Florida Senate - 2022 COMMITTEE AMENDMENT
Bill No. CS for SB 1694
Ì570256-Î570256
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
03/02/2022 .
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Committee on Appropriations (Hutson) recommended the
following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 119.0725, Florida Statutes, is created
6 to read:
7 119.0725 Agency cybersecurity information; public records
8 exemption; public meetings exemption.—
9 (1) As used in this section, the term:
10 (a) “Breach” means unauthorized access of data in
11 electronic form containing personal information. Good faith
12 access of personal information by an employee or agent of an
13 agency does not constitute a breach, provided that the
14 information is not used for a purpose unrelated to the business
15 or subject to further unauthorized use.
16 (b) “Critical infrastructure” means existing and proposed
17 information technology and operational technology systems and
18 assets, whether physical or virtual, the incapacity or
19 destruction of which would negatively affect security, economic
20 security, public health, or public safety.
21 (c) “Cybersecurity” has the same meaning as in s. 282.0041.
22 (d) “Data” has the same meaning as in s. 282.0041.
23 (e) “Incident” means a violation or imminent threat of
24 violation, whether such violation is accidental or deliberate,
25 of information technology resources, security, policies, or
26 practices. As used in this paragraph, the term “imminent threat
27 of violation” means a situation in which the agency has a
28 factual basis for believing that a specific incident is about to
29 occur.
30 (f) “Information technology” has the same meaning as in s.
31 282.0041.
32 (g) “Operational technology” means the hardware and
33 software that cause or detect a change through the direct
34 monitoring or control of physical devices, systems, processes,
35 or events.
36 (2) The following information held by an agency is
37 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
38 of the State Constitution:
39 (a) Coverage limits and deductible or self-insurance
40 amounts of insurance or other risk mitigation coverages acquired
41 for the protection of information technology systems,
42 operational technology systems, or data of an agency.
43 (b) Information relating to critical infrastructure.
44 (c) Network schematics, hardware and software
45 configurations, or encryption information or information that
46 identifies detection, investigation, or response practices for
47 suspected or confirmed cybersecurity incidents, including
48 suspected or confirmed breaches, if the disclosure of such
49 information would facilitate unauthorized access to or
50 unauthorized modification, disclosure, or destruction of:
51 1. Data or information, whether physical or virtual; or
52 2. Information technology resources, which include an
53 agency’s existing or proposed information technology systems.
54 (3) Any portion of a meeting that would reveal information
55 made confidential and exempt under subsection (2) is exempt from
56 s. 286.011 and s. 24(b), Art. I of the State Constitution. An
57 exempt portion of a meeting may not be off the record and must
58 be recorded and transcribed. The recording and transcript are
59 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
60 of the State Constitution.
61 (4) The public records exemptions contained in this section
62 apply to information held by an agency before, on, or after July
63 1, 2022.
64 (5)(a) Information made confidential and exempt pursuant to
65 this section shall be made available to a law enforcement
66 agency, the Auditor General, the Cybercrime Office of the
67 Department of Law Enforcement, the Florida Digital Service
68 within the Department of Management Services, and, for agencies
69 under the jurisdiction of the Governor, the Chief Inspector
70 General.
71 (b) Such confidential and exempt information may be
72 disclosed by an agency in the furtherance of its official duties
73 and responsibilities or to another agency or governmental entity
74 in the furtherance of its statutory duties and responsibilities.
75 (6) Agencies may report information about cybersecurity
76 incidents in the aggregate.
77 (7) This section is subject to the Open Government Sunset
78 Review Act in accordance with s. 119.15 and shall stand repealed
79 on October 2, 2027, unless reviewed and saved from repeal
80 through reenactment by the Legislature.
81 Section 2. Subsection (13) of section 98.015, Florida
82 Statutes, is amended to read:
83 98.015 Supervisor of elections; election, tenure of office,
84 compensation, custody of registration-related documents, office
85 hours, successor, seal; appointment of deputy supervisors;
86 duties; public records exemption.—
87 (13)(a) Portions of records held by a supervisor of
88 elections which contain network schematics, hardware and
89 software configurations, or encryption, or which identify
90 detection, investigation, or response practices for suspected or
91 confirmed information technology security incidents, including
92 suspected or confirmed breaches, are confidential and exempt
93 from s. 119.07(1) and s. 24(a), Art. I of the State
94 Constitution, if the disclosure of such records would facilitate
95 unauthorized access to or the unauthorized modification,
96 disclosure, or destruction of:
97 1. Data or information, whether physical or virtual; or
98 2. Information technology resources as defined in s.
