Florida Senate - 2025                                    SB 7020
       
       
        
       By the Committee on Governmental Oversight and Accountability
       
       
       
       
       
       585-02586-25                                          20257020__
    1                        A bill to be entitled                      
    2         An act relating to a review under the Open Government
    3         Sunset Review Act; amending s. 119.0725, F.S., which
    4         provides exemptions from public records requirements
    5         for agency cybersecurity information held by a state
    6         agency and exemptions from public meetings
    7         requirements for portions of meetings which would
    8         reveal confidential and exempt information; revising
    9         the date of the scheduled repeal of such exemptions;
   10         amending s. 282.318, F.S., which provides exemptions
   11         from public records and public meetings requirements
   12         for portions of risk assessments, evaluations,
   13         external audits, and other reports of a state agency’s
   14         cybersecurity program for the data, information, and
   15         information technology resources of that state agency
   16         which are held by a state agency and for portions of a
   17         public meeting which would reveal such confidential
   18         and exempt records; extending the date of the
   19         scheduled repeal of such exemptions; providing an
   20         effective date.
   21          
   22  Be It Enacted by the Legislature of the State of Florida:
   23  
   24         Section 1. Section 119.0725, Florida Statutes, is amended
   25  to read:
   26         119.0725 Agency cybersecurity information; public records
   27  exemption; public meetings exemption.—
   28         (1) As used in this section, the term:
   29         (a) “Breach” means unauthorized access of data in
   30  electronic form containing personal information. Good faith
   31  access of personal information by an employee or agent of an
   32  agency does not constitute a breach, provided that the
   33  information is not used for a purpose unrelated to the business
   34  or subject to further unauthorized use.
   35         (b) “Critical infrastructure” means existing and proposed
   36  information technology and operational technology systems and
   37  assets, whether physical or virtual, the incapacity or
   38  destruction of which would negatively affect security, economic
   39  security, public health, or public safety.
   40         (c) “Cybersecurity” has the same meaning as in s. 282.0041.
   41         (d) “Data” has the same meaning as in s. 282.0041.
   42         (e) “Incident” means a violation or imminent threat of
   43  violation, whether such violation is accidental or deliberate,
   44  of information technology resources, security, policies, or
   45  practices. As used in this paragraph, the term “imminent threat
   46  of violation” means a situation in which the agency has a
   47  factual basis for believing that a specific incident is about to
   48  occur.
   49         (f) “Information technology” has the same meaning as in s.
   50  282.0041.
   51         (g) “Operational technology” means the hardware and
   52  software that cause or detect a change through the direct
   53  monitoring or control of physical devices, systems, processes,
   54  or events.
   55         (2) The following information held by an agency is
   56  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   57  of the State Constitution:
   58         (a) Coverage limits and deductible or self-insurance
   59  amounts of insurance or other risk mitigation coverages acquired
   60  for the protection of information technology systems,
   61  operational technology systems, or data of an agency.
   62         (b) Information relating to critical infrastructure.
   63         (c) Cybersecurity incident information reported pursuant to
   64  s. 282.318 or s. 282.3185.
   65         (d) Network schematics, hardware and software
   66  configurations, or encryption information or information that
   67  identifies detection, investigation, or response practices for
   68  suspected or confirmed cybersecurity incidents, including
   69  suspected or confirmed breaches, if the disclosure of such
   70  information would facilitate unauthorized access to or
   71  unauthorized modification, disclosure, or destruction of:
   72         1. Data or information, whether physical or virtual; or
   73         2. Information technology resources, which include an
   74  agency’s existing or proposed information technology systems.
   75         (3) Any portion of a meeting that would reveal information
   76  made confidential and exempt under subsection (2) is exempt from
   77  s. 286.011 and s. 24(b), Art. I of the State Constitution. An
   78  exempt portion of a meeting may not be off the record and must
   79  be recorded and transcribed. The recording and transcript are
   80  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   81  of the State Constitution.
   82         (4) The public records exemptions contained in this section
   83  apply to information held by an agency before, on, or after July
   84  1, 2022.
   85         (5)(a) Information made confidential and exempt pursuant to
   86  this section shall be made available to a law enforcement
   87  agency, the Auditor General, the Cybercrime Office of the
   88  Department of Law Enforcement, the Florida Digital Service
   89  within the Department of Management Services, and, for agencies
   90  under the jurisdiction of the Governor, the Chief Inspector
   91  General.
   92         (b) Such confidential and exempt information may be
   93  disclosed by an agency in the furtherance of its official duties
   94  and responsibilities or to another agency or governmental entity
   95  in the furtherance of its statutory duties and responsibilities.
   96         (6) Agencies may report information about cybersecurity
   97  incidents in the aggregate.
   98         (7) This section is subject to the Open Government Sunset
   99  Review Act in accordance with s. 119.15 and shall stand repealed
   100  on October 2, 2026 [stricken: 2027], unless reviewed and saved from repeal
  101  through reenactment by the Legislature.
  102         Section 2. Subsection (9) of section 282.318, Florida
  103  Statutes, is amended, and subsections (5) and (6) of that
  104  section are republished, to read:
  105         282.318 Cybersecurity.—
  106         (5) The portions of risk assessments, evaluations, external
  107  audits, and other reports of a state agency’s cybersecurity
  108  program for the data, information, and information technology
  109  resources of the state agency which are held by a state agency
  110  are confidential and exempt from s. 119.07(1) and s. 24(a), Art.
  111  I of the State Constitution if the disclosure of such portions
  112  of records would facilitate unauthorized access to or the
  113  unauthorized modification, disclosure, or destruction of:
  114         (a) Data or information, whether physical or virtual; or
  115         (b) Information technology resources, which include:
  116         1. Information relating to the security of the agency’s
  117  technologies, processes, and practices designed to protect
  118  networks, computers, data processing software, and data from
  119  attack, damage, or unauthorized access; or
  120         2. Security information, whether physical or virtual, which
  121  relates to the agency’s existing or proposed information
  122  technology systems.
  123  
  124  For purposes of this subsection, “external audit” means an audit
  125  that is conducted by an entity other than the state agency that
  126  is the subject of the audit.
  127         (6) Those portions of a public meeting as specified in s.
  128  286.011 which would reveal records which are confidential and
  129  exempt under subsection (5) are exempt from s. 286.011 and s.
  130  24(b), Art. I of the State Constitution. No exempt portion of an
  131  exempt meeting may be off the record. All exempt portions of
  132  such meeting shall be recorded and transcribed. Such recordings
  133  and transcripts are confidential and exempt from disclosure
  134  under s. 119.07(1) and s. 24(a), Art. I of the State
  135  Constitution unless a court of competent jurisdiction, after an
  136  in camera review, determines that the meeting was not restricted
  137  to the discussion of data and information made confidential and
  138  exempt by this section. In the event of such a judicial
  139  determination, only that portion of the recording and transcript
  140  which reveals nonexempt data and information may be disclosed to
  141  a third party.
  142         (9) Subsections (5) and (6) are subject to the Open
  143  Government Sunset Review Act in accordance with s. 119.15 and
   144  shall stand repealed on October 2, 2026 [stricken: 2025], unless reviewed
  145  and saved from repeal through reenactment by the Legislature.
  146         Section 3. This act shall take effect July 1, 2025.