Back to Florida

SB0540 • 2026

Office of Financial Regulation

Office of Financial Regulation

Children
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Martin
Last action
2026-03-13
Official status
House - Died in Messages
Effective date
2026-07-01

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Office of Financial Regulation

Office of Financial Regulation; Requiring the Department of Children and Families to cooperate with and seek cooperation from the Office of Financial Regulation concerning certain protective investigations of suspected financial exploitation of specified adults; requiring loan originators, mortgage brokers, and mortgage lenders to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information; providing additional acts that constitute a ground for specified disciplinary actions against loan originators and mortgage brokers; authorizing the office to make investigations and examinations to aid the Department of Children and Families with certain protective investigations; requiring money services businesses to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information, etc.

What This Bill Does

  • Office of Financial Regulation; Requiring the Department of Children and Families to cooperate with and seek cooperation from the Office of Financial Regulation concerning certain protective investigations of suspected financial exploitation of specified adults; requiring loan originators, mortgage brokers, and mortgage lenders to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information; providing additional acts that constitute a ground for specified disciplinary actions against loan originators and mortgage brokers; authorizing the office to make investigations and examinations to aid the Department of Children and Families with certain protective investigations; requiring money services businesses to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information, etc.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

686220

Committee amendment S 540 Filed • Banking and Insurance (Martin)

Replaced by Committee Substitute 1/15/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • SB 540 Ì686220vÎ686220 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 01/15/2026 .
465000

Committee amendment S 540 Filed • Banking and Insurance (Martin)

Replaced by Substitute Amendment 1/15/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • SB 540 Ì465000[Î465000 LEGISLATIVE ACTION Senate .
  • House Comm: RS .
  • 01/15/2026 .
151196

Committee amendment S 540 Filed • Banking and Insurance (Martin)

Replaced by Committee Substitute 1/15/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • SB 540 Ì1511968Î151196 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 01/15/2026 .
820822

Committee amendment S 540 Filed • Banking and Insurance (Martin)

Replaced by Committee Substitute 1/15/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • SB 540 Ì820822~Î820822 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 01/15/2026 .
704244

Committee amendment S 540 c1 • Appropriations Committee on Agriculture, Environment, and General Government (Martin)

Replaced by Committee Substitute 2/12/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • CS for SB 540 Ì704244ÇÎ704244 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 02/12/2026 .
318308

Committee amendment S 540 c2 • Rules (Martin)

Replaced by Committee Substitute 2/24/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • CS for CS for SB 540 Ì318308.Î318308 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 02/24/2026 .
482984

Floor amendment S 540 c3 • Martin

Senate: Withdrawn 2/25/2026

Plain English: Florida Senate - 2026 SENATOR AMENDMENT Bill No.

  • Florida Senate - 2026 SENATOR AMENDMENT Bill No.
  • CS for CS for CS for SB 540 Ì482984SÎ482984 LEGISLATIVE ACTION Senate .
  • House .
  • .

Bill History

  1. 2026-03-13 House

    • Died in Messages

  2. 2026-02-25 Senate

    • Read 2nd time -SJ 436 • Read 3rd time -SJ 436 • CS passed; YEAS 36 NAYS 0 -SJ 436 • Immediately certified -SJ 437

  3. 2026-02-25 House

    • In Messages

  4. 2026-02-24 Senate

    • CS/CS/CS by- Rules; YEAS 22 NAYS 0 • Pending reference review -under Rule 4.7(2) - (Committee Substitute) • Placed on Calendar, on 2nd reading • Placed on Special Order Calendar, 02/25/26 • CS/CS/CS by Rules read 1st time

  5. 2026-02-19 Senate

    • On Committee agenda-- Rules, 02/24/26, 12:00 pm, 412 Knott Building

  6. 2026-02-18 Senate

    • CS/CS by Appropriations Committee on Agriculture, Environment, and General Government read 1st time

  7. 2026-02-16 Senate

    • Pending reference review under Rule 4.7(2) - (Committee Substitute) • Now in Rules

  8. 2026-02-12 Senate

    • CS/CS by Appropriations Committee on Agriculture, Environment, and General Government; YEAS 10 NAYS 0

  9. 2026-02-09 Senate

    • On Committee agenda-- Appropriations Committee on Agriculture, Environment, and General Government, 02/12/26, 4:30 pm, 412 Knott Building

  10. 2026-01-22 Senate

    • CS by Banking and Insurance read 1st time

  11. 2026-01-16 Senate

    • Now in Appropriations Committee on Agriculture, Environment, and General Government

  12. 2026-01-15 Senate

    • Pending reference review under Rule 4.7(2) - (Committee Substitute)

  13. 2026-01-13 Senate

    • CS by Banking and Insurance; YEAS 10 NAYS 0 • Introduced

  14. 2026-01-08 Senate

    • On Committee agenda-- Banking and Insurance, 01/13/26, 4:00 pm, 412 Knott Building

  15. 2025-12-01 Senate

    • Referred to Banking and Insurance; Appropriations Committee on Agriculture, Environment, and General Government; Rules

  16. 2025-11-17 Senate

    • Filed

Official Summary Text

Office of Financial Regulation; Requiring the Department of Children and Families to cooperate with and seek cooperation from the Office of Financial Regulation concerning certain protective investigations of suspected financial exploitation of specified adults; requiring loan originators, mortgage brokers, and mortgage lenders to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information; providing additional acts that constitute a ground for specified disciplinary actions against loan originators and mortgage brokers; authorizing the office to make investigations and examinations to aid the Department of Children and Families with certain protective investigations; requiring money services businesses to develop, implement, and maintain comprehensive written information security programs for the protection of information systems and nonpublic personal information, etc.

Current Bill Text

Read the full stored bill text
Florida Senate
-
2026

CS for CS for CS for SB 540

By
the Committee on Rules; the Appropriations Committee on
Agriculture, Environment, and General Government; the Committee
on Banking and Insurance; and Senator Martin

