Florida Senate - 2017 CS for CS for SB 110
By the Committees on Governmental Oversight and Accountability;
and Education; and Senators Brandes and Rouson
585-03366-17 2017110c2
1 A bill to be entitled
2 An act relating to public records and public meetings;
3 creating s. 1004.055, F.S.; creating an exemption from
4 public records requirements for certain records held
5 by a state university or Florida College System
6 institution which identify detection, investigation,
7 or response practices for suspected or confirmed
8 information technology security incidents; creating an
9 exemption from public records requirements for certain
10 portions of risk assessments, evaluations, audits, and
11 other reports of a university’s or institution’s
12 information technology security program; creating an
13 exemption from public meetings requirements for
14 portions of public meetings which would reveal such
15 data and information; providing an exemption from
16 public records requirements for a specified period for
17 the recording and transcript of a closed meeting;
18 authorizing disclosure of confidential and exempt
19 information to certain agencies and officers;
20 providing retroactive application; providing for
21 future legislative review and repeal of the
22 exemptions; providing statements of public necessity;
23 providing a directive to the Division of Law Revision
24 and Information; providing an effective date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. Section 1004.055, Florida Statutes, is created
29 to read:
30 1004.055 Security of data and information technology in
31 state postsecondary education institutions.—
32 (1) All of the following data or information from
33 technology systems owned, under contract, or maintained by a
34 state university or a Florida College System institution are
35 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
36 of the State Constitution:
37 (a) Records held by the university or institution which
38 identify detection, investigation, or response practices for
39 suspected or confirmed information technology security
40 incidents, including suspected or confirmed breaches, if the
41 disclosure of such records would facilitate unauthorized access
42 to or unauthorized modification, disclosure, or destruction of:
43 1. Data or information, whether physical or virtual; or
44 2. Information technology resources, which include:
45 a. Information relating to the security of the university’s
46 or institution’s technologies, processes, and practices designed
47 to protect networks, computers, data processing software, and
48 data from attack, damage, or unauthorized access; or
49 b. Security information, whether physical or virtual, which
50 relates to the university’s or institution’s existing or
51 proposed information technology systems.
52 (b) Those portions of risk assessments, evaluations,
53 audits, and other reports of the university’s or institution’s
54 information technology security program for its data,
55 information, and information technology resources which are held
56 by the university or institution, if the disclosure of such
57 records would facilitate unauthorized access to or the
58 unauthorized modification, disclosure, or destruction of:
59 1. Data or information, whether physical or virtual; or
60 2. Information technology resources, which include:
61 a. Information relating to the security of the university’s
62 or institution’s technologies, processes, and practices designed
63 to protect networks, computers, data processing software, and
64 data from attack, damage, or unauthorized access; or
65 b. Security information, whether physical or virtual, which
66 relates to the university’s or institution’s existing or
67 proposed information technology systems.
68 (2) Those portions of a public meeting as specified in s.
69 286.011 which would reveal data and information described in
70 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
71 of the State Constitution. No exempt portion of an exempt
72 meeting may be off the record. All exempt portions of such a
73 meeting must be recorded and transcribed. The recording and
74 transcript of the meeting must remain confidential and exempt
75 from disclosure under s. 119.07(1) and s. 24(a), Art. 1 of the
76 State Constitution unless a court of competent jurisdiction,
77 following an in camera review, determines that the meeting was
78 not restricted to the discussion of data and information made
79 confidential and exempt by this section. In the event of such a
80 judicial determination, only that portion of the transcript
81 which reveals nonexempt data and information may be disclosed to
82 a third party.
83 (3) The records and portions of public meeting recordings
84 and transcripts described in subsection (1) must be available
85 to: the Auditor General; the Cybercrime Office of the Department
86 of Law Enforcement; for a state university, the Board of
87 Governors; and for a Florida College System institution, the
88 State Board of Education. Such records and portions of meetings,
89 recordings, and transcripts may be made available to a state or
90 federal agency for security purposes or in furtherance of the
91 agency’s official duties.
92 (4) The exemptions listed in this section apply to such
93 records or portions of public meetings, recordings, and
94 transcripts held by the university or institution before, on, or
95 after the effective date of this act.
96 (5) This section is subject to the Open Government Sunset
97 Review Act in accordance with s. 119.15 and shall stand repealed
98 on October 2, 2022, unless reviewed and saved from repeal
99 through reenactment by the Legislature.
