Bill Text: FL S1870 | 2020 | Regular Session | Comm Sub
NOTE: There are more recent revisions of this legislation.
Bill Title: Technology Innovation
Spectrum: Bipartisan Bill
Status: (Introduced - Dead) 2020-03-09 - Laid on Table, refer to CS/CS/CS/HB 1391 [S1870 Detail]
Download: Florida-2020-S1870-Comm_Sub.html
Florida Senate - 2020 CS for SB 1870

By the Committee on Innovation, Industry, and Technology; and Senator Hutson

580-03376-20 20201870c1

A bill to be entitled

An act relating to technology innovation; amending s. 20.22, F.S.; renaming the Division of State Technology within the Department of Management Services as the Division of Telecommunications; deleting provisions relating to the appointment of the Division of State Technology’s director and qualifications for the state chief information officer; adding the Florida Digital Service to the department; amending s. 282.0041, F.S.; defining terms; amending s. 282.0051, F.S.; establishing the Florida Digital Service within the department; transferring specified powers, duties, and functions of the department to the Florida Digital Service and revising such powers, duties, and functions; providing for appointments of a state chief information officer and a chief data officer and specifying their duties; requiring the Florida Digital Service to develop a comprehensive enterprise architecture; providing requirements for the enterprise architecture; specifying duties of, and authorized actions by, the Florida Digital Service; providing duties of, and authorized actions by, the department; authorizing the Florida Digital Service to adopt rules; amending s. 282.00515, F.S.; establishing the Enterprise Architecture Advisory Council; requiring the council to comply with specified requirements; specifying the composition of the council; providing membership and meeting requirements and duties of the council; deleting provisions relating to specified duties and powers of the Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services; amending ss. 282.318, 287.0591, 365.171, 365.172, 365.173, and 943.0415, F.S.; conforming provisions to changes made by the act; creating s. 559.952, F.S.; providing a short title; creating the Financial Technology Sandbox within the Office of Financial Regulation; defining terms; authorizing the office to grant waivers of specified financial regulatory requirements to certain applicants offering certain financial products or services during a sandbox period; authorizing certain persons to seek a declaratory statement before filing an application for the Financial Technology Sandbox; specifying requirements and procedures for an application to enter the Financial Technology Sandbox; specifying requirements and procedures for the office in reviewing applications; specifying authorized actions of, limitations on, and disclosure requirements for persons making financial products or services available during a sandbox period; authorizing the office to enter into agreement with certain regulatory agencies for specified purposes; providing recordkeeping requirements; authorizing the office to examine specified records; providing requirements and procedures for applying for extensions and concluding sandbox periods; requiring written notification to consumers at the end of an extension or conclusion of the sandbox period; providing acts that persons who make innovative financial products or services available to consumers may and may not engage in at the end of an extension or conclusion of the sandbox period; specifying state financial regulatory laws that the office may grant exceptions to; specifying reporting requirements to the office; providing construction; providing that such persons are not immune from civil damages and are subject to certain laws; providing penalties; providing for service of process; requiring the Financial Services Commission to adopt rules;
authorizing the office to issue orders and enforce 72 them through administrative or judicial process; 73 authorizing the office to issue and enforce orders for 74 payment of restitution; providing effective dates. 75 76 Be It Enacted by the Legislature of the State of Florida: 77 78 Section 1. Subsection (2) of section 20.22, Florida 79 Statutes, is amended to read: 80 20.22 Department of Management Services.—There is created a 81 Department of Management Services. 82 (2) Thefollowing divisions and programs within the83 Department of Management Services shall consist of the following 84are established: 85 (a) The Facilities Program. 86 (b) The Division of TelecommunicationsState Technology,87the director of which is appointed by the secretary of the88department and shall serve as the state chief information89officer. The state chief information officer must be a proven,90effective administrator who must have at least 10 years of91executive-level experience in the public or private sector,92preferably with experience in the development of information93technology strategic planning and the development and94implementation of fiscal and substantive information technology95policy and standards. 96 (c) The Workforce Program. 97 (d)1. The Support Program. 98 2. The Federal Property Assistance Program. 99 (e) The Administration Program. 100 (f) The Division of Administrative Hearings. 101 (g) The Division of Retirement. 102 (h) The Division of State Group Insurance. 103 (i) The Florida Digital Service. 104 Section 2. Section 282.0041, Florida Statutes, is amended 105 to read: 106 282.0041 Definitions.—As used in this chapter, the term: 107 (1) “Agency assessment” means the amount each customer 108 entity must pay annually for services from the Department of 109 Management Services and includes administrative and data center 110 services costs. 111 (2) “Agency data center” means agency space containing 10 112 or more physical or logical servers. 
113 (3) “Breach” has the same meaning as provided in s. 114 501.171. 115 (4) “Business continuity plan” means a collection of 116 procedures and information designed to keep an agency’s critical 117 operations running during a period of displacement or 118 interruption of normal operations. 119 (5) “Cloud computing” has the same meaning as provided in 120 Special Publication 800-145 issued by the National Institute of 121 Standards and Technology. 122 (6) “Computing facility” or “agency computing facility” 123 means agency space containing fewer than a total of 10 physical 124 or logical servers, but excluding single, logical-server 125 installations that exclusively perform a utility function such 126 as file and print servers. 127 (7) “Credential service provider” means a provider 128 competitively procured by the department to supply secure 129 identity management and verification services based on open 130 standards to qualified entities. 131 (8) “Customer entity” means an entity that obtains services 132 from the Department of Management Services. 133 (9)(8)“Data” means a subset of structured information in a 134 format that allows such information to be electronically 135 retrieved and transmitted. 136 (10) “Data-call” means an electronic transaction with the 137 credential service provider that verifies the authenticity of a 138 digital identity by querying enterprise data. 139 (11)(9)“Department” means the Department of Management 140 Services. 141 (12)(10)“Disaster recovery” means the process, policies, 142 procedures, and infrastructure related to preparing for and 143 implementing recovery or continuation of an agency’s vital 144 technology infrastructure after a natural or human-induced 145 disaster. 146 (13) “Electronic” means technology having electrical, 147 digital, magnetic, wireless, optical, electromagnetic, or 148 similar capabilities. 