595-03185-26 2026540c3
1 A bill to be entitled
2 An act relating to the Office of Financial Regulation;
3 amending s. 415.106, F.S.; requiring the Department of
4 Children and Families to cooperate with and seek
5 cooperation from the Office of Financial Regulation
6 concerning certain protective investigations of
7 suspected financial exploitation of specified adults;
8 requiring the department to provide copies of certain
9 suspected financial exploitation reports to the office
10 within a certain timeframe; authorizing the department
11 to provide copies of certain records at the request of
12 the office within a specified timeframe; authorizing
13 the office to use such reports or records as required
14 or authorized in certain provisions; specifying that
15 certain confidentiality provisions that apply to the
16 department apply to the records of the office and its
17 employees and agents; authorizing the department and
18 the office to enter into a specified memorandum of
19 agreement; amending s. 415.107, F.S.; revising the
20 persons, officials, and agencies granted access to
21 certain records relating to vulnerable adults;
22 creating s. 494.00123, F.S.; defining terms; requiring
23 loan originators, mortgage brokers, and mortgage
24 lenders to develop, implement, and maintain
25 comprehensive written information security programs
26 for the protection of information systems and
27 nonpublic personal information; providing requirements
28 for such programs; requiring loan originators,
29 mortgage brokers, and mortgage lenders to establish
30 written incident response plans for specified
31 purposes; providing requirements for such plans;
32 providing applicability; providing compliance
33 requirements under specified circumstances; requiring
34 loan originators, mortgage brokers, and mortgage
35 lenders to maintain copies of information security
36 programs for a specified timeframe and to make them
37 available to the office under certain circumstances;
38 specifying requirements for notices of security
39 breaches; providing construction; requiring the
40 Financial Services Commission to adopt rules; amending
41 s. 494.00255, F.S.; providing additional acts that
42 constitute a ground for specified disciplinary actions
43 against loan originators and mortgage brokers;
44 amending s. 517.021, F.S.; revising the definition of
45 the term “investment adviser”; defining terms;
46 amending s. 517.061, F.S.; defining terms; amending s.
47 517.201, F.S.; authorizing the office to make
48 investigations and examinations to aid the Department
49 of Children and Families with certain protective
50 investigations; authorizing the office to consider or
51 use certain information as part of certain
52 investigations and examinations; amending s. 517.34,
53 F.S.; revising the information required to be
54 contained in the form by which a dealer or investment
55 advisor notifies the office of certain delayed
56 disbursements or transactions of funds or securities;
57 providing construction; creating s. 520.135, F.S.;
58 specifying that the rights and obligations of parties
59 with respect to a surrendered or repossessed motor
60 vehicle are exclusively governed by certain
61 provisions; amending s. 560.114, F.S.; specifying the
62 entities that are subject to certain disciplinary
63 actions and penalties; revising the list of actions by
64 money services businesses which constitute grounds for
65 certain disciplinary actions and penalties; specifying
66 requirements for emergency suspension orders that
67 suspend money services business licenses; providing
68 that an emergency suspension order is effective when
69 the licensee against whom the order is directed has
70 actual or constructive knowledge of the order;
71 requiring the office to institute timely proceedings
72 after issuance of an emergency suspension order;
73 authorizing a licensee subject to an emergency
74 suspension order to seek judicial review; requiring,
75 rather than authorizing, the office to suspend
76 licenses of money services businesses under certain
77 circumstances; creating s. 560.1311, F.S.; defining
78 terms; requiring money services businesses to develop,
79 implement, and maintain comprehensive written
80 information security programs for the protection of
81 information systems and nonpublic personal
82 information; specifying requirements for such
83 programs; requiring money services businesses to
84 establish written incident response plans for
85 specified purposes; specifying requirements for such
86 plans; providing applicability; specifying compliance
87 requirements under specified circumstances; requiring
88 money services businesses to maintain copies of
89 information security programs for a specified
90 timeframe and to make them available to the office
91 under certain circumstances; specifying requirements
92 for notices of security breaches; providing
93 construction; requiring the commission to adopt rules;
94 amending s. 560.309, F.S.; providing that licensees
95 must comply with the Fair Debt Collections Practices
96 Act only if the licensees meet certain criteria;
97 amending s. 560.405, F.S.; requiring that redemptions
98 transacted using a debit card be treated the same as
99 redemptions transacted using cash; prohibiting
100 redemption through a credit card transaction; amending
101 s. 560.406, F.S.; providing that licensees must comply
102 with the Fair Debt Collections Practices Act only if
103 the licensees meet certain criteria; creating s.
104 655.0171, F.S.; defining terms; requiring financial
105 institutions to take measures to protect and secure
106 certain data that contain personal information;
107 providing requirements for notices of security
108 breaches to the office, the Department of Legal
109 Affairs, certain individuals, and certain credit
110 reporting agencies; amending s. 655.032, F.S.;
111 authorizing the office to consider or use certain
112 information as part of certain investigations or other
113 actions; amending s. 655.045, F.S.; authorizing the
114 office to consider or use certain information as part
115 of certain investigations or other actions; revising
116 the timeline for the mailing of payment for salary and
117 travel expenses of certain field staff; amending s.
118 657.005, F.S.; revising requirements for permission to
119 organize credit unions; amending s. 657.024, F.S.;
120 authorizing meetings of credit union members to be
121 held virtually without an in-person quorum and
122 authorizing virtual attendance to satisfy quorum
123 requirements under certain circumstances; amending s.
124 657.042, F.S.; removing provisions that impose
125 limitations on investments in real estate and
126 equipment for credit unions; amending s. 658.21, F.S.;
127 revising requirements and factors for approving
128 applications for organizing banks and trust companies;
129 amending s. 658.33, F.S.; revising requirements for
130 directors of certain banks and trust companies;
131 amending s. 662.141, F.S.; revising the timeline for
132 the mailing of payment for the salary and travel
133 expenses of certain field staff; amending s. 517.12,
134 F.S.; conforming a cross-reference; providing an
135 effective date.
136
137 Be It Enacted by the Legislature of the State of Florida:
138
139 Section 1. Subsection (4) is added to section 415.106,
140 Florida Statutes, to read:
141 415.106 Cooperation by the department and criminal justice
142 and other agencies.—
143
(4) To the fullest extent possible, the department shall

144
cooperate with and seek cooperation from the Office of Financial

145
Regulation concerning
protective
investigations of
suspected

146
financial exploitation of specified adults, as defined in s.

147
415.10341,
which
are reported to the central abuse hotline and

148
which
the department is responsible for conducting pursuant to

149
s. 415.104
.

150
(a) In accordance with s. 415.107, the department
shall

151
provide copies of all
suspected financial exploitation
reports

152
received by the central abuse hotline
pursuant to s. 415.1034

153
from any financial institution
as defined in s. 655.0
0
5(1),

154
securities dealer as defined in s. 517.021(12), or investment

155
adviser as defined in s. 517.021
(20)

to the Office of Financial

156
Regulation within 15 days
after
receiving the report. The

157
department may provide copies of any records generated as a

158
result of such reports at the request of the Office of Financial

159
Regulation within 15 days
after
such request.

160
1. The Office of Financial Regulation may use the reports

161
or records obtained as required or authorized in this subsection

162
for any investigation, examination, or other action conducted

163
pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655
.

164
2. Except as provided in this chapter and chapter
s

517 and

165
655, all confidentiality provisions that apply to the department

166
continue to apply to the records made available to the Office of

167
Financial Regulation and its
officials,
employees
,
and agents

168
under s. 415.107.

169
(b)

The department and the Office of Financial Regulation

170
may enter into a memorandum of agreement that specifies how the

171
Office of Financial Regulation
,
in the agency’s role as the

172
regulator of financial
services,
may assist the department with

173
effectively and efficiently conducting a protective

174
investigation of any vulnerable adult
financial exploitation

175
report received by the central abuse hotline and
, if the

176
agencies enter into a memorandum of agreement,

it must
specif
y

177
how
such
assistance will be implemented.

178 Section 2. Paragraph (m) is added to subsection (3) of
179 section 415.107, Florida Statutes, to read:
180 415.107 Confidentiality of reports and records.—
181 (3) Access to all records, excluding the name of the
182 reporter which shall be released only as provided in subsection
183 (6), shall be granted only to the following persons, officials,
184 and agencies:
185
(m)
Any appropriate officials, employees
,
or agents of the

186
Office of Financial Regulation who
are responsible for

187
conducting investigations, examinations, or other actions

188
pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655.

189 Section 3. Section 494.00123, Florida Statutes, is created
190 to read:
191
494.00123

Information security programs.—

192
(1)

DEFINITIONS.—As used in this section, the term:

193
(a)

“Customer” means a person who seeks to obtain or who

194
obtains or has obtained a financial product or service from a

195
licensee.

196
(b)

“Customer information” means any record containing

197
nonpublic personal information about a customer of a financial

198
transaction, whether on paper, electronic, or in other forms,

199
which is handled or maintained by or on behalf of the licensee

200
or its affiliates.

201
(c)

“Cybersecurity event” means an event resulting in

202
unauthorized access to, or disruption or misuse of, an

203
information system or customer information stored on such

204
information system.
The term does not include the unauthorized

205
acquisition of encrypted customer information if the encryption

206
process or key is not also acquired, released
,
or used without

207
authorization.
T
he term does not include an event with regard to

208
which the licensee has determined that the customer information

209
accessed by an unauthorized person has not been used or released

210
and has been returned or destroyed.

211
(d)

“Encrypted” means the transformation of data into a

212
form
that
results in a low probability of assigning meaning

213
without the use of a protective process or key.

214
(e)

“Financial product or service” means any product or

215
service offered by a licensee under this chapter.

216
(f)

“Information security program” means the

217
administrative, technical, or physical safeguards used to

218
access, collect, distribute, process, protect, store, use,

219
transmit, dispose of, or otherwise handle customer information.

220
(g)

“Information system” means a discrete set of electronic

221
information resources organized for the collection, processing,

222
maintenance, use, sharing, dissemination, or disposition of

223
electronic information, as well as any specialized system such

224
as an industrial process control system, telephone switching and

225
private branch exchange system, or environmental control system,

226
which contain customer information or which are connected to a

227
system that contains customer information.

228
(h)1.

“Nonpublic personal information” means:

229
a.

Personally identifiable financial information; and

230
b.

Any list, description, or other grouping of customers

231
which is derived using any personally identifiable financial

232
information that is not publicly available, such as account

233
numbers, including any list of individuals’ names and street

234
addresses which is derived, in whole or in part, using

235
personally identifiable financial information that is not

236
publicly available.

237
2.

The term does not include:

238
a.

Publicly available information, except as included on a

239
list, description, or other grouping of customers described in

240
sub-subparagraph 1.b.;

241
b.

Any list, description, or other grouping of consumers,

242
or any publicly available information pertaining to such list,

243
description, or other grouping of consumers, which is derived

244
without using any personally identifiable financial information

245
that is not publicly available; or

246
c.

Any list of individuals’ names and addresses which

247
contains only publicly available information, is not derived, in

248
whole or in part, using personally identifiable financial

249
information that is not publicly available, and is not disclosed

250
in a manner that indicates that any of the individuals on the

251
list is a customer of a licensee.

252
3.

As used in this paragraph, the term:

253
a.(I)

“Personally identifiable financial information” means

254
any information that:

255
(A)

A customer provides to a licensee to obtain a financial

256
product or service, such as information that a customer provides

257
to a licensee on an application to obtain a loan or other

258
financial product or service;

259
(B)

A licensee receives about a consumer which is obtained

260
during or as a result of any transaction involving a financial

261
product or service between the licensee and the customer, such

262
as information collected through an information-collecting

263
device from a web server; or

264
(C)

A licensee otherwise obtains about a customer in

265
connection with providing a financial product or service to the

266
customer, such as the fact that an individual is or has been one

267
of the licensee’s customers or has obtained a financial product

268
or service from the licensee.

