Florida Senate - 2022                        COMMITTEE AMENDMENT
       Bill No. CS for SB 1694
       
       
       
       
       
       
                                Ì570256-Î570256                         
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  03/02/2022           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————




       —————————————————————————————————————————————————————————————————
       The Committee on Appropriations (Hutson) recommended the
       following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 119.0725, Florida Statutes, is created
    6  to read:
    7         119.0725Agency cybersecurity information; public records
    8  exemption; public meetings exemption.—
    9         (1)As used in this section, the term:
   10         (a)“Breach” means unauthorized access of data in
   11  electronic form containing personal information. Good faith
   12  access of personal information by an employee or agent of an
   13  agency does not constitute a breach, provided that the
   14  information is not used for a purpose unrelated to the business
   15  or subject to further unauthorized use.
   16         (b)“Critical infrastructure” means existing and proposed
   17  information technology and operational technology systems and
   18  assets, whether physical or virtual, the incapacity or
   19  destruction of which would negatively affect security, economic
   20  security, public health, or public safety.
   21         (c)“Cybersecurity” has the same meaning as in s. 282.0041.
   22         (d)“Data” has the same meaning as in s. 282.0041.
   23         (e)“Incident” means a violation or imminent threat of
   24  violation, whether such violation is accidental or deliberate,
   25  of information technology resources, security, policies, or
   26  practices. As used in this paragraph, the term “imminent threat
   27  of violation” means a situation in which the agency has a
   28  factual basis for believing that a specific incident is about to
   29  occur.
   30         (f)“Information technology” has the same meaning as in s.
   31  282.0041.
   32         (g)“Operational technology” means the hardware and
   33  software that cause or detect a change through the direct
   34  monitoring or control of physical devices, systems, processes,
   35  or events.
   36         (2)The following information held by an agency is
   37  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   38  of the State Constitution:
   39         (a)Coverage limits and deductible or self-insurance
   40  amounts of insurance or other risk mitigation coverages acquired
   41  for the protection of information technology systems,
   42  operational technology systems, or data of an agency.
   43         (b)Information relating to critical infrastructure.
   44         (c)Network schematics, hardware and software
   45  configurations, or encryption information or information that
   46  identifies detection, investigation, or response practices for
   47  suspected or confirmed cybersecurity incidents, including
   48  suspected or confirmed breaches, if the disclosure of such
   49  information would facilitate unauthorized access to or
   50  unauthorized modification, disclosure, or destruction of:
   51         1.Data or information, whether physical or virtual; or
   52         2.Information technology resources, which include an
   53  agency’s existing or proposed information technology systems.
   54         (3)Any portion of a meeting that would reveal information
   55  made confidential and exempt under subsection (2) is exempt from
   56  s. 286.011 and s. 24(b), Art. I of the State Constitution. An
   57  exempt portion of a meeting may not be off the record and must
   58  be recorded and transcribed. The recording and transcript are
   59  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   60  of the State Constitution.
   61         (4)The public records exemptions contained in this section
   62  apply to information held by an agency before, on, or after July
   63  1, 2022.
   64         (5)(a)Information made confidential and exempt pursuant to
   65  this section shall be made available to a law enforcement
   66  agency, the Auditor General, the Cybercrime Office of the
   67  Department of Law Enforcement, the Florida Digital Service
   68  within the Department of Management Services, and, for agencies
   69  under the jurisdiction of the Governor, the Chief Inspector
   70  General.
   71         (b)Such confidential and exempt information may be
   72  disclosed by an agency in the furtherance of its official duties
   73  and responsibilities or to another agency or governmental entity
   74  in the furtherance of its statutory duties and responsibilities.
   75         (6)Agencies may report information about cybersecurity
   76  incidents in the aggregate.
   77         (7)This section is subject to the Open Government Sunset
   78  Review Act in accordance with s. 119.15 and shall stand repealed
   79  on October 2, 2027, unless reviewed and saved from repeal
   80  through reenactment by the Legislature.
   81         Section 2. Subsection (13) of section 98.015, Florida
   82  Statutes, is amended to read:
   83         98.015 Supervisor of elections; election, tenure of office,
   84  compensation, custody of registration-related documents, office
   85  hours, successor, seal; appointment of deputy supervisors;
   86  duties; public records exemption.—
   87         (13)(a)Portions of records held by a supervisor of
   88  elections which contain network schematics, hardware and
   89  software configurations, or encryption, or which identify
   90  detection, investigation, or response practices for suspected or
   91  confirmed information technology security incidents, including
   92  suspected or confirmed breaches, are confidential and exempt
   93  from s. 119.07(1) and s. 24(a), Art. I of the State
   94  Constitution, if the disclosure of such records would facilitate
   95  unauthorized access to or the unauthorized modification,
   96  disclosure, or destruction of:
   97         1.Data or information, whether physical or virtual; or
   98         2.Information technology resources as defined in s.