149 (14) “Electronic credential” means a digital asset that 150 verifies the identity of a person, organization, application, or 151 device. 152 (15) “Enterprise” means the collection of state agencies. 153 The term includes the Department of Legal Affairs, the 154 Department of Agriculture and Consumer Services, the Department 155 of Financial Services, and the judicial branch. 156 (16) “Enterprise architecture” means a comprehensive 157 operational framework that contemplates the needs and assets of 158 the enterprise to support interoperability across state 159 government. 160 (17)(11)“Enterprise information technology service” means 161 an information technology service that is used in all agencies 162 or a subset of agencies and is established in law to be 163 designed, delivered, and managed at the enterprise level. 164 (18)(12)“Event” means an observable occurrence in a system 165 or network. 166 (19)(13)“Incident” means a violation or imminent threat of 167 violation, whether such violation is accidental or deliberate, 168 of information technology resources, security, policies, or 169 practices. An imminent threat of violation refers to a situation 170 in which the state agency has a factual basis for believing that 171 a specific incident is about to occur. 172 (20)(14)“Information technology” means equipment, 173 hardware, software, firmware, programs, systems, networks, 174 infrastructure, media, and related material used to 175 automatically, electronically, and wirelessly collect, receive, 176 access, transmit, display, store, record, retrieve, analyze, 177 evaluate, process, classify, manipulate, manage, assimilate, 178 control, communicate, exchange, convert, converge, interface, 179 switch, or disseminate information of any kind or form. 180 (21)(15)“Information technology policy” means a definite 181 course or method of action selected from among one or more 182 alternatives that guide and determine present and future 183 decisions. 
184 (22)(16)“Information technology resources” has the same 185 meaning as provided in s. 119.011. 186 (23)(17)“Information technology security” means the 187 protection afforded to an automated information system in order 188 to attain the applicable objectives of preserving the integrity, 189 availability, and confidentiality of data, information, and 190 information technology resources. 191 (24) “Interoperability” means the technical ability to 192 share and use data across and throughout the enterprise. 193 (25)(18)“Open data” means data collected or created by a 194 state agency and structured in a way that enables the data to be 195 fully discoverable and usable by the public. The term does not 196 include data that are restricted from public distribution based 197 on federal or state privacy, confidentiality, and security laws 198 and regulations or data for which a state agency is statutorily 199 authorized to assess a fee for its distribution. 200 (26)(19)“Performance metrics” means the measures of an 201 organization’s activities and performance. 202 (27)(20)“Project” means an endeavor that has a defined 203 start and end point; is undertaken to create or modify a unique 204 product, service, or result; and has specific objectives that, 205 when attained, signify completion. 206 (28)(21)“Project oversight” means an independent review 207 and analysis of an information technology project that provides 208 information on the project’s scope, completion timeframes, and 209 budget and that identifies and quantifies issues or risks 210 affecting the successful and timely completion of the project. 211 (29) “Qualified entity” means a public or private entity or 212 individual that enters into a binding agreement with the 213 department, meets usage criteria, agrees to terms and 214 conditions, and is subsequently and prescriptively authorized by 215 the department to access data under the terms of that agreement. 
216 (30)(22)“Risk assessment” means the process of identifying 217 security risks, determining their magnitude, and identifying 218 areas needing safeguards. 219 (31)(23)“Service level” means the key performance 220 indicators (KPI) of an organization or service which must be 221 regularly performed, monitored, and achieved. 222 (32)(24)“Service-level agreement” means a written contract 223 between the Department of Management Services and a customer 224 entity which specifies the scope of services provided, service 225 level, the duration of the agreement, the responsible parties, 226 and service costs. A service-level agreement is not a rule 227 pursuant to chapter 120. 228 (33)(25)“Stakeholder” means a person, group, organization, 229 or state agency involved in or affected by a course of action. 230 (34)(26)“Standards” means required practices, controls, 231 components, or configurations established by an authority. 232 (35)(27)“State agency” means any official, officer, 233 commission, board, authority, council, committee, or department 234 of the executive branch of state government; the Justice 235 Administrative Commission; and the Public Service Commission. 236 The term does not include university boards of trustees or state 237 universities. As used in part I of this chapter, except as 238 otherwise specifically provided, the term does not include the 239 Department of Legal Affairs, the Department of Agriculture and 240 Consumer Services, or the Department of Financial Services. 241 (36)(28)“SUNCOM Network” means the state enterprise 242 telecommunications system that provides all methods of 243 electronic or optical telecommunications beyond a single 244 building or contiguous building complex and used by entities 245 authorized as network users under this part. 246 (37)(29)“Telecommunications” means the science and 247 technology of communication at a distance, including electronic 248 systems used in the transmission or reception of information. 
249 (38)(30)“Threat” means any circumstance or event that has 250 the potential to adversely impact a state agency’s operations or 251 assets through an information system via unauthorized access, 252 destruction, disclosure, or modification of information or 253 denial of service. 254 (39)(31)“Variance” means a calculated value that 255 illustrates how far positive or negative a projection has 256 deviated when measured against documented estimates within a 257 project plan. 258 Section 3. Section 282.0051, Florida Statutes, is amended 259 to read: 260 282.0051 Florida Digital ServiceDepartment of Management261Services; powers, duties, and functions.—There is established 262 the Florida Digital Service within the department to create 263 innovative solutions that securely modernize state government, 264 achieve value through digital transformation and 265 interoperability, and fully support the cloud-first policy as 266 specified in s. 282.206. 267 (1) The Florida Digital Servicedepartmentshall have the 268 following powers, duties, and functions: 269 (a)(1)Develop and publish information technology policy 270 for the management of the state’s information technology 271 resources. 272 (b)(2)Establish and publish information technology 273 architecture standards to provide for the most efficient use of 274the state’sinformation technology resources and to ensure 275 compatibility and alignment with the needs of state agencies. 276 The Florida Digital Servicedepartmentshall assist state 277 agencies in complying with the standards. 278 (c)(3)Establish project management and oversight standards 279 with which state agencies must comply when implementing projects 280 that have an information technology componentprojects. The 281 Florida Digital Servicedepartmentshall provide training 282 opportunities to state agencies to assist in the adoption of the 283 project management and oversight standards. 
