ENROLLED 2016 Legislature CS for SB 624 2016624er 1 2 An act relating to public records; amending s. 3 282.318, F.S.; creating exemptions from public records 4 requirements for certain records held by a state 5 agency which identify detection, investigation, or 6 response practices for suspected or confirmed 7 information technology security incidents and for 8 certain portions of risk assessments, evaluations, 9 external audits, and other reports of a state agency’s 10 information technology program; authorizing disclosure 11 of confidential and exempt information to certain 12 agencies and officers; providing for retroactive 13 application; providing for future legislative review 14 and repeal of the exemptions; providing statements of 15 public necessity; providing an effective date. 16 17 Be It Enacted by the Legislature of the State of Florida: 18 19 Section 1. Paragraph (i) of subsection (4) of section 20 282.318, Florida Statutes, is amended, present subsection (5) of 21 that section is renumbered as subsection (6), and a new 22 subsection (5) is added to that section, to read: 23 282.318 Security of data and information technology.— 24 (4) Each state agency head shall, at a minimum: 25 (i) Develop a process for detecting, reporting, and 26 responding to threats, breaches, or information technology 27 security incidents which isthat areconsistent with the 28 security rules, guidelines, and processes established by the 29 Agency for State Technology. 30 1. All information technology security incidents and 31 breaches must be reported to the Agency for State Technology. 32 2. For information technology security breaches, state 33 agencies shall provide notice in accordance with s. 501.171. 34 3. Records held by a state agency which identify detection, 35 investigation, or response practices for suspected or confirmed 36 information technology security incidents, including suspected 37 or confirmed breaches, are confidential and exempt from s. 38 119.07(1) and s. 24(a), Art. I of the State Constitution, if the 39 disclosure of such records would facilitate unauthorized access 40 to or the unauthorized modification, disclosure, or destruction 41 of: 42 a. Data or information, whether physical or virtual; or 43 b. Information technology resources, which includes: 44 (I) Information relating to the security of the agency’s 45 technologies, processes, and practices designed to protect 46 networks, computers, data processing software, and data from 47 attack, damage, or unauthorized access; or 48 (II) Security information, whether physical or virtual, 49 which relates to the agency’s existing or proposed information 50 technology systems. 51 52 Such records shall be available to the Auditor General, the 53 Agency for State Technology, the Cybercrime Office of the 54 Department of Law Enforcement, and, for state agencies under the 55 jurisdiction of the Governor, the Chief Inspector General. Such 56 records may be made available to a local government, another 57 state agency, or a federal agency for information technology 58 security purposes or in furtherance of the state agency’s 59 official duties. This exemption applies to such records held by 60 a state agency before, on, or after the effective date of this 61 exemption. This subparagraph is subject to the Open Government 62 Sunset Review Act in accordance with s. 119.15 and shall stand 63 repealed on October 2, 2021, unless reviewed and saved from 64 repeal through reenactment by the Legislature. 65 (5) The portions of risk assessments, evaluations, external 66 audits, and other reports of a state agency’s information 67 technology security program for the data, information, and 68 information technology resources of the state agency which are 69 held by a state agency are confidential and exempt from s. 70 119.07(1) and s. 24(a), Art. I of the State Constitution if the 71 disclosure of such portions of records would facilitate 72 unauthorized access to or the unauthorized modification, 73 disclosure, or destruction of: 74 (a) Data or information, whether physical or virtual; or 75 (b) Information technology resources, which include: 76 1. Information relating to the security of the agency’s 77 technologies, processes, and practices designed to protect 78 networks, computers, data processing software, and data from 79 attack, damage, or unauthorized access; or 80 2. Security information, whether physical or virtual, which 81 relates to the agency’s existing or proposed information 82 technology systems. 83 84 Such portions of records shall be available to the Auditor 85 General, the Cybercrime Office of the Department of Law 86 Enforcement, the Agency for State Technology, and, for agencies 87 under the jurisdiction of the Governor, the Chief Inspector 88 General. Such portions of records may be made available to a 89 local government, another state agency, or a federal agency for 90 information technology security purposes or in furtherance of 91 the state agency’s official duties. For purposes of this 92 subsection, “external audit” means an audit that is conducted by 93 an entity other than the state agency that is the subject of the 94 audit. This exemption applies to such records held by a state 95 agency before, on, or after the effective date of this 96 exemption. This subsection is subject to the Open Government 97 Sunset Review Act in accordance with s. 119.15 and shall stand 98 repealed on October 2, 2021, unless reviewed and saved from 99 repeal through reenactment by the Legislature. 