   99  119.011(9), which includes:
  100         a.Information relating to the security of a supervisor of
  101  elections’ technology, processes, and practices designed to
  102  protect networks, computers, data processing software, and data
  103  from attack, damage, or unauthorized access; or
  104         b.Security information, whether physical or virtual, which
  105  relates to a supervisor of elections’ existing or proposed
  106  information technology systems.
  107         (b)The portions of records made confidential and exempt in
  108  paragraph (a) shall be available to the Auditor General and may
  109  be made available to another governmental entity for information
  110  technology security purposes or in the furtherance of the
  111  entity’s official duties.
  112         (c)The public record exemption in paragraph (a) applies to
  113  records held by a supervisor of elections before, on, or after
  114  the effective date of the exemption.
  115         (d)This subsection is subject to the Open Government
  116  Sunset Review Act in accordance with s. 119.15 and shall stand
  117  repealed on October 2, 2026, unless reviewed and saved from
  118  repeal through reenactment by the Legislature.
  119         Section 3. Subsections (6) and (11) of section 282.318,
  120  Florida Statutes, are renumbered as subsections (5) and (10),
  121  respectively, and present subsections (5), (7), (8), (9), and
  122  (10) of that section are amended to read:
  123         282.318 Cybersecurity.—
  124         (5)Portions of records held by a state agency which
  125  contain network schematics, hardware and software
  126  configurations, or encryption, or which identify detection,
  127  investigation, or response practices for suspected or confirmed
  128  cybersecurity incidents, including suspected or confirmed
  129  breaches, are confidential and exempt from s. 119.07(1) and s.
  130  24(a), Art. I of the State Constitution, if the disclosure of
  131  such records would facilitate unauthorized access to or the
  132  unauthorized modification, disclosure, or destruction of:
  133         (a)Data or information, whether physical or virtual; or
  134         (b)Information technology resources, which includes:
  135         1.Information relating to the security of the agency’s
  136  technologies, processes, and practices designed to protect
  137  networks, computers, data processing software, and data from
  138  attack, damage, or unauthorized access; or
  139         2.Security information, whether physical or virtual, which
  140  relates to the agency’s existing or proposed information
  141  technology systems.
  142         (6)(7) Those portions of a public meeting as specified in
  143  s. 286.011 which would reveal records which are confidential and
  144  exempt under subsection (5) or subsection (6) are exempt from s.
  145  286.011 and s. 24(b), Art. I of the State Constitution. No
  146  exempt portion of an exempt meeting may be off the record. All
  147  exempt portions of such meeting shall be recorded and
  148  transcribed. Such recordings and transcripts are confidential
  149  and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
  150  I of the State Constitution unless a court of competent
  151  jurisdiction, after an in camera review, determines that the
  152  meeting was not restricted to the discussion of data and
  153  information made confidential and exempt by this section. In the
  154  event of such a judicial determination, only that portion of the
  155  recording and transcript which reveals nonexempt data and
  156  information may be disclosed to a third party.
  157         (7)(8) The portions of records made confidential and exempt
  158  in subsections (5) and, (6), and (7) shall be available to the
  159  Auditor General, the Cybercrime Office of the Department of Law
  160  Enforcement, the Florida Digital Service within the department,
  161  and, for agencies under the jurisdiction of the Governor, the
  162  Chief Inspector General. Such portions of records may be made
  163  available to a local government, another state agency, or a
  164  federal agency for cybersecurity purposes or in furtherance of
  165  the state agency’s official duties.
  166         (8)(9) The exemptions contained in subsections (5) and,
  167  (6), and (7) apply to records held by a state agency before, on,
  168  or after the effective date of this exemption.
  169         (9)(10) Subsections (5) and, (6), and (7) are subject to
  170  the Open Government Sunset Review Act in accordance with s.
  171  119.15 and shall stand repealed on October 2, 2025, unless
  172  reviewed and saved from repeal through reenactment by the
  173  Legislature.
  174         Section 4. (1)The Legislature finds that it is a public
  175  necessity that the following information held by an agency be
  176  made confidential and exempt from s. 119.07(1), Florida
  177  Statutes, and s. 24(a), Article I of the State Constitution:
  178         (a)Coverage limits and deductible or self-insurance
  179  amounts of insurance or other risk mitigation coverages acquired
  180  for the protection of information technology systems,
  181  operational technology systems, or data of an agency.
  182         (b)Information relating to critical infrastructure.
