Florida Senate - 2016 SB 1588
By Senator Hays
11-01389-16 20161588__
1 A bill to be entitled
2 An act relating to public records; creating s.
3 1004.055, F.S.; providing an exemption from public
4 records and meetings requirements for certain data and
5 information collected from technology systems owned,
6 contracted, or maintained by a state university or
7 Florida College System institution; providing
8 exceptions to the exemption; providing for future
9 review and repeal of the exemption under the Open
10 Government Sunset Review Act; providing a statement of
11 public necessity; providing a directive to the
12 Division of Law Revision and Information; providing an
13 effective date.
14
15 Be It Enacted by the Legislature of the State of Florida:
16
17 Section 1. Section 1004.055, Florida Statutes, is created
18 to read:
19 1004.055 Data, information, and network security and
20 privacy.—
21 (1) All of the following data and information collected
22 from technology systems owned, contracted, or maintained by a
23 state university or a Florida College System institution are
24 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
25 of the State Constitution:
26 (a) Risk assessment and risk mitigation information that is
27 used to determine security threats and risk remediation plans
28 for data, information, and information technology resources of
29 the state university or Florida College System institution.
30 (b) Internal policies and procedures used to ensure the
31 security of the data and information technology resources,
32 which, if disclosed, could facilitate the unauthorized access to
33 or the unauthorized modification, disclosure, or destruction of
34 data, information, or information technology resources.
35 (c) Results of periodic internal or external audits and
36 evaluations of the information technology security program for a
37 state university’s or Florida College System institution’s data
38 and information technology resources.
39 (d) Information relating to the detection, investigation,
40 or response to a suspected or confirmed security incident,
41 including suspected or confirmed breaches, which, if disclosed,
42 could facilitate the unauthorized access to or the unauthorized
43 modification, disclosure, or destruction of data or information
44 technology resources.
45 (e) Records, information, photographs, audio and visual
46 presentations, schematic diagrams, source code, proprietary
47 information, trade secrets, business transactions, surveys,
48 recommendations, or consultations or portions thereof relating
49 directly to or revealing the information technology security
50 programs for a state university’s or Florida College System
51 institution’s data and information technology resources,
52 regardless of the medium in which they are stored.
53 (f) System authentication credentials, including passwords,
54 security codes, access codes, biometric information, personal
55 identification numbers, or any other type of information
56 required to access a state university’s or Florida College
57 System institution’s data and information technology resources.
58 (2) Those portions of meetings which would reveal data and
59 information described in subsection (1) are exempt from s.
60 286.011 and s. 24(b), Art. I of the State Constitution. All
61 exempt portions of a meeting must be recorded and transcribed.
62 An exempt portion of a meeting may not be off the record. The
63 transcript of the meeting shall remain confidential and exempt
64 from disclosure unless a court of competent jurisdiction,
65 following an in camera review, determines that the meeting was
66 not restricted to the discussion of data and information made
67 confidential and exempt by this section. In the event of such a
68 judicial determination, only that portion of the transcript
69 which reveals nonexempt data and information may be disclosed to
70 a third party.
71 (3) These exemptions are remedial in nature, and it is the
72 intent of the Legislature that the exemptions apply to security
73 system plans held by a state university or Florida College
74 System institution before, on, or after the effective date of
75 this act.
76 (4) Data and information made confidential and exempt by
77 this section may be disclosed by the custodian of public records
78 to the Auditor General, the Chief Inspector General, and the
79 Cybercrime Office of the Department of Law Enforcement or to
80 another state or federal agency to prevent, detect, guard
81 against, respond to, investigate, or manage the consequences of
82 any attempted or actual act of terrorism, or to prosecute those
83 persons who are responsible for such attempts or acts. The
84 entities or persons receiving such information shall maintain
85 the exempt status of the information.
86 (5) This section is subject to the Open Government Sunset
87 Review Act in accordance with s. 119.15 and shall stand repealed
88 on October 2, 2021, unless reviewed and saved from repeal
89 through reenactment by the Legislature.
90 Section 2. (1) The Legislature finds that it is a public
91 necessity that risk assessments, risk mitigation, internal
92 policies and procedures, internal or external audits and
93 evaluations, system authentication credentials, and all records,
94 information, photographs, audio and visual presentations,
95 schematic diagrams, source code, proprietary information, trade
96 secrets, business transactions, surveys, recommendations, or
97 consultations related directly to or revealing information
98 technology resources or security of a state university or a
99 Florida College System institution be exempt from ss. 119.07(1)
100 and 286.011, Florida Statutes, and s. 24, Article 1 of the State
101 Constitution. The Legislature finds that the increasing use of
102 advanced information technology in public institutions of higher
103 education requires a systematic risk management approach to
104 minimize the increased security threats to data and information
105 technology resources.
106 (2) The Legislature further finds that the data,
107 information, and information technology resources collected,
108 constructed, and maintained by public institutions of higher
109 education are assets that require protection. It is essential
110 that these systems be protected from misuse and that both the
111 information technology resources and the data or information
112 stored in them be accessed and maintained in a secure
113 environment.
114 (3) The Legislature further finds that an investigation of
115 an information technology security system incident or breach is
116 likely to result in the gathering of sensitive personal
117 information, including social security numbers, identification
118 numbers, personal financial and health information, and
119 educational records exempt from disclosure under the Family
120 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
121 1002.225 and 1006.52, Florida Statutes. This information could
122 be used for identity theft or further financial harm. The
123 release of a computer forensic report or other information that
124 would reveal weaknesses in a state university’s or Florida
125 College System institution’s data security could compromise
126 future security if such information were available before
127 conclusion of an investigation or once the investigation ceased
128 to be active.
129 (4) The Legislature further finds that the disclosure of
130 information related to state university or Florida College
131 System institution data or information technology systems could
132 potentially compromise the confidentiality, integrity, and
133 availability of such resources and significantly impair the
134 administration of vital educational services. It is necessary
135 that this information be made confidential in order to protect
136 the technology systems, resources, and data of state
137 universities and Florida College System institutions.
138 Section 3. The Division of Law Revision and Information is
139 directed to replace the phrase “the effective date of this act”
140 wherever it occurs in this act with such date.
141 Section 4. This act shall take effect upon becoming a law.