Florida Senate - 2017 SB 110
By Senator Brandes
24-00089A-17 2017110__
1 A bill to be entitled
2 An act relating to public records and public meetings;
3 creating s. 1004.055, F.S.; creating an exemption from
4 public records requirements for certain records held
5 by a state university or Florida College System
6 institution which identify detection, investigation,
7 or response practices for suspected or confirmed
8 information technology security incidents; creating an
9 exemption from public records requirements for certain
10 portions of risk assessments, evaluations, external
11 and internal audits, and other reports of a
12 university’s or institution’s information technology
13 security program; creating an exemption from public
14 meetings requirements for portions of public meetings
15 which would reveal such data and information;
16 providing an exemption from public records
17 requirements for a specified period for the recording
18 and transcript of a closed meeting; authorizing
19 disclosure of confidential and exempt information to
20 certain agencies and officers; defining the term
21 “external audit”; providing retroactive application;
22 providing for future legislative review and repeal of
23 the exemptions; providing statements of public
24 necessity; providing a directive to the Division of
25 Law Revision and Information; providing an effective
26 date.
27
28 Be It Enacted by the Legislature of the State of Florida:
29
30 Section 1. Section 1004.055, Florida Statutes, is created
31 to read:
32 1004.055 Security of data and information technology in
33 state postsecondary education institutions.—
34 (1) All of the following data or information from
35 technology systems owned, contracted, or maintained by a state
36 university or a Florida College System institution are
37 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
38 of the State Constitution:
39 (a) Records held by the university or institution which
40 identify detection, investigation, or response practices for
41 suspected or confirmed information technology security
42 incidents, including suspected or confirmed breaches, if the
43 disclosure of such records would facilitate unauthorized access
44 to or unauthorized modification, disclosure, or destruction of:
45 1. Data or information, whether physical or virtual; or
46 2. Information technology resources, which include:
47 a. Information relating to the security of the university’s
48 or institution’s technologies, processes, and practices designed
49 to protect networks, computers, data processing software, and
50 data from attack, damage, or unauthorized access; or
51 b. Security information, whether physical or virtual, which
52 relates to the university’s or institution’s existing or
53 proposed information technology systems.
54 (b) Those portions of risk assessments, evaluations,
55 external and internal audits, and other reports of the
56 university’s or institution’s information technology security
57 program for its data, information, and information technology
58 resources which are held by the university or institution, if
59 the disclosure of such records would facilitate unauthorized
60 access to or unauthorized modification, disclosure, or
61 destruction of:
62 1. Data or information, whether physical or virtual; or
63 2. Information technology resources, which include:
64 a. Information relating to the security of the university’s
65 or institution’s technologies, processes, and practices designed
66 to protect networks, computers, data processing software, and
67 data from attack, damage, or unauthorized access; or
68 b. Security information, whether physical or virtual, which
69 relates to the university’s or institution’s existing or
70 proposed information technology systems.
71 (2) Those portions of a public meeting as specified in s.
72 286.011 which would reveal data and information described in
73 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. 1
74 of the State Constitution. An exempt portion of the meeting may
75 not be off the record. All exempt portions of such a meeting
76 must be recorded and transcribed. The recording and transcript
77 of the meeting must remain confidential and exempt from
78 disclosure under s. 119.07(1) and s. 24(a), Art. 1 of the State
79 Constitution unless a court of competent jurisdiction, following
80 an in camera review, determines that the meeting was not
81 restricted to the discussion of data and information made
82 confidential and exempt by this section. In the event of such a
83 judicial determination, only that portion of the transcript
84 which reveals nonexempt data and information may be disclosed.
85 (3) The records and portions of public meeting recordings
86 and transcripts described in subsections (1) and (2) must be
87 available to the Auditor General, the Cybercrime Office of the
88 Department of Law Enforcement, and, for state universities, the
89 Board of Governors. Such records and portions of meetings,
90 recordings, and transcripts may be made available to a state or
91 federal agency for security purposes or in furtherance of the
92 agency’s official duties. For purposes of this section,
93 “external audit” means an audit that is conducted by an entity
94 other than the state university or Florida College System
95 institution that is the subject of the audit.
96 (4) The exemptions listed in this section apply to such
97 records or portions of public meetings, recordings, and
98 transcripts held by the university or institution before, on, or
99 after the effective date of this act.
100 (5) This section is subject to the Open Government Sunset
101 Review Act in accordance with s. 119.15 and shall stand repealed
102 on October 2, 2022, unless reviewed and saved from repeal
103 through reenactment by the Legislature.
104 Section 2. (1)(a) The Legislature finds that it is a public
105 necessity that records held by a state university or Florida
106 College System institution which identify detection,
107 investigation, or response practices for suspected or confirmed
108 information technology security incidents, including suspected
109 or confirmed breaches, be made confidential and exempt from s.
110 119.07(1), Florida Statutes, and s. 24(a), Article I of the
111 State Constitution if the disclosure of such records would
112 facilitate unauthorized access to or unauthorized modification,
113 disclosure, or destruction of:
114 1. Data or information, whether physical or virtual; or
115 2. Information technology resources, which include:
116 a. Information relating to the security of the university’s
117 or institution’s technologies, processes, and practices designed
118 to protect networks, computers, data processing software, and
119 data from attack, damage, or unauthorized access; or
120 b. Security information, whether physical or virtual, which
121 relates to the university’s or institution’s existing or
122 proposed information technology systems.
