Florida Senate - 2020               CS for CS for CS for SB 1870
       
       
        
       By the Committees on Appropriations; Banking and Insurance; and
       Innovation, Industry, and Technology; and Senators Hutson and
       Harrell
       
       
       
       576-04569-20                                          20201870c3
    1                        A bill to be entitled                      
    2         An act relating to technology innovation; amending s.
    3         20.22, F.S.; establishing the Florida Digital Service
    4         and the Division of Telecommunications within the
    5         Department of Management Services; abolishing the
    6         Division of State Technology within the department;
    7         amending s. 110.205, F.S.; exempting the state chief
    8         data officer and the state chief information security
    9         officer within the Florida Digital Service from the
   10         Career Service System; providing for the salary and
   11         benefits of such positions to be set by the
   12         department; amending s. 282.0041, F.S.; defining
   13         terms; revising the definition of the term “open
   14         data”; amending s. 282.0051, F.S.; revising
   15         information technology-related powers, duties, and
   16         functions of the department acting through the Florida
   17         Digital Service; specifying the designation of the
   18         state chief information officer and the state chief
   19         data officer; specifying qualifications for such
   20         positions; specifying requirements, contingent upon
   21         legislative appropriation, for the department;
   22         authorizing the department to develop a certain
   23         process; prohibiting the department from retrieving or
   24         disclosing any data without a certain shared-data
   25         agreement in place; specifying rulemaking authority
   26         for the department; amending s. 282.00515, F.S.;
   27         requiring the Department of Legal Affairs, the
   28         Department of Financial Services, or the Department of
   29         Agriculture and Consumer Services to notify the
   30         Governor and the Legislature and provide a certain
   31         justification and explanation if such agency adopts
   32         alternative standards to certain enterprise
   33         architecture standards; providing construction;
   34         prohibiting the department from retrieving or
   35         disclosing any data without a certain shared-data
   36         agreement in place; conforming a cross-reference;
   37         amending ss. 282.318, 287.0591, 365.171, 365.172,
   38         365.173, and 943.0415, F.S.; conforming provisions to
   39         changes made by the act; creating s. 559.952, F.S.;
   40         providing a short title; creating the Financial
   41         Technology Sandbox within the Office of Financial
   42         Regulation; defining terms; requiring the office, if
   43         certain conditions are met, to grant a license to a
   44         Financial Technology Sandbox applicant, grant
   45         exceptions to specified provisions of general law
   46         relating to consumer finance loans and money services
   47         businesses, and grant waivers of certain rules;
   48         authorizing a substantially affected person to seek a
   49         declaratory statement before applying to the Financial
   50         Technology Sandbox; specifying application
   51         requirements and procedures; specifying requirements
   52         and procedures for the office in reviewing and
   53         approving or denying applications; providing
   54         requirements for the office in specifying the number
   55         of the consumers authorized to receive an innovative
   56         financial product or service; specifying authorized
   57         actions of, limitations on, and requirements for
   58         licensees operating in the Financial Technology
   59         Sandbox; requiring licensees to make a specified
   60         disclosure to consumers; authorizing the office to
   61         enter into certain agreements with other regulatory
   62         agencies; authorizing the office to examine licensee
   63         records; authorizing a licensee to apply for one
   64         extension of an initial sandbox period for a certain
   65         timeframe; specifying requirements and procedures for
   66         applying for an extension; specifying requirements and
   67         procedures for, and authorized actions of, licensees
   68         when concluding a sandbox period or extension;
   69         requiring licensees to submit certain reports to the
   70         office at specified intervals; providing construction;
   71         specifying the liability of a licensee; authorizing
   72         the office to take certain disciplinary actions
   73         against a licensee under certain circumstances;
   74         providing construction relating to service of process;
   75         specifying the rulemaking authority of the Financial
   76         Services Commission; providing the office authority to
   77         issue orders and enforce the orders; providing an
   78         appropriation; providing that specified provisions of
   79         the act are contingent upon passage of other
   80         provisions addressing public records; providing
   81         effective dates.
   82          
   83  Be It Enacted by the Legislature of the State of Florida:
   84  
   85         Section 1. Subsection (2) of section 20.22, Florida
   86  Statutes, is amended to read:
   87         20.22 Department of Management Services.—There is created a
   88  Department of Management Services.
   89         (2) The following divisions, and programs, and services
   90  within the Department of Management Services are established:
   91         (a) Facilities Program.
   92         (b) The Florida Digital Service Division of State
   93  Technology, the director of which is appointed by the secretary
   94  of the department and shall serve as the state chief information
   95  officer. The state chief information officer must be a proven,
   96  effective administrator who must have at least 10 years of
   97  executive-level experience in the public or private sector,
   98  preferably with experience in the development of information
   99  technology strategic planning and the development and
  100  implementation of fiscal and substantive information technology
  101  policy and standards.
  102         (c) Workforce Program.
  103         (d)1. Support Program.
  104         2. Federal Property Assistance Program.
  105         (e) Administration Program.
  106         (f) Division of Administrative Hearings.
  107         (g) Division of Retirement.
  108         (h) Division of State Group Insurance.
   109         (i) Division of Telecommunications.
  110         Section 2. Paragraph (e) of subsection (2) of section
  111  110.205, Florida Statutes, is amended to read:
  112         110.205 Career service; exemptions.—
  113         (2) EXEMPT POSITIONS.—The exempt positions that are not
  114  covered by this part include the following:
  115         (e) The state chief information officer, the state chief
  116  data officer, and the state chief information security officer.
  117  Unless otherwise fixed by law, The Department of Management
  118  Services shall set the salary and benefits of these positions
  119  this position in accordance with the rules of the Senior
  120  Management Service.
  121         Section 3. Section 282.0041, Florida Statutes, is amended
  122  to read:
  123         282.0041 Definitions.—As used in this chapter, the term:
  124         (1) “Agency assessment” means the amount each customer
  125  entity must pay annually for services from the Department of
  126  Management Services and includes administrative and data center
  127  services costs.
  128         (2) “Agency data center” means agency space containing 10
  129  or more physical or logical servers.
  130         (3) “Breach” has the same meaning as provided in s.
  131  501.171.
  132         (4) “Business continuity plan” means a collection of
  133  procedures and information designed to keep an agency’s critical
  134  operations running during a period of displacement or
  135  interruption of normal operations.
  136         (5) “Cloud computing” has the same meaning as provided in
  137  Special Publication 800-145 issued by the National Institute of
  138  Standards and Technology.
  139         (6) “Computing facility” or “agency computing facility”
  140  means agency space containing fewer than a total of 10 physical
  141  or logical servers, but excluding single, logical-server
  142  installations that exclusively perform a utility function such
  143  as file and print servers.
  144         (7) “Customer entity” means an entity that obtains services
  145  from the Department of Management Services.
  146         (8) “Data” means a subset of structured information in a
  147  format that allows such information to be electronically
  148  retrieved and transmitted.
  149         (9) “Data governance” means the practice of organizing,
  150  classifying, securing, and implementing policies, procedures,
  151  and standards for the effective use of an organization’s data.
  152         (10) “Department” means the Department of Management
  153  Services.
  154         (11)(10) “Disaster recovery” means the process, policies,
  155  procedures, and infrastructure related to preparing for and
  156  implementing recovery or continuation of an agency’s vital
  157  technology infrastructure after a natural or human-induced
  158  disaster.
