Florida Senate - 2023                             CS for SB 1648
       
       
        
       By the Committee on Commerce and Tourism; and Senator Bradley
       
       
       
       
       
       577-03496-23                                          20231648c1
    1                        A bill to be entitled                      
    2         An act relating to public records; amending s.
    3         501.173, F.S.; providing an exemption from public
    4         records requirements for information relating to
    5         investigations by the Department of Legal Affairs and
    6         law enforcement agencies of certain data privacy
    7         violations; providing for future legislative review
    8         and repeal of the exemption; providing a statement of
    9         public necessity; providing a contingent effective
   10         date.
   11          
   12  Be It Enacted by the Legislature of the State of Florida:
   13  
   14         Section 1. Subsection (13) is added to section 501.173,
   15  Florida Statutes, as created by SB 262 or similar legislation,
   16  to read:
   17         501.173 Consumer data privacy.—
   18         (13)PUBLIC RECORDS EXEMPTION.—
   19         (a)All information received by the department pursuant to
   20  a notification of a violation under this section, or received by
   21  the department pursuant to an investigation by the department or
   22  a law enforcement agency of a violation of this section, is
   23  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   24  of the State Constitution, until such time as the investigation
   25  is completed or ceases to be active. This exemption shall be
   26  construed in conformity with s. 119.071(2)(c).
   27         (b)During an active investigation, information made
   28  confidential and exempt pursuant to paragraph (a) may be
   29  disclosed by the department:
   30         1.In the furtherance of its official duties and
   31  responsibilities;
   32         2.For print, publication, or broadcast if the department
   33  determines that such release would assist in notifying the
   34  public or locating or identifying a person that the department
   35  believes to be a victim of a data breach or improper use or
   36  disposal of customer records, except that information made
   37  confidential and exempt by paragraph (c) may not be released
   38  pursuant to this subparagraph; or
   39         3.To another governmental entity in the furtherance of its
   40  official duties and responsibilities.
   41         (c)Upon completion of an investigation or once an
   42  investigation ceases to be active, the following information
   43  received by the department shall remain confidential and exempt
   44  from s. 119.07(1) and s. 24(a), Art. I of the State
   45  Constitution:
   46         1.All information to which another public records
   47  exemption applies.
   48         2.Personal information.
   49         3.A computer forensic report.
   50         4.Information that would otherwise reveal weaknesses in
   51  the data security of a controller, processor, or third party.
   52         5.Information that would disclose the proprietary
   53  information of a controller, processor, or third party.
   54         (d)For purposes of this subsection, the term “proprietary
   55  information” means information that:
   56         1.Is owned or controlled by the controller, processor, or
   57  third party.
   58         2.Is intended to be private and is treated by the
   59  controller, processor, or third party as private because
   60  disclosure would harm the controller, processor, or third party
   61  or its business operations.
   62         3.Has not been disclosed except as required by law or a
   63  private agreement that provides that the information will not be
   64  released to the public.
   65         4.Is not publicly available or otherwise readily
   66  ascertainable through proper means from another source in the
   67  same configuration as received by the department.
   68         5.Includes:
   69         a.Trade secrets as defined in s. 688.002.
   70         b.Competitive interests, the disclosure of which would
   71  impair the competitive advantage of the controller, processor,
   72  or third party who is the subject of the information.
   73         (e)This subsection is subject to the Open Government
   74  Sunset Review Act in accordance with s. 119.15 and shall stand
   75  repealed on October 2, 2028, unless reviewed and saved from
   76  repeal through reenactment by the Legislature.
   77         Section 2. The Legislature finds that it is a public
   78  necessity that all information received by the Department of
   79  Legal Affairs pursuant to a notification of a violation of s.
   80  501.173, Florida Statutes, or received by the department
   81  pursuant to an investigation by the department or a law
   82  enforcement agency of a violation of s. 501.173, Florida
   83  Statutes, be made confidential and exempt from s. 119.07(1),
   84  Florida Statutes, and s. 24(a), Article I of the State
   85  Constitution for the following reasons:
   86         (1)A notification of a violation of s. 501.173, Florida
   87  Statutes, may result in an investigation of such violation. The
   88  premature release of such information could frustrate or thwart
   89  the investigation and impair the ability of the department to
   90  effectively and efficiently administer s. 501.173, Florida
   91  Statutes. In addition, release of such information before
   92  completion of an active investigation could jeopardize the
   93  ongoing investigation.
   94         (2)Release of information to which another public record
   95  exemption applies once an investigation is completed or ceases
   96  to be active would undo the specific statutory exemption
   97  protecting that information.
   98         (3)An investigation of a violation of s. 501.173, Florida
   99  Statutes, is likely to result in the gathering of sensitive
  100  personal information, including identification numbers, unique
  101  identifiers, professional or employment-related information, and
  102  personal financial information. Such information could be used
  103  for the purpose of identity theft. The release of such
  104  information could subject possible victims of data privacy
  105  violations to further harm.
  106         (4)Notices received by the department and information
  107  received during an investigation of a violation of s. 501.173,
  108  Florida Statutes, are likely to contain proprietary information.
  109  Such information, including trade secrets, derives independent,
  110  economic value, actual or potential, from being generally
  111  unknown to, and not readily ascertainable by, other persons who
  112  might obtain economic value from its disclosure or use. Allowing
  113  public access to proprietary information, including a trade
  114  secret, through a public records request could destroy the value
  115  of the proprietary information and cause a financial loss to the
  116  controller, processor, or third party. Release of such
  117  information could give business competitors an unfair advantage.
  118         (5)Information received by the department may contain a
  119  computer forensic report or information that could reveal
  120  weaknesses in the data security of a controller, processor, or
  121  third party. The release of this information could result in the
  122  identification of vulnerabilities in the cybersecurity system of
  123  the controller, processor, or third party and be used to harm
  124  the controller, processor, or third party and clients.
  125         (6)The harm that may result from the release of
  126  information received by the department pursuant to a
  127  notification or investigation by the department or a law
  128  enforcement agency of a violation of s. 501.173, Florida
  129  Statutes, could impair the effective and efficient
  130  administration of the investigation and thus, outweighs the
  131  public benefit that may be derived from the disclosure of the
  132  information.
  133         Section 3. This act shall take effect on the same date that
  134  SB 262 or similar legislation takes effect, if such legislation
  135  is adopted in the same legislative session or an extension
  136  thereof and becomes a law.