Florida Senate - 2023 CS for SB 1648
By the Committee on Commerce and Tourism; and Senator Bradley
577-03496-23 20231648c1
1 A bill to be entitled
2 An act relating to public records; amending s.
3 501.173, F.S.; providing an exemption from public
4 records requirements for information relating to
5 investigations by the Department of Legal Affairs and
6 law enforcement agencies of certain data privacy
7 violations; providing for future legislative review
8 and repeal of the exemption; providing a statement of
9 public necessity; providing a contingent effective
10 date.
11
12 Be It Enacted by the Legislature of the State of Florida:
13
14 Section 1. Subsection (13) is added to section 501.173,
15 Florida Statutes, as created by SB 262 or similar legislation,
16 to read:
17 501.173 Consumer data privacy.—
18 (13) PUBLIC RECORDS EXEMPTION.—
19 (a) All information received by the department pursuant to
20 a notification of a violation under this section, or received by
21 the department pursuant to an investigation by the department or
22 a law enforcement agency of a violation of this section, is
23 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
24 of the State Constitution, until such time as the investigation
25 is completed or ceases to be active. This exemption shall be
26 construed in conformity with s. 119.071(2)(c).
27 (b) During an active investigation, information made
28 confidential and exempt pursuant to paragraph (a) may be
29 disclosed by the department:
30 1. In the furtherance of its official duties and
31 responsibilities;
32 2. For print, publication, or broadcast if the department
33 determines that such release would assist in notifying the
34 public or locating or identifying a person that the department
35 believes to be a victim of a data breach or improper use or
36 disposal of customer records, except that information made
37 confidential and exempt by paragraph (c) may not be released
38 pursuant to this subparagraph; or
39 3. To another governmental entity in the furtherance of its
40 official duties and responsibilities.
41 (c) Upon completion of an investigation or once an
42 investigation ceases to be active, the following information
43 received by the department shall remain confidential and exempt
44 from s. 119.07(1) and s. 24(a), Art. I of the State
45 Constitution:
46 1. All information to which another public records
47 exemption applies.
48 2. Personal information.
49 3. A computer forensic report.
50 4. Information that would otherwise reveal weaknesses in
51 the data security of a controller, processor, or third party.
52 5. Information that would disclose the proprietary
53 information of a controller, processor, or third party.
54 (d) For purposes of this subsection, the term “proprietary
55 information” means information that:
56 1. Is owned or controlled by the controller, processor, or
57 third party.
58 2. Is intended to be private and is treated by the
59 controller, processor, or third party as private because
60 disclosure would harm the controller, processor, or third party
61 or its business operations.
62 3. Has not been disclosed except as required by law or a
63 private agreement that provides that the information will not be
64 released to the public.
65 4. Is not publicly available or otherwise readily
66 ascertainable through proper means from another source in the
67 same configuration as received by the department.
68 5. Includes:
69 a. Trade secrets as defined in s. 688.002.
70 b. Competitive interests, the disclosure of which would
71 impair the competitive advantage of the controller, processor,
72 or third party who is the subject of the information.
73 (e) This subsection is subject to the Open Government
74 Sunset Review Act in accordance with s. 119.15 and shall stand
75 repealed on October 2, 2028, unless reviewed and saved from
76 repeal through reenactment by the Legislature.
77 Section 2. The Legislature finds that it is a public
78 necessity that all information received by the Department of
79 Legal Affairs pursuant to a notification of a violation of s.
80 501.173, Florida Statutes, or received by the department
81 pursuant to an investigation by the department or a law
82 enforcement agency of a violation of s. 501.173, Florida
83 Statutes, be made confidential and exempt from s. 119.07(1),
84 Florida Statutes, and s. 24(a), Article I of the State
85 Constitution for the following reasons:
86 (1) A notification of a violation of s. 501.173, Florida
87 Statutes, may result in an investigation of such violation. The
88 premature release of such information could frustrate or thwart
89 the investigation and impair the ability of the department to
90 effectively and efficiently administer s. 501.173, Florida
91 Statutes. In addition, release of such information before
92 completion of an active investigation could jeopardize the
93 ongoing investigation.
94 (2) Release of information to which another public record
95 exemption applies once an investigation is completed or ceases
96 to be active would undo the specific statutory exemption
97 protecting that information.
98 (3) An investigation of a violation of s. 501.173, Florida
99 Statutes, is likely to result in the gathering of sensitive
100 personal information, including identification numbers, unique
101 identifiers, professional or employment-related information, and
102 personal financial information. Such information could be used
103 for the purpose of identity theft. The release of such
104 information could subject possible victims of data privacy
105 violations to further harm.
106 (4) Notices received by the department and information
107 received during an investigation of a violation of s. 501.173,
108 Florida Statutes, are likely to contain proprietary information.
109 Such information, including trade secrets, derives independent,
110 economic value, actual or potential, from being generally
111 unknown to, and not readily ascertainable by, other persons who
112 might obtain economic value from its disclosure or use. Allowing
113 public access to proprietary information, including a trade
114 secret, through a public records request could destroy the value
115 of the proprietary information and cause a financial loss to the
116 controller, processor, or third party. Release of such
117 information could give business competitors an unfair advantage.
118 (5) Information received by the department may contain a
119 computer forensic report or information that could reveal
120 weaknesses in the data security of a controller, processor, or
121 third party. The release of this information could result in the
122 identification of vulnerabilities in the cybersecurity system of
123 the controller, processor, or third party and be used to harm
124 the controller, processor, or third party and clients.
125 (6) The harm that may result from the release of
126 information received by the department pursuant to a
127 notification or investigation by the department or a law
128 enforcement agency of a violation of s. 501.173, Florida
129 Statutes, could impair the effective and efficient
130 administration of the investigation and thus, outweighs the
131 public benefit that may be derived from the disclosure of the
132 information.
133 Section 3. This act shall take effect on the same date that
134 SB 262 or similar legislation takes effect, if such legislation
135 is adopted in the same legislative session or an extension
136 thereof and becomes a law.