Florida Senate - 2022 CS for CS for SB 1694
By the Committees on Appropriations; and Military and Veterans
Affairs, Space, and Domestic Security; and Senator Hutson
576-03524-22 20221694c2
1 A bill to be entitled
2 An act relating to public records and public meetings;
3 creating s. 119.0725, F.S.; providing definitions;
4 providing an exemption from public records
5 requirements for certain cybersecurity insurance
6 information, critical infrastructure information, and
7 certain cybersecurity-related information held by an
8 agency; providing an exemption from public meetings
9 requirements for portions of a meeting that would
10 reveal certain cybersecurity-related information held
11 by an agency; requiring the recording and
12 transcription of exempt portions of such meetings;
13 providing an exemption from public records
14 requirements for such recordings and transcripts;
15 providing retroactive application; authorizing the
16 disclosure of confidential and exempt information
17 under certain circumstances; authorizing agencies to
18 report certain cybersecurity information in the
19 aggregate; providing for future legislative review and
20 repeal of the exemptions; amending ss. 98.015 and
21 282.318, F.S.; conforming provisions to changes made
22 by the act; providing a statement of public necessity;
23 providing a contingent effective date.
24
25 Be It Enacted by the Legislature of the State of Florida:
26
27 Section 1. Section 119.0725, Florida Statutes, is created
28 to read:
29 119.0725 Agency cybersecurity information; public records
30 exemption; public meetings exemption.—
31 (1) As used in this section, the term:
32 (a) “Breach” means unauthorized access of data in
33 electronic form containing personal information. Good faith
34 access of personal information by an employee or agent of an
35 agency does not constitute a breach, provided that the
36 information is not used for a purpose unrelated to the business
37 or subject to further unauthorized use.
38 (b) “Critical infrastructure” means existing and proposed
39 information technology and operational technology systems and
40 assets, whether physical or virtual, the incapacity or
41 destruction of which would negatively affect security, economic
42 security, public health, or public safety.
43 (c) “Cybersecurity” has the same meaning as in s. 282.0041.
44 (d) “Data” has the same meaning as in s. 282.0041.
45 (e) “Incident” means a violation or imminent threat of
46 violation, whether such violation is accidental or deliberate,
47 of information technology resources, security, policies, or
48 practices. As used in this paragraph, the term “imminent threat
49 of violation” means a situation in which the agency has a
50 factual basis for believing that a specific incident is about to
51 occur.
52 (f) “Information technology” has the same meaning as in s.
53 282.0041.
54 (g) “Operational technology” means the hardware and
55 software that cause or detect a change through the direct
56 monitoring or control of physical devices, systems, processes,
57 or events.
58 (2) The following information held by an agency is
59 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
60 of the State Constitution:
61 (a) Coverage limits and deductible or self-insurance
62 amounts of insurance or other risk mitigation coverages acquired
63 for the protection of information technology systems,
64 operational technology systems, or data of an agency.
65 (b) Information relating to critical infrastructure.
66 (c) Network schematics, hardware and software
67 configurations, or encryption information or information that
68 identifies detection, investigation, or response practices for
69 suspected or confirmed cybersecurity incidents, including
70 suspected or confirmed breaches, if the disclosure of such
71 information would facilitate unauthorized access to or
72 unauthorized modification, disclosure, or destruction of:
73 1. Data or information, whether physical or virtual; or
74 2. Information technology resources, which include an
75 agency’s existing or proposed information technology systems.
76 (3) Any portion of a meeting that would reveal information
77 made confidential and exempt under subsection (2) is exempt from
78 s. 286.011 and s. 24(b), Art. I of the State Constitution. An
79 exempt portion of a meeting may not be off the record and must
80 be recorded and transcribed. The recording and transcript are
81 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
82 of the State Constitution.
83 (4) The public records exemptions contained in this section
84 apply to information held by an agency before, on, or after July
85 1, 2022.
86 (5)(a) Information made confidential and exempt pursuant to
87 this section shall be made available to a law enforcement
88 agency, the Auditor General, the Cybercrime Office of the
89 Department of Law Enforcement, the Florida Digital Service
90 within the Department of Management Services, and, for agencies
91 under the jurisdiction of the Governor, the Chief Inspector
92 General.
93 (b) Such confidential and exempt information may be
94 disclosed by an agency in the furtherance of its official duties
95 and responsibilities or to another agency or governmental entity
96 in the furtherance of its statutory duties and responsibilities.
