Bill Amendment: FL S1870 | 2020 | Regular Session

NOTE: For additional amendments please see the Bill Drafting List
Bill Title: Technology Innovation

Status: 2020-03-09 - Laid on Table, refer to CS/CS/CS/HB 1391 [S1870 Detail]

Download: Florida-2020-S1870-Senate_Committee_Substitue_Amendment_635976_Amendment_Delete_All_427788_.html
       Florida Senate - 2020                        COMMITTEE AMENDMENT
       Bill No. SB 1870
       
       
       
       
       
       
       The Committee on Innovation, Industry, and Technology (Hutson)
       recommended the following:
       
    1         Senate Substitute for Amendment (427788) (with title
    2  amendment)
    3  
    4         Delete everything after the enacting clause
    5  and insert:
    6         Section 1. Subsection (2) of section 20.22, Florida
    7  Statutes, is amended to read:
    8         20.22 Department of Management Services.—There is created a
    9  Department of Management Services.
   10         (2)  The following divisions and programs within the
   11  Department of Management Services shall consist of the following
   12  are established:
   13         (a) The Facilities Program.
   14         (b)  The Division of Telecommunications State Technology,
   15  the director of which is appointed by the secretary of the
   16  department and shall serve as the state chief information
   17  officer. The state chief information officer must be a proven,
   18  effective administrator who must have at least 10 years of
   19  executive-level experience in the public or private sector,
   20  preferably with experience in the development of information
   21  technology strategic planning and the development and
   22  implementation of fiscal and substantive information technology
   23  policy and standards.
   24         (c) The Workforce Program.
   25         (d)1. The Support Program.
   26         2. The Federal Property Assistance Program.
   27         (e) The Administration Program.
   28         (f) The Division of Administrative Hearings.
   29         (g) The Division of Retirement.
   30         (h) The Division of State Group Insurance.
   31         (i) The Florida Digital Service.
   32         Section 2. Section 282.0041, Florida Statutes, is amended
   33  to read:
   34         282.0041 Definitions.—As used in this chapter, the term:
   35         (1) “Agency assessment” means the amount each customer
   36  entity must pay annually for services from the Department of
   37  Management Services and includes administrative and data center
   38  services costs.
   39         (2) “Agency data center” means agency space containing 10
   40  or more physical or logical servers.
   41         (3) “Breach” has the same meaning as provided in s.
   42  501.171.
   43         (4) “Business continuity plan” means a collection of
   44  procedures and information designed to keep an agency’s critical
   45  operations running during a period of displacement or
   46  interruption of normal operations.
   47         (5) “Cloud computing” has the same meaning as provided in
   48  Special Publication 800-145 issued by the National Institute of
   49  Standards and Technology.
   50         (6) “Computing facility” or “agency computing facility”
   51  means agency space containing fewer than a total of 10 physical
   52  or logical servers, but excluding single, logical-server
   53  installations that exclusively perform a utility function such
   54  as file and print servers.
   55         (7)  “Credential service provider” means a provider
   56  competitively procured by the department to supply secure
   57  identity management and verification services based on open
   58  standards to qualified entities.
   59         (8)(7) “Customer entity” means an entity that obtains
   60  services from the Department of Management Services.
   61         (9)(8) “Data” means a subset of structured information in a
   62  format that allows such information to be electronically
   63  retrieved and transmitted.
   64         (10) “Data-call” means an electronic transaction with the
   65  credential service provider that verifies the authenticity of a
   66  digital identity by querying enterprise data.
   67         (11)(9) “Department” means the Department of Management
   68  Services.
   69         (12)(10) “Disaster recovery” means the process, policies,
   70  procedures, and infrastructure related to preparing for and
   71  implementing recovery or continuation of an agency’s vital
   72  technology infrastructure after a natural or human-induced
   73  disaster.
   74         (13) “Electronic” means technology having electrical,
   75  digital, magnetic, wireless, optical, electromagnetic, or
   76  similar capabilities.
   77         (14) “Electronic credential” means a digital asset which
   78  verifies the identity of a person, organization, application, or
   79  device.
   80         (15) “Enterprise” means the collection of state agencies.
   81  The term includes the Department of Legal Affairs, the
   82  Department of Agriculture and Consumer Services, the Department
   83  of Financial Services, and the judicial branch.
   84         (16) “Enterprise architecture” means a comprehensive
   85  operational framework that contemplates the needs and assets of
   86  the enterprise to support interoperability across state
   87  government.
   88         (17)(11) “Enterprise information technology service” means
   89  an information technology service that is used in all agencies
   90  or a subset of agencies and is established in law to be
   91  designed, delivered, and managed at the enterprise level.
   92         (18)(12) “Event” means an observable occurrence in a system
   93  or network.
   94         (19)(13) “Incident” means a violation or imminent threat of
   95  violation, whether such violation is accidental or deliberate,
   96  of information technology resources, security, policies, or
   97  practices. An imminent threat of violation refers to a situation
   98  in which the state agency has a factual basis for believing that
   99  a specific incident is about to occur.
  100         (20)(14) “Information technology” means equipment,
  101  hardware, software, firmware, programs, systems, networks,
  102  infrastructure, media, and related material used to
  103  automatically, electronically, and wirelessly collect, receive,
  104  access, transmit, display, store, record, retrieve, analyze,
  105  evaluate, process, classify, manipulate, manage, assimilate,
  106  control, communicate, exchange, convert, converge, interface,
  107  switch, or disseminate information of any kind or form.
  108         (21)(15) “Information technology policy” means a definite
  109  course or method of action selected from among one or more
  110  alternatives that guide and determine present and future
  111  decisions.
  112         (22)(16) “Information technology resources” has the same
  113  meaning as provided in s. 119.011.
  114         (23)(17) “Information technology security” means the
  115  protection afforded to an automated information system in order
  116  to attain the applicable objectives of preserving the integrity,
  117  availability, and confidentiality of data, information, and
  118  information technology resources.
  119         (24) “Interoperability” means the technical ability to
  120  share and use data across and throughout the enterprise.
  121         (25)(18) “Open data” means data collected or created by a
  122  state agency and structured in a way that enables the data to be
  123  fully discoverable and usable by the public. The term does not
  124  include data that are restricted from public distribution based
  125  on federal or state privacy, confidentiality, and security laws
  126  and regulations or data for which a state agency is statutorily
  127  authorized to assess a fee for its distribution.
  128         (26)(19) “Performance metrics” means the measures of an
  129  organization’s activities and performance.
  130         (27)(20) “Project” means an endeavor that has a defined
  131  start and end point; is undertaken to create or modify a unique
  132  product, service, or result; and has specific objectives that,
  133  when attained, signify completion.
  134         (28)(21) “Project oversight” means an independent review
  135  and analysis of an information technology project that provides
  136  information on the project’s scope, completion timeframes, and
  137  budget and that identifies and quantifies issues or risks
  138  affecting the successful and timely completion of the project.