269
(II)

The term “personally identifiable financial

270
information” does not include:

271
(A)

A list of names and addresses of customers of an entity

272
that is not a financial institution; or

273
(B)

Information that does not identify a customer, such as

274
blind data or aggregate information that does not contain

275
personal identifiers such as account numbers, names, or

276
addresses.

277
b.(I)

“Publicly available information” means any

278
information that a licensee has a reasonable basis to believe is

279
lawfully made available to the general public from:

280
(A)

Federal, state, or local government records, such as

281
government real estate records or security interest filings;

282
(B)

Widely distributed media, such as information from a

283
telephone records repository or directory, a television or radio

284
program, a newspaper, a social media platform, or a website that

285
is available to the general public on an unrestricted basis. A

286
website is not restricted merely because an Internet service

287
provider or a site operator requires a fee or a password, so

288
long as access is available to the general public; or

289
(C)

Disclosures to the general public which are required to

290
be made by federal, state, or local law.

291
(II)

As used in this sub-subparagraph, the term “reasonable

292
basis to believe is lawfully made available to the general

293
public” relating to any information means that the person has

294
taken steps to determine:

295
(A)

That the information is of the type that is available

296
to the general public, such as information included on the

297
public record in the jurisdiction where a mortgage would be

298
recorded; and

299
(B)

Whether an individual can direct that the information

300
not be made available to the general public and, if so, the

301
customer to whom the information relates has not done so, such

302
as when a telephone number is listed in a telephone directory

303
and the customer has informed the licensee that the telephone

304
number is not unlisted.

305
(i)

“Third-party service provider” means a person, other

306
than a licensee, which contracts with a licensee to maintain,

307
process, or store nonpublic personal information, or is

308
otherwise permitted access to nonpublic personal information

309
through its provision of services to a licensee.

310
(2)

INFORMATION SECURITY PROGRAM.—

311
(a)

Each licensee shall develop, implement, and maintain a

312
comprehensive written information security program that contains

313
administrative, technical, and physical safeguards for the

314
protection of the licensee’s information system and nonpublic

315
personal information.

316
(b)

Each licensee shall ensure that the information

317
security program meets all of the following criteria:

318
1.

Be commensurate with the following measures:

319
a.

Size and complexity of the licensee.

320
b.

Nature and scope of the licensee’s activities, including

321
the licensee’s use of third-party service providers.

322
c.

Sensitivity of nonpublic personal information that is

323
used by the licensee or that is in the licensee’s possession,

324
custody, or control.

325
2.

Be designed to do all of the following:

326
a.

Protect the security and confidentiality of nonpublic

327
personal information and the security of the licensee’s

328
information system.

329
b.

Protect against threats or hazards to the security or

330
integrity of nonpublic personal information and the licensee’s

331
information system.

332
c.

Protect against unauthorized access to or the use of

333
nonpublic personal information and minimize the likelihood of

334
harm to any customer.

335
3.

Define and periodically reevaluate the retention

336
schedule and the mechanism for the destruction of nonpublic

337
personal information if retention is no longer necessary for the

338
licensee’s business operations or is no longer required by

339
applicable law.

340
4.

Regularly test and monitor systems and procedures for

341
the detection of actual and attempted attacks on, or intrusions

342
into, the licensee’s information system.

343
5.

Be monitored, evaluated, and adjusted, as necessary, to

344
meet all of the following requirements:

345
a.

Determine whether the licensee’s information security

346
program is consistent with relevant changes in technology.

347
b.

Confirm the licensee’s information security program

348
accounts for the sensitivity of nonpublic personal information.

349
c.

Identify changes that may be necessary to the licensee’s

350
information system.

351
d.

Mitigate any internal or external threats to nonpublic

352
personal information.

353
e.

Amend the licensee’s information security program for

354
any material changes to the licensee’s business arrangements,

355
including, but not limited to, mergers and acquisitions,

356
alliances and joint ventures, and outsourcing arrangements.

357
(c)1.

As part of a licensee’s information security program,

358
the licensee shall establish a written incident response plan

359
designed to promptly respond to, and recover from, a

360
cybersecurity event that compromises:

361
a.

The confidentiality, integrity, or availability of

362
nonpublic personal information in the licensee’s possession;

363
b.

The licensee’s information system; or

364
c.

The continuing functionality of any aspect of the

365
licensee’s operations.

366
2.

The written incident response plan must address all of

367
the following:

368
a.

The licensee’s internal process for responding to a

369
cybersecurity event.

370
b.

The goals of the licensee’s incident response plan.

371
c.

The assignment of clear roles, responsibilities, and

372
levels of decisionmaking authority for the licensee’s personnel

373
who participate in the incident response plan.

374
d.

External communications, internal communications, and

375
information sharing related to a cybersecurity event.

376
e.

The identification of remediation requirements for

377
weaknesses identified in information systems and associated

378
controls.

379
f.

The documentation and reporting regarding cybersecurity

380
events and related incident response activities.

381
g.

The evaluation and revision of the incident response

382
plan, as appropriate, following a cybersecurity event.

383
h.

The process by which notice must be given as required

384
under subsection (3) and s. 501.171(3) and (4).

385
(d)1.

This section does not apply to a licensee that has

386
fewer than:

387
a.

Twenty individuals on its workforce, including employees

388
and independent contractors; or

389
b.

Five hundred customers during a calendar year.

390
2.

A licensee that no longer qualifies for exemption under

391
subparagraph 1. has 180 calendar days to comply with this

392
section after the date of the disqualification.

393
(e)

Each licensee shall maintain a copy of the information

394
security program for a minimum of 5 years and shall make it

395
available to the office upon request or as part of an

396
examination.

397
(3)

NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee

398
shall provide notice to the office of any breach of security, as

399
defined in s. 501.171, affecting 500 or more individuals in this

400
state at a time and in the manner prescribed by commission rule.

401
(4)

CONSTRUCTION.—This section may not be construed to

402
relieve a covered entity from complying with s. 501.171. To the

403
extent a licensee is a covered entity, as defined in s.

404
501.171(1), the licensee remains subject to s. 501.171.

405
(5)

RULES.—The commission shall adopt rules to administer

406
this section, including rules that allow a licensee that is in

407
compliance with the Federal Trade Commission’s Standards for

408
Safeguarding Customer Information, 16 C.F.R. part 314, to be

409
deemed in compliance with subsection (2).

410 Section 4. Paragraph (z) is added to subsection (1) of
411 section 494.00255, Florida Statutes, to read:
412 494.00255 Administrative penalties and fines; license
413 violations.—
414 (1) Each of the following acts constitutes a ground for
415 which the disciplinary actions specified in subsection (2) may
416 be taken against a person licensed or required to be licensed
417 under part II or part III of this chapter:
418
(z)

Failure to comply with the notification requirements in

419
s. 501.171(3) and (4).

420 Section 5. Present subsections (28) through (36) of section
421 517.021, Florida Statutes, are redesignated as subsections (29)
422 through (37), respectively, a new subsection (28) is added to
423 that section, and subsection (20) of that section is amended, to
424 read:
425 517.021 Definitions.—When used in this chapter, unless the
426 context otherwise indicates, the following terms have the
427 following respective meanings:
428 (20)(a) “Investment adviser” means a person, other than an
429 associated person of an investment adviser or a federal covered
430 adviser, that receives compensation, directly or indirectly, and
431 engages for all or part of the person’s time, directly or
432 indirectly, or through publications or writings, in the business
433 of advising others as to the value of securities or as to the
434 advisability of investments in, purchasing of, or selling of
435 securities.
436 (b) The term does not include any of the following:
437 1. A dealer or an associated person of a dealer whose
438 performance of services in paragraph (a) is solely incidental to
439 the conduct of the dealer’s or associated person’s business as a
440 dealer and who does not receive special compensation for those
441 services.
442 2. A licensed practicing attorney or certified public
443 accountant whose performance of such services is solely
444 incidental to the practice of the attorney’s or accountant’s
445 profession.
446 3. A bank authorized to do business in this state.
447 4. A bank holding company as defined in the Bank Holding
448 Company Act of 1956, as amended, authorized to do business in
449 this state.
450 5. A trust company having trust powers, as defined in s.
451 658.12, which it is authorized to exercise in this state, which
452 trust company renders or performs investment advisory services
453 in a fiduciary capacity incidental to the exercise of its trust
454 powers.
455 6. A person that renders investment advice exclusively to
456 insurance or investment companies.
457 7. A person
:

458
a.