To support data 284 driven decisionmaking, the standards must include, but are not 285 limited to: 286 1.(a)Performance measurements and metrics that objectively 287 reflect the status of a project with an information technology 288 componentprojectbased on a defined and documented project 289 scope, cost, and schedule. 290 2.(b)Methodologies for calculating acceptable variances in 291 the projected versus actual scope, schedule, or cost of a 292 project with an information technology componentproject. 293 3.(c)Reporting requirements, including requirements 294 designed to alert all defined stakeholders that a project with 295 an information technology componentprojecthas exceeded 296 acceptable variances defined and documented in a project plan. 297 4.(d)Content, format, and frequency of project updates. 298 (d)(4)Perform project oversight on all state agency 299information technologyprojects that have an information 300 technology component with a total project costcostsof $10 301 million or more and that are funded in the General 302 Appropriations Act or any other law. The Florida Digital Service 303departmentshall report at least quarterly to the Executive 304 Office of the Governor, the President of the Senate, and the 305 Speaker of the House of Representatives on any project with an 306 information technology componentprojectthat the Florida 307 Digital Servicedepartmentidentifies as high-risk due to the 308 project exceeding acceptable variance ranges defined and 309 documented in a project plan. The report must include a risk 310 assessment, including fiscal risks, associated with proceeding 311 to the next stage of the project, and a recommendation for 312 corrective actions required, including suspension or termination 313 of the project. The Florida Digital Service shall establish a 314 process for state agencies to apply for an exception to the 315 requirements of this paragraph for a specific project with an 316 information technology component. 
317 (e)(5)Identify opportunities for standardization and 318 consolidation of information technology services that support 319 interoperability and the cloud-first policy as specified in s. 320 282.206, business functions and operations, including 321 administrative functions such as purchasing, accounting and 322 reporting, cash management, and personnel, and that are common 323 across state agencies. The Florida Digital Servicedepartment324 shall biennially on April 1 provide recommendations for 325 standardization and consolidation to the Executive Office of the 326 Governor, the President of the Senate, and the Speaker of the 327 House of Representatives. 328 (f)(6)Establish best practices for the procurement of 329 information technology products and cloud-computing services in 330 order to reduce costs, increase the quality of data center 331 services, or improve government services. 332 (g)(7)Develop standards for information technology reports 333 and updates, including, but not limited to, operational work 334 plans, project spend plans, and project status reports, for use 335 by state agencies. 336 (h)(8)Upon request, assist state agencies in the 337 development of information technology-related legislative budget 338 requests. 339 (i)(9)Conduct annual assessments of state agencies to 340 determine compliance with all information technology standards 341 and guidelines developed and published by the Florida Digital 342 Servicedepartmentand provide results of the assessments to the 343 Executive Office of the Governor, the President of the Senate, 344 and the Speaker of the House of Representatives. 345 (j)(10)Provide operational management and oversight of the 346 state data center established pursuant to s. 282.201, which 347 includes: 348 1.(a)Implementing industry standards and best practices 349 for the state data center’s facilities, operations, maintenance, 350 planning, and management processes. 
351 2.(b)Developing and implementing cost-recovery or other 352 payment mechanisms that recover the full direct and indirect 353 cost of services through charges to applicable customer 354 entities. Such cost-recovery or other payment mechanisms must 355 comply with applicable state and federal regulations concerning 356 distribution and use of funds and must ensure that, for any 357 fiscal year, no service or customer entity subsidizes another 358 service or customer entity. 359 3.(c)Developing and implementing appropriate operating 360 guidelines and procedures necessary for the state data center to 361 perform its duties pursuant to s. 282.201. The guidelines and 362 procedures must comply with applicable state and federal laws, 363 regulations, and policies and conform to generally accepted 364 governmental accounting and auditing standards. The guidelines 365 and procedures must include, but need not be limited to: 366 a.1.Implementing a consolidated administrative support 367 structure responsible for providing financial management, 368 procurement, transactions involving real or personal property, 369 human resources, and operational support. 370 b.2.Implementing an annual reconciliation process to 371 ensure that each customer entity is paying for the full direct 372 and indirect cost of each service as determined by the customer 373 entity’s use of each service. 374 c.3.Providing rebates that may be credited against future 375 billings to customer entities when revenues exceed costs. 376 d.4.Requiring customer entities to validate that 377 sufficient funds exist in the appropriate data processing 378 appropriation category or will be transferred into the 379 appropriate data processing appropriation category before 380 implementation of a customer entity’s request for a change in 381 the type or level of service provided, if such change results in 382 a net increase to the customer entity’s cost for that fiscal 383 year. 
384 e.5.By November 15 of each year, providing to the Office 385 of Policy and Budget in the Executive Office of the Governor and 386 to the chairs of the legislative appropriations committees the 387 projected costs of providing data center services for the 388 following fiscal year. 389 f.6.Providing a plan for consideration by the Legislative 390 Budget Commission if the cost of a service is increased for a 391 reason other than a customer entity’s request made pursuant to 392 sub-subparagraph d.subparagraph 4.Such a plan is required only 393 if the service cost increase results in a net increase to a 394 customer entity for that fiscal year. 395 g.7.Standardizing and consolidating procurement and 396 contracting practices. 397 4.(d)In collaboration with the Department of Law 398 Enforcement, developing and implementing a process for 399 detecting, reporting, and responding to information technology 400 security incidents, breaches, and threats. 401 5.(e)Adopting rules relating to the operation of the state 402 data center, including, but not limited to, budgeting and 403 accounting procedures, cost-recovery or other payment 404 methodologies, and operating procedures. 405(f) Conducting an annual market analysis to determine406whether the state’s approach to the provision of data center407services is the most effective and cost-efficient manner by408which its customer entities can acquire such services, based on409federal, state, and local government trends; best practices in410service provision; and the acquisition of new and emerging411technologies. The results of the market analysis shall assist412the state data center in making adjustments to its data center413service offerings.414 (k)(11)Recommend other information technology services 415 that should be designed, delivered, and managed as enterprise 416 information technology services. 
Recommendations must include 417 the identification of existing information technology resources 418 associated with the services, if existing services must be 419 transferred as a result of being delivered and managed as 420 enterprise information technology services. 421 (l)(12)In consultation with state agencies, propose a 422 methodology and approach for identifying and collecting both 423 current and planned information technology expenditure data at 424 the state agency level. 425 (m)1.(13)(a)Notwithstanding any other law, provide project 426 oversight on any project with an information technology 427 componentprojectof the Department of Financial Services, the 428 Department of Legal Affairs, and the Department of Agriculture 429 and Consumer Services which has a total project cost of $25 430 million or more and which impacts one or more other agencies. 431 Such projects with an information technology componentprojects432 must also comply with the applicable information technology 433 architecture, project management and oversight, and reporting 434 standards established by the Florida Digital Servicedepartment. 435 The Florida Digital Service shall establish a process for the 436 Department of Financial Services, the Department of Legal 437 Affairs, and the Department of Agriculture and Consumer Services 438 to apply for an exception to the requirements of this paragraph 439 for a specific project with an information technology component. 440 2.(b)When performing the project oversight function 441 specified in subparagraph 1.paragraph (a), report at least 442 quarterly to the Executive Office of the Governor, the President 443 of the Senate, and the Speaker of the House of Representatives 444 on any project with an information technology componentproject445 that the Florida Digital Servicedepartmentidentifies as high 446 risk due to the project exceeding acceptable variance ranges 447 defined and documented in the project plan. 