  139         (29) “Qualified entity” means a public or private entity or
  140  individual that enters into a binding agreement with the
  141  department, meets usage criteria, agrees to terms and
  142  conditions, and is subsequently and prescriptively authorized by
  143  the department to access data under the terms of that agreement.
  144         (30)(22) “Risk assessment” means the process of identifying
  145  security risks, determining their magnitude, and identifying
  146  areas needing safeguards.
  147         (31)(23) “Service level” means the key performance
  148  indicators (KPI) of an organization or service which must be
  149  regularly performed, monitored, and achieved.
  150         (32)(24) “Service-level agreement” means a written contract
  151  between the Department of Management Services and a customer
  152  entity which specifies the scope of services provided, service
  153  level, the duration of the agreement, the responsible parties,
  154  and service costs. A service-level agreement is not a rule
  155  pursuant to chapter 120.
  156         (33)(25) “Stakeholder” means a person, group, organization,
  157  or state agency involved in or affected by a course of action.
  158         (34)(26) “Standards” means required practices, controls,
  159  components, or configurations established by an authority.
  160         (35)(27) “State agency” means any official, officer,
  161  commission, board, authority, council, committee, or department
  162  of the executive branch of state government; the Justice
  163  Administrative Commission; and the Public Service Commission.
  164  The term does not include university boards of trustees or state
  165  universities. As used in part I of this chapter, except as
  166  otherwise specifically provided, the term does not include the
  167  Department of Legal Affairs, the Department of Agriculture and
  168  Consumer Services, or the Department of Financial Services.
  169         (36)(28) “SUNCOM Network” means the state enterprise
  170  telecommunications system that provides all methods of
  171  electronic or optical telecommunications beyond a single
  172  building or contiguous building complex and used by entities
  173  authorized as network users under this part.
  174         (37)(29) “Telecommunications” means the science and
  175  technology of communication at a distance, including electronic
  176  systems used in the transmission or reception of information.
  177         (38)(30) “Threat” means any circumstance or event that has
  178  the potential to adversely impact a state agency’s operations or
  179  assets through an information system via unauthorized access,
  180  destruction, disclosure, or modification of information or
  181  denial of service.
  182         (39)(31) “Variance” means a calculated value that
  183  illustrates how far positive or negative a projection has
  184  deviated when measured against documented estimates within a
  185  project plan.
  186         Section 3. Section 282.0051, Florida Statutes, is amended
  187  to read:
  188         282.0051 Florida Digital Service Department of Management
  189  Services; powers, duties, and functions.—There is established
  190  the Florida Digital Service within the department to create
  191  innovative solutions that securely modernize state government,
  192  achieve value through digital transformation and
  193  interoperability, and fully support the cloud-first policy as
  194  specified in s. 282.206.
  195         (1) The Florida Digital Service department shall have the
  196  following powers, duties, and functions:
  197         (a)(1) Develop and publish information technology policy
  198  for the management of the state’s information technology
  199  resources.
  200         (b)(2) Establish and publish information technology
  201  architecture standards to provide for the most efficient use of
  202  the state’s information technology resources and to ensure
  203  compatibility and alignment with the needs of state agencies.
  204  The Florida Digital Service department shall assist state
  205  agencies in complying with the standards.
  206         (c)(3) Establish project management and oversight
  207  standards with which state agencies must comply when
  208  implementing projects that have an information technology
  209  component projects. The Florida Digital Service department shall
  210  provide training opportunities to state agencies to assist in
  211  the adoption of the project management and oversight standards.
  212  To support data-driven decision making, the standards must
  213  include, but are not limited to:
  214         1.(a) Performance measurements and metrics that
  215  objectively reflect the status of a project with an information
  216  technology component project based on a defined and documented
  217  project scope, cost, and schedule.
  218         2.(b) Methodologies for calculating acceptable variances
  219  in the projected versus actual scope, schedule, or cost of a
  220  project with an information technology component project.
  221         3.(c) Reporting requirements, including requirements
  222  designed to alert all defined stakeholders that a project with
  223  an information technology component project has exceeded
  224  acceptable variances defined and documented in a project plan.
  225         4.(d) Content, format, and frequency of project updates.
  226         (d)(4) Perform project oversight on all state agency
  227  information technology projects that have an information
  228  technology component with a total project cost costs of $10
  229  million or more and that are funded in the General
  230  Appropriations Act or any other law. The Florida Digital Service
  231  department shall report at least quarterly to the Executive
  232  Office of the Governor, the President of the Senate, and the
  233  Speaker of the House of Representatives on any project with an
  234  information technology component project that the Florida
  235  Digital Service department identifies as high-risk due to the
  236  project exceeding acceptable variance ranges defined and
  237  documented in a project plan. The report must include a risk
  238  assessment, including fiscal risks, associated with proceeding
  239  to the next stage of the project, and a recommendation for
  240  corrective actions required, including suspension or termination
  241  of the project. The Florida Digital Service shall establish a
  242  process for state agencies to apply for an exception to the
  243  requirements of this paragraph for a specific project with an
  244  information technology component.
  245         (e)(5) Identify opportunities for standardization and
  246  consolidation of information technology services that support
  247  interoperability and the cloud-first policy as specified in s.
  248  282.206, business functions and operations, including
  249  administrative functions such as purchasing, accounting and
  250  reporting, cash management, and personnel, and that are common
  251  across state agencies. The Florida Digital Service department
  252  shall biennially on April 1 provide recommendations for
  253  standardization and consolidation to the Executive Office of the
  254  Governor, the President of the Senate, and the Speaker of the
  255  House of Representatives.
  256         (f)(6) Establish best practices for the procurement of
  257  information technology products and cloud-computing services in
  258  order to reduce costs, increase the quality of data center
  259  services, or improve government services.
  260         (g)(7) Develop standards for information technology reports
  261  and updates, including, but not limited to, operational work
  262  plans, project spend plans, and project status reports, for use
  263  by state agencies.
  264         (h)(8) Upon request, assist state agencies in the
  265  development of information technology-related legislative budget
  266  requests.
  267         (i)(9) Conduct annual assessments of state agencies to
  268  determine compliance with all information technology standards
  269  and guidelines developed and published by the Florida Digital
  270  Service department and provide results of the assessments to the
  271  Executive Office of the Governor, the President of the Senate,
  272  and the Speaker of the House of Representatives.
  273         (j)(10) Provide operational management and oversight of the
  274  state data center established pursuant to s. 282.201, which
  275  includes:
  276         1.(a) Implementing industry standards and best practices
  277  for the state data center’s facilities, operations, maintenance,
  278  planning, and management processes.
