Florida Senate - 2020 SB 1170
By Senator Baxley
12-01201-20 20201170__
1 A bill to be entitled
2 An act relating to public records and meetings;
3 amending s. 282.318, F.S.; revising a provision to
4 reflect the abolishment of the Agency for State
5 Technology; providing an exemption from public records
6 requirements for portions of records held by a state
7 agency which contain network schematics, hardware and
8 software configurations, or encryption; removing the
9 scheduled repeal of a certain public records
10 exemption; providing an exemption from public meetings
11 requirements for portions of meetings which would
12 reveal certain records; requiring the recording and
13 transcription of exempt portions of such meetings;
14 providing an exemption from public records
15 requirements for such recordings and transcripts;
16 providing an exception; revising applicability of
17 provisions requiring and authorizing certain records
18 to be made available to certain entities; providing
19 for future legislative review and repeal under the
20 Open Government Sunset Review Act of the exemptions;
21 providing for retroactive application of the
22 exemptions; providing statements of public necessity;
23 providing an effective date.
24
25 Be It Enacted by the Legislature of the State of Florida:
26
27 Section 1. Section 282.318, Florida Statutes, is amended to
28 read:
29 282.318 Security of data and information technology.—
30 (1) This section may be cited as the “Information
31 Technology Security Act.”
32 (2) As used in this section, the term “state agency” has
33 the same meaning as provided in s. 282.0041, except that the
34 term includes the Department of Legal Affairs, the Department of
35 Agriculture and Consumer Services, and the Department of
36 Financial Services.
37 (3) The department is responsible for establishing
38 standards and processes consistent with generally accepted best
39 practices for information technology security, to include
40 cybersecurity, and adopting rules that safeguard an agency’s
41 data, information, and information technology resources to
42 ensure availability, confidentiality, and integrity and to
43 mitigate risks. The department shall also:
44 (a) Designate a state chief information security officer
45 who must have experience and expertise in security and risk
46 management for communications and information technology
47 resources.
48 (b) Develop, and annually update by February 1, a statewide
49 information technology security strategic plan that includes
50 security goals and objectives for the strategic issues of
51 information technology security policy, risk management,
52 training, incident management, and disaster recovery planning.
53 (c) Develop and publish for use by state agencies an
54 information technology security framework that, at a minimum,
55 includes guidelines and processes for:
56 1. Establishing asset management procedures to ensure that
57 an agency’s information technology resources are identified and
58 managed consistent with their relative importance to the
59 agency’s business objectives.
60 2. Using a standard risk assessment methodology that
61 includes the identification of an agency’s priorities,
62 constraints, risk tolerances, and assumptions necessary to
63 support operational risk decisions.
64 3. Completing comprehensive risk assessments and
65 information technology security audits, which may be completed
66 by a private sector vendor, and submitting completed assessments
67 and audits to the department.
68 4. Identifying protection procedures to manage the
69 protection of an agency’s information, data, and information
70 technology resources.
71 5. Establishing procedures for accessing information and
72 data to ensure the confidentiality, integrity, and availability
73 of such information and data.
74 6. Detecting threats through proactive monitoring of
75 events, continuous security monitoring, and defined detection
76 processes.
77 7. Establishing agency computer security incident response
78 teams and describing their responsibilities for responding to
79 information technology security incidents, including breaches of
80 personal information containing confidential or exempt data.
81 8. Recovering information and data in response to an
82 information technology security incident. The recovery may
83 include recommended improvements to the agency processes,
84 policies, or guidelines.
85 9. Establishing an information technology security incident
86 reporting process that includes procedures and tiered reporting
87 timeframes for notifying the department and the Department of
88 Law Enforcement of information technology security incidents.
89 The tiered reporting timeframes shall be based upon the level of
90 severity of the information technology security incidents being
91 reported.
92 10. Incorporating information obtained through detection
93 and response activities into the agency’s information technology
94 security incident response plans.