The report shall 448 include a risk assessment, including fiscal risks, associated 449 with proceeding to the next stage of the project and a 450 recommendation for corrective actions required, including 451 suspension or termination of the project. 452 (n)(14)If a project with an information technology 453 componentprojectimplemented by a state agency must be 454 connected to or otherwise accommodated by an information 455 technology system administered by the Department of Financial 456 Services, the Department of Legal Affairs, or the Department of 457 Agriculture and Consumer Services, consult with these 458 departments regarding the risks and other effects of such 459 projects on their information technology systems and work 460 cooperatively with these departments regarding the connections, 461 interfaces, timing, or accommodations required to implement such 462 projects. 463 (o)(15)If adherence to standards or policies adopted by or 464 established pursuant to this section causes conflict with 465 federal regulations or requirements imposed on a state agency 466 and results in adverse action against the state agency or 467 federal funding, work with the state agency to provide 468 alternative standards, policies, or requirements that do not 469 conflict with the federal regulation or requirement. The Florida 470 Digital Servicedepartmentshall annually report such 471 alternative standards to the Governor, the President of the 472 Senate, and the Speaker of the House of Representatives. 473 (p)1.(16)(a)Establish an information technology policy for 474 all information technology-related state contracts, including 475 state term contracts for information technology commodities, 476 consultant services, and staff augmentation services. The 477 information technology policy must include: 478 a.1.Identification of the information technology product 479 and service categories to be included in state term contracts. 
480 b.2.Requirements to be included in solicitations for state 481 term contracts. 482 c.3.Evaluation criteria for the award of information 483 technology-related state term contracts. 484 d.4.The term of each information technology-related state 485 term contract. 486 e.5.The maximum number of vendors authorized on each state 487 term contract. 488 2.(b)Evaluate vendor responses for information technology 489 related state term contract solicitations and invitations to 490 negotiate. 491 3.(c)Answer vendor questions on information technology 492 related state term contract solicitations. 493 4.(d)Ensure that the information technology policy 494 established pursuant to subparagraph 1.paragraph (a)is 495 included in all solicitations and contracts that are 496 administratively executed by the department. 497 (q)(17)Recommend potential methods for standardizing data 498 across state agencies which will promote interoperability and 499 reduce the collection of duplicative data. 500 (r)(18)Recommend open data technical standards and 501 terminologies for use by state agencies. 502 (2)(a) The Secretary of Management Services shall appoint a 503 state chief information officer, who shall administer the 504 Florida Digital Service and is included in the Senior Management 505 Service. 506 (b) The state chief information officer shall appoint a 507 chief data officer, who shall report to the state chief 508 information officer and is included in the Senior Management 509 Service. 510 (3) The Florida Digital Service shall develop a 511 comprehensive enterprise architecture that: 512 (a) Recognizes the unique needs of those included within 513 the enterprise that results in the publication of standards, 514 terminologies, and procurement guidelines to facilitate digital 515 interoperability. 516 (b) Supports the cloud-first policy as specified in s. 517 282.206. 
518 (c) Addresses how information technology infrastructure may 519 be modernized to achieve cloud-first objectives. 520 (4) The Florida Digital Service shall, pursuant to 521 legislative appropriation: 522 (a) Create and maintain a comprehensive indexed data 523 catalog that lists what data elements are housed within the 524 enterprise and in which legacy system or application these data 525 elements are located. 526 (b) Develop and publish, in collaboration with the 527 enterprise, a data dictionary for each agency that reflects the 528 nomenclature in the comprehensive indexed data catalog. 529 (c) Review and document use cases across the enterprise 530 architecture. 531 (d) Develop and publish standards that support the creation 532 and deployment of application programming interfaces to 533 facilitate integration throughout the enterprise. 534 (e) Facilitate collaborative analysis of enterprise 535 architecture data to improve service delivery. 536 (f) Develop plans to provide a testing environment in which 537 any newly developed solution can be tested for compliance within 538 the enterprise architecture and for functionality assurance 539 before deployment. 540 (g) Publish standards necessary to facilitate a secure 541 ecosystem of data interoperability that is compliant with the 542 enterprise architecture and allows for a qualified entity to 543 access the enterprise’s data under the terms of the agreements 544 with the department. 545 (h) Publish standards that facilitate the deployment of 546 applications or solutions to existing enterprise obligations in 547 a controlled and phased approach, including, but not limited to: 548 1. Electronic credentials, including digital licenses as 549 referenced in s. 322.032. 550 2. Interoperability that enables supervisors of elections 551 to authenticate voter eligibility in real time at the point of 552 service. 553 3. The criminal justice database. 554 4. 
Motor vehicle insurance cancellation integration between 555 insurers and the Department of Highway Safety and Motor 556 Vehicles. 557 5. Interoperability solutions between agencies, including, 558 but not limited to, the Department of Health, the Agency for 559 Health Care Administration, the Agency for Persons with 560 Disabilities, the Department of Education, the Department of 561 Elderly Affairs, and the Department of Children and Families. 562 6. Interoperability solutions to support military members, 563 veterans, and their families. 564 (5) Pursuant to legislative authorization and subject to 565 appropriation: 566 (a) The department may procure a credential service 567 provider through a competitive process pursuant to s. 287.057. 568 The terms of the contract developed from such procurement must 569 pay for the value on a per-data-call or subscription basis, and 570 there shall be no cost to the enterprise or law enforcement for 571 using the services provided by the credential service provider. 572 (b) The department may enter into agreements with qualified 573 entities that have the technological capabilities necessary to 574 integrate with the credential service provider; ensure secure 575 validation and authentication of data; meet usage criteria; and 576 agree to terms and conditions, privacy policies, and uniform 577 remittance terms relating to the consumption of enterprise data. 578 These agreements must include clear, enforceable, and 579 significant penalties for violations of the agreements. 580 (c) The department may enter into agreements with qualified 581 entities that meet usage criteria and agree to the enterprise 582 architecture terms of service and privacy policies. These 583 agreements must include clear, enforceable, and significant 584 penalties for violations of the agreements. 