97 (6) Agencies may report information about cybersecurity
98 incidents in the aggregate.
99 (7) This section is subject to the Open Government Sunset
100 Review Act in accordance with s. 119.15 and shall stand repealed
101 on October 2, 2027, unless reviewed and saved from repeal
102 through reenactment by the Legislature.
103 Section 2. Subsection (13) of section 98.015, Florida
104 Statutes, is amended to read:
105 98.015 Supervisor of elections; election, tenure of office,
106 compensation, custody of registration-related documents, office
107 hours, successor, seal; appointment of deputy supervisors;
108 duties; public records exemption.—
109 (13)(a) Portions of records held by a supervisor of
110 elections which contain network schematics, hardware and
111 software configurations, or encryption, or which identify
112 detection, investigation, or response practices for suspected or
113 confirmed information technology security incidents, including
114 suspected or confirmed breaches, are confidential and exempt
115 from s. 119.07(1) and s. 24(a), Art. I of the State
116 Constitution, if the disclosure of such records would facilitate
117 unauthorized access to or the unauthorized modification,
118 disclosure, or destruction of:
119 1. Data or information, whether physical or virtual; or
120 2. Information technology resources as defined in s.
121 119.011(9), which includes:
122 a. Information relating to the security of a supervisor of
123 elections’ technology, processes, and practices designed to
124 protect networks, computers, data processing software, and data
125 from attack, damage, or unauthorized access; or
126 b. Security information, whether physical or virtual, which
127 relates to a supervisor of elections’ existing or proposed
128 information technology systems.
129 (b) The portions of records made confidential and exempt in
130 paragraph (a) shall be available to the Auditor General and may
131 be made available to another governmental entity for information
132 technology security purposes or in the furtherance of the
133 entity’s official duties.
134 (c) The public record exemption in paragraph (a) applies to
135 records held by a supervisor of elections before, on, or after
136 the effective date of the exemption.
137 (d) This subsection is subject to the Open Government
138 Sunset Review Act in accordance with s. 119.15 and shall stand
139 repealed on October 2, 2026, unless reviewed and saved from
140 repeal through reenactment by the Legislature.
141 Section 3. Subsections (6) and (11) of section 282.318,
142 Florida Statutes, are renumbered as subsections (5) and (10),
143 respectively, and present subsections (5), (7), (8), (9), and
144 (10) of that section are amended to read:
145 282.318 Cybersecurity.—
146 (5) Portions of records held by a state agency which
147 contain network schematics, hardware and software
148 configurations, or encryption, or which identify detection,
149 investigation, or response practices for suspected or confirmed
150 cybersecurity incidents, including suspected or confirmed
151 breaches, are confidential and exempt from s. 119.07(1) and s.
152 24(a), Art. I of the State Constitution, if the disclosure of
153 such records would facilitate unauthorized access to or the
154 unauthorized modification, disclosure, or destruction of:
155 (a) Data or information, whether physical or virtual; or
156 (b) Information technology resources, which includes:
157 1. Information relating to the security of the agency’s
158 technologies, processes, and practices designed to protect
159 networks, computers, data processing software, and data from
160 attack, damage, or unauthorized access; or
161 2. Security information, whether physical or virtual, which
162 relates to the agency’s existing or proposed information
163 technology systems.
164 (6)(7) Those portions of a public meeting as specified in
165 s. 286.011 which would reveal records which are confidential and
166 exempt under subsection (5) or subsection (6) are exempt from s.
167 286.011 and s. 24(b), Art. I of the State Constitution. No
168 exempt portion of an exempt meeting may be off the record. All
169 exempt portions of such meeting shall be recorded and
170 transcribed. Such recordings and transcripts are confidential
171 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
172 I of the State Constitution unless a court of competent
173 jurisdiction, after an in camera review, determines that the
174 meeting was not restricted to the discussion of data and
175 information made confidential and exempt by this section. In the
176 event of such a judicial determination, only that portion of the
177 recording and transcript which reveals nonexempt data and
178 information may be disclosed to a third party.
179 (7)(8) The portions of records made confidential and exempt
180 in subsections (5) and, (6), and (7) shall be available to the
181 Auditor General, the Cybercrime Office of the Department of Law
182 Enforcement, the Florida Digital Service within the department,
183 and, for agencies under the jurisdiction of the Governor, the
184 Chief Inspector General. Such portions of records may be made
185 available to a local government, another state agency, or a
186 federal agency for cybersecurity purposes or in furtherance of
187 the state agency’s official duties.
