that is necessary to permit access to the
975 individual’s financial account;
976 (IV) The individual’s biometric data as defined in s.
977 501.702; or
978 (V) Any information regarding the individual’s geolocation;
979 or
980 b. A username or e-mail address, in combination with a
981 password or security question and answer that would permit
982 access to an online account.
983 2. The term does not include information about an
984 individual which has been made publicly available by a federal,
985 state, or local governmental entity. The term also does not
986 include information that is encrypted, secured, or modified by
987 any other method or technology that removes elements that
988 personally identify an individual or that otherwise renders the
989 information unusable.
990 (2) REQUIREMENTS FOR DATA SECURITY.—Each financial
991 institution shall take reasonable measures to protect and secure
992 data that are in electronic form and that contain personal
993 information.
994 (3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—
995 (a)1. Each financial institution shall provide notice to
996 the office of any breach of security affecting 500 or more
997 individuals in this state. Such notice must be provided to the
998 office as expeditiously as practicable, but no later than 30
999 days after the determination of the breach or the determination
1000 of a reason to believe that a breach has occurred.
1001 2. The written notice to the office must include the items
1002 required under s. 501.171(3)(b).
1003 3. A financial institution must provide the following
1004 information to the office upon its request:
1005 a. A police report, incident report, or computer forensics
1006 report.
1007 b. A copy of the policies in place regarding breaches.
1008 c. Steps that have been taken to rectify the breach.
1009 4. A financial institution may provide the office with
1010 supplemental information regarding a breach at any time.
1011 (b) Each financial institution shall provide notice to the
1012 department of any breach of security affecting 500 or more
1013 individuals in this state. Such notice must be provided to the
1014 department in accordance with s. 501.171.
1015 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each
1016 financial institution shall give notice to each individual in
1017 this state whose personal information was, or the financial
1018 institution reasonably believes to have been, accessed as a
1019 result of the breach in accordance with s. 501.171(4). The
1020 notice must be provided no later than 30 days after the
1021 determination of the breach or the determination of a reason to
1022 believe that a breach has occurred. A financial institution may
1023 receive 15 additional days to provide notice to individuals of a
1024 security breach as required in this subsection if good cause for
1025 delay is provided in writing to the office within 30 days after
1026 determination of the breach or determination of the reason to
1027 believe that a breach has occurred.
1028 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial
1029 institution discovers circumstances requiring notice pursuant to
1030 this section of more than 1,000 individuals at a single time,
1031 the financial institution shall also notify, without
1032 unreasonable delay, all consumer reporting agencies that compile
1033 and maintain files on consumers on a nationwide basis, as
1034 defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),
1035 of the timing, distribution, and content of the notices.
1036 Section 16. Present subsections (3), (4), and (5) of
1037 section 655.032, Florida Statutes, are redesignated as
1038 subsections (4), (5), and (6), respectively, and a new
1039 subsection (3) is added to that section, to read:
1040 655.032 Investigations, subpoenas, hearings, and
1041 witnesses.—
1042 (3) The office may consider or use as part of any
1043 investigation or other action pursuant to this section the
1044 information contained in any suspected financial exploitation
1045 report or any records generated as a result of such report which
1046 is obtained pursuant to s. 415.106(4).
1047 Section 17. Present paragraphs (c) through (f) of
1048 subsection (1) of section 655.045, Florida Statutes, are
1049 redesignated as paragraphs (d) through (g), respectively, a new
1050 paragraph (c) is added to that subsection, and present paragraph
1051 (d) of that subsection is amended, to read:
1052 655.045 Examinations, reports, and internal audits;
1053 penalty.—
1054 (1) The office shall conduct an examination of the
1055 condition of each state financial institution at least every 18
1056 months. The office may conduct more frequent examinations based
1057 upon the risk profile of the financial institution, prior
1058 examination results, or significant changes in the institution
1059 or its operations. The office may use continuous, phase, or
1060 other flexible scheduling examination methods for very large or
1061 complex state financial institutions and financial institutions
1062 owned or controlled by a multi-financial institution holding
1063 company. The office shall consider examination guidelines from
1064 federal regulatory agencies in order to facilitate, coordinate,
1065 and standardize examination processes.
1066 (c) The office may consider or use as part of any
1067 examination or other action conducted pursuant to this section
1068 the information
1069
1070 ================= T I T L E A M E N D M E N T ================
1071 And the title is amended as follows:
1072 Delete lines 97 - 115
1073 and insert:
1074 amending s. 560.405, F.S.; requiring that redemptions
1075 transacted using a debit card be treated the same as
1076 redemptions transacted using cash; prohibiting
1077 redemption through a credit card transaction; amending
1078 s. 560.406, F.S.; providing that licensees must comply
1079 with the Fair Debt Collections Practices Act only if
1080 the licensees meet certain criteria; creating s.
1081 655.0171, F.S.; defining terms; requiring financial
1082 institutions to take measures to protect and secure
1083 certain data that contain personal information;
1084 providing requirements for notices of security
1085 breaches to the office, the Department of Legal
1086 Affairs, certain individuals, and certain credit
1087 reporting agencies; amending s. 655.032, F.S.;
1088 authorizing the office to consider or use certain
1089 information as part of certain investigations or other
1090 actions; amending s. 655.045, F.S.; authorizing the
1091 office to consider or use certain information as part
1092 of certain investigations or other actions; revising
1093 the timeline for the mailing