  279         2.(b) Developing and implementing cost-recovery or other
  280  payment mechanisms that recover the full direct and indirect
  281  cost of services through charges to applicable customer
  282  entities. Such cost-recovery or other payment mechanisms must
  283  comply with applicable state and federal regulations concerning
  284  distribution and use of funds and must ensure that, for any
  285  fiscal year, no service or customer entity subsidizes another
  286  service or customer entity.
  287         3.(c) Developing and implementing appropriate operating
  288  guidelines and procedures necessary for the state data center to
  289  perform its duties pursuant to s. 282.201. The guidelines and
  290  procedures must comply with applicable state and federal laws,
  291  regulations, and policies and conform to generally accepted
  292  governmental accounting and auditing standards. The guidelines
  293  and procedures must include, but need not be limited to:
  294         a.1. Implementing a consolidated administrative support
  295  structure responsible for providing financial management,
  296  procurement, transactions involving real or personal property,
  297  human resources, and operational support.
  298         b.2. Implementing an annual reconciliation process to
  299  ensure that each customer entity is paying for the full direct
  300  and indirect cost of each service as determined by the customer
  301  entity’s use of each service.
  302         c.3. Providing rebates that may be credited against future
  303  billings to customer entities when revenues exceed costs.
  304         d.4. Requiring customer entities to validate that
  305  sufficient funds exist in the appropriate data processing
  306  appropriation category or will be transferred into the
  307  appropriate data processing appropriation category before
  308  implementation of a customer entity’s request for a change in
  309  the type or level of service provided, if such change results in
  310  a net increase to the customer entity’s cost for that fiscal
  311  year.
  312         e.5. By November 15 of each year, providing to the Office
  313  of Policy and Budget in the Executive Office of the Governor and
  314  to the chairs of the legislative appropriations committees the
  315  projected costs of providing data center services for the
  316  following fiscal year.
  317         f.6. Providing a plan for consideration by the Legislative
  318  Budget Commission if the cost of a service is increased for a
  319  reason other than a customer entity’s request made pursuant to
  320  sub-subparagraph d. subparagraph 4. Such a plan is required only
  321  if the service cost increase results in a net increase to a
  322  customer entity for that fiscal year.
  323         g.7. Standardizing and consolidating procurement and
  324  contracting practices.
  325         4.(d) In collaboration with the Department of Law
  326  Enforcement, developing and implementing a process for
  327  detecting, reporting, and responding to information technology
  328  security incidents, breaches, and threats.
  329         5.(e) Adopting rules relating to the operation of the state
  330  data center, including, but not limited to, budgeting and
  331  accounting procedures, cost-recovery or other payment
  332  methodologies, and operating procedures.
  333         (f) Conducting an annual market analysis to determine
  334  whether the state’s approach to the provision of data center
  335  services is the most effective and cost-efficient manner by
  336  which its customer entities can acquire such services, based on
  337  federal, state, and local government trends; best practices in
  338  service provision; and the acquisition of new and emerging
  339  technologies. The results of the market analysis shall assist
  340  the state data center in making adjustments to its data center
  341  service offerings.
  342         (k)(11) Recommend other information technology services
  343  that should be designed, delivered, and managed as enterprise
  344  information technology services. Recommendations must include
  345  the identification of existing information technology resources
  346  associated with the services, if existing services must be
  347  transferred as a result of being delivered and managed as
  348  enterprise information technology services.
  349         (l)(12) In consultation with state agencies, propose a
  350  methodology and approach for identifying and collecting both
  351  current and planned information technology expenditure data at
  352  the state agency level.
  353         (m)1.(13)(a) Notwithstanding any other law, provide project
  354  oversight on any project with an information technology
  355  component project of the Department of Financial Services, the
  356  Department of Legal Affairs, and the Department of Agriculture
  357  and Consumer Services which has a total project cost of $25
  358  million or more and which impacts one or more other agencies.
  359  Such projects with an information technology component projects
  360  must also comply with the applicable information technology
  361  architecture, project management and oversight, and reporting
  362  standards established by the Florida Digital Service department.
  363  The Florida Digital Service shall establish a process for the
  364  Department of Financial Services, the Department of Legal
  365  Affairs, and the Department of Agriculture and Consumer Services
  366  to apply for an exception to the requirements of this paragraph
  367  for a specific project with an information technology component.
  368         2.(b) When performing the project oversight function
  369  specified in subparagraph 1. paragraph (a), report at least
  370  quarterly to the Executive Office of the Governor, the President
  371  of the Senate, and the Speaker of the House of Representatives
  372  on any project with an information technology component project
  373  that the Florida Digital Service department identifies as high
  374  risk due to the project exceeding acceptable variance ranges
  375  defined and documented in the project plan. The report shall
  376  include a risk assessment, including fiscal risks, associated
  377  with proceeding to the next stage of the project and a
  378  recommendation for corrective actions required, including
  379  suspension or termination of the project.
  380         (n)(14) If a project with an information technology
  381  component project implemented by a state agency must be
  382  connected to or otherwise accommodated by an information
  383  technology system administered by the Department of Financial
  384  Services, the Department of Legal Affairs, or the Department of
  385  Agriculture and Consumer Services, consult with these
  386  departments regarding the risks and other effects of such
  387  projects on their information technology systems and work
  388  cooperatively with these departments regarding the connections,
  389  interfaces, timing, or accommodations required to implement such
  390  projects.
  391         (o)(15) If adherence to standards or policies adopted by or
  392  established pursuant to this section causes conflict with
  393  federal regulations or requirements imposed on a state agency
  394  and results in adverse action against the state agency or
  395  federal funding, work with the state agency to provide
  396  alternative standards, policies, or requirements that do not
  397  conflict with the federal regulation or requirement. The Florida
  398  Digital Service department shall annually report such
  399  alternative standards to the Governor, the President of the
  400  Senate, and the Speaker of the House of Representatives.
  401         (p)1.(16)(a) Establish an information technology policy for
  402  all information technology-related state contracts, including
  403  state term contracts for information technology commodities,
  404  consultant services, and staff augmentation services. The
  405  information technology policy must include:
  406         a.1. Identification of the information technology product
  407  and service categories to be included in state term contracts.
  408         b.2. Requirements to be included in solicitations for state
  409  term contracts.
  410         c.3. Evaluation criteria for the award of information
  411  technology-related state term contracts.
  412         d.4. The term of each information technology-related state
  413  term contract.
  414         e.5. The maximum number of vendors authorized on each state
  415  term contract.
  416         2.(b) Evaluate vendor responses for information technology
  417  related state term contract solicitations and invitations to
  418  negotiate.
  419         3.(c) Answer vendor questions on information technology
  420  related state term contract solicitations.
  421         4.(d) Ensure that the information technology policy
  422  established pursuant to subparagraph 1. paragraph (a) is
  423  included in all solicitations and contracts that are
  424  administratively executed by the department.