123 (b) Such records must be made confidential and exempt for
124 the following reasons:
125 1. Records held by a state university or Florida College
126 System institution which identify information technology
127 detection, investigation, or response practices for suspected or
128 confirmed information technology security incidents or breaches
129 are likely to be used in the investigation of the incident or
130 breach. The release of such information could impede the
131 investigation and impair the ability of reviewing entities to
132 effectively and efficiently execute their investigative duties.
133 In addition, the release of such information before an active
134 investigation is completed could jeopardize the ongoing
135 investigation.
136 2. An investigation of an information technology security
137 incident or breach is likely to result in the gathering of
138 sensitive personal information, including identification
139 numbers, personal financial and health information, and
140 educational records exempt from disclosure under the Family
141 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
142 1002.225 and 1006.52, Florida Statutes. Such information could
143 be used to commit identity theft or other crimes. In addition,
144 release of such information could subject possible victims of
145 the security incident or breach to further harm.
146 3. Disclosure of a record, including a computer forensic
147 analysis, or other information that would reveal weaknesses in a
148 state university’s or Florida College System institution’s data
149 security could compromise that security in the future if such
150 information were available upon conclusion of an investigation
151 or once an investigation ceased to be active.
152 4. Such records are likely to contain proprietary
153 information about the security of the system at issue. The
154 disclosure of such information could result in the
155 identification of vulnerabilities and further breaches of that
156 system. In addition, the release of such information could give
157 business competitors an unfair advantage and weaken the security
158 technology supplier supplying the proprietary information in the
159 marketplace.
160 5. The disclosure of such records could potentially
161 compromise the confidentiality, integrity, and availability of
162 state university and Florida College System institution data and
163 information technology resources, which would significantly
164 impair the administration of vital educational programs. It is
165 necessary that this information be made confidential in order to
166 protect the technology systems, resources, and data of the
167 universities and institutions. The Legislature further finds
168 that this public records exemption be given retroactive
169 application because it is remedial in nature.
170 (2)(a) The Legislature also finds that it is a public
171 necessity that portions of risk assessments, evaluations,
172 external and internal audits, and other reports of a state
173 university’s or Florida College System institution’s information
174 technology security program for its data, information, and
175 information technology resources which are held by the
176 university or institution be made confidential and exempt from
177 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
178 State Constitution if the disclosure of such portions of records
179 would facilitate unauthorized access to or the unauthorized
180 modification, disclosure, or destruction of:
181 1. Data or information, whether physical or virtual; or
182 2. Information technology resources, which include:
183 a. Information relating to the security of the university’s
184 or institution’s technologies, processes, and practices designed
185 to protect networks, computers, data processing software, and
186 data from attack, damage, or unauthorized access; or
187 b. Security information, whether physical or virtual, which
188 relates to the university’s or institution’s existing or
189 proposed information technology systems.
190 (b) The Legislature finds that it may be valuable, prudent,
191 or critical to a state university or Florida College System
192 institution to have an independent entity conduct a risk
193 assessment, an audit, or an evaluation or complete a report of
194 the university’s or institution’s information technology program
195 or related systems. Such documents would likely include an
196 analysis of the university’s or institution’s current
197 information technology program or systems which could clearly
198 identify vulnerabilities or gaps in current systems or processes
199 and propose recommendations to remedy identified
200 vulnerabilities.
201 (3)(a) The Legislature further finds that it is a public
202 necessity that those portions of a public meeting which could
203 reveal information described in subsections (1) and (2) be made
204 exempt from s. 286.011, Florida Statutes, and s. 24(b), Article
205 I of the State Constitution. It is necessary that such meetings
206 be made exempt from the open meetings requirements in order to
207 protect institutional information technology systems, resources,
208 and data. The information disclosed during portions of meetings
209 would clearly identify a state university’s or Florida College
210 System institution’s information technology systems and its
211 vulnerabilities. This disclosure would jeopardize the
212 information technology security of the institution and
213 compromise the integrity and availability of state university or
214 Florida College System institution data and information
215 technology resources, which would significantly impair the
216 administration of educational programs.
217 (b) The Legislature further finds that it is a public
218 necessity that the recording and transcript of those portions of
219 meetings specified in paragraph (a) be made confidential and
220 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
221 Article I of the State Constitution unless a court determines
222 that the meeting was not restricted to the discussion of data
223 and information made confidential and exempt by this act. It is
224 necessary that the resulting recordings and transcripts be made
225 confidential and exempt from the public record requirements in
226 order to protect institutional information technology systems,
227 resources, and data. The disclosure of such recordings and
228 transcripts would clearly identify a state university’s or
229 Florida College System institution’s information technology
230 systems and its vulnerabilities. This disclosure would
231 jeopardize the information technology security of the
232 institution and compromise the integrity and availability of
233 state university or Florida College System institution data and
234 information technology resources, which would significantly
235 impair the administration of educational programs.
236 (c) The Legislature further finds that this public meeting
237 and public records exemption must be given retroactive
238 application because it is remedial in nature.
239 Section 3. The Division of Law Revision and Information is
240 directed to replace the phrase “the effective date of this act”
241 wherever it occurs in this act with the date this act becomes a
242 law.
243 Section 4. This act shall take effect upon becoming a law.