585 (d) The terms of the agreements between the department, the 586 credential service provider, and the qualified entities shall be 587 based on the per-data-call or subscription charges to validate 588 and authenticate and allow the department to recover any state 589 costs for implementing and administering a solution. Credential 590 service provider and qualifying entity revenues may not be 591 derived from any other transactions that generate revenue for 592 the enterprise outside of the per-data-call or subscription 593 charges. 594 (e) All revenues generated from the agreements with the 595 credential service provider and qualified entities shall be 596 remitted to the department, and the department shall deposit 597 these revenues into the Department of Management Services 598 Operating Trust Fund for distribution pursuant to a legislative 599 appropriation and department agreements with the credential 600 service provider and qualified entities. 601 (f) Upon the signing of the agreement and the enterprise 602 architecture terms of service and privacy policies with a 603 qualified entity, the department shall provide to the qualified 604 entity, as applicable, appropriate access to enterprise data to 605 facilitate authorized integrations to collaboratively solve 606 enterprise use cases. 607 (6) The Florida Digital Service may develop a process to: 608 (a) Receive written notice from the state agencies within 609 the enterprise of any planned or existing procurement of an 610 information technology project that is subject to governance by 611 the enterprise architecture. 612 (b) Intervene in any planned procurement by a state agency 613 so that the procurement complies with the enterprise 614 architecture. 615 (c) Report to the Governor, the President of the Senate, 616 and the Speaker of the House of Representatives on any 617 information technology project within the judicial branch that 618 does not comply with the enterprise architecture. 
619 (7) [stricken: (19)] The Florida Digital Service may adopt rules to 620 administer this section. 621 Section 4. Section 282.00515, Florida Statutes, is amended 622 to read: 623 282.00515 Enterprise Architecture Advisory Council [stricken: Duties 624 of Cabinet agencies].— 625 (1)(a) The Enterprise Architecture Advisory Council, an 626 advisory council as defined in s. 20.03(7), is established 627 within the Department of Management Services. The council shall 628 comply with the requirements of s. 20.052 except as otherwise 629 provided in this section. 630 (b) The council shall consist of the following members: 631 1. Four members appointed by the Governor. 632 2. One member appointed by the President of the Senate. 633 3. One member appointed by the Speaker of the House of 634 Representatives. 635 4. One member appointed by the Chief Justice of the Supreme 636 Court. 637 5. The director of the Office of Policy and Budget in the 638 Executive Office of the Governor, or the person acting in the 639 director’s capacity should the position be vacant. 640 6. The Secretary of Management Services, or the person 641 acting in the secretary’s capacity should the position be 642 vacant. 643 7. The state chief information officer, or the person 644 acting in the state chief information officer’s capacity should 645 the position be vacant. 646 8. The chief information officer of the Department of 647 Financial Services, or the person acting in the chief 648 information officer’s capacity should the position be vacant. 649 9. The chief information officer of the Department of Legal 650 Affairs, or the person acting in the chief information officer’s 651 capacity should the position be vacant. 652 10. The chief information officer of the Department of 653 Agriculture and Consumer Services, or the person acting in the 654 chief information officer’s capacity should the position be 655 vacant. 
656 (2)(a) The appointments made by the Governor, the President 657 of the Senate, the Speaker of the House of Representatives, and 658 the Chief Justice of the Supreme Court are for terms of 4 years. 659 However, for the purpose of providing staggered terms: 660 1. The appointments made by the Governor, the President of 661 the Senate, and the Speaker of the House of Representatives are 662 for initial terms of 2 years. 663 2. The appointment made by the Chief Justice is for an 664 initial term of 3 years. 665 (b) A vacancy on the council among members appointed under 666 subparagraph (1)(b)1., subparagraph (1)(b)2., subparagraph 667 (1)(b)3., or subparagraph (1)(b)4. shall be filled in the same 668 manner as the original appointment for the remainder of the 669 unexpired term. 670 (c) The council shall elect a chair from among its members. 671 (d) The council shall meet at least semiannually, beginning 672 October 1, 2020, to discuss implementation, management, and 673 coordination of the enterprise architecture as defined in s. 674 282.0041; identify potential issues and threats with specific 675 use cases; and recommend proactive solutions. The council may 676 conduct its meetings through teleconferences or other similar 677 means [stricken: The Department of Legal Affairs, the Department of 678 Financial Services, and the Department of Agriculture and 679 Consumer Services shall adopt the standards established in s. 680 282.0051(2), (3), and (7) or adopt alternative standards based 681 on best practices and industry standards, and may contract with 682 the department to provide or perform any of the services and 683 functions described in s. 282.0051 for the Department of Legal 684 Affairs, the Department of Financial Services, or the Department 685 of Agriculture and Consumer Services]. 686 Section 5. 
Paragraph (a) of subsection (3) of section 687 282.318, Florida Statutes, is amended to read: 688 282.318 Security of data and information technology.— 689 (3) The department is responsible for establishing 690 standards and processes consistent with generally accepted best 691 practices for information technology security, to include 692 cybersecurity, and adopting rules that safeguard an agency’s 693 data, information, and information technology resources to 694 ensure availability, confidentiality, and integrity and to 695 mitigate risks. The department shall also: 696 (a) Designate a state chief information security officer 697 who shall be appointed by and report to the state chief 698 information officer of the Florida Digital Service and is in the 699 Senior Management Service. The state chief information security 700 officer must have experience and expertise in security and risk 701 management for communications and information technology 702 resources. 703 Section 6. Subsection (4) of section 287.0591, Florida 704 Statutes, is amended to read: 705 287.0591 Information technology.— 706 (4) If the department issues a competitive solicitation for 707 information technology commodities, consultant services, or 708 staff augmentation contractual services, the Florida Digital 709 Service [stricken: Division of State Technology] within the department shall 710 participate in such solicitations. 711 Section 7. Paragraph (a) of subsection (3) of section 712 365.171, Florida Statutes, is amended to read: 713 365.171 Emergency communications number E911 state plan.— 714 (3) DEFINITIONS.—As used in this section, the term: 715 (a) “Office” means the Division of Telecommunications [stricken: State 716 Technology] within the Department of Management Services, as 717 designated by the secretary of the department. 718 Section 8. 