95 11. Developing agency strategic and operational information
96 technology security plans required pursuant to this section.
97 12. Establishing the managerial, operational, and technical
98 safeguards for protecting state government data and information
99 technology resources that align with the state agency risk
100 management strategy and that protect the confidentiality,
101 integrity, and availability of information and data.
102 (d) Assist state agencies in complying with this section.
103 (e) In collaboration with the Cybercrime Office of the
104 Department of Law Enforcement, annually provide training for
105 state agency information security managers and computer security
106 incident response team members that contains training on
107 information technology security, including cybersecurity,
108 threats, trends, and best practices.
109 (f) Annually review the strategic and operational
110 information technology security plans of executive branch
111 agencies.
112 (4) Each state agency head shall, at a minimum:
113 (a) Designate an information security manager to administer
114 the information technology security program of the state agency.
115 This designation must be provided annually in writing to the
116 department by January 1. A state agency’s information security
117 manager, for purposes of these information security duties,
118 shall report directly to the agency head.
119 (b) In consultation with the department and the Cybercrime
120 Office of the Department of Law Enforcement, establish an agency
121 computer security incident response team to respond to an
122 information technology security incident. The agency computer
123 security incident response team shall convene upon notification
124 of an information technology security incident and must comply
125 with all applicable guidelines and processes established
126 pursuant to paragraph (3)(c).
127 (c) Submit to the department annually by July 31, the state
128 agency’s strategic and operational information technology
129 security plans developed pursuant to rules and guidelines
130 established by the department.
131 1. The state agency strategic information technology
132 security plan must cover a 3-year period and, at a minimum,
133 define security goals, intermediate objectives, and projected
134 agency costs for the strategic issues of agency information
135 security policy, risk management, security training, security
136 incident response, and disaster recovery. The plan must be based
137 on the statewide information technology security strategic plan
138 created by the department and include performance metrics that
139 can be objectively measured to reflect the status of the state
140 agency’s progress in meeting security goals and objectives
141 identified in the agency’s strategic information security plan.
142 2. The state agency operational information technology
143 security plan must include a progress report that objectively
144 measures progress made towards the prior operational information
145 technology security plan and a project plan that includes
146 activities, timelines, and deliverables for security objectives
147 that the state agency will implement during the current fiscal
148 year.
149 (d) Conduct, and update every 3 years, a comprehensive risk
150 assessment, which may be completed by a private sector vendor,
151 to determine the security threats to the data, information, and
152 information technology resources, including mobile devices and
153 print environments, of the agency. The risk assessment must
154 comply with the risk assessment methodology developed by the
155 department and is confidential and exempt from s. 119.07(1),
156 except that such information shall be available to the Auditor
157 General, the Division of State Technology within the department,
158 the Cybercrime Office of the Department of Law Enforcement, and,
159 for state agencies under the jurisdiction of the Governor, the
160 Chief Inspector General.
161 (e) Develop, and periodically update, written internal
162 policies and procedures, which include procedures for reporting
163 information technology security incidents and breaches to the
164 Cybercrime Office of the Department of Law Enforcement and the
165 Division of State Technology within the department. Such
166 policies and procedures must be consistent with the rules,
167 guidelines, and processes established by the department to
168 ensure the security of the data, information, and information
169 technology resources of the agency. The internal policies and
170 procedures that, if disclosed, could facilitate the unauthorized
171 modification, disclosure, or destruction of data or information
172 technology resources are confidential information and exempt
173 from s. 119.07(1), except that such information shall be
174 available to the Auditor General, the Cybercrime Office of the
175 Department of Law Enforcement, the Division of State Technology
176 within the department, and, for state agencies under the
177 jurisdiction of the Governor, the Chief Inspector General.
178 (f) Implement managerial, operational, and technical
179 safeguards and risk assessment remediation plans recommended by
180 the department to address identified risks to the data,
181 information, and information technology resources of the agency.