  425         (q)(17) Recommend potential methods for standardizing data
  426  across state agencies which will promote interoperability and
  427  reduce the collection of duplicative data.
  428         (r)(18) Recommend open data technical standards and
  429  terminologies for use by state agencies.
  430         (2)(a) The Secretary of Management Services shall appoint a
  431  state chief information officer, who shall administer the
  432  Florida Digital Service and is included in the Senior Management
  433  Service.
  434         (b) The state chief information officer shall appoint a
  435  chief data officer, who shall report to the state chief
  436  information officer and is included in the Senior Management
  437  Service.
  438         (3) The Florida Digital Service shall develop a
  439  comprehensive enterprise architecture that:
  440         (a) Recognizes the unique needs of those included within
  441  the enterprise that results in the publication of standards,
  442  terminologies, and procurement guidelines to facilitate digital
  443  interoperability.
  444         (b) Supports the cloud-first policy as specified in s.
  445  282.206.
  446         (c) Addresses how information technology infrastructure may
  447  be modernized to achieve cloud-first objectives.
  448         (4) The Florida Digital Service shall, pursuant to
  449  legislative appropriation:
  450         (a) Create and maintain a comprehensive indexed data
  451  catalog that lists what data elements are housed within the
  452  enterprise and in which legacy system or application these data
  453  elements are located.
  454         (b) Develop and publish, in collaboration with the
  455  enterprise, a data dictionary for each agency that reflects the
  456  nomenclature in the comprehensive indexed data catalog.
  457         (c) Review and document use cases across the enterprise
  458  architecture.
  459         (d) Develop and publish standards that support the creation
  460  and deployment of application programming interfaces to
  461  facilitate integration throughout the enterprise.
  462         (e) Facilitate collaborative analysis of enterprise
  463  architecture data to improve service delivery.
  464         (f) Develop plans to provide a testing environment in which
  465  any newly developed solution can be tested for compliance within
  466  the enterprise architecture and for functionality assurance
  467  before deployment.
  468         (g) Publish standards necessary to facilitate a secure
  469  ecosystem of data interoperability that is compliant with the
  470  enterprise architecture and allows for a qualified entity to
  471  access enterprise’s data under the terms of the agreements with
  472  the department.
  473         (h) Publishing standards that facilitate the deployment of
  474  applications or solutions to existing enterprise obligations in
  475  a controlled and phased approach, including, but not limited to:
  476         1. Electronic credentials, including Digital licenses, as
  477  referenced in s. 322.032.
  478         2. Interoperability that enables supervisors of elections
  479  to authenticate voter eligibility in real time at the point of
  480  service.
  481         3. The criminal justice database.
  482         4. Motor vehicle insurance cancellation integration between
  483  insurers and the Department of Highway Safety and Motor
  484  Vehicles.
  485         5. Interoperability solutions between agencies, including,
  486  but not limited to, the Department of Health, the Agency for
  487  Health Care Administration, the Agency for Persons with
  488  Disabilities, the Department of Education, the Department of
  489  Elderly Affairs, and the Department of Children and Families.
  490         6. Interoperability solutions to support military members,
  491  veterans, and their families.
  492         (5) Pursuant to legislative authorization and subject to
  493  appropriation:
  494         (a) The department may procure a credential service
  495  provider through a competitive process pursuant to s. 287.057.
  496  The terms of the contract developed from such procurement must
  497  pay for the value on a per-data-call or subscription basis, and
  498  there shall be no cost to the enterprise or law enforcement for
  499  using the services provided by the credential service provider.
  500         (b) The department may enter into agreements with qualified
  501  entities that have the technological capabilities necessary to
  502  integrate with the credential service provider; ensure secure
  503  validation and authentication of data; meet usage criteria; and
  504  agree to terms and conditions, privacy policies, and uniform
  505  remittance terms relating to the consumption of enterprise data.
  506  These agreements must include clear, enforceable, and
  507  significant penalties for violations of the agreements.
  508         (c) The department may enter into agreements with qualified
  509  entities that meet usage criteria and agree to the enterprise
  510  architecture terms of service and privacy policies. These
  511  agreements must include clear, enforceable, and significant
  512  penalties for violations of the agreements.
  513         (d) The terms of the agreements between the department, the
  514  credential service provider and the qualified entities shall be
  515  based on the per-data-call or subscription charges to validate
  516  and authenticate and allow the department to recover any state
  517  costs for implementing and administering a solution. Credential
  518  service provider and qualifying entity revenues may not be
  519  derived from any other transactions that generate revenue for
  520  the enterprise outside of the per-data-call or subscription
  521  charges.
  522         (e) All revenues generated from the agreements with the
  523  credential service provider and qualified entities shall be
  524  remitted to the department, and the department shall deposit
  525  these revenues into the Department of Management Services
  526  Operating Trust Fund for distribution pursuant to a legislative
  527  appropriation and department agreements with the credential
  528  service provider and qualified entities.
  529         (f) Upon the signing of the agreement and the enterprise
  530  architecture terms of service and privacy policies with a
  531  qualified entity the department shall provide to the qualified
  532  entity, as applicable, appropriate access to enterprise data to
  533  facilitate authorized integrations to collaboratively solve
  534  enterprise use cases.
  535         (6) The Florida Digital Service may develop a process to:
  536         (a) Receive written notice from the state agencies within
  537  the enterprise of any planned or existing procurement of an
  538  information technology project that is subject to governance by
  539  the enterprise architecture.
  540         (b) Intervene in any planned procurement by a state agency
  541  so that the procurement complies with the enterprise
  542  architecture.
  543         (c) Report to the Governor, the President of the Senate,
  544  and the Speaker of the House of Representatives on any
  545  information technology project within the judicial branch that
  546  does not comply with the enterprise architecture.
  547         (7)(19) The Florida Digital Service may adopt rules to
  548  administer this section.
  549  
  550         Section 4. Section 282.00515, Florida Statutes, is amended
  551  to read:
  552         282.00515 Enterprise Architecture Advisory Council Duties
  553  of Cabinet Agencies.—The Department of Legal Affairs, the
  554  Department of Financial Services, and the Department of
  555  Agriculture and Consumer Services shall adopt the standards
  556  established in s. 282.0051(2), (3), and (7) or adopt alternative
  557  standards based on best practices and industry standards, and
  558  may contract with the department to provide or perform any of
  559  the services and functions described in s. 282.0051 for the
  560  Department of Legal Affairs, the Department of Financial
  561  Services, or the Department of Agriculture and Consumer
  562  Services.
  563         (1)(a) The Enterprise Architecture Advisory Council, an
  564  advisory council as defined in s. 20.03(7), is established
  565  within the Department of Management Services. The council shall
  566  comply with the requirements of s. 20.052, except as otherwise
  567  provided in this section.
  568         (b) The council shall consist of the following members:
  569         1. Four members appointed by the Governor.