100 Section 2. (1)(a) The Legislature finds that it is a public
101 necessity that the following data or information from technology
102 systems owned, under contract, or maintained by a state
103 university or a Florida College System institution be
104 confidential and exempt from s. 119.07(1), Florida Statutes, and
105 s. 24(a), Article I of the State Constitution:
106 1. Records held by the university or institution which
107 identify detection, investigation, or response practices for
108 suspected or confirmed information technology security
109 incidents, including suspected or confirmed breaches, if the
110 disclosure of such records would facilitate unauthorized access
111 to or unauthorized modification, disclosure, or destruction of:
112 a. Data or information, whether physical or virtual; or
113 b. Information technology resources, which include:
114 (I) Information relating to the security of the
115 university’s or institution’s technologies, processes, and
116 practices designed to protect networks, computers, data
117 processing software, and data from attack, damage, or
118 unauthorized access; or
119 (II) Security information, whether physical or virtual,
120 which relates to the university’s or institution’s existing or
121 proposed information technology systems.
122 2. Those portions of risk assessments, evaluations, audits,
123 and other reports of the university’s or institution’s
124 information technology security program for its data,
125 information, and information technology resources which are held
126 by the university or institution, if the disclosure of such
127 records would facilitate unauthorized access to or the
128 unauthorized modification, disclosure, or destruction of:
129 a. Data or information, whether physical or virtual; or
130 b. Information technology resources, which include:
131 (I) Information relating to the security of the
132 university’s or institution’s technologies, processes, and
133 practices designed to protect networks, computers, data
134 processing software, and data from attack, damage, or
135 unauthorized access; or
136 (II) Security information, whether physical or virtual,
137 which relates to the university’s or institution’s existing or
138 proposed information technology systems.
139 (b) The Legislature also finds that those portions of a
140 public meeting as specified in s. 286.011, Florida Statutes,
141 which would reveal data and information described in subsection
142 (1) are exempt from s. 286.011, Florida Statutes, and s. 24(b),
143 Article I of the State Constitution. The recording and
144 transcript of the meeting must remain confidential and exempt
145 from disclosure under s. 119.07(1), Florida Statutes, and s.
146 24(a), Article 1 of the State Constitution unless a court of
147 competent jurisdiction, following an in camera review,
148 determines that the meeting was not restricted to the discussion
149 of data and information made confidential and exempt by this
150 section. In the event of such a judicial determination, only
151 that portion of the transcript which reveals nonexempt data and
152 information may be disclosed to a third party.
153 (c) The Legislature further finds that it is a public
154 necessity that records held by a state university or Florida
155 College System institution which identify detection,
156 investigation, or response practices for suspected or confirmed
157 information technology security incidents, including suspected
158 or confirmed breaches, be made confidential and exempt from s.
159 119.07(1), Florida Statutes, and s. 24(a), Article I of the
160 State Constitution if the disclosure of such records would
161 facilitate unauthorized access to or the unauthorized
162 modification, disclosure, or destruction of:
163 1. Data or information, whether physical or virtual; or
164 2. Information technology resources, which include:
165 a. Information relating to the security of the university’s
166 or institution’s technologies, processes, and practices designed
167 to protect networks, computers, data processing software, and
168 data from attack, damage, or unauthorized access; or
169 b. Security information, whether physical or virtual, which
170 relates to the university’s or institution’s existing or
171 proposed information technology systems.
172 (d) Such records must be made confidential and exempt for
173 the following reasons:
174 1. Records held by a state university or Florida College
175 System institution which identify information technology
176 detection, investigation, or response practices for suspected or
177 confirmed information technology security incidents or breaches
178 are likely to be used in the investigations of the incidents or
179 breaches. The release of such information could impede the
180 investigation and impair the ability of reviewing entities to
181 effectively and efficiently execute their investigative duties.
182 In addition, the release of such information before an active
183 investigation is completed could jeopardize the ongoing
184 investigation.
185 2. An investigation of an information technology security
186 incident or breach is likely to result in the gathering of
187 sensitive personal information, including identification
188 numbers, personal financial and health information, and
189 educational records exempt from disclosure under the Family
190 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
191 1002.225 and 1006.52, Florida Statutes. Such information could
192 be used to commit identity theft or other crimes. In addition,
193 release of such information could subject possible victims of
194 the security incident or breach to further harm.
