Florida Senate - 2018 CS for SB 1880
By the Committee on Banking and Insurance; and Senator Broxson
597-02621-18 20181880c1
1 A bill to be entitled
2 An act relating to public records; creating s.
3 627.352, F.S.; providing an exemption from public
4 records requirements for certain records held by the
5 Citizens Property Insurance Corporation which identify
6 detection, investigation, or response practices for
7 suspected or confirmed information technology security
8 incidents; creating an exemption from public records
9 requirements for certain portions of risk assessments,
10 evaluations, audits, and other reports of the
11 corporation’s information technology security program;
12 creating an exemption from public meetings
13 requirements for portions of public meetings which
14 would reveal such data and information; providing an
15 exemption from public records requirements for a
16 specified period for the recording and transcript of a
17 closed meeting; authorizing disclosure of confidential
18 and exempt information to certain agencies and
19 officers; providing for future legislative review and
20 repeal; providing a statement of public necessity;
21 providing retroactive application; providing an
22 effective date.
23
24 Be It Enacted by the Legislature of the State of Florida:
25
26 Section 1. Section 627.352, Florida Statutes, is created to
27 read:
28 627.352 Security of data and information technology in
29 Citizens Property Insurance Corporation.—
30 (1) The following data and information from technology
31 systems owned by, under contract with, or maintained by Citizens
32 Property Insurance Corporation are confidential and exempt from
33 s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
34 (a) Records held by the corporation which identify
35 detection, investigation, or response practices for suspected or
36 confirmed information technology security incidents, including
37 suspected or confirmed breaches, if the disclosure of such
38 records would facilitate unauthorized access to or unauthorized
39 modification, disclosure, or destruction of:
40 1. Data or information, whether physical or virtual; or
41 2. Information technology resources, including:
42 a. Information relating to the security of the
43 corporation’s technologies, processes, and practices designed to
44 protect networks, computers, data processing software, and data
45 from attack, damage, or unauthorized access; or
46 b. Security information, whether physical or virtual, which
47 relates to the corporation’s existing or proposed information
48 technology systems.
49 (b) Those portions of risk assessments, evaluations,
50 audits, and other reports of the corporation’s information
51 technology security program for its data, information, and
52 information technology resources which are held by the
53 corporation, if the disclosure of such records would facilitate
54 unauthorized access to or the unauthorized modification,
55 disclosure, or destruction of:
56 1. Data or information, whether physical or virtual; or
57 2. Information technology resources, which include:
58 a. Information relating to the security of the
59 corporation’s technologies, processes, and practices designed to
60 protect networks, computers, data processing software, and data
61 from attack, damage, or unauthorized access; or
62 b. Security information, whether physical or virtual, which
63 relates to the corporation’s existing or proposed information
64 technology systems.
65 (2) Those portions of a public meeting as specified in s.
66 286.011 which would reveal data and information described in
67 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
68 of the State Constitution. No exempt portion of an exempt
69 meeting may be off the record. All exempt portions of such a
70 meeting must be recorded and transcribed. The recording and
71 transcript of the meeting must remain confidential and exempt
72 from disclosure under s. 119.07(1) and s. 24(a), Art. I of the
73 State Constitution unless a court of competent jurisdiction,
74 following an in camera review, determines that the meeting was
75 not restricted to the discussion of data and information made
76 confidential and exempt by this section. In the event of such a
77 judicial determination, only that portion of the transcript
78 which reveals nonexempt data and information may be disclosed to
79 a third party.
80 (3) The records and portions of public meeting recordings
81 and transcripts described in subsection (2) must be available to
82 the Auditor General, the Cybercrime Office of the Department of
83 Law Enforcement, and the Office of Insurance Regulation. Such
84 records and portions of meetings, recordings, and transcripts
85 may be made available to a state or federal agency for security
86 purposes or in furtherance of the agency’s official duties.
87 (4) The exemptions listed in this section apply to such
88 records or portions of public meetings, recordings, and
89 transcripts held by the corporation before, on, or after July 1,
90 2018.