Without a place of business in this state if the person

459
has had

that
, during the preceding 12 months,
has
fewer than six
460 clients who are residents of this state.
461
b.

With a place of business in this state if the person has

462
had, during the preceding 12 months, fewer than six clients who

463
are residents of this state and no clients who are not residents

464
of this state.

465
466 As used in this subparagraph, the term “client” has the same
467 meaning as provided in Securities and Exchange Commission Rule
468
222-2

275.222-2
, 17 C.F.R. s. 275.222-2, as amended.
469 8. A federal covered adviser.
470 9. The United States, a state, or any political subdivision
471 of a state, or any agency, authority, or instrumentality of any
472 such entity; a business entity that is wholly owned directly or
473 indirectly by such a governmental entity; or any officer, agent,
474 or employee of any such governmental or business entity who is
475 acting within the scope of his or her official duties.
476
10.

A family office as defined in Securities and Exchange

477
Commission Rule 202(a)(11)(G)-1(b)

under the Investment Advisers

478
Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b),
as amended.

In

479
determining whether a person meets the definition of a family

480
office under this subparagraph,
the terms “affiliated family

481
office,” “control,” “executive officer,”

“family client,”

482
“family entity,” “family member,” “former family member,”

“key

483
employee,” and “spousal equivalent” have the same meaning as in

484
Securities and Exchange Commission Rule 202(a)(11)(G)-1(d)
under

485
the Investment Advisers Act of 1940,
17 C.F.R. s.

486
275.202(a)(11)(G)-1(d)
, as amended
.

487
(28)

“Place of business” of an investment adviser means an

488
office at which the investment adviser regularly provides

489
investment advisory services to, solicits, meets with, or

490
otherwise communicates with clients; and any other location that

491
is held out to the general public as a location at which the

492
investment adviser provides investment advisory services to,

493
solicits, meets with, or otherwise communicates with clients.

494 Section 6. Paragraph (i) of subsection (9) of section
495 517.061, Florida Statutes, is amended to read:
496 517.061 Exempt transactions.—Except as otherwise provided
497 in subsection (11), the exemptions provided herein from the
498 registration requirements of s. 517.07 are self-executing and do
499 not require any filing with the office before being claimed. Any
500 person who claims entitlement to an exemption under this section
501 bears the burden of proving such entitlement in any proceeding
502 brought under this chapter. The registration provisions of s.
503 517.07 do not apply to any of the following transactions;
504 however, such transactions are subject to s. 517.301:
505 (9) The offer or sale of securities to:
506 (i) A family office as defined in Securities and Exchange
507 Commission Rule
202(a)(11)(G)-1(b
)

202(a)(11)(G)-1
under the
508 Investment Advisers Act of 1940, 17 C.F.R.
s. 275.202(a)(11)(G)

509
1(b)

s. 275.202(a)(11)(G)-1
, as amended, provided that:
510 1. The family office has assets under management in excess
511 of $5 million;
512 2. The family office is not formed for the specific purpose
513 of acquiring the securities offered; and
514 3. The prospective investment of the family office is
515 directed by a person who has knowledge and experience in
516 financial and business matters that the family office is capable
517 of evaluating the merits and risks of the prospective
518 investment.
519
520
In determining whether a person meets the definition of a family

521
office under this paragraph,
the terms “affiliated family

522
office,” “control,” “executive officer,”

“family client,”

523
“family entity,” “family member,” “former family member,”

“key

524
employee,” and “spousal equivalent” have the same meaning as in

525
Securities and Exchange Commission Rule 202(a)(11)(G)-1(d)
under

526
the Investment Advisers Act of 1940,
17 C.F.R. s.

527
275.202(a)(11)(G)-1(d)
, as amended
.

528 Section 7. Paragraph (a) of subsection (1) of section
529 517.201, Florida Statutes, is amended, and paragraph (c) is
530 added to that subsection, to read:
531 517.201 Investigations; examinations; subpoenas; hearings;
532 witnesses.—
533 (1) The office:
534 (a) May make investigations and examinations within or
535 outside of this state as it deems necessary:
536 1. To determine whether a person has violated or is about
537 to violate any provision of this chapter or a rule or order
538 hereunder;
or

539 2. To aid in the enforcement of this chapter
; or

540
3.
In accordance with a memorandum of
agreement
pursuant to

541
s. 415.106(4)(b), to aid the Department of Children and Families

542
with any protective investigations the Department of Children

543
and Families is required to conduct under s. 415.104
.
544
(c)
May c
onsider or use as part of any investigation or

545
examination pursuant to this section the information contained

546
in any suspected financial exploitation report or any records

547
generated as a result of such report which is obtained pursuant

548
to s. 415.106(4)
.

549 Section 8. Paragraphs (b) and (c) of subsection (3) and
550 subsection (6) of section 517.34, Florida Statutes, are amended
551 to read:
552 517.34 Protection of specified adults.—
553 (3) A dealer or investment adviser may delay a disbursement
554 or transaction of funds or securities from an account of a
555 specified adult or an account for which a specified adult is a
556 beneficiary or beneficial owner if all of the following apply:
557 (b) Not later than 3 business days after the date on which
558 the delay was first placed, the dealer or investment adviser
559
complies with all of the following conditions:

560
1.
Notifies in writing all parties authorized to transact
561 business on the account and any trusted contact on the account,
562 using the contact information provided for the account, with the
563 exception of any party the dealer or investment adviser
564 reasonably believes has engaged in, is engaging in, has
565 attempted to engage in, or will attempt to engage in the
566 suspected financial exploitation of the specified adult. The
567 notice, which may be provided electronically, must provide the
568 reason for the delay.
569
2.
Notifies the office of the delay electronically on a

570
form prescribed by commission rule. The form must be consistent

571
with the purposes of this section and must
contain
, but need not

572
be limited to,
the following information:

573
a. The date on which the delay was first placed.

574
b. The name, age, and address, or location
,
if different,

575
of the specified adult.

576
c. The business location of the dealer or investment

577
adviser.

578
d. The name, address, and telephone number and title of the

579
employee who reported suspected financial exploitation of the

580
specified adult.

581
e. The facts and circumstances that caused the employee to

582
report suspected financial exploitation.

583
f. The names, addresses, and telephone numbers of the

584
specified adult’s family members.

585
g. The name, address, and telephone number of each person

586
suspected of engaging in financial exploitation.

587
h. The name, address, and telephone number of the caregiver

588
of the specified adult, if different from the person or persons

589
suspected of engaging in financial exploitation.

590
i. A description of actions taken by the dealer or

591
investment adviser, if any, such as notification to a criminal

592
justice agency.

593
j. Any other information available to the reporting person

594
which may establish the cause of financial exploitation that

595
occurred or is occurring.

596
(c) Not later than 3 business days after the date on which

597
the delay was first placed, the dealer or investment adviser

598
Notifies the office of the delay electronically on a form

599
prescribed by commission rule. The form must be consistent with

600
the purposes of this section and may include only the following

601
information:

602
1. The date on which the notice is submitted to the office.

603
2. The date on which the delay was first placed.

604
3. The following information about the specified adult:

605
a. Gender.

606
b. Age.

607
c. Zip code of residence address.

608
4. The following information about the dealer or investment

609
adviser who placed the delay:

610
a. Name.

611
b. Title.

612
c. Firm name.

613
d. Business address.

614
5. A section with the following questions for which the

615
only allowable responses are “Yes” or “No”:

616
a. Is financial exploitation of a specified adult suspected

617
in connection with a disbursement or transaction?

618
b. Are funds currently at risk of being lost?

619
620
The form must contain substantially the following statement in

621
conspicuous type: “The office may take disciplinary action

622
against any person making a knowing and willful

623
misrepresentation on this form.”

624 (6) A dealer, an investment adviser, or an associated
625 person who in good faith and exercising reasonable care complies
626 with this section is immune from any administrative or civil
627 liability that might otherwise arise from such delay in a
628 disbursement or transaction in accordance with this section.
629 This subsection does not supersede or diminish any immunity
630 granted under chapter 415
, nor does it substitute for the duty

631
to report to the central abuse hotline as required under s.

632
415.1034
.
633 Section 9. Section 520.135, Florida Statutes, is created to
634 read:
635
520.13
5

Surrendered or r
epossessed vehicles
.—
The rights and

636
obligations of parties with respect to a surrendered or

637
repossessed motor vehicle
are
exclusively governed by part VI of

638
chapter 679.

