a. A schedule indicating how often the data owner will review requests.
b. Assessment criteria for the approval or rejection of requests.
c. Documentation of the rationale for the rejection of a request.
d. Notice of the rejection to the requesting entity.
3. Establish and ensure compliance with internal policies and with any relevant regulatory requirements on the sharing of sensitive information with another legal entity.
4. Establish and ensure compliance with internal policies and procedures that reflect best practices of data handling on all of the following subjects:
a. Identity and access management controls, including limiting the access to any data subject to a data agreement.
b. Data retention and data destruction.
c. The periodic review of new and changing business and regulatory requirements that may impact data sharing.
5. Establish and ensure compliance with internal policies and procedures regarding the handling of data agreement breaches; security incidents, in compliance with s. 134.98; and related disputes.
(b) A data custodian that provides storage for sensitive information shall do all of the following:
1. Provide a secure environment for the storage of a data owner’s data. The environment shall be designed and configured in a manner that reflects best practices of data security on subjects including all of the following:
a. Identity and access management controls, including limiting the access to any data subject to a data agreement.
b. Role-based permissions, including limiting the access to data subject to a data agreement to only authorized users.
c. Data encryption at rest and in transit.
d. Cyber security monitoring and threat detection.
e. Recovery capabilities in the event of a disaster, such as fail-over, backup, and restore capabilities.
2. Establish and ensure compliance with internal policies and procedures that reflect best practices on all of the following subjects:
a. Data access control.
b. Data retention and data destruction.
c. Auditing capabilities and the performance of audits.
d. The periodic review of new and changing business and regulatory requirements that may impact data solution organization.
e. Any other requirements established in a data agreement.
3. Establish and ensure compliance with internal policies and procedures related to security incidents that include all of the following:
a. A description of the severity levels by which security incidents are classified with descriptions and relevant examples for each severity classification.
b. The number of hours after a security incident is detected when a data custodian must notify the data owner and data steward of the incident and the timing of subsequent updates, based on the nature or severity of the incident.
c. A policy and process to designate a specific member of the data custodian’s team to provide security incident communications to the data owner and data steward.
d. A policy to inform the data owner and data steward of the time the incident occurred, if known; the time the incident was detected; the nature of the incident, including which data sets were known to have been impacted; the severity of the incident; the remediation steps that have been or will be taken; the estimated timeline to resolve the incident; and a way for the data owner or data steward to contact the data custodian to seek further information about the incident.
e. A policy to provide a follow-up notification after the resolution of an incident that includes the time the incident was resolved, the nature of the resolution, any changes to the data custodian’s systems or protocols to prevent subsequent incidents, and any recommended changes to the data owner’s or data steward’s systems protocols to prevent subsequent incidents.
f. A record retention policy that requires the data custodian to maintain records detailing its response to security incidents for a reasonable time after the resolution of the security incident.
4. Establish and ensure compliance with internal policies and procedures related to auditing capabilities that require the data custodian to perform an audit of its systems at the request of the data owner.
(c) A data steward that uses or facilitates the use of sensitive information shall do all of the following:
1. Establish and ensure compliance with internal policies and procedures that reflect best practices of data handling on subjects including all of the following:
a. Standards, policies, procedures, and requirements for requesting, accessing, interpreting, and using data.
b. Identity and access management controls, including limiting the access to any data subject to a data agreement.
c. Verification of data outputs to meet quality, accuracy, and reliability specifications.
d. Establishment of data element definitions and lineage.
e. Establishment and maintenance of auditing policies, procedures, and reporting.
f. Policies and procedures regarding data retention and destruction.
g. Interpretation of new and changing business and regulatory requirements that may impact data solution organization.
h. Any other requirements established in a data agreement.
2. Establish and ensure compliance with policies and procedures regarding the handling of data agreement breaches, security incidents, in compliance with s. 134.98, and related disputes.
(3) Agreements between data controllers. Data agreements are required when sensitive information controlled by one data controller is to be shared with, accessed by, or used by another data controller. A data agreement shall contain all of the following provisions:
(a) Identification of the parties to the agreement.
(b) Identification of the data subject to the agreement.
(c) Identification of the permitted uses and restrictions of the data subject to the agreement, including whether the data owner permits the data controller to share with another entity any enhanced data that was based on the data owner’s original data.
(d) Identification of any confidentiality requirements for the data subject to the agreement.
(e) Identification of the law governing the data subject to the agreement, such as the federal Family Educational Rights and Privacy Act, the federal Health Insurance Portability and Accountability Act, the federal Health Information Technology for Economic and Clinical Health Act, the federal Criminal Justice Information Services Security Policy, or the federal Children’s Online Privacy Protection Rule.
(f) Identification of the governing law and venue that shall govern the validity, construction, enforcement, and interpretation of the agreement.
(g) Provisions governing the response to security incidents, in compliance with s. 134.98, including all of the following:
1. The name and contact information of one or more individuals who are authorized to provide and receive security incident communications pertaining to the data subject to the agreement.
2. An attestation from a data custodian that it has established and agrees to comply with security incident policies and procedures under sub. (2) (b) 3.
(h) Definition of the term of the data agreement. A data agreement under this section shall remain in effect until a mutually agreed upon termination date or until all data subject to the agreement is destroyed or returned to the data owner, whichever occurs first.
(i) Provisions regarding the right to terminate the agreement, including all of the following:
1. Conditions under which the agreement may be terminated.
2. The method of notification required before termination is effective.
3. The advance notice period required before termination is effective.
4. Any special circumstances under which immediate termination of the agreement may be pursued.
(j) Provisions regarding authorization for or prohibition of the collection and analysis of metadata.
(k) In a data sharing agreement between a data owner and a data custodian, provisions regarding auditing capabilities and the performance of audits. A data custodian shall attest that it has enabled appropriate capabilities to support compliance with the regulatory statutes identified in the agreement and shall agree, at the request of the data owner, to perform an audit of the data owner’s data under its custodianship. Such an audit shall have a mutually agreed upon scope and shall be performed within a mutually agreed upon time frame.
(L) Any other requirements as established by any party to the agreement.
(end)