91 (5) This section is subject to the Open Government Sunset
92 Review Act in accordance with s. 119.15 and shall stand repealed
93 on October 2, 2023, unless reviewed and saved from repeal
94 through reenactment by the Legislature.
95 Section 2. (1)(a) The Legislature finds that it is a public
96 necessity that the following data or information from technology
97 systems owned, under contract, or maintained by the corporation
98 be confidential and exempt from s. 119.07(1), Florida Statutes,
99 and s. 24(a), Article I of the State Constitution:
100 1. Records held by the corporation which identify
101 detection, investigation, or response practices for suspected or
102 confirmed information technology security incidents, including
103 suspected or confirmed breaches, if the disclosure of such
104 records would facilitate unauthorized access to or unauthorized
105 modification, disclosure, or destruction of:
106 a. Data or information, whether physical or virtual; or
107 b. Information technology resources, which include:
108 (I) Information relating to the security of the
109 corporation’s technologies, processes, and practices designed to
110 protect networks, computers, data processing software, and data
111 from attack, damage, or unauthorized access; or
112 (II) Security information, whether physical or virtual,
113 which relates to the corporation’s existing or proposed
114 information technology systems.
115 2. Those portions of risk assessments, evaluations, audits,
116 and other reports of the corporation’s information technology
117 security program for its data, information, and information
118 technology resources which are held by the corporation, if the
119 disclosure of such records would facilitate unauthorized access
120 to or the unauthorized modification, disclosure, or destruction
121 of:
122 a. Data or information, whether physical or virtual; or
123 b. Information technology resources, which include:
124 (I) Information relating to the security of the
125 corporation’s technologies, processes, and practices designed to
126 protect networks, computers, data processing software, and data
127 from attack , damage, or unauthorized access; or
128 (II) Security information, whether physical or virtual,
129 which relates to the corporation’s existing or proposed
130 information technology systems.
131 (b) The Legislature also finds that those portions of a
132 public meeting as specified in s. 286.011, Florida Statutes,
133 which would reveal data and information described in subsection
134 (1) are exempt from s. 286.011, Florida Statutes, and s. 24(b),
135 Article I of the State Constitution. The recording and
136 transcript of the meeting must remain confidential and exempt
137 from disclosure under s. 119.07(1), Florida Statutes, and s.
138 24(a), Article I of the State Constitution unless a court of
139 competent jurisdiction, following an in camera review,
140 determines that the meeting was not restricted to the discussion
141 of data and information made confidential and exempt by this
142 section. In the event of such a judicial determination, only
143 that portion of the transcript which reveals nonexempt data and
144 information may be disclosed to a third party.
145 (c) The Legislature further finds that it is a public
146 necessity that records held by the corporation which identify
147 detection, investigation, or response practices for suspected or
148 confirmed information technology security incidents, including
149 suspected or confirmed breaches, be made confidential and exempt
150 from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of
151 the State Constitution if the disclosure of such records would
152 facilitate unauthorized access to or the unauthorized
153 modification, disclosure, or destruction of:
154 1. Data or information, whether physical or virtual; or
155 2. Information technology resources, which include:
156 a. Information relating to the security of the
157 corporation’s technologies, processes, and practices designed to
158 protect networks, computers, data processing software, and data
159 from attack, damage, or unauthorized access; or
160 b. Security information, whether physical or virtual, which
161 relates to the corporation’s existing or proposed information
162 technology systems.
163 (d) Such records must be made confidential and exempt for
164 the following reasons:
165 1. Records held by the corporation which identify
166 information technology detection, investigation, or response
167 practices for suspected or confirmed information technology
168 security incidents or breaches are likely to be used in the
169 investigations of the incidents or breaches. The release of such
170 information could impede the investigation and impair the
171 ability of reviewing entities to effectively and efficiently
172 execute their investigative duties. In addition, the release of
173 such information before an active investigation is completed
174 could jeopardize the ongoing investigation.