  570         2. One member appointed by the President of the Senate.
  571         3. One member appointed by the Speaker of the House of
  572  Representatives.
  573         4. One member appointed by the Chief Justice of the Supreme
  574  Court.
  575         5. The director of the Office of Policy and Budget in the
  576  Executive Office of the Governor, or the person acting in the
  577  director’s capacity should the position be vacant.
  578         6. The Secretary of Management Services, or the person
  579  acting in the secretary’s capacity should the position be
  580  vacant.
  581         7. The state chief information officer, or the person
  582  acting in the state chief information officer’s capacity should
  583  the position be vacant.
  584         8. The chief information officer of the Department of
  585  Financial Services, or the person acting in the chief
  586  information officer’s capacity should the position be vacant.
  587         9. The chief information officer of the Department of Legal
  588  Affairs, or the person acting in the chief information officer’s
  589  capacity should the position be vacant.
  590         10. The chief information officer of the Department of
  591  Agriculture and Consumer Services, or the person acting in the
  592  chief information officer’s capacity should the position be
  593  vacant.
  594         (2)(a) The appointments made by the Governor, the President
  595  of the Senate, the Speaker of the House of Representatives, and
  596  the Chief Justice of the Supreme Court are for terms of 4 years.
  597  However, for the purpose of providing staggered terms:
  598         1. The appointments made by the Governor, the President of
  599  the Senate, and the Speaker of the House of Representatives are
  600  for initial terms of 2 years.
  601         2. The appointment made by the Chief Justice is for an
  602  initial term of 3 years.
  603         (b) A vacancy on the council among members appointed under
  604  subparagraph (1)(b)1., subparagraph (1)(b)2., subparagraph
  605  (1)(b)3., or subparagraph (1)(b)4. shall be filled in the same
  606  manner as the original appointment for the remainder of the
  607  unexpired term.
  608         (c) The council shall elect a chair from among its members.
  609         (d) The council shall meet at least semiannually, beginning
  610  October 1, 2020, to discuss implementation, management, and
  611  coordination of the enterprise architecture as defined in s.
  612  282.0041; identify potential issues and threats with specific
  613  use cases; and recommend proactive solutions. The council may
  614  conduct its meetings through teleconferences or other similar
  615  means.
  616         Section 5. Paragraph (a) of subsection (3) of section
  617  282.318, Florida Statutes, is amended to read:
  618         282.318 Security of data and information technology.—
  619         (3) The department is responsible for establishing
  620  standards and processes consistent with generally accepted best
  621  practices for information technology security, to include
  622  cybersecurity, and adopting rules that safeguard an agency’s
  623  data, information, and information technology resources to
  624  ensure availability, confidentiality, and integrity and to
  625  mitigate risks. The department shall also:
  626         (a) Designate a state chief information security officer
  627  who shall be appointed by and report to the state chief
  628  information officer of the Florida Digital Service and is in the
  629  Senior Management Service. The state chief information security
  630  officer must have experience and expertise in security and risk
  631  management for communications and information technology
  632  resources.
  633         Section 6. Subsection (4) of section 287.0591, Florida
  634  Statutes, is amended to read:
  635         287.0591 Information technology.—
  636         (4) If the department issues a competitive solicitation for
  637  information technology commodities, consultant services, or
  638  staff augmentation contractual services, the Florida Digital
  639  Service Division of State Technology within the department shall
  640  participate in such solicitations.
  641         Section 7. Paragraph (a) of subsection (3) of section
  642  365.171, Florida Statutes, is amended to read:
  643         365.171 Emergency communications number E911 state plan.—
  644         (3) DEFINITIONS.—As used in this section, the term:
  645         (a) “Office” means the Division of Telecommunications State
  646  Technology within the Department of Management Services, as
  647  designated by the secretary of the department.
  648         Section 8. Paragraph (s) of subsection (3) of section
  649  365.172, Florida Statutes, is amended to read:
  650         365.172 Emergency communications number “E911.”—
  651         (3) DEFINITIONS.—Only as used in this section and ss.
  652  365.171, 365.173, 365.174, and 365.177, the term:
  653         (s) “Office” means the Division of Telecommunications State
  654  Technology within the Department of Management Services, as
  655  designated by the secretary of the department.
  656         Section 9. Paragraph (a) of subsection (1) of section
  657  365.173, Florida Statutes, is amended to read:
  658         365.173 Communications Number E911 System Fund.—
  659         (1) REVENUES.—
  660         (a) Revenues derived from the fee levied on subscribers
  661  under s. 365.172(8) must be paid by the board into the State
  662  Treasury on or before the 15th day of each month. Such moneys
  663  must be accounted for in a special fund to be designated as the
  664  Emergency Communications Number E911 System Fund, a fund created
  665  in the Division of Telecommunications State Technology, or other
  666  office as designated by the Secretary of Management Services.
  667         Section 10. Subsection (5) of section 943.0415, Florida
  668  Statutes, is amended to read:
  669         943.0415 Cybercrime Office.—There is created within the
  670  Department of Law Enforcement the Cybercrime Office. The office
  671  may:
  672         (5) Consult with the Florida Digital Service Division of
  673  State Technology within the Department of Management Services in
  674  the adoption of rules relating to the information technology
  675  security provisions in s. 282.318.
  676         Section 11. Effective January 1, 2021, section 559.952,
  677  Florida Statutes, is created to read:
  678         559.952 Financial Technology Sandbox.—
  679         (1) SHORT TITLE.—This section may be cited as the
  680  “Financial Technology Sandbox.”
  681         (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  682  created the Financial Technology Sandbox within the Office of
  683  Financial Regulation to allow financial technology innovators to
  684  test new products and services in a supervised, flexible
  685  regulatory sandbox using exceptions of specified general law and
  686  waivers of the corresponding rule requirements under defined
  687  conditions. The creation of a supervised, flexible regulatory
  688  sandbox provides a welcoming business environment for technology
  689  innovators and may lead to significant business growth.
  690         (3) DEFINITIONS.—As used in this section, the term:
  691         (a) “Commission” means the Financial Services Commission.
  692         (b) “Consumer” means a person in this state, whether a
  693  natural person or a business entity, who purchases, uses,
  694  receives, or enters into an agreement to purchase, use, or
  695  receive an innovative financial product or service made
  696  available through the Financial Technology Sandbox.
  697         (c) “Financial product or service” means a product or
  698  service related to finance, including securities, consumer
  699  credit, or money transmission, which is traditionally subject to
  700  general law or rule requirements in the provisions enumerated in
  701  paragraph (7)(a) and which is under the jurisdiction of the
  702  office.
  703         (d) “Financial Technology Sandbox” means the program
  704  created in this section which allows a person to make an
  705  innovative financial product or service available to consumers
  706  through the provisions enumerated in paragraph (7)(a) during a
  707  sandbox period through an exception to general laws or and a
  708  waiver of rule requirements, or portions thereof, as specified
  709  in this section.