182 (g) Ensure that periodic internal audits and evaluations of
183 the agency’s information technology security program for the
184 data, information, and information technology resources of the
185 agency are conducted. The results of such audits and evaluations
186 are confidential information and exempt from s. 119.07(1),
187 except that such information shall be available to the Auditor
188 General, the Cybercrime Office of the Department of Law
189 Enforcement, the Division of State Technology within the
190 department, and, for agencies under the jurisdiction of the
191 Governor, the Chief Inspector General.
192 (h) Ensure that the information technology security and
193 cybersecurity requirements in both the written specifications
194 for the solicitation and service-level agreement of information
195 technology and information technology resources and services
196 meet or exceed the applicable state and federal laws,
197 regulations, and standards for information technology security
198 and cybersecurity. Service-level agreements must identify
199 service provider and state agency responsibilities for privacy
200 and security, protection of government data, personnel
201 background screening, and security deliverables with associated
202 frequencies.
203 (i) Provide information technology security and
204 cybersecurity awareness training to all state agency employees
205 in the first 30 days after commencing employment concerning
206 information technology security risks and the responsibility of
207 employees to comply with policies, standards, guidelines, and
208 operating procedures adopted by the state agency to reduce those
209 risks. The training may be provided in collaboration with the
210 Cybercrime Office of the Department of Law Enforcement.
211 (j) Develop a process for detecting, reporting, and
212 responding to threats, breaches, or information technology
213 security incidents which is consistent with the security rules,
214 guidelines, and processes established by the Division of State
215 Technology within the department Agency for State Technology.
216 1. All information technology security incidents and
217 breaches must be reported to the Division of State Technology
218 within the department and the Cybercrime Office of the
219 Department of Law Enforcement and must comply with the
220 notification procedures and reporting timeframes established
221 pursuant to paragraph (3)(c).
222 2. For information technology security breaches, state
223 agencies shall provide notice in accordance with s. 501.171.
224 (5)3. Portions of records held by a state agency which
225 contain network schematics, hardware and software
226 configurations, or encryption, or which identify detection,
227 investigation, or response practices for suspected or confirmed
228 information technology security incidents, including suspected
229 or confirmed breaches, are confidential and exempt from s.
230 119.07(1) and s. 24(a), Art. I of the State Constitution, if the
231 disclosure of such records would facilitate unauthorized access
232 to or the unauthorized modification, disclosure, or destruction
233 of:
234 (a)a. Data or information, whether physical or virtual; or
235 (b)b. Information technology resources, which includes:
236 1.(I) Information relating to the security of the agency’s
237 technologies, processes, and practices designed to protect
238 networks, computers, data processing software, and data from
239 attack, damage, or unauthorized access; or
240 2.(II) Security information, whether physical or virtual,
241 which relates to the agency’s existing or proposed information
242 technology systems.
243
244 Such records shall be available to the Auditor General, the
245 Division of State Technology within the department, the
246 Cybercrime Office of the Department of Law Enforcement, and, for
247 state agencies under the jurisdiction of the Governor, the Chief
248 Inspector General. Such records may be made available to a local
249 government, another state agency, or a federal agency for
250 information technology security purposes or in furtherance of
251 the state agency’s official duties. This exemption applies to
252 such records held by a state agency before, on, or after the
253 effective date of this exemption. This subparagraph is subject
254 to the Open Government Sunset Review Act in accordance with s.
