Florida Senate - 2017 COMMITTEE AMENDMENT
Bill No. CS for SB 110
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
04/03/2017 .
—————————————————————————————————————————————————————————————————
The Committee on Governmental Oversight and Accountability
(Rouson) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 35 - 191
4 and insert:
5 technology systems owned, under contract, or maintained by a
6 state university or a Florida College System institution are
7 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
8 of the State Constitution:
9 (a) Records held by the university or institution which
10 identify detection, investigation, or response practices for
11 suspected or confirmed information technology security
12 incidents, including suspected or confirmed breaches, if the
13 disclosure of such records would facilitate unauthorized access
14 to or unauthorized modification, disclosure, or destruction of:
15 1. Data or information, whether physical or virtual; or
16 2. Information technology resources, which include:
17 a. Information relating to the security of the university’s
18 or institution’s technologies, processes, and practices designed
19 to protect networks, computers, data processing software, and
20 data from attack, damage, or unauthorized access; or
21 b. Security information, whether physical or virtual, which
22 relates to the university’s or institution’s existing or
23 proposed information technology systems.
24 (b) Those portions of risk assessments, evaluations,
25 audits, and other reports of the university’s or institution’s
26 information technology security program for its data,
27 information, and information technology resources which are held
28 by the university or institution, if the disclosure of such
29 records would facilitate unauthorized access to or the
30 unauthorized modification, disclosure, or destruction of:
31 1. Data or information, whether physical or virtual; or
32 2. Information technology resources, which include:
33 a. Information relating to the security of the university’s
34 or institution’s technologies, processes, and practices designed
35 to protect networks, computers, data processing software, and
36 data from attack, damage, or unauthorized access; or
37 b. Security information, whether physical or virtual, which
38 relates to the university’s or institution’s existing or
39 proposed information technology systems.
40 (2) Those portions of a public meeting as specified in s.
41 286.011 which would reveal data and information described in
42 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
43 of the State Constitution. No exempt portion of an exempt
44 meeting may be off the record. All exempt portions of such a
45 meeting must be recorded and transcribed. The recording and
46 transcript of the meeting must remain confidential and exempt
47 from disclosure under s. 119.071(1) and s. 24(a), Art. 1 of the
48 State Constitution unless a court of competent jurisdiction,
49 following an in camera review, determines that the meeting was
50 not restricted to the discussion of data and information made
51 confidential and exempt by this section. In the event of such a
52 judicial determination, only that portion of the transcript
53 which reveals nonexempt data and information may be disclosed to
54 a third party.
55 (3) The records and portions of public meeting recordings
56 and transcripts described in subsection (1) must be available
57 to: the Auditor General; the Cybercrime Office of the Department
58 of Law Enforcement; for a state university, the Board of
59 Governors; and for a Florida College System institution, the
60 State Board of Education. Such records and portions of meetings,
61 recordings, and transcripts may be made available to a state or
62 federal agency for security purposes or in furtherance of the
63 agency’s official duties.
64 (4) The exemptions listed in this section apply to such
65 records or portions of public meetings, recordings, and
66 transcripts held by the university or institution before, on, or
67 after the effective date of this act.
68 (5) This section is subject to the Open Government Sunset
69 Review Act in accordance with s. 119.15 and shall stand repealed
70 on October 2, 2022, unless reviewed and saved from repeal
71 through reenactment by the Legislature.
72 Section 2. (1)(a) The Legislature finds that it is a public
73 necessity that the following data or information from technology
74 systems owned, under contract, or maintained by a state
75 university or a Florida College System institution be
76 confidential and exempt from s. 119.07(1), Florida Statutes, and
77 s. 24(a), Article I of the State Constitution:
78 1. Records held by the university or institution which
79 identify detection, investigation, or response practices for
80 suspected or confirmed information technology security
81 incidents, including suspected or confirmed breaches, if the
82 disclosure of such records would facilitate unauthorized access
83 to or unauthorized modification, disclosure, or destruction of:
84 a. Data or information, whether physical or virtual; or
85 b. Information technology resources, which include:
86 (I) Information relating to the security of the
87 university’s or institution’s technologies, processes, and
88 practices designed to protect networks, computers, data
89 processing software, and data from attack, damage, or
90 unauthorized access; or
91 (II) Security information, whether physical or virtual,
92 which relates to the university’s or institution’s existing or
93 proposed information technology systems.
94 2. Those portions of risk assessments, evaluations, audits,
95 and other reports of the university’s or institution’s
96 information technology security program for its data,
97 information, and information technology resources which are held
98 by the university or institution, if the disclosure of such
99 records would facilitate unauthorized access to or the
100 unauthorized modification, disclosure, or destruction of:
101 a. Data or information, whether physical or virtual; or
102 b. Information technology resources, which include:
103 (I) Information relating to the security of the
104 university’s or institution’s technologies, processes, and
105 practices designed to protect networks, computers, data
106 processing software, and data from attack, damage, or
107 unauthorized access; or
108 (II) Security information, whether physical or virtual,
109 which relates to the university’s or institution’s existing or
110 proposed information technology systems.
