Florida Senate - 2017 CS for SB 110
By the Committee on Education; and Senator Brandes
581-02688-17 2017110c1
1 A bill to be entitled
2 An act relating to public records and public meetings;
3 creating s. 1004.055, F.S.; creating an exemption from
4 public records requirements for certain records held
5 by a state university or Florida College System
6 institution which identify detection, investigation,
7 or response practices for suspected or confirmed
8 information technology security incidents; creating an
9 exemption from public records requirements for certain
10 portions of risk assessments, evaluations, external
11 and internal audits, and other reports of a
12 university’s or institution’s information technology
13 security program; creating an exemption from public
14 meetings requirements for portions of public meetings
15 which would reveal such data and information;
16 providing an exemption from public records
17 requirements for a specified period for the recording
18 and transcript of a closed meeting; authorizing
19 disclosure of confidential and exempt information to
20 certain agencies and officers; defining the term
21 “external audit”; providing retroactive application;
22 providing for future legislative review and repeal of
23 the exemptions; providing statements of public
24 necessity; providing a directive to the Division of
25 Law Revision and Information; providing an effective
26 date.
27
28 Be It Enacted by the Legislature of the State of Florida:
29
30 Section 1. Section 1004.055, Florida Statutes, is created
31 to read:
32 1004.055 Security of data and information technology in
33 state postsecondary education institutions.—
34 (1) All of the following data or information from
35 technology systems owned, contracted, or maintained by a state
36 university or a Florida College System institution are
37 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
38 of the State Constitution:
39 (a) Records held by the university or institution which
40 identify detection, investigation, or response practices for
41 suspected or confirmed information technology security
42 incidents, including suspected or confirmed breaches, if the
43 disclosure of such records would facilitate unauthorized access
44 to or unauthorized modification, disclosure, or destruction of:
45 1. Data or information, whether physical or virtual; or
46 2. Information technology resources, which include:
47 a. Information relating to the security of the university’s
48 or institution’s technologies, processes, and practices designed
49 to protect networks, computers, data processing software, and
50 data from attack, damage, or unauthorized access; or
51 b. Security information, whether physical or virtual, which
52 relates to the university’s or institution’s existing or
53 proposed information technology systems.
54 (b) Those portions of risk assessments, evaluations,
55 external and internal audits, and other reports of the
56 university’s or institution’s information technology security
57 program for its data, information, and information technology
58 resources which are held by the university or institution, if
59 the disclosure of such records would facilitate unauthorized
60 access to or unauthorized modification, disclosure, or
61 destruction of:
62 1. Data or information, whether physical or virtual; or
63 2. Information technology resources, which include:
64 a. Information relating to the security of the university’s
65 or institution’s technologies, processes, and practices designed
66 to protect networks, computers, data processing software, and
67 data from attack, damage, or unauthorized access; or
68 b. Security information, whether physical or virtual, which
69 relates to the university’s or institution’s existing or
70 proposed information technology systems.
71 (2) Those portions of a public meeting as specified in s.
72 286.011 which would reveal data and information described in
73 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
74 of the State Constitution. An exempt portion of the meeting may
75 not be off the record. All exempt portions of such a meeting
76 must be recorded and transcribed. The recording and transcript
77 of the meeting must remain confidential and exempt from
78 disclosure under s. 119.07(1) and s. 24(a), Art. I of the State
79 Constitution unless a court of competent jurisdiction, following
80 an in camera review, determines that the meeting was not
81 restricted to the discussion of data and information made
82 confidential and exempt by this section. In the event of such a
83 judicial determination, only that portion of the transcript
84 which reveals nonexempt data and information may be disclosed.
85 (3) The records and portions of public meeting recordings
86 and transcripts described in subsections (1) and (2) must be
87 available to the Auditor General; the Cybercrime Office of the
88 Department of Law Enforcement; for a state university, the Board
89 of Governors; and for a Florida College System institution, the
90 State Board of Education. Such records and portions of meetings,
91 recordings, and transcripts may be made available to a state or
92 federal agency for security purposes or in furtherance of the
93 agency’s official duties. For purposes of this section,
94 “external audit” means an audit that is conducted by an entity
95 other than the state university or Florida College System
96 institution that is the subject of the audit.
97 (4) The exemptions listed in this section apply to such
98 records or portions of public meetings, recordings, and
99 transcripts held by the university or institution before, on, or
100 after the effective date of this act.
101 (5) This section is subject to the Open Government Sunset
102 Review Act in accordance with s. 119.15 and shall stand repealed
103 on October 2, 2022, unless reviewed and saved from repeal
104 through reenactment by the Legislature.
105 Section 2. (1)(a) The Legislature finds that it is a public
106 necessity that records held by a state university or Florida
107 College System institution which identify detection,
108 investigation, or response practices for suspected or confirmed
109 information technology security incidents, including suspected
110 or confirmed breaches, be made confidential and exempt from s.
111 119.07(1), Florida Statutes, and s. 24(a), Article I of the
112 State Constitution if the disclosure of such records would
113 facilitate unauthorized access to or unauthorized modification,
114 disclosure, or destruction of:
115 1. Data or information, whether physical or virtual; or
116 2. Information technology resources, which include:
117 a. Information relating to the security of the university’s
118 or institution’s technologies, processes, and practices designed
119 to protect networks, computers, data processing software, and
120 data from attack, damage, or unauthorized access; or
121 b. Security information, whether physical or virtual, which
122 relates to the university’s or institution’s existing or
123 proposed information technology systems.