  710         (e) “Innovative” means new or emerging technology, or new
  711  uses of existing technology, which provides a product, service,
  712  business model, or delivery mechanism to the public.
  713         (f) “Office” means, unless the context clearly indicates
  714  otherwise, the Office of Financial Regulation.
  715         (g) “Sandbox period” means the period, initially not longer
  716  than 24 months, in which the office has:
  717         1. Authorized an innovative financial product or service to
  718  be made available to consumers.
  719         2. Granted the person who makes the innovative financial
  720  product or service available an exception to general law or a
  721  waiver of the corresponding rule requirements, as determined by
  722  the office, so that the authorization under subparagraph 1. is
  723  possible.
  724         (4) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS
  725  FOR APPROVAL.—
  726         (a) Before filing an application to enter the Financial
  727  Technology Sandbox, a substantially affected person may seek a
  728  declaratory statement pursuant to s. 120.565 regarding the
  729  applicability of a statute, rule, or agency order to the
  730  petitioner’s particular set of circumstances.
  731         (b) Before making an innovative financial product or
  732  service available to consumers in the Financial Technology
  733  Sandbox, a person must file an application with the office. The
  734  commission shall prescribe by rule the form and manner of the
  735  application.
  736         1. In the application, the person must specify the general
  737  law or rule requirements for which an exception or waiver is
  738  sought and the reasons why these requirements prevent the
  739  innovative financial product or service from being made
  740  available to consumers.
  741         2. The application must also contain the information
  742  specified in paragraph (e).
  743         (c) A business entity filing an application under this
  744  section must be a domestic corporation or other organized
  745  domestic entity with a physical presence, other than that of a
  746  registered office or agent or virtual mailbox, in this state.
  747         (d) Before a person applies on behalf of a business entity
  748  intending to make an innovative financial product or service
  749  available to consumers, the person must obtain the consent of
  750  the business entity.
  751         (e) The office shall approve or deny in writing a Financial
  752  Technology Sandbox application within 60 days after receiving
  753  the completed application. The office and the applicant may
  754  jointly agree to extend the time beyond 60 days. Consistent with
  755  this section, the office may impose conditions on any approval.
  756  In deciding to approve or deny an application, the office must
  757  consider each of the following:
  758         1. The nature of the innovative financial product or
  759  service proposed to be made available to consumers in the
  760  Financial Technology Sandbox, including all relevant technical
  761  details.
  762         2. The potential risk to consumers and the methods that
  763  will be used to protect consumers and resolve complaints during
  764  the sandbox period.
  765         3. The business plan proposed by the applicant, including a
  766  statement regarding the applicant’s current and proposed
  767  capitalization.
  768         4. Whether the applicant has the necessary personnel,
  769  adequate financial and technical expertise, and a sufficient
  770  plan to test, monitor, and assess the innovative financial
  771  product or service.
  772         5. If any person substantially involved in the development,
  773  operation, or management of the applicant’s innovative financial
  774  product or service has pled no contest to, has been convicted or
  775  found guilty of, or is currently under investigation for, fraud,
  776  a state or federal securities violation, any property-based
  777  offense, or any crime involving moral turpitude or dishonest
  778  dealing, their application to the Sandbox will be denied. A plea
  779  of no contest, a conviction, or a finding of guilt must be
  780  reported under this subparagraph regardless of adjudication.
  781         6. A copy of the disclosures that will be provided to
  782  consumers under paragraph (6)(c).
  783         7. The financial responsibility of any person substantially
  784  involved in the development, operation, or management of the
  785  applicant’s innovative financial product or service.
  786         8. Any other factor that the office determines to be
  787  relevant.
  788         (f) The office may not approve an application if:
  789         1. The applicant had a prior Financial Technology Sandbox
  790  application that was approved and that related to a
  791  substantially similar financial product or service; or
  792         2. Any person substantially involved in the development,
  793  operation, or management of the applicant’s innovative financial
  794  product or service was substantially involved with another
  795  Financial Technology Sandbox applicant whose application was
  796  approved and whose application related to a substantially
  797  similar financial product or service.
  798         (g) Upon approval of an application, the office shall
  799  specify the general law or rule requirements, or portions
  800  thereof, for which an exception or rule waiver is granted during
  801  the sandbox period and the length of the initial sandbox period,
  802  not to exceed 24 months. The office shall post on its website
  803  notice of the approval of the application, a summary of the
  804  innovative financial product or service, and the contact
  805  information of the person making the financial product or
  806  service available.
  807         (5) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
  808         (a) A person whose Financial Technology Sandbox application
  809  is approved may make an innovative financial product or service
  810  available to consumers during the sandbox period.
  811         (b) The office may, on a case-by-case basis and after
  812  consultation with the person who makes the financial product or
  813  service available to consumers, specify the maximum number of
  814  consumers authorized to receive an innovative financial product
  815  or service. The office may not authorize more than 15,000
  816  consumers to receive the financial product or service until the
  817  person who makes the financial product or service available to
  818  consumers has filed the first report required under subsection
  819  (8). After the filing of the report, if the person demonstrates
  820  adequate financial capitalization, risk management process, and
  821  management oversight, the office may authorize up to 25,000
  822  consumers to receive the financial product or service.
  823         (c)1. Before a consumer purchases, uses, receives, or
  824  enters into an agreement to purchase, use, or receive an
  825  innovative financial product or service through the Financial
  826  Technology Sandbox, the person making the financial product or
  827  service available must provide a written statement of all of the
  828  following to the consumer:
  829         a. The name and contact information of the person making
  830  the financial product or service available to consumers.
  831         b. That the financial product or service has been
  832  authorized to be made available to consumers for a temporary
  833  period by the office, under the laws of this state.
  834         c. That this state does not endorse the financial product
  835  or service.
  836         d. That the financial product or service is undergoing
  837  testing, may not function as intended, and may entail financial
  838  risk.
  839         e. That the person making the financial product or service
  840  available to consumers is not immune from civil liability for
  841  any losses or damages caused by the financial product or
  842  service.
  843         f. The expected end date of the sandbox period.
  844         g. The contact information for the office, and notification
  845  that suspected legal violations, complaints, or other comments
  846  related to the financial product or service may be submitted to
  847  the office.
  848         h. Any other statements or disclosures required by rule of
  849  the commission which are necessary to further the purposes of
  850  this section.
  851         2. The written statement must contain an acknowledgment
  852  from the consumer, which must be retained for the duration of
  853  the sandbox period by the person making the financial product or
  854  service available.
  855         (d) The office may enter into an agreement with a state,
  856  federal, or foreign regulatory agency to allow persons:
  857         1. Who make an innovative financial product or service
  858  available in this state through the Financial Technology Sandbox
  859  to make their products or services available in other
  860  jurisdictions.