639 Section 10. Subsections (1) and (2) of section 560.114,
640 Florida Statutes, are amended to read:
641 560.114 Disciplinary actions; penalties.—
642 (1) The following actions by a money services business,
an

643 authorized vendor, or
a

affiliated
party
that was affiliated at

644
the time of commission of the actions
constitute grounds for the
645 issuance of a cease and desist order; the issuance of a removal
646 order; the denial, suspension, or revocation of a license; or
647 taking any other action within the authority of the office
648 pursuant to this chapter:
649 (a) Failure to comply with any provision of this chapter or
650 related rule or order, or any written agreement entered into
651 with the office.
652 (b) Fraud, misrepresentation, deceit, or gross negligence
653 in any transaction by a money services business, regardless of
654 reliance thereon by, or damage to, a customer.
655 (c) Fraudulent misrepresentation, circumvention, or
656 concealment of any matter that must be stated or furnished to a
657 customer pursuant to this chapter, regardless of reliance
658 thereon by, or damage to, such customer.
659 (d) False, deceptive, or misleading advertising.
660 (e) Failure to maintain, preserve, keep available for
661 examination, and produce all books, accounts, files, or other
662 documents required by this chapter or related rules or orders,
663 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
664 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
665 or by an agreement entered into with the office.
666 (f) Refusing to allow the examination or inspection of
667 books, accounts, files, or other documents by the office
668 pursuant to this chapter, or to comply with a subpoena issued by
669 the office.
670 (g) Failure to pay a judgment recovered in any court by a
671 claimant in an action arising out of a money transmission
672 transaction within 30 days after the judgment becomes final.
673 (h) Engaging in an act prohibited under s. 560.111 or s.
674 560.1115.
675 (i) Insolvency.
676 (j) Failure by a money services business to remove an
677 affiliated party after the office has issued and served upon the
678 money services business a final order setting forth a finding
679 that the affiliated party has violated a provision of this
680 chapter.
681 (k) Making a material misstatement, misrepresentation, or
682 omission in an application for licensure, any amendment to such
683 application, or application for the appointment of an authorized
684 vendor.
685 (l) Committing any act that results in a license or its
686 equivalent, to practice any profession or occupation being
687 denied, suspended, revoked, or otherwise acted against by a
688 licensing authority in any jurisdiction.
689 (m) Being the subject of final agency action or its
690 equivalent, issued by an appropriate regulator, for engaging in
691 unlicensed activity as a money services business or deferred
692 presentment provider in any jurisdiction.
693 (n) Committing any act resulting in a license or its
694 equivalent to practice any profession or occupation being
695 denied, suspended, revoked, or otherwise acted against by a
696 licensing authority in any jurisdiction for a violation of 18
697 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
698 s. 5324, or any other law or rule of another state or of the
699 United States relating to a money services business, deferred
700 presentment provider, or usury that may cause the denial,
701 suspension, or revocation of a money services business or
702 deferred presentment provider license or its equivalent in such
703 jurisdiction.
704 (o) Having been convicted of, or entered a plea of guilty
705 or nolo contendere to, any felony or crime punishable by
706 imprisonment of 1 year or more under the law of any state or the
707 United States which involves fraud, moral turpitude, or
708 dishonest dealing, regardless of adjudication.
709 (p) Having been convicted of, or entered a plea of guilty
710 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
711 U.S.C.
s. 5318, s. 5322, or
s. 5324, regardless of adjudication.
712 (q) Having been convicted of, or entered a plea of guilty
713 or nolo contendere to, misappropriation, conversion, or unlawful
714 withholding of moneys belonging to others, regardless of
715 adjudication.
716
(r)

Having been convicted of, or entered a plea of guilty

717
or nolo contendere to, a violation of 31 C.F.R. chapter X, part

718
1022, regardless of adjudication.

719
(s)
(r)
Failure to inform the office in writing within 30
720 days after having pled guilty or nolo contendere to, or being
721 convicted of, any felony or crime punishable by imprisonment of
722 1 year or more under the law of any state or the United States,
723 or any crime involving fraud, moral turpitude, or dishonest
724 dealing.
725
(t)
(s)
Aiding, assisting, procuring, advising, or abetting
726 any person in violating a provision of this chapter or any order
727 or rule of the office or commission.
728
(u)
(t)
Failure to pay any fee, charge, or cost imposed or
729 assessed under this chapter.
730
(v)
(u)
Failing to pay a fine assessed by the office within
731 30 days after the due date as stated in a final order.
732
(w)
(v)
Failure to pay any judgment entered by any court
733 within 30 days after the judgment becomes final.
734
(x)
(w)
Engaging or advertising engagement in the business
735 of a money services business or deferred presentment provider
736 without a license, unless exempted from licensure.
737
(y)
(x)
Payment to the office for a license or other fee,
738 charge, cost, or fine with a check or electronic transmission of
739 funds that is dishonored by the applicant’s or licensee’s
740 financial institution.
741
(z)
(y)
Violations of 31 C.F.R. ss. 1010.306, 1010.311,
742 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
743 1022.380, and 1022.410, and United States Treasury Interpretive
744 Release 2004-1.
745
(aa)
(z)
Any practice or conduct that creates the likelihood
746 of a material loss, insolvency, or dissipation of assets of a
747 money services business or otherwise materially prejudices the
748 interests of its customers.
749
(bb)
(aa)
Failure of a check casher to maintain a federally
750 insured depository account as required by s. 560.309.
751
(cc)
(bb)
Failure of a check casher to deposit into its own
752 federally insured depository account any payment instrument
753 cashed as required by s. 560.309.
754
(dd)
(cc)
Violating any provision of the Military Lending
755 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
756 in 32 C.F.R. part 232, in connection with a deferred presentment
757 transaction conducted under part IV of this chapter.
758
(ee)

Failure to comply with the notification requirements

759
in s. 501.171(3) and (4).

760 (2)
Pursuant to s. 120.60(6),
The office
shall issue an

761
emergency suspension order suspending

may summarily suspend
the
762 license of a money services business if the office finds that a
763 licensee poses
a danger deemed by the Legislature to be

an

764 immediate
and
,
serious
danger
to the public health, safety, and
765 welfare.
A proceeding in which the office seeks the issuance of

766
a final order for the summary suspension of a licensee shall be

767
conducted by the commissioner of the office, or his or her

768
designee, who shall issue such order.

769
(a) An emergency suspension order under this subsection may

770
be issued without prior notice and an opportunity to be heard.

771
An emergency suspension order must:

772
1. State the grounds on which the order is based;

773
2. Advise the licensee against whom the order is directed

774
that the order takes effect immediately and, to the extent

775
applicable, requires the licensee to immediately cease and

776
desist from the conduct or violation that is the subject of the

777
order or to take the affirmative action stated in the order as

778
necessary to correct a condition resulting from the conduct or

779
violation or as otherwise appropriate;

780
3. Be delivered by personal delivery or sent by certified

781
mail, return receipt requested, to the licensee against whom the

782
order is directed at the licensee’s last known address; and

783
4. Include a notice that the licensee subject to the

784
emergency suspension order may seek judicial review pursuant to

785
s. 120.68.

786
(b) An emergency suspension order is effective as soon as

787
the licensee against whom the order is directed has actual or

788
constructive knowledge of the issuance of the order.

789
(c) The office shall institute timely proceedings under ss.

790
120.569 and 120.57 after issuance of an emergency suspension

791
order.

792
(d) A licensee subject to an emergency suspension order may

793
seek judicial review pursuant to s. 120.68.

794
(e)
The following acts are deemed
by the Legislature
to
795 constitute an immediate and serious danger to the public health,
796 safety, and welfare, and the office
shall

may
immediately
issue

797
an emergency suspension order to
suspend the license of a money
798 services business if:
799
1.
(a)
The money services business fails to provide to the
800 office, upon written request, any of the records required by s.
801 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
802 adopted under those sections. The suspension may be rescinded if
803 the licensee submits the requested records to the office.
804
2.
(b)
The money services business fails to maintain a
805 federally insured depository account as required by
s.

806
560.208(4) or
s. 560.309.
807
3.
(c)
A natural person required to be listed on the license
808 application for a money services business pursuant to s.
809 560.141(1)(a)3. is criminally charged with, or arrested for, a
810 crime described in paragraph (1)(o), paragraph (1)(p), or
811 paragraph(1)(q).
812 Section 11. Section 560.1311, Florida Statutes, is created
813 to read:
814
560.1311

Information security programs.—

815
(1)

DEFINITIONS.—As used in this section, the term:

816
(a)

“Customer” means a person who seeks to obtain or who

817
obtains or has obtained a financial product or service from a

818
licensee.

819
(b)

“Customer information” means any record containing

820
nonpublic personal information about a customer of a financial

821
transaction, whether on paper, electronic, or in other forms,

822
which is handled or maintained by or on behalf of the licensee

823
or its affiliates.