124 (b) Such records must be made confidential and exempt for
125 the following reasons:
126 1. Records held by a state university or Florida College
127 System institution which identify information technology
128 detection, investigation, or response practices for suspected or
129 confirmed information technology security incidents or breaches
130 are likely to be used in the investigation of the incident or
131 breach. The release of such information could impede the
132 investigation and impair the ability of reviewing entities to
133 effectively and efficiently execute their investigative duties.
134 In addition, the release of such information before an active
135 investigation is completed could jeopardize the ongoing
136 investigation.
137 2. An investigation of an information technology security
138 incident or breach is likely to result in the gathering of
139 sensitive personal information, including identification
140 numbers, personal financial and health information, and
141 educational records exempt from disclosure under the Family
142 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g, and ss.
143 1002.225 and 1006.52, Florida Statutes. Such information could
144 be used to commit identity theft or other crimes. In addition,
145 release of such information could subject possible victims of
146 the security incident or breach to further harm.
147 3. Disclosure of a record, including a computer forensic
148 analysis, or other information that would reveal weaknesses in a
149 state university’s or Florida College System institution’s data
150 security could compromise that security in the future if such
151 information were available upon conclusion of an investigation
152 or once an investigation ceased to be active.
153 4. Such records are likely to contain proprietary
154 information about the security of the system at issue. The
155 disclosure of such information could result in the
156 identification of vulnerabilities and further breaches of that
157 system. In addition, the release of such information could give
158 business competitors an unfair advantage and weaken the security
159 technology supplier supplying the proprietary information in the
160 marketplace.
161 5. The disclosure of such records could potentially
162 compromise the confidentiality, integrity, and availability of
163 state university and Florida College System institution data and
164 information technology resources, which would significantly
165 impair the administration of vital educational programs. It is
166 necessary that this information be made confidential in order to
167 protect the technology systems, resources, and data of the
168 universities and institutions. The Legislature further finds
169 that this public records exemption be given retroactive
170 application because it is remedial in nature.
171 (2)(a) The Legislature also finds that it is a public
172 necessity that portions of risk assessments, evaluations,
173 external and internal audits, and other reports of a state
174 university’s or Florida College System institution’s information
175 technology security program for its data, information, and
176 information technology resources which are held by the
177 university or institution be made confidential and exempt from
178 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
179 State Constitution if the disclosure of such portions of records
180 would facilitate unauthorized access to or the unauthorized
181 modification, disclosure, or destruction of:
182 1. Data or information, whether physical or virtual; or
183 2. Information technology resources, which include:
184 a. Information relating to the security of the university’s
185 or institution’s technologies, processes, and practices designed
186 to protect networks, computers, data processing software, and
187 data from attack, damage, or unauthorized access; or
188 b. Security information, whether physical or virtual, which
189 relates to the university’s or institution’s existing or
190 proposed information technology systems.
191 (b) The Legislature finds that it may be valuable, prudent,
192 or critical to a state university or Florida College System
193 institution to have an independent entity conduct a risk
194 assessment, an audit, or an evaluation or complete a report of
195 the university’s or institution’s information technology program
196 or related systems. Such documents would likely include an
197 analysis of the university’s or institution’s current
198 information technology program or systems which could clearly
199 identify vulnerabilities or gaps in current systems or processes
200 and propose recommendations to remedy identified
201 vulnerabilities.
202 (3)(a) The Legislature further finds that it is a public
203 necessity that those portions of a public meeting which could
204 reveal information described in subsections (1) and (2) be made
205 exempt from s. 286.011, Florida Statutes, and s. 24(b), Article
206 I of the State Constitution. It is necessary that such meetings
207 be made exempt from the open meetings requirements in order to
208 protect institutional information technology systems, resources,
209 and data. The information disclosed during portions of meetings
210 would clearly identify a state university’s or Florida College
211 System institution’s information technology systems and its
212 vulnerabilities. This disclosure would jeopardize the
213 information technology security of the institution and
214 compromise the integrity and availability of state university or
215 Florida College System institution data and information
216 technology resources, which would significantly impair the
217 administration of educational programs.
218 (b) The Legislature further finds that it is a public
219 necessity that the recording and transcript of those portions of
220 meetings specified in paragraph (a) be made confidential and
221 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
222 Article I of the State Constitution unless a court determines
223 that the meeting was not restricted to the discussion of data
224 and information made confidential and exempt by this act. It is
225 necessary that the resulting recordings and transcripts be made
226 confidential and exempt from the public record requirements in
227 order to protect institutional information technology systems,
228 resources, and data. The disclosure of such recordings and
229 transcripts would clearly identify a state university’s or
230 Florida College System institution’s information technology
231 systems and its vulnerabilities. This disclosure would
232 jeopardize the information technology security of the
233 institution and compromise the integrity and availability of
234 state university or Florida College System institution data and
235 information technology resources, which would significantly
236 impair the administration of educational programs.
237 (c) The Legislature further finds that this public meeting
238 and public records exemption must be given retroactive
239 application because it is remedial in nature.
240 Section 3. The Division of Law Revision and Information is
241 directed to replace the phrase “the effective date of this act”
242 wherever it occurs in this act with the date this act becomes a
243 law.
244 Section 4. This act shall take effect upon becoming a law.