255 119.15 and shall stand repealed on October 2, 2021, unless
256 reviewed and saved from repeal through reenactment by the
257 Legislature.
258 (6)(5) The portions of risk assessments, evaluations,
259 external audits, and other reports of a state agency’s
260 information technology security program for the data,
261 information, and information technology resources of the state
262 agency which are held by a state agency are confidential and
263 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
264 Constitution if the disclosure of such portions of records would
265 facilitate unauthorized access to or the unauthorized
266 modification, disclosure, or destruction of:
267 (a) Data or information, whether physical or virtual; or
268 (b) Information technology resources, which include:
269 1. Information relating to the security of the agency’s
270 technologies, processes, and practices designed to protect
271 networks, computers, data processing software, and data from
272 attack, damage, or unauthorized access; or
273 2. Security information, whether physical or virtual, which
274 relates to the agency’s existing or proposed information
275 technology systems. For purposes of this subsection, the term
276 “external audit” means an audit that is conducted by an entity
277 other than the state agency that is the subject of the audit.
278 (7) Those portions of a public meeting as specified in s.
279 286.011 which would reveal records that are confidential and
280 exempt under subsection (5) or subsection (6) are exempt from s.
281 286.011 and s. 24(b), Art. I of the State Constitution. No
282 exempt portion of an exempt meeting may be off the record. All
283 exempt portions of such meeting shall be recorded and
284 transcribed. Such recordings and transcripts are confidential
285 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
286 I of the State Constitution unless a court of competent
287 jurisdiction, after an in camera review, determines that the
288 meeting was not restricted to the discussion of data and
289 information made confidential and exempt by this section. In the
290 event of such a judicial determination, only that portion of the
291 recording and transcript which reveals nonexempt data and
292 information may be disclosed to a third party.
293 (8) The Such portions of records made confidential and
294 exempt in subsections (5), (6), and (7) shall be available to
295 the Auditor General, the Cybercrime Office of the Department of
296 Law Enforcement, the Division of State Technology within the
297 department, and, for agencies under the jurisdiction of the
298 Governor, the Chief Inspector General. Such portions of records
299 may be made available to a local government, another state
300 agency, or a federal agency for information technology security
301 purposes or in furtherance of the state agency’s official
302 duties. For purposes of this subsection, “external audit” means
303 an audit that is conducted by an entity other than the state
304 agency that is the subject of the audit.
305 (9) The exemptions contained in subsections (5), (6), and
306 (7) apply This exemption applies to such records held by a state
307 agency before, on, or after the effective date of this
308 exemption.
309 (10) Subsections (5), (6), and (7) are This subsection is
310 subject to the Open Government Sunset Review Act in accordance
311 with s. 119.15 and shall stand repealed on October 2, 2025 2021,
312 unless reviewed and saved from repeal through reenactment by the
313 Legislature.
314 (11)(6) The department shall adopt rules relating to
315 information technology security and to administer this section.
316 Section 2. (1)(a) The Legislature finds it is a public
317 necessity that the following data or information held by a state
318 agency be made confidential and exempt from s. 119.07(1),
319 Florida Statutes, and s. 24(a), Article I of the State
320 Constitution:
321 1. Portions of records held by a state agency which contain
322 network schematics, hardware and software configurations,
323 encryption, or which identify detection, investigation, or
324 response practices for suspected or confirmed information
325 technology security incidents, including suspected or confirmed
326 breaches, if the disclosure of such records would facilitate
327 unauthorized access to or the unauthorized modification,
328 disclosure, or destruction of:
329 a. Data or information, whether physical or virtual; or
330 b. Information technology resources, which include:
331 (I) Information relating to the security of the agency’s
332 technologies, processes, and practices designed to protect
333 networks, computers, data processing software, and data from
334 attack, damage, or unauthorized access; or
335 (II) Security information, whether physical or virtual,
336 which relates to the agency’s existing or proposed information
337 technology systems.
338 2. Portions of risk assessments, evaluations, external
339 audits, and other reports of a state agency’s information
340 technology security programs, if the disclosure of such portions
341 of records would facilitate unauthorized access to or the
342 unauthorized modification, disclosure, or destruction of:
343 a. Data or information, whether physical or virtual; or
344 b. Information technology resources, which include:
345 (I) Information relating to the security of the state
346 agency’s technologies, processes, and practices designed to
347 protect networks, computers, data processing software, and data
348 from attack, damage, or unauthorized access; or
349 (II) Security information, whether physical or virtual,
350 which relates to the agency’s existing or proposed information
351 technology systems.