Paragraph (s) of subsection (3) of section 719 365.172, Florida Statutes, is amended to read: 720 365.172 Emergency communications number “E911.”— 721 (3) DEFINITIONS.—Only as used in this section and ss. 722 365.171, 365.173, 365.174, and 365.177, the term: 723 (s) “Office” means the Division of Telecommunications [stricken: State 724 Technology] within the Department of Management Services, as 725 designated by the secretary of the department. 726 Section 9. Paragraph (a) of subsection (1) of section 727 365.173, Florida Statutes, is amended to read: 728 365.173 Communications Number E911 System Fund.— 729 (1) REVENUES.— 730 (a) Revenues derived from the fee levied on subscribers 731 under s. 365.172(8) must be paid by the board into the State 732 Treasury on or before the 15th day of each month. Such moneys 733 must be accounted for in a special fund to be designated as the 734 Emergency Communications Number E911 System Fund, a fund created 735 in the Division of Telecommunications [stricken: State Technology], or other 736 office as designated by the Secretary of Management Services. 737 Section 10. Subsection (5) of section 943.0415, Florida 738 Statutes, is amended to read: 739 943.0415 Cybercrime Office.—There is created within the 740 Department of Law Enforcement the Cybercrime Office. The office 741 may: 742 (5) Consult with the Florida Digital Service [stricken: Division of 743 State Technology] within the Department of Management Services in 744 the adoption of rules relating to the information technology 745 security provisions in s. 282.318. 746 Section 11. 
Effective January 1, 2021, section 559.952, 747 Florida Statutes, is created to read: 748 559.952 Financial Technology Sandbox.— 749 (1) SHORT TITLE.—This section may be cited as the 750 “Financial Technology Sandbox.” 751 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is 752 created the Financial Technology Sandbox within the Office of 753 Financial Regulation to allow financial technology innovators to 754 test new products and services in a supervised, flexible 755 regulatory sandbox using exceptions to specified general law and 756 waivers of the corresponding rule requirements under defined 757 conditions. The creation of a supervised, flexible regulatory 758 sandbox provides a welcoming business environment for technology 759 innovators and may lead to significant business growth. 760 (3) DEFINITIONS.—As used in this section, the term: 761 (a) “Commission” means the Financial Services Commission. 762 (b) “Consumer” means a person in this state, whether a 763 natural person or a business entity, who purchases, uses, 764 receives, or enters into an agreement to purchase, use, or 765 receive an innovative financial product or service made 766 available through the Financial Technology Sandbox. 767 (c) “Financial product or service” means a product or 768 service related to finance, including securities, consumer 769 credit, or money transmission, which is traditionally subject to 770 general law or rule requirements in the provisions enumerated in 771 paragraph (7)(a) and which is under the jurisdiction of the 772 office. 773 (d) “Financial Technology Sandbox” means the program 774 created in this section which allows a person to make an 775 innovative financial product or service available to consumers 776 through the provisions enumerated in paragraph (7)(a) during a 777 sandbox period through an exception to general laws or a waiver 778 of rule requirements, or portions thereof, as specified in this 779 section. 
780 (e) “Innovative” means new or emerging technology, or new 781 uses of existing technology, which provides a product, service, 782 business model, or delivery mechanism to the public. 783 (f) “Office” means, unless the context clearly indicates 784 otherwise, the Office of Financial Regulation. 785 (g) “Sandbox period” means the period, initially not longer 786 than 24 months, in which the office has: 787 1. Authorized an innovative financial product or service to 788 be made available to consumers. 789 2. Granted the person who makes the innovative financial 790 product or service available an exception to general law or a 791 waiver of the corresponding rule requirements, as determined by 792 the office, so that the authorization under subparagraph 1. is 793 possible. 794 (4) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR 795 APPROVAL.— 796 (a) Before filing an application to enter the Financial 797 Technology Sandbox, a substantially affected person may seek a 798 declaratory statement pursuant to s. 120.565 regarding the 799 applicability of a statute, rule, or agency order to the 800 petitioner’s particular set of circumstances. 801 (b) Before making an innovative financial product or 802 service available to consumers in the Financial Technology 803 Sandbox, a person must file an application with the office. The 804 commission shall prescribe by rule the form and manner of the 805 application. 806 1. In the application, the person must specify the general 807 law or rule requirements for which an exception or a waiver is 808 sought and the reasons why these requirements prevent the 809 innovative financial product or service from being made 810 available to consumers. 811 2. The application must also contain the information 812 specified in paragraph (e). 
813 (c) A business entity filing an application under this 814 section must be a domestic corporation or other organized 815 domestic entity with a physical presence, other than that of a 816 registered office or agent or virtual mailbox, in this state. 817 (d) Before a person applies on behalf of a business entity 818 intending to make an innovative financial product or service 819 available to consumers, the person must obtain the consent of 820 the business entity. 821 (e) The office shall approve or deny in writing a Financial 822 Technology Sandbox application within 60 days after receiving 823 the completed application. The office and the applicant may 824 jointly agree to extend the time beyond 60 days. Consistent with 825 this section, the office may impose conditions on any approval. 826 In deciding to approve or deny an application, the office must 827 consider each of the following: 828 1. The nature of the innovative financial product or 829 service proposed to be made available to consumers in the 830 Financial Technology Sandbox, including all relevant technical 831 details. 832 2. The potential risk to consumers and the methods that 833 will be used to protect consumers and resolve complaints during 834 the sandbox period. 835 3. The business plan proposed by the applicant, including a 836 statement regarding the applicant’s current and proposed 837 capitalization. 838 4. Whether the applicant has the necessary personnel, 839 adequate financial and technical expertise, and a sufficient 840 plan to test, monitor, and assess the innovative financial 841 product or service. 842 5. 
