Florida Senate - 2018 CS for CS for SB 1880
By the Committees on Governmental Oversight and Accountability;
and Banking and Insurance; and Senators Broxson and Mayfield
585-03168-18 20181880c2
1 A bill to be entitled
2 An act relating to public records and public meetings;
3 creating s. 627.352, F.S.; providing an exemption from
4 public records requirements for certain records held
5 by the Citizens Property Insurance Corporation which
6 identify detection, investigation, or response
7 practices for suspected or confirmed information
8 technology security incidents; creating an exemption
9 from public records requirements for certain portions
10 of risk assessments, evaluations, audits, and other
11 reports of the corporation’s information technology
12 security program; creating an exemption from public
13 meetings requirements for portions of public meetings
14 which would reveal such data and information;
15 providing an exemption from public records
16 requirements for a specified period for the recording
17 and transcript of a closed meeting; authorizing
18 disclosure of confidential and exempt information to
19 certain agencies and officers; providing for future
20 legislative review and repeal; providing a statement
21 of public necessity; providing retroactive
22 application; providing a directive to the Division of
23 Law Revision and Information; providing an effective
24 date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. Section 627.352, Florida Statutes, is created to
29 read:
30 627.352 Security of data and information technology in
31 Citizens Property Insurance Corporation.—
32 (1) The following data and information from technology
33 systems owned by, under contract with, or maintained by Citizens
34 Property Insurance Corporation are confidential and exempt from
35 s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
36 (a) Records held by the corporation which identify
37 detection, investigation, or response practices for suspected or
38 confirmed information technology security incidents, including
39 suspected or confirmed breaches, if the disclosure of such
40 records would facilitate unauthorized access to or unauthorized
41 modification, disclosure, or destruction of:
42 1. Data or information, whether physical or virtual; or
43 2. Information technology resources, including:
44 a. Information relating to the security of the
45 corporation’s technologies, processes, and practices designed to
46 protect networks, computers, data processing software, and data
47 from attack, damage, or unauthorized access; or
48 b. Security information, whether physical or virtual, which
49 relates to the corporation’s existing or proposed information
50 technology systems.
51 (b) Those portions of risk assessments, evaluations,
52 audits, and other reports of the corporation’s information
53 technology security program for its data, information, and
54 information technology resources which are held by the
55 corporation, if the disclosure of such records would facilitate
56 unauthorized access to or the unauthorized modification,
57 disclosure, or destruction of:
58 1. Data or information, whether physical or virtual; or
59 2. Information technology resources, which include:
60 a. Information relating to the security of the
61 corporation’s technologies, processes, and practices designed to
62 protect networks, computers, data processing software, and data
63 from attack, damage, or unauthorized access; or
64 b. Security information, whether physical or virtual, which
65 relates to the corporation’s existing or proposed information
66 technology systems.
67 (2) Those portions of a public meeting as specified in s.
68 286.011 which would reveal data and information described in
69 subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
70 of the State Constitution. No exempt portion of an exempt
71 meeting may be off the record. All exempt portions of such a
72 meeting must be recorded and transcribed. The recording and
73 transcript of the meeting must remain confidential and exempt
74 from disclosure under s. 119.07(1) and s. 24(a), Art. I of the
75 State Constitution unless a court of competent jurisdiction,
76 following an in camera review, determines that the meeting was
77 not restricted to the discussion of data and information made
78 confidential and exempt by this section. In the event of such a
79 judicial determination, only that portion of the transcript
80 which reveals nonexempt data and information may be disclosed to
81 a third party.
82 (3) The records and portions of public meeting recordings
83 and transcripts described in subsection (2) must be available to
84 the Auditor General, the Cybercrime Office of the Department of
85 Law Enforcement, and the Office of Insurance Regulation. Such
86 records and portions of meetings, recordings, and transcripts
87 may be made available to a state or federal agency for security
88 purposes or in furtherance of the agency’s official duties.
89 (4) The exemptions listed in this section apply to such
90 records or portions of public meetings, recordings, and
91 transcripts held by the corporation before, on, or after the
92 effective date of this act.