111 (b) The Legislature also finds that those portions of a
112 public meeting as specified in s. 286.011, Florida Statutes,
113 which would reveal data and information described in subsection
114 (1) are exempt from s. 286.011, Florida Statutes, and s. 24(b),
115 Article I of the State Constitution. The recording and
116 transcript of the meeting must remain confidential and exempt
117 from disclosure under s. 119.071(1), Florida Statutes, and s.
118 24(a), Article 1 of the State Constitution unless a court of
119 competent jurisdiction, following an in camera review,
120 determines that the meeting was not restricted to the discussion
121 of data and information made confidential and exempt by this
122 section. In the event of such a judicial determination, only
123 that portion of the transcript which reveals nonexempt data and
124 information may be disclosed to a third party.
125 (c) The Legislature further finds that it is a public
126 necessity that records held by a state university or Florida
127 College System institution which identify detection,
128 investigation, or response practices for suspected or confirmed
129 information technology security incidents, including suspected
130 or confirmed breaches, be made confidential and exempt from s.
131 119.07(1), Florida Statutes, and s. 24(a), Article I of the
132 State Constitution if the disclosure of such records would
133 facilitate unauthorized access to or the unauthorized
134 modification, disclosure, or destruction of:
135 1. Data or information, whether physical or virtual; or
136 2. Information technology resources, which include:
137 a. Information relating to the security of the university’s
138 or institution’s technologies, processes, and practices designed
139 to protect networks, computers, data processing software, and
140 data from attack, damage, or unauthorized access; or
141 b. Security information, whether physical or virtual, which
142 relates to the university’s or institution’s existing or
143 proposed information technology systems.
144 (d) Such records must be made confidential and exempt for
145 the following reasons:
146 1. Records held by a state university or Florida College
147 System institution which identify information technology
148 detection, investigation, or response practices for suspected or
149 confirmed information technology security incidents or breaches
150 are likely to be used in the investigations of the incidents or
151 breaches. The release of such information could impede the
152 investigation and impair the ability of reviewing entities to
153 effectively and efficiently execute their investigative duties.
154 In addition, the release of such information before an active
155 investigation is completed could jeopardize the ongoing
156 investigation.
157 2. An investigation of an information technology security
158 incident or breach is likely to result in the gathering of
159 sensitive personal information, including identification
160 numbers, personal financial and health information, and
161 educational records exempt from disclosure under the Family
162 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
163 1002.225 and 1006.52, Florida Statutes. Such information could
164 be used to commit identity theft or other crimes. In addition,
165 release of such information could subject possible victims of
166 the security incident or breach to further harm.
167 3. Disclosure of a record, including a computer forensic
168 analysis, or other information that would reveal weaknesses in a
169 state university’s or Florida College System institution’s data
170 security could compromise that security in the future if such
171 information were available upon conclusion of an investigation
172 or once an investigation ceased to be active.
173 4. Such records are likely to contain proprietary
174 information about the security of the system at issue. The
175 disclosure of such information could result in the
176 identification of vulnerabilities and further breaches of that
177 system. In addition, the release of such information could give
178 business competitors an unfair advantage and weaken the security
179 technology supplier supplying the proprietary information in the
180 marketplace.
181 5. The disclosure of such records could potentially
182 compromise the confidentiality, integrity, and availability of
183 state university and Florida College System institution data and
184 information technology resources, which would significantly
185 impair the administration of vital educational programs. It is
186 necessary that this information be made confidential in order to
187 protect the technology systems, resources, and data of the
188 universities and institutions. The Legislature further finds
189 that this public records exemption be given retroactive
190 application because it is remedial in nature.
191 (2)(a) The Legislature also finds that it is a public
192 necessity that portions of risk assessments, evaluations,
193 audits, and other reports of a state university’s or Florida
194 College System institution’s information technology security
195 program for its data, information, and information technology
196 resources which are held by the university or institution be
197 made confidential and exempt from s. 119.07(1), Florida
198 Statutes, and s. 24(a), Article I of the State Constitution if
199 the disclosure of such portions of records would facilitate
200 unauthorized access to or the unauthorized modification,
201 disclosure, or destruction of:
202 1. Data or information, whether physical or virtual; or
203 2. Information technology resources, which include:
204 a. Information relating to the security of the university’s
205 or institution’s technologies, processes, and practices designed
206 to protect networks, computers, data processing software, and
207 data from attack, damage, or unauthorized access; or
208 b. Security information, whether physical or virtual, which
209 relates to the university’s or institution’s existing or
210 proposed information technology systems.
211 (b) The Legislature finds that it is valuable, prudent,
212
213 ================= TITLE AMENDMENT ================
214 And the title is amended as follows:
215 Delete lines 10 - 21
216 and insert:
217 portions of risk assessments, evaluations, audits, and
218 other reports of a university’s or institution’s
219 information technology security program; creating an
220 exemption from public meetings requirements for
221 portions of public meetings which would reveal such
222 data and information; providing an exemption from
223 public records requirements for a specified period for
224 the recording and transcript of a closed meeting;
225 authorizing disclosure of confidential and exempt
226 information to certain agencies and officers;
227 providing retroactive application;