824
(c)

“Cybersecurity event” means an event resulting in

825
unauthorized access to, or disruption or misuse of, an

826
information system or customer information stored on such

827
information system.
The term does not include the unauthorized

828
acquisition of encrypted customer information if the encryption

829
process or key is not also acquired, released
,
or used without

830
authorization.
T
he term does not include an event with regard to

831
which the licensee has determined that the customer information

832
accessed by an unauthorized person has not been used or released

833
and has been returned or destroyed.

834
(d)

“Encrypted” means the transformation of data into a

835
form
that
results in a low probability of assigning meaning

836
without the use of a protective process or key.

837
(e)

“Financial product or service” means any product or

838
service offered by a licensee under this chapter.

839
(f)

“Information security program” means the

840
administrative, technical, or physical safeguards used to

841
access, collect, distribute, process, protect, store, use,

842
transmit, dispose of, or otherwise handle customer information.

843
(g)

“Information system” means a discrete set of electronic

844
information resources organized for the collection, processing,

845
maintenance, use, sharing, dissemination, or disposition of

846
electronic information, as well as any specialized system such

847
as an industrial process control system, telephone switching and

848
private branch exchange system, or environmental control system,

849
which contain customer information or which are connected to a

850
system that contains customer information.

851
(h)1.

“Nonpublic personal information” means:

852
a.

Personally identifiable financial information; and

853
b.

Any list, description, or other grouping of customers

854
which is derived using any personally identifiable financial

855
information that is not publicly available, such as account

856
numbers, including any list of individuals’ names and street

857
addresses which is derived, in whole or in part, using

858
personally identifiable financial information that is not

859
publicly available.

860
2.

The term does not include:

861
a.

Publicly available information, except as included on a

862
list, description, or other grouping of customers described in

863
sub-subparagraph 1.b.;

864
b.

Any list, description, or other grouping of consumers,

865
or any publicly available information pertaining to such list,

866
description, or other grouping of consumers, which is derived

867
without using any personally identifiable financial information

868
that is not publicly available; or

869
c.

Any list of individuals’ names and addresses which

870
contains only publicly available information, is not derived, in

871
whole or in part, using personally identifiable financial

872
information that is not publicly available, and is not disclosed

873
in a manner that indicates that any of the individuals on the

874
list is a customer of a licensee.

875
3.

As used in this paragraph, the term:

876
a.(I)

“Personally identifiable financial information” means

877
any information that:

878
(A)

A customer provides to a licensee to obtain a financial

879
product or service, such as information that a customer provides

880
to a licensee on an application to obtain a loan or other

881
financial product or service;

882
(B)

A licensee receives about a consumer which is obtained

883
during or as a result of any transaction involving a financial

884
product or service between the licensee and the customer, such

885
as information collected through an information-collecting

886
device from a web server; or

887
(C)

A licensee otherwise obtains about a customer in

888
connection with providing a financial product or service to the

889
customer, such as the fact that an individual is or has been one

890
of the licensee’s customers or has obtained a financial product

891
or service from the licensee.

892
(II)

The term “personally identifiable financial

893
information” does not include:

894
(A)

A list of names and addresses of customers of an entity

895
that is not a financial institution; or

896
(B)

Information that does not identify a customer, such as

897
blind data or aggregate information that does not contain

898
personal identifiers such as account numbers, names, or

899
addresses.

900
b.(I)

“Publicly available information” means any

901
information that a licensee has a reasonable basis to believe is

902
lawfully made available to the general public from:

903
(A)

Federal, state, or local government records, such as

904
government real estate records or security interest filings;

905
(B)

Widely distributed media, such as information from a

906
telephone records repository or directory, a television or radio

907
program, a newspaper, a social media platform, or a website that

908
is available to the general public on an unrestricted basis. A

909
website is not restricted merely because an Internet service

910
provider or a site operator requires a fee or a password, so

911
long as access is available to the general public; or

912
(C)

Disclosures to the general public which are required to

913
be made by federal, state, or local law.

914
(II)

As used in this sub-subparagraph, the term “reasonable

915
basis to believe is lawfully made available to the general

916
public” relating to any information means that the person has

917
taken steps to determine:

918
(A)

That the information is of the type that is available

919
to the general public, such as information included on the

920
public record in the jurisdiction where a mortgage would be

921
recorded; and

922
(B)

Whether an individual can direct that the information

923
not be made available to the general public and, if so, the

924
customer to whom the information relates has not done so, such

925
as when a telephone number is listed in a telephone directory

926
and the customer has informed the licensee that the telephone

927
number is not unlisted.

928
(i)

“Third-party service provider” means a person, other

929
than a licensee, which contracts with a licensee to maintain,

930
process, or store nonpublic personal information, or is

931
otherwise permitted access to nonpublic personal information

932
through its provision of services to a licensee.

933
(2)

INFORMATION SECURITY PROGRAM.—

934
(a)

Each licensee shall develop, implement, and maintain a

935
comprehensive written information security program that contains

936
administrative, technical, and physical safeguards for the

937
protection of the licensee’s information system and nonpublic

938
personal information.

939
(b)

Each licensee shall ensure that the information

940
security program meets all of the following criteria:

941
1.

Be commensurate with the following measures:

942
a.

Size and complexity of the licensee.

943
b.

Nature and scope of the licensee’s activities, including

944
the licensee’s use of third-party service providers.

945
c.

Sensitivity of nonpublic personal information that is

946
used by the licensee or that is in the licensee’s possession,

947
custody, or control.

948
2.

Be designed to do all of the following:

949
a.

Protect the security and confidentiality of nonpublic

950
personal information and the security of the licensee’s

951
information system.

952
b.

Protect against threats or hazards to the security or

953
integrity of nonpublic personal information and the licensee’s

954
information system.

955
c.

Protect against unauthorized access to or the use of

956
nonpublic personal information and minimize the likelihood of

957
harm to any customer.

958
3.

Define and periodically reevaluate the retention

959
schedule and the mechanism for the destruction of nonpublic

960
personal information if retention is no longer necessary for the

961
licensee’s business operations or is no longer required by

962
applicable law.

963
4.

Regularly test and monitor systems and procedures for

964
the detection of actual and attempted attacks on, or intrusions

965
into, the licensee’s information system.

966
5.

Be monitored, evaluated, and adjusted, as necessary, to

967
meet all of the following requirements:

968
a.

Determine whether the licensee’s information security

969
program is consistent with relevant changes in technology.

970
b.

Confirm the licensee’s information security program

971
accounts for the sensitivity of nonpublic personal information.

972
c.

Identify changes that may be necessary to the licensee’s

973
information system.

974
d.

Mitigate any internal or external threats to nonpublic

975
personal information.

976
e.

Amend the licensee’s information security program for

977
any material changes to the licensee’s business arrangements,

978
including, but not limited to, mergers and acquisitions,

979
alliances and joint ventures, and outsourcing arrangements.

980
(c)1.

As part of a licensee’s information security program,

981
the licensee shall establish a written incident response plan

982
designed to promptly respond to, and recover from, a

983
cybersecurity event that compromises:

984
a.

The confidentiality, integrity, or availability of

985
nonpublic personal information in the licensee’s possession;

986
b.

The licensee’s information system; or

987
c.

The continuing functionality of any aspect of the

988
licensee’s operations.

989
2.

The written incident response plan must address all of

990
the following:

991
a.

The licensee’s internal process for responding to a

992
cybersecurity event.

993
b.

The goals of the licensee’s incident response plan.

994
c.

The assignment of clear roles, responsibilities, and

995
levels of decisionmaking authority for the licensee’s personnel

996
who participate in the incident response plan.

997
d.

External communications, internal communications, and

998
information sharing related to a cybersecurity event.

999
e.

The identification of remediation requirements for

1000
weaknesses identified in information systems and associated

1001
controls.

1002
f.

The documentation and reporting regarding cybersecurity

1003
events and related incident response activities.

1004
g.

The evaluation and revision of the incident response

1005
plan, as appropriate, following a cybersecurity event.

1006
h.

The process by which notice must be given as required

1007
under subsection (3) and s. 501.171(3) and (4).

1008
(d)1.

This section does not apply to a licensee that has

1009
fewer than:

1010
a.

Twenty individuals on its workforce, including employees

1011
and independent contractors; or

1012
b.

Five hundred customers during a calendar year.

1013
2.

A licensee that no longer qualifies for exemption under

1014
subparagraph 1. has 180 calendar days to comply with this

1015
section after the date of the disqualification.

1016
(e)

Each licensee shall maintain a copy of the information

1017
security program for a minimum of 5 years and shall make it

1018
available to the office upon request or as part of an

1019
examination.

1020
(3)

NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee

1021
shall provide notice to the office of any breach of security, as

1022
defined in s. 501.171(1), affecting 500 or more individuals in

1023
this state at a time and in the manner prescribed by commission

1024
rule.

1025
(4)

CONSTRUCTION.—This section may not be construed to

1026
relieve a covered entity from complying with s. 501.171. To the

1027
extent a licensee is a covered entity, as defined in s.