100 Section 2. (1)(a) The Legislature finds that it is a public 101 necessity that public records held by a state agency which 102 identify detection, investigation, or response practices for 103 suspected or confirmed information technology security 104 incidents, including suspected or confirmed breaches, be made 105 confidential and exempt from s. 119.07(1), Florida Statutes, and 106 s. 24(a), Article I of the State Constitution if the disclosure 107 of such records would facilitate unauthorized access to or the 108 unauthorized modification, disclosure, or destruction of: 109 1. Data or information, whether physical or virtual; or 110 2. Information technology resources, which includes: 111 a. Information relating to the security of the agency’s 112 technologies, processes, and practices designed to protect 113 networks, computers, data processing software, and data from 114 attack, damage, or unauthorized access; or 115 b. Security information, whether physical or virtual, which 116 relates to the agency’s existing or proposed information 117 technology systems. 118 (b) Such records shall be made confidential and exempt for 119 the following reasons: 120 1. Records held by a state agency which identify 121 information technology detection, investigation, or response 122 practices for suspected or confirmed information technology 123 incidents or breaches are likely to be used in the investigation 124 of the incident or breach. The release of such information could 125 impede the investigation and impair the ability of reviewing 126 entities to effectively and efficiently execute their 127 investigative duties. In addition, the release of such 128 information before completion of an active investigation could 129 jeopardize the ongoing investigation. 130 2. An investigation of an information technology security 131 incident or breach is likely to result in the gathering of 132 sensitive personal information, including identification numbers 133 and personal financial and health information not otherwise 134 exempt or confidential and exempt from public records 135 requirements under any other law. Such information could be used 136 for the purpose of identity theft or other crimes. In addition, 137 release of such information could subject possible victims of 138 the incident or breach to further harm. 139 3. Disclosure of a record, including a computer forensic 140 analysis, or other information that would reveal weaknesses in a 141 state agency’s data security could compromise the future 142 security of that agency or other entities if such information 143 were available upon conclusion of an investigation or once an 144 investigation ceased to be active. The disclosure of such a 145 record or information could compromise the security of state 146 agencies and make those state agencies susceptible to future 147 data incidents or breaches. 148 4. Such records are likely to contain proprietary 149 information about the security of the system at issue. The 150 disclosure of such information could result in the 151 identification of vulnerabilities and further breaches of that 152 system. In addition, the release of such information could give 153 business competitors an unfair advantage and weaken the position 154 of the entity supplying the proprietary information in the 155 marketplace. 156 5. The disclosure of such records could potentially 157 compromise the confidentiality, integrity, and availability of 158 state agency data and information technology resources, which 159 would significantly impair the administration of vital 160 governmental programs. It is necessary that this information be 161 made confidential in order to protect the technology systems, 162 resources, and data of state agencies. The Legislature further 163 finds that this public records exemption be given retroactive 164 application because it is remedial in nature. 165 (2)(a) The Legislature also finds that it is a public 166 necessity that portions of risk assessments, evaluations, 167 external audits, and other reports of a state agency’s 168 information technology security program for the data, 169 information, and information technology resources of the state 170 agency which are held by a state agency be made confidential and 171 exempt from s. 119.07(1), Florida Statutes, and s. 24(a), 172 Article I of the State Constitution if the disclosure of such 173 portions of records would facilitate unauthorized access to or 174 the unauthorized modification, disclosure, or destruction of: 175 1. Data or information, whether physical or virtual; or 176 2. Information technology resources, which includes: 177 a. Information relating to the security of the agency’s 178 technologies, processes, and practices designed to protect 179 networks, computers, data processing software, and data from 180 attack, damage, or unauthorized access; or 181 b. Security information, whether physical or virtual, which 182 relates to the agency’s existing or proposed information 183 technology systems. 184 (b) The Legislature finds that it may be valuable, prudent, 185 or critical to a state agency to have an independent entity 186 conduct a risk assessment, an audit, or an evaluation or 187 complete a report of the state agency’s information technology 188 program or related systems. Such documents would likely include 189 an analysis of the state agency’s current information technology 190 program or systems which could clearly identify vulnerabilities 191 or gaps in current systems or processes and propose 192 recommendations to remedy identified vulnerabilities. The 193 disclosure of such portions of records would jeopardize the 194 information technology security of the state agency, and 195 compromise the integrity and availability of agency data and 196 information technology resources, which would significantly 197 impair the administration of governmental programs. It is 198 necessary that such portions of records be made confidential and 199 exempt from public records requirements in order to protect 200 agency technology systems, resources, and data. The Legislature 201 further finds that this public records exemption shall be given 202 retroactive application because it is remedial in nature. 203 Section 3. This act shall take effect upon becoming a law.