93 (5) This section is subject to the Open Government Sunset
94 Review Act in accordance with s. 119.15 and shall stand repealed
95 on October 2, 2023, unless reviewed and saved from repeal
96 through reenactment by the Legislature.
97 Section 2. (1)(a) The Legislature finds that it is a public
98 necessity that the following data or information from technology
99 systems owned, under contract, or maintained by the corporation
100 be confidential and exempt from s. 119.07(1), Florida Statutes,
101 and s. 24(a), Article I of the State Constitution:
102 1. Records held by the corporation which identify
103 detection, investigation, or response practices for suspected or
104 confirmed information technology security incidents, including
105 suspected or confirmed breaches, if the disclosure of such
106 records would facilitate unauthorized access to or unauthorized
107 modification, disclosure, or destruction of:
108 a. Data or information, whether physical or virtual; or
109 b. Information technology resources, which include:
110 (I) Information relating to the security of the
111 corporation’s technologies, processes, and practices designed to
112 protect networks, computers, data processing software, and data
113 from attack, damage, or unauthorized access; or
114 (II) Security information, whether physical or virtual,
115 which relates to the corporation’s existing or proposed
116 information technology systems.
117 2. Those portions of risk assessments, evaluations, audits,
118 and other reports of the corporation’s information technology
119 security program for its data, information, and information
120 technology resources which are held by the corporation, if the
121 disclosure of such records would facilitate unauthorized access
122 to or the unauthorized modification, disclosure, or destruction
123 of:
124 a. Data or information, whether physical or virtual; or
125 b. Information technology resources, which include:
126 (I) Information relating to the security of the
127 corporation’s technologies, processes, and practices designed to
128 protect networks, computers, data processing software, and data
129 from attack, damage, or unauthorized access; or
130 (II) Security information, whether physical or virtual,
131 which relates to the corporation’s existing or proposed
132 information technology systems.
133 (b) The Legislature also finds that those portions of a
134 public meeting as specified in s. 286.011, Florida Statutes,
135 which would reveal data and information described in subsection
136 (1) are exempt from s. 286.011, Florida Statutes, and s. 24(b),
137 Article I of the State Constitution. The recording and
138 transcript of the meeting must remain confidential and exempt
139 from disclosure under s. 119.07(1), Florida Statutes, and s.
140 24(a), Article I of the State Constitution unless a court of
141 competent jurisdiction, following an in camera review,
142 determines that the meeting was not restricted to the discussion
143 of data and information made confidential and exempt by this
144 section. In the event of such a judicial determination, only
145 that portion of the transcript which reveals nonexempt data and
146 information may be disclosed to a third party.
147 (c) The Legislature further finds that it is a public
148 necessity that records held by the corporation which identify
149 detection, investigation, or response practices for suspected or
150 confirmed information technology security incidents, including
151 suspected or confirmed breaches, be made confidential and exempt
152 from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of
153 the State Constitution if the disclosure of such records would
154 facilitate unauthorized access to or the unauthorized
155 modification, disclosure, or destruction of:
156 1. Data or information, whether physical or virtual; or
157 2. Information technology resources, which include:
158 a. Information relating to the security of the
159 corporation’s technologies, processes, and practices designed to
160 protect networks, computers, data processing software, and data
161 from attack, damage, or unauthorized access; or
162 b. Security information, whether physical or virtual, which
163 relates to the corporation’s existing or proposed information
164 technology systems.
165 (d) Such records must be made confidential and exempt for
166 the following reasons:
167 1. Records held by the corporation which identify
168 information technology detection, investigation, or response
169 practices for suspected or confirmed information technology
170 security incidents or breaches are likely to be used in the
171 investigations of the incidents or breaches. The release of such
172 information could impede the investigation and impair the
173 ability of reviewing entities to effectively and efficiently
174 execute their investigative duties. In addition, the release of
175 such information before an active investigation is completed
176 could jeopardize the ongoing investigation.
177 2. An investigation of an information technology security
178 incident or breach is likely to result in the gathering of
179 sensitive personal information, including identification numbers
180 and personal financial and health information. Such information
181 could be used to commit identity theft or other crimes. In
182 addition, release of such information could subject possible
183 victims of the security incident or breach to further harm.