99 119.011(9), which includes:
100 a. Information relating to the security of a supervisor of
101 elections’ technology, processes, and practices designed to
102 protect networks, computers, data processing software, and data
103 from attack, damage, or unauthorized access; or
104 b. Security information, whether physical or virtual, which
105 relates to a supervisor of elections’ existing or proposed
106 information technology systems.
107 (b) The portions of records made confidential and exempt in
108 paragraph (a) shall be available to the Auditor General and may
109 be made available to another governmental entity for information
110 technology security purposes or in the furtherance of the
111 entity’s official duties.
112 (c) The public record exemption in paragraph (a) applies to
113 records held by a supervisor of elections before, on, or after
114 the effective date of the exemption.
115 (d) This subsection is subject to the Open Government
116 Sunset Review Act in accordance with s. 119.15 and shall stand
117 repealed on October 2, 2026, unless reviewed and saved from
118 repeal through reenactment by the Legislature.
119 Section 3. Subsections (6) and (11) of section 282.318,
120 Florida Statutes, are renumbered as subsections (5) and (10),
121 respectively, and present subsections (5), (7), (8), (9), and
122 (10) of that section are amended to read:
123 282.318 Cybersecurity.—
124 (5) Portions of records held by a state agency which
125 contain network schematics, hardware and software
126 configurations, or encryption, or which identify detection,
127 investigation, or response practices for suspected or confirmed
128 cybersecurity incidents, including suspected or confirmed
129 breaches, are confidential and exempt from s. 119.07(1) and s.
130 24(a), Art. I of the State Constitution, if the disclosure of
131 such records would facilitate unauthorized access to or the
132 unauthorized modification, disclosure, or destruction of:
133 (a) Data or information, whether physical or virtual; or
134 (b) Information technology resources, which includes:
135 1. Information relating to the security of the agency’s
136 technologies, processes, and practices designed to protect
137 networks, computers, data processing software, and data from
138 attack, damage, or unauthorized access; or
139 2. Security information, whether physical or virtual, which
140 relates to the agency’s existing or proposed information
141 technology systems.
142 (6)(7) Those portions of a public meeting as specified in
143 s. 286.011 which would reveal records which are confidential and
144 exempt under subsection (5) or subsection (6) are exempt from s.
145 286.011 and s. 24(b), Art. I of the State Constitution. No
146 exempt portion of an exempt meeting may be off the record. All
147 exempt portions of such meeting shall be recorded and
148 transcribed. Such recordings and transcripts are confidential
149 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
150 I of the State Constitution unless a court of competent
151 jurisdiction, after an in camera review, determines that the
152 meeting was not restricted to the discussion of data and
153 information made confidential and exempt by this section. In the
154 event of such a judicial determination, only that portion of the
155 recording and transcript which reveals nonexempt data and
156 information may be disclosed to a third party.
157 (7)(8) The portions of records made confidential and exempt
158 in subsections (5) and, (6), and (7) shall be available to the
159 Auditor General, the Cybercrime Office of the Department of Law
160 Enforcement, the Florida Digital Service within the department,
161 and, for agencies under the jurisdiction of the Governor, the
162 Chief Inspector General. Such portions of records may be made
163 available to a local government, another state agency, or a
164 federal agency for cybersecurity purposes or in furtherance of
165 the state agency’s official duties.
166 (8)(9) The exemptions contained in subsections (5) and,
167 (6), and (7) apply to records held by a state agency before, on,
168 or after the effective date of this exemption.
169 (9)(10) Subsections (5) and, (6), and (7) are subject to
170 the Open Government Sunset Review Act in accordance with s.
171 119.15 and shall stand repealed on October 2, 2025, unless
172 reviewed and saved from repeal through reenactment by the
173 Legislature.
174 Section 4. (1) The Legislature finds that it is a public
175 necessity that the following information held by an agency be
176 made confidential and exempt from s. 119.07(1), Florida
177 Statutes, and s. 24(a), Article I of the State Constitution:
178 (a) Coverage limits and deductible or self-insurance
179 amounts of insurance or other risk mitigation coverages acquired
180 for the protection of information technology systems,
181 operational technology systems, or data of an agency.
182 (b) Information relating to critical infrastructure.