352 (b) Such records must be made confidential and exempt from
353 public records requirements for the following reasons:
354 1. Portions of records held by a state agency which contain
355 network schematics, hardware and software configurations,
356 encryption, or which identify information technology detection,
357 investigation, or response practices for suspected or confirmed
358 information technology security incidents or breaches are likely
359 to be used in the investigations of the incidents or breaches.
360 The release of such information could impede the investigation
361 and impair the ability of reviewing entities to effectively and
362 efficiently execute their investigative duties. In addition, the
363 release of such information before an active investigation is
364 completed could jeopardize the ongoing investigation.
365 2. An investigation of an information technology security
366 incident or breach is likely to result in the gathering of
367 sensitive personal information, including identification numbers
368 and personal financial and health information. Such information
369 could be used to commit identity theft or other crimes. In
370 addition, release of such information could subject possible
371 victims of the security incident or breach to further harm.
372 3. Disclosure of a record, including a computer forensic
373 analysis, or other information that would reveal weaknesses in a
374 state agency’s data security could compromise that security in
375 the future if such information were available upon conclusion of
376 an investigation or once an investigation ceased to be active.
377 4. Such records are likely to contain proprietary
378 information about the security of the system at issue. The
379 disclosure of such information could result in the
380 identification of vulnerabilities and further breaches of that
381 system. In addition, the release of such information could give
382 business competitors an unfair advantage and weaken the security
383 technology supplier supplying the proprietary information in the
384 marketplace.
385 5. The disclosure of such records could potentially
386 compromise the confidentiality, integrity, and availability of
387 state agency data and information technology resources, which
388 would significantly impair the administration of vital state
389 programs. It is necessary that this information be made
390 confidential in order to protect the technology systems,
391 resources, and data of state agencies.
392 6. It is valuable, prudent, and critical to a state agency
393 to have an independent entity conduct a risk assessment, an
394 audit, or an evaluation or complete a report of the agency’s
395 information technology program or related systems. Such
396 documents would likely include an analysis of the agency’s
397 current information technology program or systems which could
398 clearly identify vulnerabilities or gaps in current systems or
399 processes and propose recommendations to remedy identified
400 vulnerabilities.
401 (2)(a)1. The Legislature also finds that it is a public
402 necessity that those portions of a public meeting which would
403 reveal data and information described in paragraph (1)(a) be
404 made exempt from s. 286.011, Florida Statutes, and s. 24(b),
405 Article I of the State Constitution.
406 2. Such meetings must be made exempt from open meetings
407 requirements in order to protect agency information technology
408 systems, resources, and data. This information would clearly
409 identify a state agency’s information technology systems and its
410 vulnerabilities and disclosure of such information would
411 jeopardize the information technology security of the state
412 agency and compromise the integrity and availability of state
413 agency data and information technology resources. Such
414 disclosure would significantly impair the administration of
415 state programs.
416 (b)1. The Legislature further finds that it is a public
417 necessity that the recordings and transcripts of the portions of
418 meetings specified in subparagraph (a)1. be made confidential
419 and exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
420 Article I of the State Constitution.
421 2. It is necessary that the resulting recordings and
422 transcripts be made confidential and exempt from public record
423 requirements in order to protect state information technology
424 systems, resources, and data. The disclosure of such recordings
425 and transcripts would clearly identify a state agency’s
426 information technology systems and its vulnerabilities. This
427 disclosure would jeopardize the information technology security
428 of the agency and compromise the integrity and availability of
429 state data and information technology resources, which would
430 significantly impair the administration of state programs.
431 (3) The Legislature further finds that these public meeting
432 and public records exemptions must be given retroactive
433 application because they are remedial in nature.
434 Section 3. This act shall take effect upon becoming a law.