184 3. Disclosure of a record, including a computer forensic
185 analysis, or other information that would reveal weaknesses in
186 the corporation’s data security could compromise that security
187 in the future if such information were available upon conclusion
188 of an investigation or once an investigation ceased to be
189 active.
190 4. Such records are likely to contain proprietary
191 information about the security of the system at issue. The
192 disclosure of such information could result in the
193 identification of vulnerabilities and further breaches of that
194 system. In addition, the release of such information could give
195 business competitors an unfair advantage and weaken the security
196 technology supplier supplying the proprietary information in the
197 marketplace.
198 5. The disclosure of such records could potentially
199 compromise the confidentiality, integrity, and availability of
200 the corporation’s data and information technology resources. It
201 is a public necessity that this information be made confidential
202 in order to protect the technology systems, resources, and data
203 of the corporation. The Legislature further finds that this
204 public records exemption be given retroactive application
205 because it is remedial in nature.
206 (2)(a) The Legislature also finds that it is a public
207 necessity that portions of risk assessments, evaluations,
208 audits, and other reports of the corporation’s information
209 technology security program for its data, information, and
210 information technology resources which are held by the
211 corporation be made confidential and exempt from s. 119.07(1),
212 Florida Statutes, and s. 24(a), Article I of the State
213 Constitution if the disclosure of such portions of records would
214 facilitate unauthorized access to or the unauthorized
215 modification, disclosure, or destruction of:
216 1. Data or information, whether physical or virtual; or
217 2. Information technology resources, which include:
218 a. Information relating to the security of the
219 corporation’s technologies, processes, and practices designed to
220 protect networks, computers, data processing software, and data
221 from attack, damage, or unauthorized access; or
222 b. Security information, whether physical or virtual, which
223 relates to the corporation’s existing or proposed information
224 technology systems.
225 (b) The Legislature finds that it is valuable, prudent, and
226 critical to the corporation to have an independent entity
227 conduct a risk assessment, an audit, or an evaluation or
228 complete a report of the corporation’s information technology
229 program or related systems. Such documents would likely include
230 an analysis of the corporation’s current information technology
231 program or systems which could clearly identify vulnerabilities
232 or gaps in current systems or processes and propose
233 recommendations to remedy identified vulnerabilities.
234 (3)(a) The Legislature further finds that it is a public
235 necessity that those portions of a public meeting which could
236 reveal information described in this section be made exempt from
237 s. 286.011, Florida Statutes, and s. 24(b), Article I of the
238 State Constitution. It is a public necessity that such meetings
239 be made exempt from the open meetings requirements in order to
240 protect the corporation’s information technology systems,
241 resources, and data. The information disclosed during portions
242 of meetings would clearly identify the corporation’s information
243 technology systems and its vulnerabilities. This disclosure
244 would jeopardize the information technology security of the
245 corporation and compromise the integrity and availability of the
246 corporation’s data and information technology resources.
247 (b) The Legislature further finds that it is a public
248 necessity that the recording and transcript of those portions of
249 meetings specified in paragraph (a) be made confidential and
250 exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
251 Article I of the State Constitution unless a court determines
252 that the meeting was not restricted to the discussion of data
253 and information made confidential and exempt by this act. It is
254 a public necessity that the resulting recordings and transcripts
255 be made confidential and exempt from the public records
256 requirements in order to protect the corporation’s information
257 technology systems, resources, and data. The disclosure of such
258 recordings and transcripts would clearly identify the
259 corporation’s information technology systems and its
260 vulnerabilities. This disclosure would jeopardize the
261 information technology security of the corporation and
262 compromise the integrity and availability of the corporation’s
263 data and information technology resources.
264 (c) The Legislature further finds that this public meeting
265 and public records exemption must be given retroactive
266 application because it is remedial in nature.
267 Section 3. The Division of Law Revision and Information is
268 directed to replace the phrase “the effective date of this act”
269 wherever it occurs in this act with the date this act becomes a
270 law.
271 Section 4. This act shall take effect upon becoming a law.