   159         (12) “Electronic” means technology having electrical,
  160  digital, magnetic, wireless, optical, electromagnetic, or
  161  similar capabilities.
   162         (13) “Electronic credential” means an electronic
  163  representation of the identity of a person, an organization, an
  164  application, or a device.
   165         (14) “Enterprise” means state agencies and the Department
  166  of Legal Affairs, the Department of Financial Services, and the
  167  Department of Agriculture and Consumer Services.
   168         (15) “Enterprise architecture” means a comprehensive
  169  operational framework that contemplates the needs and assets of
  170  the enterprise to support interoperability.
  171         (16)(11) “Enterprise information technology service” means
  172  an information technology service that is used in all agencies
  173  or a subset of agencies and is established in law to be
  174  designed, delivered, and managed at the enterprise level.
  175         (17)(12) “Event” means an observable occurrence in a system
  176  or network.
  177         (18)(13) “Incident” means a violation or imminent threat of
  178  violation, whether such violation is accidental or deliberate,
  179  of information technology resources, security, policies, or
  180  practices. An imminent threat of violation refers to a situation
  181  in which the state agency has a factual basis for believing that
  182  a specific incident is about to occur.
  183         (19)(14) “Information technology” means equipment,
  184  hardware, software, firmware, programs, systems, networks,
  185  infrastructure, media, and related material used to
  186  automatically, electronically, and wirelessly collect, receive,
  187  access, transmit, display, store, record, retrieve, analyze,
  188  evaluate, process, classify, manipulate, manage, assimilate,
  189  control, communicate, exchange, convert, converge, interface,
  190  switch, or disseminate information of any kind or form.
  191         (20)(15) “Information technology policy” means a definite
  192  course or method of action selected from among one or more
  193  alternatives that guide and determine present and future
  194  decisions.
  195         (21)(16) “Information technology resources” has the same
  196  meaning as provided in s. 119.011.
  197         (22)(17) “Information technology security” means the
  198  protection afforded to an automated information system in order
  199  to attain the applicable objectives of preserving the integrity,
  200  availability, and confidentiality of data, information, and
  201  information technology resources.
   202         (23) “Interoperability” means the technical ability to
  203  share and use data across and throughout the enterprise.
  204         (24)(18) “Open data” means data collected or created by a
  205  state agency, the Department of Legal Affairs, the Department of
  206  Financial Services, and the Department of Agriculture and
  207  Consumer Services, and structured in a way that enables the data
  208  to be fully discoverable and usable by the public. The term does
  209  not include data that are restricted from public disclosure
  210  distribution based on federal or state privacy, confidentiality,
  211  and security laws and regulations, including, but not limited
  212  to, those related to privacy, confidentiality, security,
  213  personal health, business or trade secret information, and
  214  exemptions from state public records laws; or data for which a
  215  state agency, the Department of Legal Affairs, the Department of
  216  Financial Services, or the Department of Agriculture and
  217  Consumer Services is statutorily authorized to assess a fee for
  218  its distribution.
  219         (25)(19) “Performance metrics” means the measures of an
  220  organization’s activities and performance.
  221         (26)(20) “Project” means an endeavor that has a defined
  222  start and end point; is undertaken to create or modify a unique
  223  product, service, or result; and has specific objectives that,
  224  when attained, signify completion.
  225         (27)(21) “Project oversight” means an independent review
  226  and analysis of an information technology project that provides
  227  information on the project’s scope, completion timeframes, and
  228  budget and that identifies and quantifies issues or risks
  229  affecting the successful and timely completion of the project.
  230         (28)(22) “Risk assessment” means the process of identifying
  231  security risks, determining their magnitude, and identifying
  232  areas needing safeguards.
  233         (29)(23) “Service level” means the key performance
  234  indicators (KPI) of an organization or service which must be
  235  regularly performed, monitored, and achieved.
  236         (30)(24) “Service-level agreement” means a written contract
  237  between the Department of Management Services and a customer
  238  entity which specifies the scope of services provided, service
  239  level, the duration of the agreement, the responsible parties,
  240  and service costs. A service-level agreement is not a rule
  241  pursuant to chapter 120.
  242         (31)(25) “Stakeholder” means a person, group, organization,
  243  or state agency involved in or affected by a course of action.
  244         (32)(26) “Standards” means required practices, controls,
  245  components, or configurations established by an authority.
  246         (33)(27) “State agency” means any official, officer,
  247  commission, board, authority, council, committee, or department
  248  of the executive branch of state government; the Justice
  249  Administrative Commission; and the Public Service Commission.
  250  The term does not include university boards of trustees or state
  251  universities. As used in part I of this chapter, except as
  252  otherwise specifically provided, the term does not include the
  253  Department of Legal Affairs, the Department of Agriculture and
  254  Consumer Services, or the Department of Financial Services.
  255         (34)(28) “SUNCOM Network” means the state enterprise
  256  telecommunications system that provides all methods of
  257  electronic or optical telecommunications beyond a single
  258  building or contiguous building complex and used by entities
  259  authorized as network users under this part.
  260         (35)(29) “Telecommunications” means the science and
  261  technology of communication at a distance, including electronic
  262  systems used in the transmission or reception of information.
  263         (36)(30) “Threat” means any circumstance or event that has
  264  the potential to adversely impact a state agency’s operations or
  265  assets through an information system via unauthorized access,
  266  destruction, disclosure, or modification of information or
  267  denial of service.
  268         (37)(31) “Variance” means a calculated value that
  269  illustrates how far positive or negative a projection has
  270  deviated when measured against documented estimates within a
  271  project plan.
  272         Section 4. Section 282.0051, Florida Statutes, is amended
  273  to read:
  274         282.0051 Department of Management Services; Florida Digital
  275  Service; powers, duties, and functions.—
   276         (1) The Florida Digital Service has been created within the
  277  department to propose innovative solutions that securely
  278  modernize state government, including technology and information
  279  services, to achieve value through digital transformation and
  280  interoperability, and to fully support the cloud-first policy as
  281  specified in s. 282.206. The department, through the Florida
  282  Digital Service, shall have the following powers, duties, and
  283  functions:
  284         (a)(1) Develop and publish information technology policy
  285  for the management of the state’s information technology
  286  resources.
   287         (b)(2) Develop an enterprise architecture that:
   288         1. Acknowledges the unique needs of the entities within the
   289  enterprise in the development and publication of standards and
   290  terminologies to facilitate digital interoperability;
   291         2. Supports the cloud-first policy as specified in s.
   292  282.206; and
   293         3. Addresses how information technology infrastructure may
  294  be modernized to achieve cloud-first objectives Establish and
  295  publish information technology architecture standards to provide
  296  for the most efficient use of the state’s information technology
  297  resources and to ensure compatibility and alignment with the
  298  needs of state agencies. The department shall assist state
  299  agencies in complying with the standards.
  300         (c)(3) Establish project management and oversight standards
  301  with which state agencies must comply when implementing
  302  information technology projects. The department, acting through
  303  the Florida Digital Service, shall provide training
  304  opportunities to state agencies to assist in the adoption of the
  305  project management and oversight standards. To support data
  306  driven decisionmaking, the standards must include, but are not
  307  limited to:
  308         1.(a) Performance measurements and metrics that objectively
  309  reflect the status of an information technology project based on
  310  a defined and documented project scope, cost, and schedule.
  311         2.(b) Methodologies for calculating acceptable variances in
  312  the projected versus actual scope, schedule, or cost of an
  313  information technology project.
