Florida Senate - 2016                                    SB 1588
       
       
        
       By Senator Hays
       
       11-01389-16                                           20161588__
    1                        A bill to be entitled                      
    2         An act relating to public records; creating s.
    3         1004.055, F.S.; providing an exemption from public
    4         records and meetings requirements for certain data and
    5         information collected from technology systems owned,
    6         contracted, or maintained by a state university or
    7         Florida College System institution; providing
    8         exceptions to the exemption; providing for future
    9         review and repeal of the exemption under the Open
   10         Government Sunset Review Act; providing a statement of
   11         public necessity; providing a directive to the
   12         Division of Law Revision and Information; providing an
   13         effective date.
   14          
   15  Be It Enacted by the Legislature of the State of Florida:
   16  
   17         Section 1. Section 1004.055, Florida Statutes, is created
   18  to read:
   19         1004.055 Data, information, and network security and
   20  privacy.—
   21         (1) All of the following data and information collected
   22  from technology systems owned, contracted, or maintained by a
   23  state university or a Florida College System institution are
   24  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   25  of the State Constitution:
   26         (a) Risk assessment and risk mitigation information that is
   27  used to determine security threats and risk remediation plans
   28  for data, information, and information technology resources of
   29  the state university or Florida College System institution.
   30         (b) Internal policies and procedures used to ensure the
   31  security of the data and information technology resources,
   32  which, if disclosed, could facilitate the unauthorized access to
   33  or the unauthorized modification, disclosure, or destruction of
   34  data, information, or information technology resources.
   35         (c) Results of periodic internal or external audits and
   36  evaluations of the information technology security program for a
   37  state university’s or Florida College System institution’s data
   38  and information technology resources.
   39         (d) Information relating to the detection, investigation,
   40  or response to a suspected or confirmed security incident,
   41  including suspected or confirmed breaches, which, if disclosed,
   42  could facilitate the unauthorized access to or the unauthorized
   43  modification, disclosure, or destruction of data or information
   44  technology resources.
   45         (e) Records, information, photographs, audio and visual
   46  presentations, schematic diagrams, source code, proprietary
   47  information, trade secrets, business transactions, surveys,
   48  recommendations, or consultations or portions thereof relating
   49  directly to or revealing the information technology security
   50  programs for a state university’s or Florida College System
   51  institution’s data and information technology resources,
   52  regardless of the medium in which they are stored.
   53         (f) System authentication credentials, including passwords,
   54  security codes, access codes, biometric information, personal
   55  identification numbers, or any other type of information
   56  required to access a state university’s or Florida College
   57  System institution’s data and information technology resources.
   58         (2) Those portions of meetings which would reveal data and
   59  information described in subsection (1) are exempt from s.
   60  286.011 and s. 24(b), Art. I of the State Constitution. All
   61  exempt portions of a meeting must be recorded and transcribed.
   62  An exempt portion of a meeting may not be off the record. The
   63  transcript of the meeting shall remain confidential and exempt
   64  from disclosure unless a court of competent jurisdiction,
   65  following an in camera review, determines that the meeting was
   66  not restricted to the discussion of data and information made
   67  confidential and exempt by this section. In the event of such a
   68  judicial determination, only that portion of the transcript
   69  which reveals nonexempt data and information may be disclosed to
   70  a third party.
   71         (3) These exemptions are remedial in nature, and it is the
   72  intent of the Legislature that the exemptions apply to security
   73  system plans held by a state university or Florida College
   74  System institution before, on, or after the effective date of
   75  this act.
   76         (4) Data and information made confidential and exempt by
   77  this section may be disclosed by the custodian of public records
   78  to the Auditor General, the Chief Inspector General, and the
   79  Cybercrime Office of the Department of Law Enforcement or to
   80  another state or federal agency to prevent, detect, guard
   81  against, respond to, investigate, or manage the consequences of
   82  any attempted or actual act of terrorism, or to prosecute those
   83  persons who are responsible for such attempts or acts. The
   84  entities or persons receiving such information shall maintain
   85  the exempt status of the information.
   86         (5) This section is subject to the Open Government Sunset
   87  Review Act in accordance with s. 119.15 and shall stand repealed
   88  on October 2, 2021, unless reviewed and saved from repeal
   89  through reenactment by the Legislature.
   90         Section 2. (1) The Legislature finds that it is a public
   91  necessity that risk assessments, risk mitigation, internal
   92  policies and procedures, internal or external audits and
   93  evaluations, system authentication credentials, and all records,
   94  information, photographs, audio and visual presentations,
   95  schematic diagrams, source code, proprietary information, trade
   96  secrets, business transactions, surveys, recommendations, or
   97  consultations related directly to or revealing information
   98  technology resources or security of a state university or a
   99  Florida College System institution be exempt from ss. 119.07(1)
  100  and 286.011, Florida Statutes, and s. 24, Article 1 of the State
  101  Constitution. The Legislature finds that the increasing use of
  102  advanced information technology in public institutions of higher
  103  education requires a systematic risk management approach to
  104  minimize the increased security threats to data and information
  105  technology resources.
  106         (2) The Legislature further finds that the data,
  107  information, and information technology resources collected,
  108  constructed, and maintained by public institutions of higher
  109  education are assets that require protection. It is essential
  110  that these systems be protected from misuse and that both the
  111  information technology resources and the data or information
  112  stored in them be accessed and maintained in a secure
  113  environment.
  114         (3) The Legislature further finds that an investigation of
  115  an information technology security system incident or breach is
  116  likely to result in the gathering of sensitive personal
  117  information, including social security numbers, identification
  118  numbers, personal financial and health information, and
  119  educational records exempt from disclosure under the Family
  120  Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
  121  1002.225 and 1006.52, Florida Statutes. This information could
  122  be used for identity theft or further financial harm. The
  123  release of a computer forensic report or other information that
  124  would reveal weaknesses in a state university’s or Florida
  125  College System institution’s data security could compromise
  126  future security if such information were available before
  127  conclusion of an investigation or once the investigation ceased
  128  to be active.
  129         (4) The Legislature further finds that the disclosure of
  130  information related to state university or Florida College
  131  System institution data or information technology systems could
  132  potentially compromise the confidentiality, integrity, and
  133  availability of such resources and significantly impair the
  134  administration of vital educational services. It is necessary
  135  that this information be made confidential in order to protect
  136  the technology systems, resources, and data of state
  137  universities and Florida College System institutions.
  138         Section 3. The Division of Law Revision and Information is
  139  directed to replace the phrase “the effective date of this act”
  140  wherever it occurs in this act with such date.
  141         Section 4. This act shall take effect upon becoming a law.