Florida Senate - 2016 SB 1588
By Senator Hays
11-01389-16 20161588__
A bill to be entitled
An act relating to public records; creating s. 1004.055, F.S.; providing an exemption from public records and meetings requirements for certain data and information collected from technology systems owned, contracted, or maintained by a state university or Florida College System institution; providing exceptions to the exemption; providing for future review and repeal of the exemption under the Open Government Sunset Review Act; providing a statement of public necessity; providing a directive to the Division of Law Revision and Information; providing an effective date.
Be It Enacted by the Legislature of the State of Florida:
Section 1. Section 1004.055, Florida Statutes, is created to read:
1004.055 Data, information, and network security and privacy.—
(1) All of the following data and information collected from technology systems owned, contracted, or maintained by a state university or a Florida College System institution are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
(a) Risk assessment and risk mitigation information that is used to determine security threats and risk remediation plans for data, information, and information technology resources of the state university or Florida College System institution.
(b) Internal policies and procedures used to ensure the security of the data and information technology resources, which, if disclosed, could facilitate the unauthorized access to or the unauthorized modification, disclosure, or destruction of data, information, or information technology resources.
(c) Results of periodic internal or external audits and evaluations of the information technology security program for a state university’s or Florida College System institution’s data and information technology resources.
(d) Information relating to the detection, investigation, or response to a suspected or confirmed security incident, including suspected or confirmed breaches, which, if disclosed, could facilitate the unauthorized access to or the unauthorized modification, disclosure, or destruction of data or information technology resources.
(e) Records, information, photographs, audio and visual presentations, schematic diagrams, source code, proprietary information, trade secrets, business transactions, surveys, recommendations, or consultations or portions thereof relating directly to or revealing the information technology security programs for a state university’s or Florida College System institution’s data and information technology resources, regardless of the medium in which they are stored.
(f) System authentication credentials, including passwords, security codes, access codes, biometric information, personal identification numbers, or any other type of information required to access a state university’s or Florida College System institution’s data and information technology resources.
(2) Those portions of meetings which would reveal data and information described in subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution. All exempt portions of a meeting must be recorded and transcribed. An exempt portion of a meeting may not be off the record. The transcript of the meeting shall remain confidential and exempt from disclosure unless a court of competent jurisdiction, following an in camera review, determines that the meeting was not restricted to the discussion of data and information made confidential and exempt by this section. In the event of such a judicial determination, only that portion of the transcript which reveals nonexempt data and information may be disclosed to a third party.
(3) These exemptions are remedial in nature, and it is the intent of the Legislature that the exemptions apply to security system plans held by a state university or Florida College System institution before, on, or after the effective date of this act.
(4) Data and information made confidential and exempt by this section may be disclosed by the custodian of public records to the Auditor General, the Chief Inspector General, and the Cybercrime Office of the Department of Law Enforcement or to another state or federal agency to prevent, detect, guard against, respond to, investigate, or manage the consequences of any attempted or actual act of terrorism, or to prosecute those persons who are responsible for such attempts or acts. The entities or persons receiving such information shall maintain the exempt status of the information.
(5) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2021, unless reviewed and saved from repeal through reenactment by the Legislature.
Section 2. (1) The Legislature finds that it is a public necessity that risk assessments, risk mitigation, internal policies and procedures, internal or external audits and evaluations, system authentication credentials, and all records, information, photographs, audio and visual presentations, schematic diagrams, source code, proprietary information, trade secrets, business transactions, surveys, recommendations, or consultations related directly to or revealing information technology resources or security of a state university or a Florida College System institution be exempt from ss. 119.07(1) and 286.011, Florida Statutes, and s. 24, Article 1 of the State Constitution. The Legislature finds that the increasing use of advanced information technology in public institutions of higher education requires a systematic risk management approach to minimize the increased security threats to data and information technology resources.
(2) The Legislature further finds that the data, information, and information technology resources collected, constructed, and maintained by public institutions of higher education are assets that require protection. It is essential that these systems be protected from misuse and that both the information technology resources and the data or information stored in them be accessed and maintained in a secure environment.
(3) The Legislature further finds that an investigation of an information technology security system incident or breach is likely to result in the gathering of sensitive personal information, including social security numbers, identification numbers, personal financial and health information, and educational records exempt from disclosure under the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss. 1002.225 and 1006.52, Florida Statutes. This information could be used for identity theft or further financial harm. The release of a computer forensic report or other information that would reveal weaknesses in a state university’s or Florida College System institution’s data security could compromise future security if such information were available before conclusion of an investigation or once the investigation ceased to be active.
(4) The Legislature further finds that the disclosure of information related to state university or Florida College System institution data or information technology systems could potentially compromise the confidentiality, integrity, and availability of such resources and significantly impair the administration of vital educational services. It is necessary that this information be made confidential in order to protect the technology systems, resources, and data of state universities and Florida College System institutions.
Section 3. The Division of Law Revision and Information is directed to replace the phrase “the effective date of this act” wherever it occurs in this act with such date.
Section 4. This act shall take effect upon becoming a law.