  314         3.(c) Reporting requirements, including requirements
  315  designed to alert all defined stakeholders that an information
  316  technology project has exceeded acceptable variances defined and
  317  documented in a project plan.
  318         4.(d) Content, format, and frequency of project updates.
  319         (d)(4) Perform project oversight on all state agency
  320  information technology projects that have total project costs of
  321  $10 million or more and that are funded in the General
  322  Appropriations Act or any other law. The department, acting
  323  through the Florida Digital Service, shall report at least
  324  quarterly to the Executive Office of the Governor, the President
  325  of the Senate, and the Speaker of the House of Representatives
  326  on any information technology project that the department
  327  identifies as high-risk due to the project exceeding acceptable
  328  variance ranges defined and documented in a project plan. The
  329  report must include a risk assessment, including fiscal risks,
  330  associated with proceeding to the next stage of the project, and
  331  a recommendation for corrective actions required, including
  332  suspension or termination of the project.
  333         (e)(5) Identify opportunities for standardization and
  334  consolidation of information technology services that support
  335  interoperability and the cloud-first policy, as specified in s.
  336  282.206, and business functions and operations, including
  337  administrative functions such as purchasing, accounting and
  338  reporting, cash management, and personnel, and that are common
  339  across state agencies. The department, acting through the
  340  Florida Digital Service, shall biennially on January 1 of each
  341  even-numbered year April 1 provide recommendations for
  342  standardization and consolidation to the Executive Office of the
  343  Governor, the President of the Senate, and the Speaker of the
  344  House of Representatives.
  345         (f)(6) Establish best practices for the procurement of
  346  information technology products and cloud-computing services in
  347  order to reduce costs, increase the quality of data center
  348  services, or improve government services.
  349         (g)(7) Develop standards for information technology reports
  350  and updates, including, but not limited to, operational work
  351  plans, project spend plans, and project status reports, for use
  352  by state agencies.
  353         (h)(8) Upon request, assist state agencies in the
  354  development of information technology-related legislative budget
  355  requests.
  356         (i)(9) Conduct annual assessments of state agencies to
  357  determine compliance with all information technology standards
  358  and guidelines developed and published by the department and
  359  provide results of the assessments to the Executive Office of
  360  the Governor, the President of the Senate, and the Speaker of
  361  the House of Representatives.
  362         (j)(10) Provide operational management and oversight of the
  363  state data center established pursuant to s. 282.201, which
  364  includes:
  365         1.(a) Implementing industry standards and best practices
  366  for the state data center’s facilities, operations, maintenance,
  367  planning, and management processes.
  368         2.(b) Developing and implementing cost-recovery mechanisms
  369  that recover the full direct and indirect cost of services
  370  through charges to applicable customer entities. Such cost
  371  recovery mechanisms must comply with applicable state and
  372  federal regulations concerning distribution and use of funds and
  373  must ensure that, for any fiscal year, no service or customer
  374  entity subsidizes another service or customer entity. The
  375  Florida Digital Service may recommend other payment mechanisms
  376  to the Executive Office of the Governor, the President of the
  377  Senate, and the Speaker of the House of Representatives. Such
  378  mechanism may be implemented only if specifically authorized by
  379  the Legislature.
  380         3.(c) Developing and implementing appropriate operating
  381  guidelines and procedures necessary for the state data center to
  382  perform its duties pursuant to s. 282.201. The guidelines and
  383  procedures must comply with applicable state and federal laws,
  384  regulations, and policies and conform to generally accepted
  385  governmental accounting and auditing standards. The guidelines
  386  and procedures must include, but need not be limited to:
  387         a.1. Implementing a consolidated administrative support
  388  structure responsible for providing financial management,
  389  procurement, transactions involving real or personal property,
  390  human resources, and operational support.
  391         b.2. Implementing an annual reconciliation process to
  392  ensure that each customer entity is paying for the full direct
  393  and indirect cost of each service as determined by the customer
  394  entity’s use of each service.
  395         c.3. Providing rebates that may be credited against future
  396  billings to customer entities when revenues exceed costs.
  397         d.4. Requiring customer entities to validate that
  398  sufficient funds exist in the appropriate data processing
  399  appropriation category or will be transferred into the
  400  appropriate data processing appropriation category before
  401  implementation of a customer entity’s request for a change in
  402  the type or level of service provided, if such change results in
  403  a net increase to the customer entity’s cost for that fiscal
  404  year.
  405         e.5. By November 15 of each year, providing to the Office
  406  of Policy and Budget in the Executive Office of the Governor and
  407  to the chairs of the legislative appropriations committees the
  408  projected costs of providing data center services for the
  409  following fiscal year.
  410         f.6. Providing a plan for consideration by the Legislative
  411  Budget Commission if the cost of a service is increased for a
  412  reason other than a customer entity’s request made pursuant to
  413  sub-subparagraph d. subparagraph 4. Such a plan is required only
  414  if the service cost increase results in a net increase to a
  415  customer entity for that fiscal year.
  416         g.7. Standardizing and consolidating procurement and
  417  contracting practices.
  418         4.(d) In collaboration with the Department of Law
  419  Enforcement, developing and implementing a process for
  420  detecting, reporting, and responding to information technology
  421  security incidents, breaches, and threats.
  422         5.(e) Adopting rules relating to the operation of the state
  423  data center, including, but not limited to, budgeting and
  424  accounting procedures, cost-recovery methodologies, and
  425  operating procedures.
   426         (k) Conduct a market analysis not less frequently than
  427  every 3 years beginning in 2021 to determine whether the
  428  information technology resources within the enterprise are
  429  utilized in the most cost-effective and cost-efficient manner,
  430  while recognizing that the replacement of certain legacy
  431  information technology systems within the enterprise may be cost
  432  prohibitive or cost inefficient due to the remaining useful life
  433  of those resources; whether the enterprise is complying with the
  434  cloud-first policy specified in s. 282.206; and whether the
  435  enterprise is utilizing best practices with respect to
  436  information technology, information services, and the
  437  acquisition of emerging technologies and information services.
  438  Each market analysis shall be used to prepare a strategic plan
  439  for continued and future information technology and information
  440  services for the enterprise, including, but not limited to,
  441  proposed acquisition of new services or technologies and
  442  approaches to the implementation of any new services or
  443  technologies. Copies of each market analysis and accompanying
  444  strategic plan must be submitted to the Executive Office of the
  445  Governor, the President of the Senate, and the Speaker of the
  446  House of Representatives not later than December 31 of each year
  447  that a market analysis is conducted.
  448         (f) Conducting an annual market analysis to determine
  449  whether the state’s approach to the provision of data center
  450  services is the most effective and cost-efficient manner by
  451  which its customer entities can acquire such services, based on
  452  federal, state, and local government trends; best practices in
  453  service provision; and the acquisition of new and emerging
  454  technologies. The results of the market analysis shall assist
  455  the state data center in making adjustments to its data center
  456  service offerings.
  457         (l)(11) Recommend other information technology services
  458  that should be designed, delivered, and managed as enterprise
  459  information technology services. Recommendations must include
  460  the identification of existing information technology resources
  461  associated with the services, if existing services must be
  462  transferred as a result of being delivered and managed as
  463  enterprise information technology services.
  464         (m)(12) In consultation with state agencies, propose a
  465  methodology and approach for identifying and collecting both
  466  current and planned information technology expenditure data at
  467  the state agency level.
