Florida Senate - 2014 CS for CS for SB 1526 By the Committees on Rules; and Judiciary; and Senator Thrasher 595-04153-14 20141526c2 1 A bill to be entitled 2 An act relating to public records; amending s. 3 501.171, F.S.; creating an exemption from public 4 records requirements for information received by the 5 Department of Legal Affairs pursuant to a notice of a 6 data breach or pursuant to certain investigations; 7 authorizing disclosure under certain circumstances; 8 defining the term “proprietary information”; providing 9 for future review and repeal of the exemption under 10 the Open Government Sunset Review Act; providing a 11 statement of public necessity; providing a contingent 12 effective date. 13 14 Be It Enacted by the Legislature of the State of Florida: 15 16 Section 1. Subsection (11) is added to section 501.171, 17 Florida Statutes, as created by SB 1524, 2014 Regular Session, 18 to read: 19 501.171 Security of confidential personal information.— 20 (11) PUBLIC RECORDS EXEMPTION.— 21 (a) All information received by the department pursuant to 22 a notification required by this section, or received by the 23 department pursuant to an investigation by the department or a 24 law enforcement agency, is confidential and exempt from s. 25 119.07(1) and s. 24(a), Art. I of the State Constitution, until 26 such time as the investigation is completed or ceases to be 27 active. This exemption shall be construed in conformity with s. 28 119.071(2)(c). 29 (b) During an active investigation, information made 30 confidential and exempt pursuant to paragraph (a) may be 31 disclosed by the department: 32 1. In the furtherance of its official duties and 33 responsibilities; 34 2. For print, publication, or broadcast if the department 35 determines that such release would assist in notifying the 36 public or locating or identifying a person that the department 37 believes to be a victim of a data breach or improper disposal of 38 customer records, except that information made confidential and 39 exempt by paragraph (c) may not be released pursuant to this 40 subparagraph; or 41 3. To another governmental entity in the furtherance of its 42 official duties and responsibilities. 43 (c) Upon completion of an investigation or once an 44 investigation ceases to be active, the following information 45 received by the department shall remain confidential and exempt 46 from s. 119.07(1) and s. 24(a), Art. I of the State 47 Constitution: 48 1. All information to which another public records 49 exemption applies. 50 2. Personal information. 51 3. A computer forensic report. 52 4. Information that would otherwise reveal weaknesses in a 53 covered entity’s data security. 54 5. Information that would disclose a covered entity’s 55 proprietary information. 56 (d) For purposes of this subsection, the term “proprietary 57 information” means information that: 58 1. Is owned or controlled by the covered entity. 59 2. Is intended to be private and is treated by the covered 60 entity as private because disclosure would harm the covered 61 entity or its business operations. 62 3. Has not been disclosed except as required by law or a 63 private agreement that provides that the information will not be 64 released to the public. 65 4. Is not publicly available or otherwise readily 66 ascertainable through proper means from another source in the 67 same configuration as received by the department. 68 5. Includes: 69 a. Trade secrets as defined in s. 688.002. 70 b. Competitive interests, the disclosure of which would 71 impair the competitive business of the covered entity who is the 72 subject of the information. 73 (e) This subsection is subject to the Open Government 74 Sunset Review Act in accordance with s. 119.15 and shall stand 75 repealed on October 2, 2019, unless reviewed and saved from 76 repeal through reenactment by the Legislature. 77 Section 2. The Legislature finds that it is a public 78 necessity that all information received by the Department of 79 Legal Affairs pursuant to a notification of a violation of s. 80 501.171, Florida Statutes, or received by the department 81 pursuant to an investigation by the department or a law 82 enforcement agency, be made confidential and exempt from s. 83 119.07(1), Florida Statutes, and s. 24(a), Article I of the 84 State Constitution for the following reasons: 85 (1) A notification of a violation of s. 501.171, Florida 86 Statutes, is likely to result in an investigation of such 87 violation because a data breach is likely the result of criminal 88 activity that may lead to further criminal activity. The 89 premature release of such information could frustrate or thwart 90 the investigation and impair the ability of the Department of 91 Legal Affairs to effectively and efficiently administer s. 92 501.171, Florida Statutes. In addition, release of such 93 information before completion of an active investigation could 94 jeopardize the ongoing investigation. 95 (2) The Legislature finds that it is a public necessity to 96 continue to protect from public disclosure all information to 97 which another public record exemption applies once an 98 investigation is completed or ceases to be active. Release of 99 such information by the Department of Legal Affairs would undo 100 the specific statutory exemption protecting that information. 101 (3) An investigation of a data breach or improper disposal 102 of customer records is likely to result in the gathering of 103 sensitive personal information, including social security 104 numbers, identification numbers, and personal financial and 105 health information. Such information could be used for the 106 purpose of identity theft. In addition, release of such 107 information could subject possible victims of the data breach or 108 improper disposal of customer records to further financial harm. 109 Furthermore, matters of personal health are traditionally 110 private and confidential concerns between the patient and the 111 health care provider. The private and confidential nature of 112 personal health matters pervades both the public and private 113 health care sectors. 114 (4) Release of a computer forensic report or other 115 information that would otherwise reveal weaknesses in a covered 116 entity’s data security could compromise the future security of 117 that entity, or other entities, if such information were 118 available upon conclusion of an investigation or once an 119 investigation ceased to be active. The release of such report or 120 information could compromise the security of current entities 121 and make those entities susceptible to future data breaches. 122 Release of such report or information could result in the 123 identification of vulnerabilities and further breaches of that 124 system. 125 (5) Notices received by the Department of Legal Affairs and 126 information received during an investigation of a data breach 127 are likely to contain proprietary information, including trade 128 secrets, about the security of the breached system. The release 129 of the proprietary information could result in the 130 identification of vulnerabilities and further breaches of that 131 system. In addition, a trade secret derives independent, 132 economic value, actual or potential, from being generally 133 unknown to, and not readily ascertainable by, other persons who 134 might obtain economic value from its disclosure or use. Allowing 135 public access to proprietary information, including a trade 136 secret, through a public records request could destroy the value 137 of the proprietary information and cause a financial loss to the 138 covered entity submitting the information. Release of such 139 information could give business competitors an unfair advantage 140 and weaken the position of the entity supplying the proprietary 141 information in the marketplace. 142 Section 3. 143