If any person substantially involved in the development, 843 operation, or management of the applicant’s innovative financial 844 product or service has pled no contest to, has been convicted or 845 found guilty of, or is currently under investigation for, fraud, 846 a state or federal securities violation, any property-based 847 offense, or any crime involving moral turpitude or dishonest 848 dealing, their application to the Financial Technology Sandbox 849 will be denied. A plea of no contest, a conviction, or a finding 850 of guilt must be reported under this subparagraph regardless of 851 adjudication. 852 6. A copy of the disclosures that will be provided to 853 consumers under paragraph (6)(c). 854 7. The financial responsibility of any person substantially 855 involved in the development, operation, or management of the 856 applicant’s innovative financial product or service. 857 8. Any other factor that the office determines to be 858 relevant. 859 (f) The office may not approve an application if: 860 1. The applicant had a prior Financial Technology Sandbox 861 application that was approved and that related to a 862 substantially similar financial product or service; or 863 2. Any person substantially involved in the development, 864 operation, or management of the applicant’s innovative financial 865 product or service was substantially involved with another 866 Financial Technology Sandbox applicant whose application was 867 approved and whose application related to a substantially 868 similar financial product or service. 869 (g) Upon approval of an application, the office shall 870 specify the general law or rule requirements, or portions 871 thereof, for which an exception or rule waiver is granted during 872 the sandbox period and the length of the initial sandbox period, 873 not to exceed 24 months. 
The office shall post on its website 874 notice of the approval of the application, a summary of the 875 innovative financial product or service, and the contact 876 information of the person making the financial product or 877 service available. 878 (5) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.— 879 (a) A person whose Financial Technology Sandbox application 880 is approved may make an innovative financial product or service 881 available to consumers during the sandbox period. 882 (b) The office may, on a case-by-case basis and after 883 consultation with the person who makes the financial product or 884 service available to consumers, specify the maximum number of 885 consumers authorized to receive an innovative financial product 886 or service. The office may not authorize more than 15,000 887 consumers to receive the financial product or service until the 888 person who makes the financial product or service available to 889 consumers has filed the first report required under subsection 890 (8). After the filing of the report, if the person demonstrates 891 adequate financial capitalization, risk management process, and 892 management oversight, the office may authorize up to 25,000 893 consumers to receive the financial product or service. 894 (c)1. Before a consumer purchases, uses, receives, or 895 enters into an agreement to purchase, use, or receive an 896 innovative financial product or service through the Financial 897 Technology Sandbox, the person making the financial product or 898 service available must provide a written statement of all of the 899 following to the consumer: 900 a. The name and contact information of the person making 901 the financial product or service available to consumers. 902 b. That the financial product or service has been 903 authorized to be made available to consumers for a temporary 904 period by the office, under the laws of this state. 905 c. That this state does not endorse the financial product 906 or service. 
907 d. That the financial product or service is undergoing 908 testing, may not function as intended, and may entail financial 909 risk. 910 e. That the person making the financial product or service 911 available to consumers is not immune from civil liability for 912 any losses or damages caused by the financial product or 913 service. 914 f. The expected end date of the sandbox period. 915 g. The contact information for the office, and notification 916 that suspected legal violations, complaints, or other comments 917 related to the financial product or service may be submitted to 918 the office. 919 h. Any other statements or disclosures required by rule of 920 the commission which are necessary to further the purposes of 921 this section. 922 2. The written statement must contain an acknowledgment 923 from the consumer, which must be retained for the duration of 924 the sandbox period by the person making the financial product or 925 service available. 926 (d) The office may enter into an agreement with a state, 927 federal, or foreign regulatory agency to allow persons: 928 1. Who make an innovative financial product or service 929 available in this state through the Financial Technology Sandbox 930 to make their products or services available in other 931 jurisdictions. 932 2. Who operate in similar financial technology sandboxes in 933 other jurisdictions to make innovative financial products and 934 services available in this state under the standards of this 935 section. 936 (e)1. A person whose Financial Technology Sandbox 937 application is approved by the office shall maintain 938 comprehensive records relating to the innovative financial 939 product or service. The person shall keep these records for at 940 least 5 years after the conclusion of the sandbox period. The 941 commission may specify by rule additional records requirements. 942 2. The office may examine the records maintained under 943 subparagraph 1. at any time, with or without notice. 
944 (6) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.— 945 (a) A person who is authorized to make an innovative 946 financial product or service available to consumers may apply 947 for an extension of the initial sandbox period for up to 12 948 additional months for a purpose specified in subparagraph (b)1. 949 or subparagraph (b)2. A complete application for an extension 950 must be filed with the office at least 90 days before the 951 conclusion of the initial sandbox period. The office shall 952 approve or deny the application for extension in writing at 953 least 35 days before the conclusion of the initial sandbox 954 period. In deciding to approve or deny an application for 955 extension of the sandbox period, the office must, at a minimum, 956 consider the current status of the factors previously considered 957 under paragraph (4)(e). 958 (b) An application for an extension under paragraph (a) 959 must cite one of the following reasons as the basis for the 960 application and must provide all relevant supporting information 961 that: 962 1. Amendments to general law or rules are necessary to 963 offer the innovative financial product or service in this state 964 permanently. 965 2. An application for a license that is required in order 966 to offer the innovative financial product or service in this 967 state permanently has been filed with the office, and approval 968 is pending. 
969 (c) At least 30 days before the conclusion of the initial 970 sandbox period or the extension, whichever is later, a person 971 who makes an innovative financial product or service available 972 shall provide written notification to consumers regarding the 973 conclusion of the initial sandbox period or the extension and 974 may not make the financial product or service available to any 975 new consumers after the conclusion of the initial sandbox period 976 or the extension, whichever is later, until legal authority 977 outside of the Financial Technology Sandbox exists to make the 978 financial product or service available to consumers. After the 979 conclusion of the sandbox period or the extension, whichever is 980 later, the person who makes the innovative financial product or 981 service available may: 982 1. Collect and receive money owed to the person or pay 983 money owed by the person, based on agreements with consumers 984 made before the conclusion of the sandbox period or the 985 extension. 986 2. Take necessary legal action. 987 3. Take other actions authorized by commission rule which 988 are not inconsistent with this subsection. 989 (7) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE 990 REQUIREMENTS.— 991 (a) Notwithstanding any other provision of law, upon 992 approval of a Financial Technology Sandbox application, the 993 office may grant an applicant a waiver of a requirement, or a 994 portion thereof, which is imposed by rule as authorized by any 995 of the following provisions of general law, if all of the 996 conditions in paragraph (b) are met. If the application is 997 approved for a person who otherwise would be subject to the 998 provisions of chapter 560, chapter 516, chapter 517, chapter 999 520, or chapter 537, the following provisions shall not be 1000 applicable to the approved sandbox participant: 1001 1. Section 560.1105. 1002 2. Section 560.118. 1003 3. Section 560.125, except for s. 560.125(2). 1004 4. Section 560.128. 1005 5. 