  468         (n)1.(13)(a) Notwithstanding any other law, provide project
  469  oversight on any information technology project of the
  470  Department of Financial Services, the Department of Legal
  471  Affairs, and the Department of Agriculture and Consumer Services
  472  which has a total project cost of $25 million or more and which
  473  impacts one or more other agencies. Such information technology
  474  projects must also comply with the applicable information
  475  technology architecture, project management and oversight, and
  476  reporting standards established by the department, acting
  477  through the Florida Digital Service.
  478         2.(b) When performing the project oversight function
  479  specified in subparagraph 1. paragraph (a), report at least
  480  quarterly to the Executive Office of the Governor, the President
  481  of the Senate, and the Speaker of the House of Representatives
  482  on any information technology project that the department,
  483  acting through the Florida Digital Service, identifies as high
  484  risk due to the project exceeding acceptable variance ranges
  485  defined and documented in the project plan. The report shall
  486  include a risk assessment, including fiscal risks, associated
  487  with proceeding to the next stage of the project and a
  488  recommendation for corrective actions required, including
  489  suspension or termination of the project.
  490         (o)(14) If an information technology project implemented by
  491  a state agency must be connected to or otherwise accommodated by
  492  an information technology system administered by the Department
  493  of Financial Services, the Department of Legal Affairs, or the
  494  Department of Agriculture and Consumer Services, consult with
  495  these departments regarding the risks and other effects of such
  496  projects on their information technology systems and work
  497  cooperatively with these departments regarding the connections,
  498  interfaces, timing, or accommodations required to implement such
  499  projects.
  500         (p)(15) If adherence to standards or policies adopted by or
  501  established pursuant to this section causes conflict with
  502  federal regulations or requirements imposed on an entity within
  503  the enterprise a state agency and results in adverse action
  504  against an entity the state agency or federal funding, work with
  505  the entity state agency to provide alternative standards,
  506  policies, or requirements that do not conflict with the federal
  507  regulation or requirement. The department, acting through the
  508  Florida Digital Service, shall annually report such alternative
  509  standards to the Executive Office of the Governor, the President
  510  of the Senate, and the Speaker of the House of Representatives.
  511         (q)1.(16)(a) Establish an information technology policy for
  512  all information technology-related state contracts, including
  513  state term contracts for information technology commodities,
  514  consultant services, and staff augmentation services. The
  515  information technology policy must include:
  516         a.1. Identification of the information technology product
  517  and service categories to be included in state term contracts.
  518         b.2. Requirements to be included in solicitations for state
  519  term contracts.
  520         c.3. Evaluation criteria for the award of information
  521  technology-related state term contracts.
  522         d.4. The term of each information technology-related state
  523  term contract.
  524         e.5. The maximum number of vendors authorized on each state
  525  term contract.
  526         2.(b) Evaluate vendor responses for information technology-
  527  related state term contract solicitations and invitations to
  528  negotiate.
  529         3.(c) Answer vendor questions on information technology-
  530  related state term contract solicitations.
  531         4.(d) Ensure that the information technology policy
  532  established pursuant to subparagraph 1. paragraph (a) is
  533  included in all solicitations and contracts that are
  534  administratively executed by the department.
  535         (r)(17) Recommend potential methods for standardizing data
  536  across state agencies which will promote interoperability and
  537  reduce the collection of duplicative data.
  538         (s)(18) Recommend open data technical standards and
  539  terminologies for use by the enterprise state agencies.
  540         (t) Ensure that enterprise information technology solutions
  541  are capable of utilizing an electronic credential and comply
  542  with the enterprise architecture standards.
  543         (2)(a) The Secretary of Management Services shall designate
  544  a state chief information officer, who shall administer the
  545  Florida Digital Service. The state chief information officer,
  546  prior to appointment, must have at least 5 years of experience
  547  in the development of information system strategic planning and
  548  development or information technology policy, and, preferably,
  549  have leadership-level experience in the design, development, and
  550  deployment of interoperable software and data solutions.
  551         (b) The state chief information officer, in consultation
  552  with the Secretary of Management Services, shall designate a
  553  state chief data officer. The chief data officer must be a
  554  proven and effective administrator who must have significant and
  555  substantive experience in data management, data governance,
  556  interoperability, and security.
  557         (3) The department, acting through the Florida Digital
  558  Service and from funds appropriated to the Florida Digital
  559  Service, shall:
  560         (a) Create, not later than October 1, 2021, and maintain a
  561  comprehensive indexed data catalog in collaboration with the
  562  enterprise that lists the data elements housed within the
  563  enterprise and the legacy system or application in which these
  564  data elements are located. The data catalog must, at a minimum,
  565  specifically identify all data that is restricted from public
  566  disclosure based on federal or state laws and regulations and
  567  require that all such information be protected in accordance
  568  with s. 282.318.
  569         (b) Develop and publish, not later than October 1, 2021, in
  570  collaboration with the enterprise, a data dictionary for each
  571  agency that reflects the nomenclature in the comprehensive
  572  indexed data catalog.
  573         (c) Adopt, by rule, standards that support the creation and
  574  deployment of an application programming interface to facilitate
  575  integration throughout the enterprise.
  576         (d) Adopt, by rule, standards necessary to facilitate a
  577  secure ecosystem of data interoperability that is compliant with
  578  the enterprise architecture.
  579         (e) Adopt, by rule, standards that facilitate the
  580  deployment of applications or solutions to the existing
  581  enterprise system in a controlled and phased approach.
  582         (f) After submission of documented use cases developed in
  583  conjunction with the affected agencies, assist the affected
  584  agencies with the deployment, contingent upon a specific
  585  appropriation therefor, of new interoperable applications and
  586  solutions:
  587         1. For the Department of Health, the Agency for Health Care
  588  Administration, the Agency for Persons with Disabilities, the
  589  Department of Education, the Department of Elderly Affairs, and
  590  the Department of Children and Families.
  591         2. To support military members, veterans, and their
  592  families.
  593         (4) Upon the adoption of the enterprise architecture
  594  standards in rule, the department, acting through the Florida
  595  Digital Service, may develop a process to:
  596         (a) Receive written notice from the entities within the
  597  enterprise of any planned procurement of an information
  598  technology project that is subject to enterprise architecture
  599  standards.
  600         (b) Participate in the development of specifications and
  601  recommend modifications to any planned procurement by state
  602  agencies so that the procurement complies with the enterprise
  603  architecture.
  604         (5) The department, acting through the Florida Digital
  605  Service, may not retrieve or disclose any data without a shared-
  606  data agreement in place between the department and the
  607  enterprise entity that has primary custodial responsibility of,
  608  or data-sharing responsibility for, that data.
  609         (6) The department, acting through the Florida Digital
  610  Service, shall adopt rules to administer this section.
  611         (19) Adopt rules to administer this section.
  612         Section 5. Section 282.00515, Florida Statutes, is amended
  613  to read:
  614         282.00515 Duties of Cabinet agencies.—
  615         (1) The Department of Legal Affairs, the Department of
  616  Financial Services, and the Department of Agriculture and
  617  Consumer Services shall adopt the standards established in s.
  618  282.0051(1)(b), (c), and (s) and (3)(e) s. 282.0051(2), (3), and
  619  (7) or adopt alternative standards based on best practices and
  620  industry standards that allow for open data interoperability.
  621         (2) If the Department of Legal Affairs, the Department of
  622  Financial Services, or the Department of Agriculture and
  623  Consumer Services adopts alternative standards in lieu of the
  624  enterprise architecture standards adopted pursuant to s.