183 (c) Network schematics, hardware and software
184 configurations, or encryption information or information that
185 identifies detection, investigation, or response practices for
186 suspected or confirmed cybersecurity incidents, including
187 suspected or confirmed breaches, if the disclosure of such
188 information would facilitate unauthorized access to or
189 unauthorized modification, disclosure, or destruction of:
190 1. Data or information, whether physical or virtual; or
191 2. Information technology resources, which include an
192 agency’s existing or proposed information technology systems.
193
194 Release of such information could place an agency at greater
195 risk of breaches, cybersecurity incidents, and ransomware
196 attacks. Such information could be used by criminals to identify
197 any vulnerabilities that may exist in an agency’s security
198 system, thereby compromising the integrity of the agency’s
199 information technology, operational technology, and data. If
200 information related to the coverage limits and deductible or
201 self-insurance amounts of cybersecurity insurance were
202 disclosed, it could give cybercriminals an understanding of the
203 monetary sum an agency can afford or may be willing to pay as a
204 result of a ransomware attack at the expense of the taxpayer. In
205 addition, critical infrastructure information is a vital
206 component of public safety and, if made publicly available,
207 could aid in the planning of, training for, and execution of
208 cyberattacks, thereby increasing the ability of persons to harm
209 individuals in this state. The recent cybersecurity hacking and
210 shutdown of the Colonial Pipeline by the criminal enterprise
211 DarkSide in 2021 and the infiltration of the Bowman Avenue Dam
212 in Rye Brook, New York, by Iranian hackers in 2013 provide
213 evidence that such criminal capabilities exist. These events
214 also show the crippling effect that cyberattacks on critical
215 infrastructure may have. Further, the release of network
216 schematics, hardware and software configurations, or encryption
217 information or information that identifies detection,
218 investigation, or response practices for suspected or confirmed
219 cybersecurity incidents, including suspected or confirmed
220 breaches, would facilitate unauthorized access to or the
221 unauthorized modification, disclosure, or destruction of data or
222 information, whether physical or virtual, or information
223 technology resources. Such information also includes proprietary
224 information about the security of an agency’s system. The
225 disclosure of such information could compromise the integrity of
226 an agency’s data, information, or information technology
227 resources, which would significantly impair the administration
228 of vital governmental programs. Therefore, this information
229 should be made confidential and exempt in order to protect the
230 agency’s data, information, and information technology
231 resources.
232 (2) The Legislature also finds that it is a public
233 necessity that any portion of a meeting that would reveal the
234 confidential and exempt information be made exempt from s.
235 286.011, Florida Statutes, and s. 24(b), Article I of the State
236 Constitution, and that any recordings and transcripts of the
237 closed portion of a meeting be made confidential and exempt from
238 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
239 State Constitution. The failure to close that portion of a
240 meeting at which confidential and exempt information would be
241 revealed, and prevent the disclosure of the recordings and
242 transcripts of those portions of a meeting, would defeat the
243 purpose of the underlying public records exemption and could
244 result in the release of highly sensitive information related to
245 the cybersecurity of an agency system.
246 (3) For these reasons, the Legislature finds that these
247 public records and public meetings exemptions are of the utmost
248 importance and are a public necessity.
249 Section 5. This act shall take effect on the same date that
250 SB 1670 or similar legislation takes effect, if such legislation
251 is adopted in the same legislative session or an extension
252 thereof and becomes law.
253
254 ================= T I T L E A M E N D M E N T ================
255 And the title is amended as follows:
256 Delete everything before the enacting clause
257 and insert:
258 A bill to be entitled
259 An act relating to public records and public meetings;
260 creating s. 119.0725, F.S.; providing definitions;
261 providing an exemption from public records
262 requirements for certain cybersecurity insurance
263 information, critical infrastructure information, and
264 certain cybersecurity-related information held by an
265 agency; providing an exemption from public meetings
266 requirements for portions of a meeting that would
267 reveal certain cybersecurity-related information held
268 by an agency; requiring the recording and
269 transcription of exempt portions of such meetings;
270 providing an exemption from public records
271 requirements for such recordings and transcripts;
272 providing retroactive application; authorizing the
273 disclosure of confidential and exempt information
274 under certain circumstances; authorizing agencies to
275 report certain cybersecurity information in the
276 aggregate; providing for future legislative review and
277 repeal of the exemptions; amending ss. 98.015 and
278 282.318, F.S.; conforming provisions to changes made
279 by the act; providing a statement of public necessity;
280 providing a contingent effective date.