175 2. An investigation of an information technology security
176 incident or breach is likely to result in the gathering of
177 sensitive personal information, including identification numbers
178 and personal financial and health information. Such information
179 could be used to commit identity theft or other crimes. In
180 addition, release of such information could subject possible
181 victims of the security incident or breach to further harm.
182 3. Disclosure of a record, including a computer forensic
183 analysis, or other information that would reveal weaknesses in
184 the corporation’s data security could compromise that security
185 in the future if such information were available upon conclusion
186 of an investigation or once an investigation ceased to be
187 active.
188 4. Such records are likely to contain proprietary
189 information about the security of the system at issue. The
190 disclosure of such information could result in the
191 identification of vulnerabilities and further breaches of that
192 system. In addition, the release of such information could give
193 business competitors an unfair advantage and weaken the security
194 technology supplier supplying the proprietary information in the
195 marketplace.
196 5. The disclosure of such records could potentially
197 compromise the confidentiality, integrity, and availability of
198 the corporation’s data and information technology resources. It
199 is a public necessity that this information be made confidential
200 in order to protect the technology systems, resources, and data
201 of the corporation. The Legislature further finds that this
202 public records exemption be given retroactive application
203 because it is remedial in nature.
204 (2)(a) The Legislature also finds that it is a public
205 necessity that portions of risk assessments, evaluations,
206 audits, and other reports of the corporation’s information
207 technology security program for its data, information, and
208 information technology resources which are held by the
209 corporation be made confidential and exempt from s. 119.07(1),
210 Florida Statutes, and s. 24(a), Article I of the State
211 Constitution if the disclosure of such portions of records would
212 facilitate unauthorized access to or the unauthorized
213 modification, disclosure, or destruction of:
214 1. Data or information, whether physical or virtual; or
215 2. Information technology resources, which include:
216 a. Information relating to the security of the
217 corporation’s technologies, processes, and practices designed to
218 protect networks, computers, data processing software, and data
219 from attack, damage, or unauthorized access; or
220 b. Security information, whether physical or virtual, which
221 relates to the corporation’s existing or proposed information
222 technology systems.
223 (b) The Legislature finds that it is valuable, prudent, and
224 critical to the corporation to have an independent entity
225 conduct a risk assessment, an audit, or an evaluation or
226 complete a report of the corporation’s information technology
227 program or related systems. Such documents would likely include
228 an analysis of the corporation’s current information technology
229 program or systems which could clearly identify vulnerabilities
230 or gaps in current systems or processes and propose
231 recommendations to remedy identified vulnerabilities.
232 (3)(a) The Legislature further finds that it is a public
233 necessity that those portions of a public meeting which could
234 reveal information described in this section be made exempt from
235 s. 286.011, Florida Statutes, and s. 24(b), Article I of the
236 State Constitution. It is a public necessity that such meetings
237 be made exempt from the open meetings requirements in order to
238 protect the corporation’s information technology systems,
239 resources, and data. The information disclosed during portions
240 of meetings would clearly identify the corporation’s information
241 technology systems and its vulnerabilities. This disclosure
242 would jeopardize the information technology security of the
243 corporation and compromise the integrity and availability of the
244 corporation’s data and information technology resources.
245 (b) The Legislature further finds that it is a public
246 necessity that the recording and transcript of those portions of
247 meetings specified in paragraph (a) be made confidential and
248 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
249 Article I of the State Constitution unless a court determines
250 that the meeting was not restricted to the discussion of data
251 and information made confidential and exempt by this act. It is
252 a public necessity that the resulting recordings and transcripts
253 be made confidential and exempt from the public records
254 requirements in order to protect the corporation’s information
255 technology systems, resources, and data. The disclosure of such
256 recordings and transcripts would clearly identify the
257 corporation’s information technology systems and its
258 vulnerabilities. This disclosure would jeopardize the
259 information technology security of the corporation and
260 compromise the integrity and availability of the corporation’s
261 data and information technology resources.
262 (c) The Legislature further finds that this public meeting
263 and public records exemption must be given retroactive
264 application because it is remedial in nature.
265 Section 3. This act shall take effect upon becoming a law.