  861         2. Who operate in similar financial technology sandboxes in
  862  other jurisdictions to make innovative financial products and
  863  services available in this state under the standards of this
  864  section.
  865         (e)1. A person whose Financial Technology Sandbox
  866  application is approved by the office shall maintain
  867  comprehensive records relating to the innovative financial
  868  product or service. The person shall keep these records for at
  869  least 5 years after the conclusion of the sandbox period. The
  870  commission may specify by rule additional records requirements.
  871         2. The office may examine the records maintained under
  872  subparagraph 1. at any time, with or without notice.
  873         (6) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
  874         (a) A person who is authorized to make an innovative
  875  financial product or service available to consumers may apply
  876  for an extension of the initial sandbox period for up to 12
  877  additional months for a purpose specified in subparagraph (b)1.
  878  or subparagraph (b)2. A complete application for an extension
  879  must be filed with the office at least 90 days before the
  880  conclusion of the initial sandbox period. The office shall
  881  approve or deny the application for extension in writing at
  882  least 35 days before the conclusion of the initial sandbox
  883  period. In deciding to approve or deny an application for
  884  extension of the sandbox period, the office must, at a minimum,
  885  consider the current status of the factors previously considered
  886  under paragraph (4)(e).
  887         (b) An application for an extension under paragraph (a)
  888  must cite one of the following reasons as the basis for the
  889  application and must provide all relevant supporting information
  890  that:
  891         1. Amendments to general law or rules are necessary to
  892  offer the innovative financial product or service in this state
  893  permanently.
  894         2. An application for a license that is required in order
  895  to offer the innovative financial product or service in this
  896  state permanently has been filed with the office, and approval
  897  is pending.
  898         (c) At least 30 days before the conclusion of the initial
  899  sandbox period or the extension, whichever is later, a person
  900  who makes an innovative financial product or service available
  901  shall provide written notification to consumers regarding the
  902  conclusion of the initial sandbox period or the extension and
  903  may not make the financial product or service available to any
  904  new consumers after the conclusion of the initial sandbox period
  905  or the extension, whichever is later, until legal authority
  906  outside of the Financial Technology Sandbox exists to make the
  907  financial product or service available to consumers. After the
  908  conclusion of the sandbox period or the extension, whichever is
  909  later, the person who makes the innovative financial product or
  910  service available may:
  911         1. Collect and receive money owed to the person or pay
  912  money owed by the person, based on agreements with consumers
  913  made before the conclusion of the sandbox period or the
  914  extension.
  915         2. Take necessary legal action.
  916         3. Take other actions authorized by commission rule which
  917  are not inconsistent with this subsection.
  918         (7) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  919  REQUIREMENTS.—
  920         (a) Notwithstanding any other provision of law, upon
  921  approval of a Financial Technology Sandbox application, the
  922  office may grant an applicant a waiver of a requirement, or a
  923  portion thereof, which is imposed by rule as authorized by any
  924  of the following provisions of general law, if all of the
  925  conditions in paragraph (b) are met. If the application is
  926  approved for a person who otherwise would be subject to the
  927  provisions of chapters 560, 516, 517, 520, or 537, the following
  928  provisions shall not be applicable to the approved sandbox
  929  participant:
  930         1. Section 560.1105.
  931         2. Section 560.118.
  932         3. Section 560.125, except for s. 560.125(2).
  933         4. Section 560.128.
  934         5. Section 560.1401, except for s. 560.1401(2)-(4).
  935         6. Section 560.141, except for s. 560.141(1)(b)-(d).
  936         7. Section 560.142, except that the office may prorate
  937  the license renewal fees provided in ss. 560.142 and 560.143 for
  938  an extension granted under subsection (7).
  939         8. Section 560.143(2) to the extent necessary for proration
  940  of the renewal fee under subparagraph 7.
  941         9. Section 560.205, except for s. 560.205(1) and (3).
  942         10. Section 560.208, except for s. 560.208(3)-(6).
  943         11. Section 560.209, except that the office may modify the
  944  net worth, corporate surety bond, and collateral deposit amounts
  945  required under s. 560.209. The modified amounts must be in such
  946  lower amounts that the office determines to be commensurate with
  947  the considerations under paragraph (4)(e) and the maximum number
  948  of consumers authorized to receive the financial product or
  949  service under this section.
  950         12. Section 516.03, except for the license and
  951  investigation fee. The office may prorate the license renewal
  952  fees for an extension granted under subsection (8). The office
  953  may not waive the evidence of liquid assets of at least $25,000.
  954         13. Section 516.05, except that the office may make an
  955  investigation of the facts concerning the applicant’s
  956  background.
  957         14. Section 516.12.
  958         15. Section 516.19.
  959         16. Section 517.07.
  960         17. Section 517.12.
  961         18. Section 517.121.
  962         19. Section 520.03, except for the application fee. The
  963  office may prorate the license renewal fees for an extension
  964  granted under subsection (8).
  965         20. Section 520.12.
  966         21. Section 520.25.
  967         22. Section 520.32, except for the application fee. The
  968  office may prorate the license renewal fees for an extension
  969  granted under subsection (8).
  970         23. Section 520.39.
  971         24. Section 520.52, except for the application fee. The
  972  office may prorate the license renewal fees for an extension
  973  granted under subsection (8).
  974         25. Section 520.57.
  975         26. Section 520.63, except for the application fee. The
  976  office may prorate the license renewal fees for an extension
  977  granted under subsection (8).
  978         27. Section 520.997.
  979         28. Section 520.98.
  980         29. Section 537.004, except for s. 537.004(2) and (5). The
  981  office may prorate the license renewal fees for an extension
  982  granted under subsection (7).
  983         30. Section 537.005, except that the office may modify the
  984  corporate surety bond amount required by s. 537.005. The
  985  modified amount must be in such lower amount that the office
  986  determines to be commensurate with the considerations under
  987  paragraph (4)(e) and the maximum number of consumers authorized
  988  to receive the product or service under this section.
  989         31. Section 537.007.
  990         32. Section 537.009.
  991         33. Section 537.015.
  992         (b) During a sandbox period, the exceptions granted in
  993  paragraph (a) are applicable if all of the following conditions
  994  are met:
  995         1. The general law or corresponding rule currently prevents
  996  the innovative financial product or service to be made available
  997  to consumers.
  998         2. The exceptions or rule waivers are not broader than
  999  necessary to accomplish the purposes and standards specified in
 1000  this section, as determined by the office.
 1001         3. No provision relating to the liability of an
 1002  incorporator, director, or officer of the applicant is eligible
 1003  for a waiver.
 1004         4. The other requirements of this section are met.
