Florida Senate - 2010                                     SB 586 
 
By Senator Fasano 
11-00473A-10                                           2010586__ 
1                        A bill to be entitled 
2         An act relating to data destruction; providing 
3         definitions; requiring all public agencies and private 
4         entities that collect personal information to adhere 
5         to the procedures provided in the National Institute 
6         of Standards and Technology “Guidelines for Media 
7         Sanitization” when destroying such information; 
8         requiring such agencies and entities to maintain a 
9         copy of the guidelines; requiring all state agencies 
10         to submit a sampling of sanitized media to a third 
11         party vendor for verification of data destruction; 
12         requiring the Department of Management Services to 
13         adopt rules; providing an effective date. 
14 
15  Be It Enacted by the Legislature of the State of Florida: 
16 
17         Section 1. Media sanitization.— 
18         (1) As used in this section, the term: 
19         (a) “Media” means: 
20         1. Hard copy information, which is the physical 
21  representation of information, including, but not limited to, 
22  paper printouts, printer and facsimile ribbons, drums, and 
23  platens; and 
24         2. Electronic information, which is the bits and bytes 
25  contained in hard drives, random-access memory, read-only 
26  memory, optical disc storage media, memory devices, telephones, 
27  mobile computing devices, networking equipment, and other types 
28  of information storage equipment. 
29         (b) “Sanitization” or “sanitized” means the process of 
30  removing data from media such that the data may not be retrieved 
31  or reconstructed. 
32         (2) All agencies, as defined in s. 119.011, Florida 
33  Statutes, and all private corporations, business trusts, 
34  partnerships, limited liability companies, associations, joint 
35  ventures, estates, trusts, or any other legal or commercial 
36  entities, for profit or not for profit, located in or doing 
37  business in this state, which collect any information that is 
38  deemed secret, private, personal, or confidential in nature; 
39  contains identifying information, including names, personal or 
40  business addresses, social security numbers, credit or debit 
41  card numbers, bank account numbers, telephone numbers, or 
42  photographs that are recorded on media; and is subject to 
43  sanitization or meets the criteria for destruction as set forth 
44  in the “Guidelines for Media Sanitization: Recommendation of the 
45  National Institute of Standards and Technology,” NIST Special 
46  Publication 800-88, must use the purge or physical destruction 
47  techniques for media destruction described in that document. 
48         (3) All state agencies and private entities subject to 
49  subsection (2) must keep a copy of the Guidelines for Media 
50  Sanitization available for use. An electronic copy of the 
51  document must be kept on the computer desktop of the chief 
52  information officer, security officer, records management 
53  officer, or other person responsible for the sanitization of the 
54  personal or private data at the agency or entity. 
55         (4) All state agencies must submit a sampling of sanitized 
56  electronic media to a third-party vendor without a stake in the 
57  sanitization process for verification of data destruction. The 
58  Department of Management Services shall adopt by rule criteria 
59  for the selection of such vendor and procedures for the 
60  submission and return of such samples. 
61         Section 2. This act shall take effect July 1, 2010.