  625  282.0051, such department must notify the Governor, the
  626  President of the Senate, and the Speaker of the House of
  627  Representatives in writing of the adoption of the alternative
  628  standards and provide a justification for adoption of the
  629  alternative standards and explain how the agency will achieve
  630  open data interoperability.
  631         (3) The Department of Legal Affairs, the Department of
  632  Financial Services, and the Department of Agriculture and
  633  Consumer Services, and may contract with the department to
  634  provide or perform any of the services and functions described
  635  in s. 282.0051 for the Department of Legal Affairs, the
  636  Department of Financial Services, or the Department of
  637  Agriculture and Consumer Services.
  638         (4)(a) Nothing in this section or in s. 282.0051 requires
  639  the Department of Legal Affairs, the Department of Financial
  640  Services, or the Department of Agriculture and Consumer Services
  641  to integrate with information technology outside its own
  642  department or with the Florida Digital Service.
  643         (b) The department, acting through the Florida Digital
  644  Service, may not retrieve or disclose any data without a shared-
  645  data agreement in place between the department and the
  646  Department of Legal Affairs, the Department of Financial
  647  Services, or the Department of Agriculture and Consumer
  648  Services.
  649         Section 6. Paragraph (a) of subsection (3), paragraphs (d),
  650  (e), (g), and (j) of subsection (4), and subsection (5) of
  651  section 282.318, Florida Statutes, are amended to read:
  652         282.318 Security of data and information technology.—
  653         (3) The department is responsible for establishing
  654  standards and processes consistent with generally accepted best
  655  practices for information technology security, to include
  656  cybersecurity, and adopting rules that safeguard an agency’s
  657  data, information, and information technology resources to
  658  ensure availability, confidentiality, and integrity and to
  659  mitigate risks. The department shall also:
  660         (a) Designate an employee of the Florida Digital Service as
  661  the a state chief information security officer. The state chief
  662  information security officer who must have experience and
  663  expertise in security and risk management for communications and
  664  information technology resources.
  665         (4) Each state agency head shall, at a minimum:
  666         (d) Conduct, and update every 3 years, a comprehensive risk
  667  assessment, which may be completed by a private sector vendor,
  668  to determine the security threats to the data, information, and
  669  information technology resources, including mobile devices and
  670  print environments, of the agency. The risk assessment must
  671  comply with the risk assessment methodology developed by the
  672  department and is confidential and exempt from s. 119.07(1),
  673  except that such information shall be available to the Auditor
  674  General, the Florida Digital Service Division of State
  675  Technology within the department, the Cybercrime Office of the
  676  Department of Law Enforcement, and, for state agencies under the
  677  jurisdiction of the Governor, the Chief Inspector General.
  678         (e) Develop, and periodically update, written internal
  679  policies and procedures, which include procedures for reporting
  680  information technology security incidents and breaches to the
  681  Cybercrime Office of the Department of Law Enforcement and the
  682  Florida Digital Service Division of State Technology within the
  683  department. Such policies and procedures must be consistent with
  684  the rules, guidelines, and processes established by the
  685  department to ensure the security of the data, information, and
  686  information technology resources of the agency. The internal
  687  policies and procedures that, if disclosed, could facilitate the
  688  unauthorized modification, disclosure, or destruction of data or
  689  information technology resources are confidential information
  690  and exempt from s. 119.07(1), except that such information shall
  691  be available to the Auditor General, the Cybercrime Office of
  692  the Department of Law Enforcement, the Florida Digital Service
  693  Division of State Technology within the department, and, for
  694  state agencies under the jurisdiction of the Governor, the Chief
  695  Inspector General.
  696         (g) Ensure that periodic internal audits and evaluations of
  697  the agency’s information technology security program for the
  698  data, information, and information technology resources of the
  699  agency are conducted. The results of such audits and evaluations
  700  are confidential information and exempt from s. 119.07(1),
  701  except that such information shall be available to the Auditor
  702  General, the Cybercrime Office of the Department of Law
  703  Enforcement, the Florida Digital Service Division of State
  704  Technology within the department, and, for agencies under the
  705  jurisdiction of the Governor, the Chief Inspector General.
  706         (j) Develop a process for detecting, reporting, and
  707  responding to threats, breaches, or information technology
  708  security incidents which is consistent with the security rules,
  709  guidelines, and processes established by the department Agency
  710  for State Technology.
  711         1. All information technology security incidents and
  712  breaches must be reported to the Florida Digital Service
  713  Division of State Technology within the department and the
  714  Cybercrime Office of the Department of Law Enforcement and must
  715  comply with the notification procedures and reporting timeframes
  716  established pursuant to paragraph (3)(c).
  717         2. For information technology security breaches, state
  718  agencies shall provide notice in accordance with s. 501.171.
  719         3. Records held by a state agency which identify detection,
  720  investigation, or response practices for suspected or confirmed
  721  information technology security incidents, including suspected
  722  or confirmed breaches, are confidential and exempt from s.
  723  119.07(1) and s. 24(a), Art. I of the State Constitution, if the
  724  disclosure of such records would facilitate unauthorized access
  725  to or the unauthorized modification, disclosure, or destruction
  726  of:
  727         a. Data or information, whether physical or virtual; or
  728         b. Information technology resources, which includes:
  729         (I) Information relating to the security of the agency’s
  730  technologies, processes, and practices designed to protect
  731  networks, computers, data processing software, and data from
  732  attack, damage, or unauthorized access; or
  733         (II) Security information, whether physical or virtual,
  734  which relates to the agency’s existing or proposed information
  735  technology systems.
  736  
  737  Such records shall be available to the Auditor General, the
  738  Florida Digital Service Division of State Technology within the
  739  department, the Cybercrime Office of the Department of Law
  740  Enforcement, and, for state agencies under the jurisdiction of
  741  the Governor, the Chief Inspector General. Such records may be
  742  made available to a local government, another state agency, or a
  743  federal agency for information technology security purposes or
  744  in furtherance of the state agency’s official duties. This
  745  exemption applies to such records held by a state agency before,
  746  on, or after the effective date of this exemption. This
  747  subparagraph is subject to the Open Government Sunset Review Act
  748  in accordance with s. 119.15 and shall stand repealed on October
  749  2, 2021, unless reviewed and saved from repeal through
  750  reenactment by the Legislature.
  751         (5) The portions of risk assessments, evaluations, external
  752  audits, and other reports of a state agency’s information
  753  technology security program for the data, information, and
  754  information technology resources of the state agency which are
  755  held by a state agency are confidential and exempt from s.
  756  119.07(1) and s. 24(a), Art. I of the State Constitution if the
  757  disclosure of such portions of records would facilitate
  758  unauthorized access to or the unauthorized modification,
  759  disclosure, or destruction of:
  760         (a) Data or information, whether physical or virtual; or
  761         (b) Information technology resources, which include:
  762         1. Information relating to the security of the agency’s
  763  technologies, processes, and practices designed to protect
  764  networks, computers, data processing software, and data from
  765  attack, damage, or unauthorized access; or
  766         2. Security information, whether physical or virtual, which
  767  relates to the agency’s existing or proposed information
  768  technology systems.
  769  
  770  Such portions of records shall be available to the Auditor
  771  General, the Cybercrime Office of the Department of Law
  772  Enforcement, the Florida Digital Service Division of State
  773  Technology within the department, and, for agencies under the
  774  jurisdiction of the Governor, the Chief Inspector General. Such
  775  portions of records may be made available to a local government,
  776  another state agency, or a federal agency for information
  777  technology security purposes or in furtherance of the state
  778  agency’s official duties. For purposes of this subsection,
  779  “external audit” means an audit that is conducted by an entity
  780  other than the state agency that is the subject of the audit.