1028
501.171(1), the licensee remains subject to s. 501.171.

1029
(5)

RULES.—The commission shall adopt rules to administer

1030
this section, including rules that allow a licensee that is in

1031
compliance with the Federal Trade Commission’s Standards for

1032
Safeguarding Customer Information, 16 C.F.R. part 314, to be

1033
deemed in compliance with subsection (2).

1034 Section 12. Subsection (10) of section 560.309, Florida
1035 Statutes, is amended to read:
1036 560.309 Conduct of business.—
1037 (10) If a check is returned to a licensee from a payor
1038 financial institution due to lack of funds, a closed account, or
1039 a stop-payment order, the licensee may seek collection pursuant
1040 to s. 68.065. In seeking collection, the licensee must comply
1041 with the prohibitions against harassment or abuse, false or
1042 misleading representations, and unfair practices in the
Florida

1043
Consumer Collection Practices Act under part VI of chapter 559,

1044
including s. 559.77. The licensee must also comply with the
Fair
1045 Debt Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and
1046 1692f
if the licensee uses a third-party debt collector or any

1047
name other than its own to collect such debts
. A violation of
1048 this subsection is a deceptive and unfair trade practice and
1049 constitutes a violation of the Deceptive and Unfair Trade
1050 Practices Act under part II of chapter 501.
In addition, a

1051
licensee must comply with the applicable provisions of the

1052
Consumer Collection Practices Act under part VI of chapter 559,

1053
including s. 559.77.

1054 Section 13. Subsection (3) of section 560.405, Florida
1055 Statutes, is amended to read:
1056 560.405 Deposit; redemption.—
1057 (3) Notwithstanding subsection (1), in lieu of presentment,
1058 a deferred presentment provider may allow the check to be
1059 redeemed at any time upon payment of the outstanding transaction
1060 balance and earned fees.
A redemption transacted using a debit

1061
card shall be treated the same as a redemption transacted using

1062
cash
.
However, payment may not be made in the form of a personal
1063 check
or through a credit card transaction
. Upon redemption, the
1064 deferred presentment provider must return the drawer’s check and
1065 provide a signed, dated receipt showing that the drawer’s check
1066 has been redeemed.
1067 Section 14. Subsection (2) of section 560.406, Florida
1068 Statutes, is amended to read:
1069 560.406 Worthless checks.—
1070 (2) If a check is returned to a deferred presentment
1071 provider from a payor financial institution due to insufficient
1072 funds, a closed account, or a stop-payment order, the deferred
1073 presentment provider may pursue all legally available civil
1074 remedies to collect the check, including, but not limited to,
1075 the imposition of all charges imposed on the deferred
1076 presentment provider by the financial institution. In its
1077 collection practices, a deferred presentment provider must
1078 comply with the prohibitions against harassment or abuse, false
1079 or misleading representations, and unfair practices that are
1080 contained in the
Florida Consumer Collection Practices Act under

1081
part VI of chapter 559, including s. 559.77. A deferred

1082
presentment provider must also comply with the
Fair Debt
1083 Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and 1692f
1084
if the deferred presentment provider uses a third-party debt

1085
collector or any name other than its own to collect such debts
.
1086 A violation of this act is a deceptive and unfair trade practice
1087 and constitutes a violation of the Deceptive and Unfair Trade
1088 Practices Act under part II of chapter 501.
In addition, a

1089
deferred presentment provider must comply with the applicable

1090
provisions of the Consumer Collection Practices Act under part

1091
VI of chapter 559, including s. 559.77.

1092 Section 15. Section 655.0171, Florida Statutes, is created
1093 to read:
1094
655.0171

Requirements for customer data security and for

1095
notices of security breaches.—

1096
(1)

DEFINITIONS.—As used in this section, the term:

1097
(a)

“Breach of security” or “breach” means unauthorized

1098
access of data in electronic form containing personal

1099
information. Good faith access of personal information by an

1100
employee or agent of a financial institution does not constitute

1101
a breach of security, provided that the information is not used

1102
for a purpose unrelated to the business or subject to further

1103
unauthorized use. As used in this paragraph, the term “data in

1104
electronic form” means any data stored electronically or

1105
digitally on any computer system or other database and includes

1106
recordable tapes and other mass storage devices.

1107
(b)

“Department” means the Department of Legal Affairs.

1108
(c)1.

“Personal information” means:

1109
a.

An individual’s first name, or first initial, and last

1110
name, in combination with any of the following data elements for

1111
that individual:

1112
(I)

A social security number;

1113
(II)

A driver license or identification card number,

1114
passport number, military identification number, or other

1115
similar number issued on a government document used to verify

1116
identity;

1117
(III)

A financial account number or credit or debit card

1118
number, in combination with any required security code, access

1119
code, or password that is necessary to permit access to the

1120
individual’s financial account;

1121
(IV)

The individual’s biometric data as defined in s.

1122
501.702; or

1123
(V)

Any information regarding the individual’s geolocation;

1124
or

1125
b.

A username or e-mail address, in combination with a

1126
password or security question and answer that would permit

1127
access to an online account.

1128
2.

The term does not include information about an

1129
individual which has been made publicly available by a federal,

1130
state, or local governmental entity. The term also does not

1131
include information that is encrypted, secured, or modified by

1132
any other method or technology that removes elements that

1133
personally identify an individual or that otherwise renders the

1134
information unusable.

1135
(2)

REQUIREMENTS FOR DATA SECURITY.—Each financial

1136
institution shall take reasonable measures to protect and secure

1137
data that are in electronic form and that contain personal

1138
information.

1139
(3)

NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—

1140
(a)1.

Each financial institution shall provide notice to

1141
the office of any breach of security affecting 500 or more

1142
individuals in this state. Such notice must be provided to the

1143
office as expeditiously as practicable, but no later than 30

1144
days after the determination of the breach or the determination

1145
of a reason to believe that a breach has occurred.

1146
2.

The written notice to the office must include the items

1147
required under s. 501.171(3)(b).

1148
3.

A financial institution must provide the following

1149
information to the office upon its request:

1150
a.

A police report, incident report, or computer forensics

1151
report.

1152
b.

A copy of the policies in place regarding breaches.

1153
c. Steps that have been taken to rectify the breach.

1154
4.

A financial institution may provide the office with

1155
supplemental information regarding a breach at any time.

1156
(b)

Each financial institution shall provide notice to the

1157
department of any breach of security affecting 500 or more

1158
individuals in this state. Such notice must be provided to the

1159
department in accordance with s. 501.171.

1160
(4)

NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each

1161
financial institution shall give notice to each individual in

1162
this state whose personal information was, or the financial

1163
institution reasonably believes to have been, accessed as a

1164
result of the breach, in accordance with s. 501.171(4). The

1165
notice must be provided no later than 30 days after the

1166
determination of the breach or the determination of a reason to

1167
believe that a breach has occurred. A financial institution may

1168
receive 15 additional days to provide notice to individuals of a

1169
security breach as required in this subsection if good cause for

1170
delay is provided in writing to the office within 30 days after

1171
determination of the breach or determination of the reason to

1172
believe that a breach has occurred.

1173
(5)

NOTICE TO CREDIT REPORTING AGENCIES.—If a financial

1174
institution discovers circumstances requiring notice pursuant to

1175
this section of more than 1,000 individuals at a single time,

1176
the financial institution shall also notify, without

1177
unreasonable delay, all consumer reporting agencies that compile

1178
and maintain files on consumers on a nationwide basis, as

1179
defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),

1180
of the timing, distribution, and content of the notices.

1181 Section 16. Present subsections (3), (4), and (5) of
1182 section 655.032, Florida Statutes, are redesignated as
1183 subsections (4), (5), and (6), respectively, and a new
1184 subsection (3) is added to that section, to read:
1185 655.032 Investigations, subpoenas, hearings, and
1186 witnesses.—
1187
(3)
The
office
may consider or use

as part of any

1188
investigation
or other action
pursuant to this section
the

1189
information
contained
in any
suspected financial exploitation

1190
report or any record
s
generated as a result of such report
which

1191
is
obtained pursuant to s. 415.106(4).