188 (8)(9) The exemptions contained in subsections (5) and,
189 (6), and (7) apply to records held by a state agency before, on,
190 or after the effective date of this exemption.
191 (9)(10) Subsections (5) and, (6), and (7) are subject to
192 the Open Government Sunset Review Act in accordance with s.
193 119.15 and shall stand repealed on October 2, 2025, unless
194 reviewed and saved from repeal through reenactment by the
195 Legislature.
196 Section 4. (1) The Legislature finds that it is a public
197 necessity that the following information held by an agency be
198 made confidential and exempt from s. 119.07(1), Florida
199 Statutes, and s. 24(a), Article I of the State Constitution:
200 (a) Coverage limits and deductible or self-insurance
201 amounts of insurance or other risk mitigation coverages acquired
202 for the protection of information technology systems,
203 operational technology systems, or data of an agency.
204 (b) Information relating to critical infrastructure.
205 (c) Network schematics, hardware and software
206 configurations, or encryption information or information that
207 identifies detection, investigation, or response practices for
208 suspected or confirmed cybersecurity incidents, including
209 suspected or confirmed breaches, if the disclosure of such
210 information would facilitate unauthorized access to or
211 unauthorized modification, disclosure, or destruction of:
212 1. Data or information, whether physical or virtual; or
213 2. Information technology resources, which include an
214 agency’s existing or proposed information technology systems.
215
216 Release of such information could place an agency at greater
217 risk of breaches, cybersecurity incidents, and ransomware
218 attacks. Such information could be used by criminals to identify
219 any vulnerabilities that may exist in an agency’s security
220 system, thereby compromising the integrity of the agency’s
221 information technology, operational technology, and data. If
222 information related to the coverage limits and deductible or
223 self-insurance amounts of cybersecurity insurance were
224 disclosed, it could give cybercriminals an understanding of the
225 monetary sum an agency can afford or may be willing to pay as a
226 result of a ransomware attack at the expense of the taxpayer. In
227 addition, critical infrastructure information is a vital
228 component of public safety and, if made publicly available,
229 could aid in the planning of, training for, and execution of
230 cyberattacks, thereby increasing the ability of persons to harm
231 individuals in this state. The recent cybersecurity hacking and
232 shutdown of the Colonial Pipeline by the criminal enterprise
233 DarkSide in 2021 and the infiltration of the Bowman Avenue Dam
234 in Rye Brook, New York, by Iranian hackers in 2013 provide
235 evidence that such criminal capabilities exist. These events
236 also show the crippling effect that cyberattacks on critical
237 infrastructure may have. Further, the release of network
238 schematics, hardware and software configurations, or encryption
239 information or information that identifies detection,
240 investigation, or response practices for suspected or confirmed
241 cybersecurity incidents, including suspected or confirmed
242 breaches, would facilitate unauthorized access to or the
243 unauthorized modification, disclosure, or destruction of data or
244 information, whether physical or virtual, or information
245 technology resources. Such information also includes proprietary
246 information about the security of an agency’s system. The
247 disclosure of such information could compromise the integrity of
248 an agency’s data, information, or information technology
249 resources, which would significantly impair the administration
250 of vital governmental programs. Therefore, this information
251 should be made confidential and exempt in order to protect the
252 agency’s data, information, and information technology
253 resources.
254 (2) The Legislature also finds that it is a public
255 necessity that any portion of a meeting that would reveal the
256 confidential and exempt information be made exempt from s.
257 286.011, Florida Statutes, and s. 24(b), Article I of the State
258 Constitution, and that any recordings and transcripts of the
259 closed portion of a meeting be made confidential and exempt from
260 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
261 State Constitution. The failure to close that portion of a
262 meeting at which confidential and exempt information would be
263 revealed, and prevent the disclosure of the recordings and
264 transcripts of those portions of a meeting, would defeat the
265 purpose of the underlying public records exemption and could
266 result in the release of highly sensitive information related to
267 the cybersecurity of an agency system.
268 (3) For these reasons, the Legislature finds that these
269 public records and public meetings exemptions are of the utmost
270 importance and are a public necessity.
271 Section 5. This act shall take effect on the same date that
272 SB 1670 or similar legislation takes effect, if such legislation
273 is adopted in the same legislative session or an extension
274 thereof and becomes law.