  781  This exemption applies to such records held by a state agency
  782  before, on, or after the effective date of this exemption. This
  783  subsection is subject to the Open Government Sunset Review Act
  784  in accordance with s. 119.15 and shall stand repealed on October
  785  2, 2021, unless reviewed and saved from repeal through
  786  reenactment by the Legislature.
  787         Section 7. Subsection (4) of section 287.0591, Florida
  788  Statutes, is amended to read:
  789         287.0591 Information technology.—
  790         (4) If the department issues a competitive solicitation for
  791  information technology commodities, consultant services, or
  792  staff augmentation contractual services, the Florida Digital
  793  Service Division of State Technology within the department shall
  794  participate in such solicitations.
  795         Section 8. Paragraph (a) of subsection (3) of section
  796  365.171, Florida Statutes, is amended to read:
  797         365.171 Emergency communications number E911 state plan.—
  798         (3) DEFINITIONS.—As used in this section, the term:
  799         (a) “Office” means the Division of Telecommunications State
  800  Technology within the Department of Management Services, as
  801  designated by the secretary of the department.
  802         Section 9. Paragraph (s) of subsection (3) of section
  803  365.172, Florida Statutes, is amended to read:
  804         365.172 Emergency communications number “E911.”—
  805         (3) DEFINITIONS.—Only as used in this section and ss.
  806  365.171, 365.173, 365.174, and 365.177, the term:
  807         (s) “Office” means the Division of Telecommunications State
  808  Technology within the Department of Management Services, as
  809  designated by the secretary of the department.
  810         Section 10. Paragraph (a) of subsection (1) of section
  811  365.173, Florida Statutes, is amended to read:
  812         365.173 Communications Number E911 System Fund.—
  813         (1) REVENUES.—
  814         (a) Revenues derived from the fee levied on subscribers
  815  under s. 365.172(8) must be paid by the board into the State
  816  Treasury on or before the 15th day of each month. Such moneys
  817  must be accounted for in a special fund to be designated as the
  818  Emergency Communications Number E911 System Fund, a fund created
  819  in the Division of Telecommunications State Technology, or other
  820  office as designated by the Secretary of Management Services.
  821         Section 11. Subsection (5) of section 943.0415, Florida
  822  Statutes, is amended to read:
  823         943.0415 Cybercrime Office.—There is created within the
  824  Department of Law Enforcement the Cybercrime Office. The office
  825  may:
  826         (5) Consult with the Florida Digital Service Division of
  827  State Technology within the Department of Management Services in
  828  the adoption of rules relating to the information technology
  829  security provisions in s. 282.318.
  830         Section 12. Effective January 1, 2021, section 559.952,
  831  Florida Statutes, is created to read:
  832         559.952 Financial Technology Sandbox.—
  833         (1) SHORT TITLE.—This section may be cited as the
  834  “Financial Technology Sandbox.”
  835         (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  836  created the Financial Technology Sandbox within the Office of
  837  Financial Regulation to allow financial technology innovators to
  838  test new products and services in a supervised, flexible
  839  regulatory sandbox using exceptions to specified general law and
  840  waivers of the corresponding rule requirements under defined
  841  conditions. The creation of a supervised, flexible regulatory
  842  sandbox provides a welcoming business environment for technology
  843  innovators and may lead to significant business growth.
  844         (3) DEFINITIONS.—As used in this section, the term:
  845         (a) “Business entity” means a domestic corporation or other
  846  organized domestic entity with a physical presence, other than
  847  that of a registered office or agent or virtual mailbox, in this
  848  state.
  849         (b) “Commission” means the Financial Services Commission.
  850         (c) “Consumer” means a person in this state, whether a
  851  natural person or a business organization, who purchases, uses,
  852  receives, or enters into an agreement to purchase, use, or
  853  receive an innovative financial product or service made
  854  available through the Financial Technology Sandbox.
  855         (d) “Control person” means an individual, a partnership, a
  856  corporation, a trust, or other organization that possesses the
  857  power, directly or indirectly, to direct the management or
  858  policies of a company, whether through ownership of securities,
  859  by contract, or through other means. A person is presumed to
  860  control a company if, with respect to a particular company, that
  861  person:
  862         1. Is a director, a general partner, or an officer
  863  exercising executive responsibility or having similar status or
  864  functions;
  865         2. Directly or indirectly may vote 10 percent or more of a
  866  class of a voting security or sell or direct the sale of 10
  867  percent or more of a class of voting securities; or
  868         3. In the case of a partnership, may receive upon
  869  dissolution or has contributed 10 percent or more of the
  870  capital.
  871         (e) “Corresponding rule requirements” means the commission
  872  rules, or portions thereof, which implement the general laws
  873  enumerated in paragraph (4)(a).
  874         (f) “Financial product or service” means a product or
  875  service related to a consumer finance loan, as defined in s.
  876  516.01, or a money transmitter or payment instrument seller, as
  877  those terms are defined in s. 560.103, including mediums of
  878  exchange that are in electronic or digital form, which is
  879  subject to the general laws enumerated in paragraph (4)(a) and
  880  corresponding rule requirements and which is under the
  881  jurisdiction of the office.
  882         (g) “Financial Technology Sandbox” means the program
  883  created by this section which allows a licensee to make an
  884  innovative financial product or service available to consumers
  885  during a sandbox period through exceptions to general laws and
  886  waivers of corresponding rule requirements.
  887         (h) “Innovative” means new or emerging technology, or new
  888  uses of existing technology, which provide a product, service,
  889  business model, or delivery mechanism to the public and which
  890  are not known to have a comparable offering in this state
  891  outside the Financial Technology Sandbox.
  892         (i) “Licensee” means a business entity that has been
  893  approved by the office to participate in the Financial
  894  Technology Sandbox.
  895         (j) “Office” means, unless the context clearly indicates
  896  otherwise, the Office of Financial Regulation.
  897         (k) “Sandbox period” means the initial 24-month period in
  898  which the office has authorized a licensee to make an innovative
  899  financial product or service available to consumers, and any
  900  extension granted pursuant to subsection (7).
  901         (4) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  902  REQUIREMENTS.—
  903         (a) Notwithstanding any other law, upon approval of a
  904  Financial Technology Sandbox application, the following
  905  provisions and corresponding rule requirements are not
  906  applicable to the licensee during the sandbox period:
  907         1. Section 516.03(1), except for the application fee, the
  908  investigation fee, the requirement to provide the social
  909  security numbers of control persons, evidence of liquid assets
  910  of at least $25,000, and the office’s authority to investigate
  911  the applicant’s background. The office may prorate the license
  912  renewal fee for an extension granted under subsection (7).
  913         2. Section 516.05(1) and (2), except that the office shall
  914  investigate the applicant’s background.
  915         3. Section 560.109, only to the extent that the section
  916  requires the office to examine a licensee at least once every 5
  917  years.
  918         4. Section 560.118(2).
  919         5. Section 560.125(1), only to the extent that subsection
  920  would prohibit a licensee from engaging in the business of a
  921  money transmitter or payment instrument seller during the
  922  sandbox period.