  183         (c)Network schematics, hardware and software
  184  configurations, or encryption information or information that
  185  identifies detection, investigation, or response practices for
  186  suspected or confirmed cybersecurity incidents, including
  187  suspected or confirmed breaches, if the disclosure of such
  188  information would facilitate unauthorized access to or
  189  unauthorized modification, disclosure, or destruction of:
  190         1.Data or information, whether physical or virtual; or
  191         2.Information technology resources, which include an
  192  agency’s existing or proposed information technology systems.
  193  
  194  Release of such information could place an agency at greater
  195  risk of breaches, cybersecurity incidents, and ransomware
  196  attacks. Such information could be used by criminals to identify
  197  any vulnerabilities that may exist in an agency’s security
  198  system, thereby compromising the integrity of the agency’s
  199  information technology, operational technology, and data. If
  200  information related to the coverage limits and deductible or
  201  self-insurance amounts of cybersecurity insurance were
  202  disclosed, it could give cybercriminals an understanding of the
  203  monetary sum an agency can afford or may be willing to pay as a
  204  result of a ransomware attack at the expense of the taxpayer. In
  205  addition, critical infrastructure information is a vital
  206  component of public safety and, if made publicly available,
  207  could aid in the planning of, training for, and execution of
  208  cyberattacks, thereby increasing the ability of persons to harm
  209  individuals in this state. The recent cybersecurity hacking and
  210  shutdown of the Colonial Pipeline by the criminal enterprise
  211  DarkSide in 2021 and the infiltration of the Bowman Avenue Dam
  212  in Rye Brook, New York, by Iranian hackers in 2013 provide
  213  evidence that such criminal capabilities exist. These events
  214  also show the crippling effect that cyberattacks on critical
  215  infrastructure may have. Further, the release of network
  216  schematics, hardware and software configurations, or encryption
  217  information or information that identifies detection,
  218  investigation, or response practices for suspected or confirmed
  219  cybersecurity incidents, including suspected or confirmed
  220  breaches, would facilitate unauthorized access to or the
  221  unauthorized modification, disclosure, or destruction of data or
  222  information, whether physical or virtual, or information
  223  technology resources. Such information also includes proprietary
  224  information about the security of an agency’s system. The
  225  disclosure of such information could compromise the integrity of
  226  an agency’s data, information, or information technology
  227  resources, which would significantly impair the administration
  228  of vital governmental programs. Therefore, this information
  229  should be made confidential and exempt in order to protect the
  230  agency’s data, information, and information technology
  231  resources.
  232         (2)The Legislature also finds that it is a public
  233  necessity that any portion of a meeting that would reveal the
  234  confidential and exempt information be made exempt from s.
  235  286.011, Florida Statutes, and s. 24(b), Article I of the State
  236  Constitution, and that any recordings and transcripts of the
  237  closed portion of a meeting be made confidential and exempt from
  238  s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
  239  State Constitution. The failure to close that portion of a
  240  meeting at which confidential and exempt information would be
  241  revealed, and prevent the disclosure of the recordings and
  242  transcripts of those portions of a meeting, would defeat the
  243  purpose of the underlying public records exemption and could
  244  result in the release of highly sensitive information related to
  245  the cybersecurity of an agency system.
  246         (3)For these reasons, the Legislature finds that these
  247  public records and public meetings exemptions are of the utmost
  248  importance and are a public necessity.
  249         Section 5. This act shall take effect on the same date that
  250  SB 1670 or similar legislation takes effect, if such legislation
  251  is adopted in the same legislative session or an extension
  252  thereof and becomes law.
  253  
  254  ================= T I T L E  A M E N D M E N T ================
  255  And the title is amended as follows:
  256         Delete everything before the enacting clause
  257  and insert:
  258                        A bill to be entitled                      
  259         An act relating to public records and public meetings;
  260         creating s. 119.0725, F.S.; providing definitions;
  261         providing an exemption from public records
  262         requirements for certain cybersecurity insurance
  263         information, critical infrastructure information, and
  264         certain cybersecurity-related information held by an
  265         agency; providing an exemption from public meetings
  266         requirements for portions of a meeting that would
  267         reveal certain cybersecurity-related information held
  268         by an agency; requiring the recording and
  269         transcription of exempt portions of such meetings;
  270         providing an exemption from public records
  271         requirements for such recordings and transcripts;
  272         providing retroactive application; authorizing the
  273         disclosure of confidential and exempt information
  274         under certain circumstances; authorizing agencies to
  275         report certain cybersecurity information in the
  276         aggregate; providing for future legislative review and
  277         repeal of the exemptions; amending ss. 98.015 and
  278         282.318, F.S.; conforming provisions to changes made
  279         by the act; providing a statement of public necessity;
  280         providing a contingent effective date.