Florida Senate - 2016 SB 624
By Senator Hays
11-00620A-16 2016624__
1 A bill to be entitled
2 An act relating to public records; amending s.
3 282.318, F.S.; creating exemptions from public records
4 requirements for information held by a state agency
5 relating to the detection or investigation of or
6 response to any suspected or confirmed security
7 breaches and the results of external audits and
8 evaluations of a state agency’s information technology
9 security program; authorizing disclosure of
10 confidential and exempt information to certain
11 agencies and officers; providing for retroactive
12 application; providing for future legislative review
13 and repeal of the exemptions; providing statements of
14 public necessity; providing an effective date.
15
16 Be It Enacted by the Legislature of the State of Florida:
17
18 Section 1. Paragraph (i) of subsection (4) of section
19 282.318, Florida Statutes, is amended, present subsection (5) of
20 that section is renumbered as subsection (6), and a new
21 subsection (5) is added to that section, to read:
22 282.318 Security of data and information technology.—
23 (4) Each state agency head shall, at a minimum:
24 (i) Develop a process for detecting, reporting, and
25 responding to threats, breaches, or information technology
26 security incidents that are consistent with the security rules,
27 guidelines, and processes established by the Agency for State
28 Technology.
29 1. All information technology security incidents and
30 breaches must be reported to the Agency for State Technology.
31 2. For information technology security breaches, state
32 agencies shall provide notice in accordance with s. 501.171.
33 3. Information held by a state agency relating to the
34 detection, investigation, or response to any suspected or
35 confirmed security incidents, including suspected or confirmed
36 breaches, which, if disclosed, could facilitate the unauthorized
37 access to or the unauthorized modification, disclosure, or
38 destruction of data or information technology resources is
39 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
40 of the State Constitution, except that such information shall be
41 available to the Auditor General, the Agency for State
42 Technology, the Cybercrime Office of the Department of Law
43 Enforcement, and, for state agencies under the jurisdiction of
44 the Governor, the Chief Inspector General. This exemption
45 applies to such information held by a state agency before, on,
46 or after the effective date of this exemption. This subparagraph
47 is subject to the Open Government Sunset Review Act in
48 accordance with s. 119.15 and shall stand repealed on October 2,
49 2021, unless reviewed and saved from repeal through reenactment
50 by the Legislature.
51 (5) The results of external audits and evaluations of a
52 state agency’s information technology security program for the
53 data, information, and information technology resources of the
54 state agency are confidential and exempt from s. 119.07(1) and
55 s. 24(a), Art. I of the State Constitution, except that such
56 information shall be available to the Auditor General, the
57 Cybercrime Office of the Department of Law Enforcement, the
58 Agency for State Technology, and, for agencies under the
59 jurisdiction of the Governor, the Chief Inspector General; and
60 may be made available to other state agencies for information
61 technology security purposes. This exemption applies to such
62 information held by a state agency before, on, or after the
63 effective date of this exemption. This subsection is subject to
64 the Open Government Sunset Review Act in accordance with s.
65 119.15 and shall stand repealed on October 2, 2021, unless
66 reviewed and saved from repeal through reenactment by the
67 Legislature.
68 Section 2. (1) The Legislature finds that it is a public
69 necessity that information relating to the detection or
70 investigation of or response to any suspected or confirmed
71 security incidents, including suspected or confirmed breaches,
72 which, if disclosed, could facilitate the unauthorized access to
73 or unauthorized modification, disclosure, or destruction of data
74 or information technology resources be made confidential and
75 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
76 Article I of the State Constitution for the following reasons:
77 (a) Information held by a state agency relating to security
78 incidents or breaches is likely to result in an investigation of
79 the incident or breach. The release of such information could
80 impede the investigation and impair the ability of reviewing
81 entities to effectively and efficiently execute their
82 investigative duties. In addition, release of such information
83 before completion of an active investigation could jeopardize
84 the ongoing investigation.
85 (b) An investigation of an information technology security
86 incident or breach is likely to result in the gathering of
87 sensitive personal information, including social security
88 numbers, identification numbers, and personal financial and
89 health information. Such information could be used for the
90 purpose of identity theft. In addition, release of such
91 information could subject possible victims of the incident or
92 breach to further financial harm. Furthermore, matters of
93 personal health are traditionally private and confidential
94 concerns between the patient and the health care provider. The
95 private and confidential nature of personal health matters
96 pervades both the public and private health care sectors.
97 (c) Release of a computer forensic report or other
98 information that would reveal weaknesses in a covered entity’s
99 data security could compromise the future security of that
100 entity, or other entities, if such information were available
101 upon conclusion of an investigation or once an investigation
102 ceased to be active. The release of such report or information
103 could compromise the security of current entities and make those
104 entities susceptible to future data incidents or breaches.
105 (d) Information held by an agency relating to the detection
106 or investigation of or response to a suspected or confirmed
107 security incident or breach is likely to contain proprietary
108 information, including trade secrets, about the security of the
109 system at issue. The release of the proprietary information
110 could result in the identification of vulnerabilities and
111 further breaches of that system. In addition, a trade secret has
112 independent, economic value, actual or potential, in its being
113 generally unknown to, and not readily ascertainable by, other
114 persons who might obtain economic value from its disclosure or
115 use. Allowing public access to proprietary information,
116 including a trade secret, through a public records request could
117 destroy the value of the proprietary information and cause a
118 financial loss to the covered entity submitting the information.
119 Release of such information could give business competitors an
120 unfair advantage and weaken the position of the entity supplying
121 the proprietary information in the marketplace.
122 (e) The disclosure of such information could potentially
123 compromise the confidentiality, integrity, and availability of
124 state agency data and information technology resources, which
125 would significantly impair the administration of vital
126 governmental programs. It is necessary that this information be
127 made confidential in order to protect the technology systems,
128 resources, and data of state agencies. The Legislature further
129 finds that this public records exemption be given retroactive
130 application because it is remedial in nature.
131 (2) The Legislature also finds that it is a public
132 necessity that the results of external audits and evaluations of
133 a state agency’s information technology security program for the
134 data, information, and information technology resources of the
135 state agency be made confidential and exempt from s. 119.07(1),
136 Florida Statutes, and s. 24(a), Article I of the State
137 Constitution. A state agency may find it valuable, prudent, or
138 even critical to have an independent entity conduct an audit and
139 evaluation of the agency’s information technology program or
140 related systems. Such audits would likely include an analysis of
141 the current state of the state agency’s information technology
142 program or systems which could clearly identify vulnerabilities
143 or gaps in current systems or processes and propose
144 recommendations to remedy identified vulnerabilities. The
145 disclosure of such information would jeopardize the information
146 technology security of the state agency, and compromise the
147 integrity and availability of agency data and information
148 technology resources, which would significantly impair the
149 administration of governmental programs. It is necessary that
150 this information be made confidential and exempt from public
151 records requirements in order to protect agency technology
152 systems, resources, and data. The Legislature further finds that
153 this public records exemption be given retroactive application
154 because it is remedial in nature.
155 Section 3. This act shall take effect upon becoming a law.