  923         6. Section 560.125(2), only to the extent that subsection
  924  would prohibit a licensee from appointing an authorized vendor
  925  during the sandbox period. Any authorized vendor of such a
  926  licensee during the sandbox period remains liable to the holder
  927  or remitter.
  928         7. Section 560.128.
  929         8. Section 560.141, except for s. 560.141(1)(a)1., 3., 7.
  930  10. and (b), (c), and (d).
  931         9. Section 560.142(1) and (2), except that the office may
  932  prorate, but may not entirely eliminate, the license renewal
  933  fees in s. 560.143 for an extension granted under subsection
  934  (7).
  935         10. Section 560.143(2), only to the extent necessary for
  936  proration of the renewal fee under subparagraph 9.
  937         11. Section 560.204(1), only to the extent that subsection
  938  would prohibit a licensee from engaging in, or advertising that
  939  it engages in, the selling or issuing of payment instruments or
  940  in the activity of a money transmitter during the sandbox
  941  period.
  942         12. Section 560.205(2).
  943         13. Section 560.208(2).
  944         14. Section 560.209, only to the extent that the office may
  945  modify, but may not entirely eliminate, the net worth, corporate
  946  surety bond, and collateral deposit amounts required under that
  947  section. The modified amounts must be in such lower amounts that
  948  the office determines to be commensurate with the factors under
  949  paragraph (5)(c) and the maximum number of consumers authorized
  950  to receive the financial product or service under this section.
  951         (b) The office may approve a Financial Technology Sandbox
  952  application if one or more of the general laws enumerated in
  953  paragraph (a) currently prevent the innovative financial product
  954  or service from being made available to consumers and if all
  955  other requirements of this section are met.
  956         (c) A licensee may conduct business through electronic
  957  means, including through the Internet or a software application.
  958         (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  959  APPROVAL.—
  960         (a) Before filing an application for licensure under this
  961  section, a substantially affected person may seek a declaratory
  962  statement pursuant to s. 120.565 regarding the applicability of
  963  a statute, a rule, or an agency order to the petitioner’s
  964  particular set of circumstances or a variance or waiver of a
  965  rule pursuant to s. 120.542.
  966         (b) Before making an innovative financial product or
  967  service available to consumers in the Financial Technology
  968  Sandbox, a business entity must file with the office an
  969  application for licensure under the Financial Technology
  970  Sandbox. The commission shall, by rule, prescribe the form and
  971  manner of the application and how the office will evaluate and
  972  apply each of the factors specified in paragraph (c).
  973         1. The application must specify each general law enumerated
  974  in paragraph (4)(a) which currently prevents the innovative
  975  financial product or service from being made available to
  976  consumers and the reasons why those provisions of general law
  977  prevent the innovative financial product or service from being
  978  made available to consumers.
  979         2. The application must contain sufficient information for
  980  the office to evaluate the factors specified in paragraph (c).
  981         3. An application submitted on behalf of a business entity
  982  must include evidence that the business entity has authorized
  983  the person to submit the application on behalf of the business
  984  entity intending to make an innovative financial product or
  985  service available to consumers.
  986         4. The application must specify the maximum number of
  987  consumers, which may not exceed the number of consumers
  988  specified in paragraph (f), to whom the applicant proposes to
  989  provide the innovative financial product or service.
  990         5. The application must include a proposed draft of the
  991  statement or statements meeting the requirements of paragraph
  992  (6)(b) which the applicant proposes to provide to consumers.
  993         (c) The office shall approve or deny in writing a Financial
  994  Technology Sandbox application within 60 days after receiving
  995  the completed application. The office and the applicant may
  996  jointly agree to extend the time beyond 60 days. Consistent with
  997  this section, the office may impose conditions on any approval.
  998  In deciding whether to approve or deny an application for
  999  licensure, the office must consider each of the following:
 1000         1. The nature of the innovative financial product or
 1001  service proposed to be made available to consumers in the
 1002  Financial Technology Sandbox, including all relevant technical
 1003  details.
 1004         2. The potential risk to consumers and the methods that
 1005  will be used to protect consumers and resolve complaints during
 1006  the sandbox period.
 1007         3. The business plan proposed by the applicant, including
 1008  company information, market analysis, and financial projections
 1009  or pro forma financial statements, and evidence of the financial
 1010  viability of the applicant.
 1011         4. Whether the applicant has the necessary personnel,
 1012  adequate financial and technical expertise, and a sufficient
 1013  plan to test, monitor, and assess the innovative financial
 1014  product or service.
 1015         5. Whether any control person of the applicant, regardless
 1016  of adjudication, has pled no contest to, has been convicted or
 1017  found guilty of, or is currently under investigation for fraud,
 1018  a state or federal securities violation, a property-based
 1019  offense, or a crime involving moral turpitude or dishonest
 1020  dealing, in which case the application to the Financial
 1021  Technology Sandbox must be denied.
 1022         6. A copy of the disclosures that will be provided to
 1023  consumers under paragraph (6)(b).
 1024         7. The financial responsibility of the applicant and any
 1025  control person, including whether the applicant or any control
 1026  person has a history of unpaid liens, unpaid judgments, or other
 1027  general history of nonpayment of legal debts, including, but not
 1028  limited to, having been the subject of a petition for bankruptcy
 1029  under the United States Bankruptcy Code within the past 7
 1030  calendar years.
 1031         8. Any other factor that the office determines to be
 1032  relevant.
 1033         (d) The office may not approve an application if:
 1034         1. The applicant had a prior Financial Technology Sandbox
 1035  application that was approved and that related to a
 1036  substantially similar financial product or service;
 1037         2. Any control person of the applicant was substantially
 1038  involved in the development, operation, or management with
 1039  another Financial Technology Sandbox applicant whose application
 1040  was approved and whose application related to a substantially
 1041  similar financial product or service; or
 1042         3. The applicant or any control person has failed to
 1043  affirmatively demonstrate financial responsibility.
 1044         (e) Upon approval of an application, the office shall
 1045  notify the licensee that the licensee is exempt from the
 1046  provisions of general law enumerated in paragraph (4)(a) and the
 1047  corresponding rule requirements during the sandbox period. The
 1048  office shall post on its website notice of the approval of the
 1049  application, a summary of the innovative financial product or
 1050  service, and the contact information of the licensee.
 1051         (f) The office, on a case-by-case basis, shall specify the
 1052  maximum number of consumers authorized to receive an innovative
 1053  financial product or service, after consultation with the
 1054  Financial Technology Sandbox applicant. The office may not
 1055  authorize more than 15,000 consumers to receive the financial
 1056  product or service until the licensee has filed the first report
 1057  required under subsection (8). After the filing of that report,
 1058  if the licensee demonstrates adequate financial capitalization,
 1059  risk management processes, and management oversight, the office
 1060  may authorize up to 25,000 consumers to receive the financial
 1061  product or service.
 1062         (g) A licensee has a continuing obligation to promptly
 1063  inform the office of any material change to the information
 1064  provided under paragraph (b).
 1065         (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
 1066         (a) A licensee may make an innovative financial product or
 1067  service available to consumers during the sandbox period.
 1068         (b)1. Before a consumer purchases, uses, receives, or
 1069  enters into an agreement to purchase, use, or receive an
 1070  innovative financial product or service through the Financial
 1071  Technology Sandbox, the licensee must provide a written
 1072  statement of all of the following to the consumer:
 1073         a. The name and contact information of the licensee.
 1074         b. That the financial product or service has been
 1075  authorized to be made available to consumers for a temporary
 1076  period by the office, under the laws of this state.