Section 560.1401, except for s. 560.1401(2)-(4). 1006 6. Section 560.141, except for s. 560.141(1)(b)-(d). 1007 7. Section 560.142, except that the office may prorate the 1008 license renewal fees provided in ss. 560.142 and 560.143 for an 1009 extension granted under subsection (6). 1010 8. Section 560.143(2), to the extent necessary for 1011 proration of the renewal fee under subparagraph 7. 1012 9. Section 560.205, except for s. 560.205(1) and (3). 1013 10. Section 560.208, except for s. 560.208(3)-(6). 1014 11. Section 560.209, except that the office may modify the 1015 net worth, corporate surety bond, and collateral deposit amounts 1016 required under s. 560.209. The modified amounts must be in such 1017 lower amounts that the office determines to be commensurate with 1018 the considerations under paragraph (4)(e) and the maximum number 1019 of consumers authorized to receive the financial product or 1020 service under this section. 1021 12. Section 516.03, except for the license and 1022 investigation fee. The office may prorate the license renewal 1023 fees for an extension granted under subsection (6). The office 1024 may not waive the evidence of liquid assets of at least $25,000. 1025 13. Section 516.05, except that the office may make an 1026 investigation of the facts concerning the applicant’s 1027 background. 1028 14. Section 516.12. 1029 15. Section 516.19. 1030 16. Section 517.07. 1031 17. Section 517.12. 1032 18. Section 517.121. 1033 19. Section 520.03, except for the application fee. The 1034 office may prorate the license renewal fees for an extension 1035 granted under subsection (6). 1036 20. Section 520.12. 1037 21. Section 520.25. 1038 22. Section 520.32, except for the application fee. The 1039 office may prorate the license renewal fees for an extension 1040 granted under subsection (6). 1041 23. Section 520.39. 1042 24. Section 520.52, except for the application fee. 
The 1043 office may prorate the license renewal fees for an extension 1044 granted under subsection (6). 1045 25. Section 520.57. 1046 26. Section 520.63, except for the application fee. The 1047 office may prorate the license renewal fees for an extension 1048 granted under subsection (6). 1049 27. Section 520.997. 1050 28. Section 520.98. 1051 29. Section 537.004, except for s. 537.004(2) and (5). The 1052 office may prorate the license renewal fees for an extension 1053 granted under subsection (6). 1054 30. Section 537.005, except that the office may modify the 1055 corporate surety bond amount required by s. 537.005. The 1056 modified amount must be in such lower amount that the office 1057 determines to be commensurate with the considerations under 1058 paragraph (4)(e) and the maximum number of consumers authorized 1059 to receive the product or service under this section. 1060 31. Section 537.007. 1061 32. Section 537.009. 1062 33. Section 537.015. 1063 (b) During a sandbox period, the exceptions granted in 1064 paragraph (a) are applicable if all of the following conditions 1065 are met: 1066 1. The general law or corresponding rule currently prevents 1067 the innovative financial product or service to be made available 1068 to consumers. 1069 2. The exceptions or rule waivers are not broader than 1070 necessary to accomplish the purposes and standards specified in 1071 this section, as determined by the office. 1072 3. No provision relating to the liability of an 1073 incorporator, director, or officer of the applicant is eligible 1074 for a waiver. 1075 4. The other requirements of this section are met. 1076 (8) REPORT.—A person authorized to make an innovative 1077 financial product or service available to consumers under this 1078 section shall submit a report to the office twice a year as 1079 prescribed by commission rule. 
The report must, at a minimum, 1080 include financial reports and the number of consumers who have 1081 received the financial product or service. 1082 (9) CONSTRUCTION.—A person whose Financial Technology 1083 Sandbox application is approved shall be deemed licensed under 1084 the applicable exceptions to general law or waiver of the rule 1085 requirements specified under subsection (7), unless the person’s 1086 authorization to make the financial product or service available 1087 to consumers under this section has been revoked or suspended. 1088 (10) VIOLATIONS AND PENALTIES.— 1089 (a) A person who makes an innovative financial product or 1090 service available to consumers in the Financial Technology 1091 Sandbox is: 1092 1. Not immune from civil damages for acts and omissions 1093 relating to this section. 1094 2. Subject to all criminal statutes and any other statute 1095 not specifically excepted under subsection (7). 1096 (b)1. The office may, by order, revoke or suspend 1097 authorization granted to a person to make an innovative 1098 financial product or service available to consumers if: 1099 a. The person has violated or refused to comply with this 1100 section, a rule of the commission, an order of the office, or a 1101 condition placed by the office on the approval of the person’s 1102 Financial Technology Sandbox application; 1103 b. A fact or condition exists that, if it had existed or 1104 become known at the time that the Financial Technology Sandbox 1105 application was pending, would have warranted denial of the 1106 application or the imposition of material conditions; 1107 c. A material error, false statement, misrepresentation, or 1108 material omission was made in the Financial Technology Sandbox 1109 application; or 1110 d. 
After consultation with the person, continued testing of 1111 the innovative financial product or service would: 1112 (I) Be likely to harm consumers; or 1113 (II) No longer serve the purposes of this section because 1114 of the financial or operational failure of the financial product 1115 or service. 1116 2. Written notice of a revocation or suspension order made 1117 under subparagraph 1. must be served using any means authorized 1118 by law. If the notice relates to a suspension, the notice must 1119 include any condition or remedial action that the person must 1120 complete before the office lifts the suspension. 1121 (c) The office may refer any suspected violation of law to 1122 an appropriate state or federal agency for investigation, 1123 prosecution, civil penalties, and other appropriate enforcement 1124 actions. 1125 (d) If service of process on a person making an innovative 1126 financial product or service available to consumers in the 1127 Financial Technology Sandbox is not feasible, service on the 1128 office shall be deemed service on such person. 1129 (11) RULES AND ORDERS.— 1130 (a) The commission shall adopt rules to administer this 1131 section. 1132 (b) The office may issue all necessary orders to enforce 1133 this section and may enforce the orders in accordance with 1134 chapter 120 or in any court of competent jurisdiction. These 1135 orders include, but are not limited to, orders for payment of 1136 restitution for harm suffered by consumers as a result of an 1137 innovative financial product or service. 1138 Section 12. Except as otherwise expressly provided in this 1139 act, this act shall take effect July 1, 2020.