 1005         (9) REPORT.—A person authorized to make an innovative
 1006  financial product or service available to consumers under this
 1007  section shall submit a report to the office twice a year as
 1008  prescribed by commission rule. The report must, at a minimum,
 1009  include financial reports and the number of consumers who have
 1010  received the financial product or service.
 1011         (10) CONSTRUCTION.—A person whose Financial Technology
 1012  Sandbox application is approved shall be deemed licensed under
 1013  the applicable exceptions to general law or waiver of the rule
 1014  requirements specified under subsection (7), unless the person’s
 1015  authorization to make the financial product or service available
 1016  to consumers under this section has been revoked or suspended.
 1017         (11) VIOLATIONS AND PENALTIES.—
 1018         (a) A person who makes an innovative financial product or
 1019  service available to consumers in the Financial Technology
 1020  Sandbox is:
 1021         1. Not immune from civil damages for acts and omissions
 1022  relating to this section.
 1023         2. Subject to all criminal statutes and any other statute
 1024  not specifically excepted under section (7).
 1025         (b)1. The office may, by order, revoke or suspend
 1026  authorization granted to a person to make an innovative
 1027  financial product or service available to consumers if:
 1028         a. The person has violated or refused to comply with this
 1029  section, a rule of the commission, an order of the office, or a
 1030  condition placed by the office on the approval of the person’s
 1031  Financial Technology Sandbox application;
 1032         b. A fact or condition exists that, if it had existed or
 1033  become known at the time that the Financial Technology Sandbox
 1034  application was pending, would have warranted denial of the
 1035  application or the imposition of material conditions;
 1036         c. A material error, false statement, misrepresentation, or
 1037  material omission was made in the Financial Technology Sandbox
 1038  application; or
 1039         d. After consultation with the person, continued testing of
 1040  the innovative financial product or service would:
 1041         (I) Be likely to harm consumers; or
 1042         (II) No longer serve the purposes of this section because
 1043  of the financial or operational failure of the financial product
 1044  or service.
 1045         2. Written notice of a revocation or suspension order made
 1046  under subparagraph 1. must be served using any means authorized
 1047  by law. If the notice relates to a suspension, the notice must
 1048  include any condition or remedial action that the person must
 1049  complete before the office lifts the suspension.
 1050         (c) The office may refer any suspected violation of law to
 1051  an appropriate state or federal agency for investigation,
 1052  prosecution, civil penalties, and other appropriate enforcement
 1053  actions.
 1054         (d) If service of process on a person making an innovative
 1055  financial product or service available to consumers in the
 1056  Financial Technology Sandbox is not feasible, service on the
 1057  office shall be deemed service on such person.
 1058         (12) RULES AND ORDERS.—
 1059         (a) The commission shall adopt rules to administer this
 1060  section.
 1061         (b) The office may issue all necessary orders to enforce
 1062  this section and may enforce the orders in accordance with
 1063  chapter 120 or in any court of competent jurisdiction. These
 1064  orders include, but are not limited to, orders for payment of
 1065  restitution for harm suffered by consumers as a result of an
 1066  innovative financial product or service.
 1067         Section 11. Except as otherwise expressly provided in this
 1068  act, this act shall take effect July 1, 2020.
 1069         
 1070  
 1071  ================= T I T L E  A M E N D M E N T ================
 1072  And the title is amended as follows:
 1073         Delete everything before the enacting clause
 1074  and insert:
 1075                        A bill to be entitled                      
 1076         An act relating to technology innovation; amending s. 20.22,
 1077  F.S.; renaming the division of State Technology within the
 1078  department of Management Services as the Division of
 1079  Telecommunications; adding Florida Digital Service to the
 1080  department; amending s. 282.0041, F.S.; providing definitions;
 1081  amending s. 282.0051, F.S.; establishing the Florida Digital
 1082  Service within the department; transferring specified powers,
 1083  duties, and functions; providing appointments and duties of the
 1084  state chief information officer and chief data officer of the
 1085  Florida Digital Service; requiring the Florida Digital Service
 1086  to develop a comprehensive enterprise architecture; providing
 1087  requirements for such enterprise architecture; providing duties
 1088  and authorities of the Florida Digital Service; providing duties
 1089  of the department under certain circumstances; providing
 1090  requirements for procurement terms of contract under certain
 1091  circumstances; prohibiting costs to the enterprise and law
 1092  enforcement for using services provided by credential service
 1093  providers under certain circumstances; providing requirements
 1094  for agreements between the department and credential service
 1095  providers and qualified entities under certain circumstances;
 1096  providing disposition of revenues generated from such agreements
 1097  under certain circumstances; providing report requirements;
 1098  providing rulemaking authority to the Florida Digital Service;
 1099  establishing the Enterprise Architecture Advisory Council;
 1100  requiring the council to comply with specified requirements;
 1101  providing membership and meeting requirements and duties of the
 1102  council; deleting provisions relating to specified duties and
 1103  powers of the Department of Legal Affairs, the Department of
 1104  Financial Services, and the Department of Agriculture and
 1105  Consumer Services; amending ss. 282.318, 287.0591, 365.171,
 1106  365.172, 365.173, and 943.0415, F.S.; conforming provisions to
 1107  changes made by the act; creating s. 559.952, F.S.; providing a
 1108  short title; creating the Financial Technology Sandbox within
 1109  the Office of Financial Regulation; defining terms; authorizing
 1110  the office to grant exceptions and waivers of specified
 1111  financial regulatory requirements to certain applicants offering
 1112  certain financial products or services during a sandbox period;
 1113  requiring an application for the program for persons who want to
 1114  make innovative financial products or services available to
 1115  consumers; providing application requirements and procedures;
 1116  providing standards for application approval or denial;
 1117  requiring the office to perform certain actions upon approval of
 1118  an application; specifying authorized actions of, limitations
 1119  on, and disclosure requirements for persons making financial
 1120  products or services available during a sandbox period;
 1121  authorizing the office to enter into agreement with certain
 1122  regulatory agencies for specified purposes; providing
 1123  recordkeeping requirements; authorizing the office to examine
 1124  specified records; providing requirements and procedures for
 1125  applying for extensions and concluding sandbox periods;
 1126  specifying criteria for granting an extension and a waiver
 1127  requiring written notification to consumers at the end of an
 1128  extension or conclusion of the sandbox period; providing acts
 1129  that persons who make innovative financial products or services
 1130  available to consumers may and may not engage in at the end of
 1131  an extension or conclusion of the sandbox period; specifying
 1132  reporting requirements to the office; providing construction;
 1133  providing that such persons are not immune from civil damages
 1134  and are subject to criminal and consumer protection laws;
 1135  providing penalties; providing for service of process; requiring
 1136  the Financial Services Commission to adopt rules; authorizing
 1137  the office to issue orders and enforce such orders through
 1138  administrative or judicial process; authorizing the office to
 1139  issue and enforce orders for payment of restitution; providing
 1140  effective dates.
 1141  