 1077         c. That the state does not endorse the financial product or
 1078  service.
 1079         d. That the financial product or service is undergoing
 1080  testing, may not function as intended, and may entail financial
 1081  risk.
 1082         e. That the licensee is not immune from civil liability for
 1083  any losses or damages caused by the financial product or
 1084  service.
 1085         f. The expected end date of the sandbox period.
 1086         g. The contact information for the office and notification
 1087  that suspected legal violations, complaints, or other comments
 1088  related to the financial product or service may be submitted to
 1089  the office.
 1090         h. Any other statements or disclosures required by rule of
 1091  the commission which are necessary to further the purposes of
 1092  this section.
 1093         2. The written statement under subparagraph 1. must contain
 1094  an acknowledgment from the consumer, which must be retained for
 1095  the duration of the sandbox period by the licensee.
 1096         (c) The office may enter into an agreement with a state,
 1097  federal, or foreign regulatory agency to allow licensees under
 1098  the Financial Technology Sandbox to make their products or
 1099  services available in other jurisdictions. The commission shall
 1100  adopt rules to implement this paragraph.
 1101         (d) The office may examine the records of a licensee at any
 1102  time, with or without prior notice.
 1103         (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
 1104         (a) A licensee may apply for one extension of the initial
 1105  24-month sandbox period for 12 additional months for a purpose
 1106  specified in subparagraph (b)1. or subparagraph (b)2. A complete
 1107  application for an extension must be filed with the office at
 1108  least 90 days before the conclusion of the initial sandbox
 1109  period. The office shall approve or deny the application for
 1110  extension in writing at least 35 days before the conclusion of
 1111  the initial sandbox period. In determining whether to approve or
 1112  deny an application for extension of the sandbox period, the
 1113  office must, at a minimum, consider the current status of the
 1114  factors previously considered under paragraph (5)(c).
 1115         (b) An application for an extension under paragraph (a)
 1116  must cite one of the following reasons as the basis for the
 1117  application and must provide all relevant supporting
 1118  information:
 1119         1. Amendments to general law or rules are necessary to
 1120  offer the innovative financial product or service in this state
 1121  permanently.
 1122         2. An application for a license that is required in order
 1123  to offer the innovative financial product or service in this
 1124  state permanently has been filed with the office and approval is
 1125  pending.
 1126         (c) At least 30 days before the conclusion of the initial
 1127  24-month sandbox period or the extension, whichever is later, a
 1128  licensee shall provide written notification to consumers
 1129  regarding the conclusion of the initial sandbox period or the
 1130  extension and may not make the financial product or service
 1131  available to any new consumers after the conclusion of the
 1132  initial sandbox period or the extension, whichever is later,
 1133  until legal authority outside of the Financial Technology
 1134  Sandbox exists for the licensee to make the financial product or
 1135  service available to consumers. After the conclusion of the
 1136  sandbox period or the extension, whichever is later, the
 1137  business entity formerly licensed under the Financial Technology
 1138  Sandbox may:
 1139         1. Collect and receive money owed to the business entity or
 1140  pay money owed by the business entity, based on agreements with
 1141  consumers made before the conclusion of the sandbox period or
 1142  the extension.
 1143         2. Take necessary legal action.
 1144         3. Take other actions authorized by commission rule which
 1145  are not inconsistent with this section.
 1146         (8) REPORT.—A licensee shall submit a report to the office
 1147  twice a year as prescribed by commission rule. The report must,
 1148  at a minimum, include financial reports and the number of
 1149  consumers who have received the financial product or service.
 1150         (9) CONSTRUCTION.—A business entity whose Financial
 1151  Technology Sandbox application is approved under this section:
 1152         (a) Is licensed under chapter 516, chapter 560, or both
 1153  chapters 516 and 560, as applicable to the business entity’s
 1154  activities.
 1155         (b) Is subject to any provision of chapter 516 or chapter
 1156  560 not specifically excepted under paragraph (4)(a), as
 1157  applicable to the business entity’s activities, and must comply
 1158  with such provisions.
 1159         (c) May not engage in activities authorized under part III
 1160  of chapter 560, notwithstanding s. 560.204(2).
 1161         (10) VIOLATIONS AND PENALTIES.—
 1162         (a) A licensee who makes an innovative financial product or
 1163  service available to consumers in the Financial Technology
 1164  Sandbox remains subject to:
 1165         1. Civil damages for acts and omissions arising from or
 1166  related to any innovative financial product or services provided
 1167  or made available by the licensee or relating to this section.
 1168         2. All criminal and consumer protection laws and any other
 1169  statute not specifically excepted under paragraph (4)(a).
 1170         (b)1. The office may, by order, revoke or suspend a
 1171  licensee’s approval to participate in the Financial Technology
 1172  Sandbox if:
 1173         a. The licensee has violated or refused to comply with this
 1174  section, any statute not specifically excepted under paragraph
 1175  (4)(a), a rule of the commission that has not been waived, an
 1176  order of the office, or a condition placed by the office on the
 1177  approval of the licensee’s Financial Technology Sandbox
 1178  application;
 1179         b. A fact or condition exists that, if it had existed or
 1180  become known at the time that the Financial Technology Sandbox
 1181  application was pending, would have warranted denial of the
 1182  application or the imposition of material conditions;
 1183         c. A material error, false statement, misrepresentation, or
 1184  material omission was made in the Financial Technology Sandbox
 1185  application; or
 1186         d. After consultation with the licensee, the office
 1187  determines that continued testing of the innovative financial
 1188  product or service would:
 1189         (I) Be likely to harm consumers; or
 1190         (II) No longer serve the purposes of this section because
 1191  of the financial or operational failure of the financial product
 1192  or service.
 1193         2. Written notice of a revocation or suspension order made
 1194  under subparagraph 1. must be served using any means authorized
 1195  by law. If the notice relates to a suspension, the notice must
 1196  include any condition or remedial action that the licensee must
 1197  complete before the office lifts the suspension.
 1198         (c) The office may refer any suspected violation of law to
 1199  an appropriate state or federal agency for investigation,
 1200  prosecution, civil penalties, and other appropriate enforcement
 1201  action.
 1202         (d) If service of process on a licensee is not feasible,
 1203  service on the office is deemed service on the licensee.
 1204         (11) RULES AND ORDERS.—
 1205         (a) The commission shall adopt rules to administer this
 1206  section before approving any application under this section.
 1207         (b) The office may issue all necessary orders to enforce
 1208  this section and may enforce these orders in accordance with
 1209  chapter 120 or in any court of competent jurisdiction. These
 1210  orders include, but are not limited to, orders for payment of
 1211  restitution for harm suffered by consumers as a result of an
 1212  innovative financial product or service.
 1213         Section 13. For the 2020-2021 fiscal year, the sum of
 1214  $50,000 in nonrecurring funds is appropriated from the
 1215  Administrative Trust Fund to the Office of Financial Regulation
 1216  to implement s. 559.952, Florida Statutes, as created by this
 1217  act.
 1218         Section 14. The creation of s. 559.952, Florida Statutes,
 1219  and the appropriation to implement s. 559.952, Florida Statutes,
 1220  by this act shall take effect only if SB 1872 or similar
 1221  legislation takes effect and if such legislation is adopted in
 1222  the same legislative session or an extension thereof and becomes
 1223  a law.
 1224         Section 15. Except as otherwise expressly provided in this
 1225  act, this act shall take effect July 1, 2020.