195 3. Disclosure of a record, including a computer forensic
196 analysis, or other information that would reveal weaknesses in a
197 state university’s or Florida College System institution’s data
198 security could compromise that security in the future if such
199 information were available upon conclusion of an investigation
200 or once an investigation ceased to be active.
201 4. Such records are likely to contain proprietary
202 information about the security of the system at issue. The
203 disclosure of such information could result in the
204 identification of vulnerabilities and further breaches of that
205 system. In addition, the release of such information could give
206 business competitors an unfair advantage and weaken the security
207 technology supplier supplying the proprietary information in the
208 marketplace.
209 5. The disclosure of such records could potentially
210 compromise the confidentiality, integrity, and availability of
211 state university and Florida College System institution data and
212 information technology resources, which would significantly
213 impair the administration of vital educational programs. It is
214 necessary that this information be made confidential in order to
215 protect the technology systems, resources, and data of the
216 universities and institutions. The Legislature further finds
217 that this public records exemption be given retroactive
218 application because it is remedial in nature.
219 (2)(a) The Legislature also finds that it is a public
220 necessity that portions of risk assessments, evaluations,
221 audits, and other reports of a state university’s or Florida
222 College System institution’s information technology security
223 program for its data, information, and information technology
224 resources which are held by the university or institution be
225 made confidential and exempt from s. 119.07(1), Florida
226 Statutes, and s. 24(a), Article I of the State Constitution if
227 the disclosure of such portions of records would facilitate
228 unauthorized access to or the unauthorized modification,
229 disclosure, or destruction of:
230 1. Data or information, whether physical or virtual; or
231 2. Information technology resources, which include:
232 a. Information relating to the security of the university’s
233 or institution’s technologies, processes, and practices designed
234 to protect networks, computers, data processing software, and
235 data from attack, damage, or unauthorized access; or
236 b. Security information, whether physical or virtual, which
237 relates to the university’s or institution’s existing or
238 proposed information technology systems.
239 (b) The Legislature finds that it is valuable, prudent, or
240 critical to a state university or Florida College System
241 institution to have an independent entity conduct a risk
242 assessment, an audit, or an evaluation or complete a report of
243 the university’s or institution’s information technology program
244 or related systems. Such documents would likely include an
245 analysis of the university’s or institution’s current
246 information technology program or systems which could clearly
247 identify vulnerabilities or gaps in current systems or processes
248 and propose recommendations to remedy identified
249 vulnerabilities.
250 (3)(a) The Legislature further finds that it is a public
251 necessity that those portions of a public meeting which could
252 reveal information described in subsections (1) and (2) be made
253 exempt from s. 286.011, Florida Statutes, and s. 24(b), Article
254 I of the State Constitution. It is necessary that such meetings
255 be made exempt from the open meetings requirements in order to
256 protect institutional information technology systems, resources,
257 and data. The information disclosed during portions of meetings
258 would clearly identify a state university’s or Florida College
259 System institution’s information technology systems and its
260 vulnerabilities. This disclosure would jeopardize the
261 information technology security of the institution and
262 compromise the integrity and availability of state university or
263 Florida College System institution data and information
264 technology resources, which would significantly impair the
265 administration of educational programs.
266 (b) The Legislature further finds that it is a public
267 necessity that the recording and transcript of those portions of
268 meetings specified in paragraph (a) be made confidential and
269 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
270 Article I of the State Constitution unless a court determines
271 that the meeting was not restricted to the discussion of data
272 and information made confidential and exempt by this act. It is
273 necessary that the resulting recordings and transcripts be made
274 confidential and exempt from the public record requirements in
275 order to protect institutional information technology systems,
276 resources, and data. The disclosure of such recordings and
277 transcripts would clearly identify a state university’s or
278 Florida College System institution’s information technology
279 systems and its vulnerabilities. This disclosure would
280 jeopardize the information technology security of the
281 institution and compromise the integrity and availability of
282 state university or Florida College System institution data and
283 information technology resources, which would significantly
284 impair the administration of educational programs.
285 (c) The Legislature further finds that this public meeting
286 and public records exemption must be given retroactive
287 application because it is remedial in nature.
288 Section 3. The Division of Law Revision and Information is
289 directed to replace the phrase “the effective date of this act”
290 wherever it occurs in this act with the date this act becomes a
291 law.
292 Section 4. This act shall take effect upon becoming a law.