1192 Section 17. Present paragraphs (c) through (f) of
1193 subsection (1) of section 655.045, Florida Statutes, are
1194 redesignated as paragraphs (d) through (g), respectively, a new
1195 paragraph (c) is added to that subsection, and present paragraph
1196 (d) of that subsection is amended, to read:
1197 655.045 Examinations, reports, and internal audits;
1198 penalty.—
1199 (1) The office shall conduct an examination of the
1200 condition of each state financial institution at least every 18
1201 months. The office may conduct more frequent examinations based
1202 upon the risk profile of the financial institution, prior
1203 examination results, or significant changes in the institution
1204 or its operations. The office may use continuous, phase, or
1205 other flexible scheduling examination methods for very large or
1206 complex state financial institutions and financial institutions
1207 owned or controlled by a multi-financial institution holding
1208 company. The office shall consider examination guidelines from
1209 federal regulatory agencies in order to facilitate, coordinate,
1210 and standardize examination processes.
1211
(c) The office may consider or use
as part of any

1212
examination
or other action
conducted pursuant to this section

1213
the information
contained
in any
suspected financial

1214
exploitation
report or any record
s
generated as a result of such

1215
report
which is
obtained pursuant to s. 415.106(4).

1216
(e)
(d)
As used in this section, the term “costs” means the
1217 salary and travel expenses directly attributable to the field
1218 staff examining the state financial institution, subsidiary, or
1219 service corporation, and the travel expenses of any supervisory
1220 staff required as a result of examination findings. The mailing
1221 of any costs incurred under this subsection must be postmarked
1222 within
45

30
days after the date of receipt of a notice stating
1223 that such costs are due. The office may levy a late payment of
1224 up to $100 per day or part thereof that a payment is overdue,
1225 unless excused for good cause. However, for intentional late
1226 payment of costs, the office may levy an administrative fine of
1227 up to $1,000 per day for each day the payment is overdue.
1228 Section 18. Subsection (2) of section 657.005, Florida
1229 Statutes, is amended to read:
1230 657.005 Application for authority to organize a credit
1231 union; investigation.—
1232 (2) Any five or more
individuals, a majority of whom are

1233 residents of this state
and all of whom

who
represent a limited
1234 field of membership
,
may apply to the office for permission to
1235 organize a credit union. The fact that individuals within the
1236 proposed limited field of membership have credit union services
1237 available to them through another limited field of membership
1238 shall not preclude the granting of a certificate of
1239 authorization to engage in the business of a credit union.
1240 Section 19. Subsection (1) of section 657.024, Florida
1241 Statutes, is amended to read:
1242 657.024 Membership meetings.—
1243 (1) The members shall receive timely notice of the annual
1244 meeting and any special meetings of the members, which shall be
1245 held at the time, place, and in the manner provided in the
1246 bylaws.
The annual meeting and any special meetings of the

1247
members may be held virtually without an in-person quorum
,
and

1248
virtual attend
ance may satisfy q
uorum requirement
s
,
subject to

1249
the bylaws.

1250 Section 20. Paragraph (b) of subsection (3) and present
1251 subsection (5) of section 657.042, Florida Statutes, are amended
1252 to read:
1253 657.042 Investment powers and limitations.—A credit union
1254 may invest its funds subject to the following definitions,
1255 restrictions, and limitations:
1256 (3) INVESTMENT SUBJECT TO LIMITATION OF TWO PERCENT OF
1257 CAPITAL OF THE CREDIT UNION.—
1258 (b) Commercial paper and bonds of any corporation within
1259 the United States which have a fixed maturity, as provided in
1260 subsection
(6)

(7)
, except that the total investment in all such
1261 paper and bonds may not exceed 10 percent of the capital of the
1262 credit union.
1263
(5)

INVESTMENTS IN REAL ESTATE AND EQUIPMENT FOR THE CREDIT

1264
UNION.—

1265
(a)

Up to 5 percent of the capital of the credit union may

1266
be invested in real estate and improvements thereon, furniture,

1267
fixtures, and equipment utilized or to be utilized by the credit

1268
union for the transaction of business.

1269
(b)

The limitations provided by this subsection may be

1270
exceeded with the prior written approval of the office. The

1271
office shall grant such approval if it is satisfied that:

1272
1.

The proposed investment is necessary.

1273
2.

The amount thereof is commensurate with the size and

1274
needs of the credit union.

1275
3.

The investment will be beneficial to the members.

1276
4.

A reasonable plan is developed to reduce the investment

1277
to statutory limits.

1278 Section 21. Paragraphs (b) and (c) of subsection (4) of
1279 section 658.21, Florida Statutes, are amended to read:
1280 658.21 Approval of application; findings required.—The
1281 office shall approve the application if it finds that:
1282 (4)
1283 (b) At least two of the proposed directors who are not also
1284 proposed officers must have had
within the 10 years before the

1285
date of the application
at least 1 year of direct experience as
1286 an executive officer, regulator, or director of a financial
1287 institution
as specified in the application

within the 5 years

1288
before the date of the application
.
However, if the applicant

1289
demonstrates that at least one of the proposed directors has

1290
very substantial experience as an executive officer, director,

1291
or regulator of a financial institution more than 5 years before

1292
the date of the application, the office may modify the

1293
requirement and allow the applicant to have only one director

1294
who has direct financial institution experience within the last

1295
5 years.

1296 (c) The proposed president or chief executive officer must
1297 have had at least 1 year of direct experience as an executive
1298 officer, director, or regulator of a financial institution
1299 within the last
10

5
years.
In making a decision,
the office
1300
must also consider

may waive this requirement after considering
:
1301 1. The adequacy of the overall experience and expertise of
1302 the proposed president or chief executive officer;
1303 2. The likelihood of successful operation of the proposed
1304 state bank or trust company pursuant to subsection (1);
1305 3. The adequacy of the proposed capitalization under
1306 subsection (2);
1307 4. The proposed capital structure under subsection (3);
1308 5. The experience of the other proposed officers and
1309 directors; and
1310 6. Any other relevant data or information.
1311 Section 22. Subsection (2) of section 658.33, Florida
1312 Statutes, is amended to read:
1313 658.33 Directors, number, qualifications; officers.—
1314 (2) Not less than a majority of the directors must, during
1315 their whole term of service, be citizens of the United States,
1316 and at least a majority of the directors must have resided in
1317 this state for at least 1 year preceding their election and must
1318 be residents therein during their continuance in office. In the
1319 case of a bank or trust company with total assets of less than
1320 $150 million, at least one, and in the case of a bank or trust
1321 company with total assets of $150 million or more, two of the
1322 directors who are not also officers of the bank or trust company
1323 must have had at least 1 year of direct experience as an
1324 executive officer, regulator, or director of a financial
1325 institution within the last
10

5
years.
1326 Section 23. Subsection (4) of section 662.141, Florida
1327 Statutes, is amended to read:
1328 662.141 Examination, investigations, and fees.—The office
1329 may conduct an examination or investigation of a licensed family
1330 trust company at any time it deems necessary to determine
1331 whether the licensed family trust company or licensed family
1332 trust company-affiliated party thereof has violated or is about
1333 to violate any provision of this chapter, any applicable
1334 provision of the financial institutions codes, or any rule
1335 adopted by the commission pursuant to this chapter or the codes.
1336 The office may conduct an examination or investigation of a
1337 family trust company or foreign licensed family trust company at
1338 any time it deems necessary to determine whether the family
1339 trust company or foreign licensed family trust company has
1340 engaged in any act prohibited under s. 662.131 or s. 662.134
1341 and, if a family trust company or a foreign licensed family
1342 trust company has engaged in such act, to determine whether any
1343 applicable provision of the financial institutions codes has
1344 been violated.
1345 (4) For each examination of the books and records of a
1346 family trust company, licensed family trust company, or foreign
1347 licensed family trust company as authorized under this chapter,
1348 the trust company shall pay a fee for the costs of the
1349 examination by the office. As used in this section, the term
1350 “costs” means the salary and travel expenses of field staff
1351 which are directly attributable to the examination of the trust
1352 company and the travel expenses of any supervisory and support
1353 staff required as a result of examination findings. The mailing
1354 of payment for costs incurred must be postmarked within
45

30

1355 days after the receipt of a notice stating that the costs are
1356 due. The office may levy a late payment of up to $100 per day or
1357 part thereof that a payment is overdue unless waived for good
1358 cause. However, if the late payment of costs is intentional, the
1359 office may levy an administrative fine of up to $1,000 per day
1360 for each day the payment is overdue.
1361 Section 24. Subsection (21) of section 517.12, Florida
1362 Statutes, is amended to read:
1363 517.12 Registration of dealers, associated persons,
1364 intermediaries, and investment advisers.—
1365 (21) The registration requirements of this section do not
1366 apply to any general lines insurance agent or life insurance
1367 agent licensed under chapter 626, with regard to the sale of a
1368 security as defined in
s. 517.021(34)(g)

s. 517.021(33)(g)
, if
1369 the individual is directly authorized by the issuer to offer or
1370 sell the security on behalf of the issuer and the issuer is a
1371 federally chartered savings bank subject to regulation by the
1372 Federal Deposit Insurance Corporation. Actions under this
1373 subsection constitute activity under the insurance agent’s
1374 license for purposes of ss. 626.611 and 626.621.
1375 Section 25. This act shall take effect July 1, 2026.