Florida Senate - 2025 SB 7020
By the Committee on Governmental Oversight and Accountability
585-02586-25 20257020__
1 A bill to be entitled
2 An act relating to a review under the Open Government
3 Sunset Review Act; amending s. 119.0725, F.S., which
4 provides exemptions from public records requirements
5 for agency cybersecurity information held by a state
6 agency and exemptions from public meetings
7 requirements for portions of meetings which would
8 reveal confidential and exempt information; revising
9 the date of the scheduled repeal of such exemptions;
10 amending s. 282.318, F.S., which provides exemptions
11 from public records and public meetings requirements
12 for portions of risk assessments, evaluations,
13 external audits, and other reports of a state agency’s
14 cybersecurity program for the data, information, and
15 information technology resources of that state agency
16 which are held by a state agency and for portions of a
17 public meeting which would reveal such confidential
18 and exempt records; extending the date of the
19 scheduled repeal of such exemptions; providing an
20 effective date.
21
22 Be It Enacted by the Legislature of the State of Florida:
23
24 Section 1. Section 119.0725, Florida Statutes, is amended
25 to read:
26 119.0725 Agency cybersecurity information; public records
27 exemption; public meetings exemption.—
28 (1) As used in this section, the term:
29 (a) “Breach” means unauthorized access of data in
30 electronic form containing personal information. Good faith
31 access of personal information by an employee or agent of an
32 agency does not constitute a breach, provided that the
33 information is not used for a purpose unrelated to the business
34 or subject to further unauthorized use.
35 (b) “Critical infrastructure” means existing and proposed
36 information technology and operational technology systems and
37 assets, whether physical or virtual, the incapacity or
38 destruction of which would negatively affect security, economic
39 security, public health, or public safety.
40 (c) “Cybersecurity” has the same meaning as in s. 282.0041.
41 (d) “Data” has the same meaning as in s. 282.0041.
42 (e) “Incident” means a violation or imminent threat of
43 violation, whether such violation is accidental or deliberate,
44 of information technology resources, security, policies, or
45 practices. As used in this paragraph, the term “imminent threat
46 of violation” means a situation in which the agency has a
47 factual basis for believing that a specific incident is about to
48 occur.
49 (f) “Information technology” has the same meaning as in s.
50 282.0041.
51 (g) “Operational technology” means the hardware and
52 software that cause or detect a change through the direct
53 monitoring or control of physical devices, systems, processes,
54 or events.
55 (2) The following information held by an agency is
56 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
57 of the State Constitution:
58 (a) Coverage limits and deductible or self-insurance
59 amounts of insurance or other risk mitigation coverages acquired
60 for the protection of information technology systems,
61 operational technology systems, or data of an agency.
62 (b) Information relating to critical infrastructure.
63 (c) Cybersecurity incident information reported pursuant to
64 s. 282.318 or s. 282.3185.
65 (d) Network schematics, hardware and software
66 configurations, or encryption information or information that
67 identifies detection, investigation, or response practices for
68 suspected or confirmed cybersecurity incidents, including
69 suspected or confirmed breaches, if the disclosure of such
70 information would facilitate unauthorized access to or
71 unauthorized modification, disclosure, or destruction of:
72 1. Data or information, whether physical or virtual; or
73 2. Information technology resources, which include an
74 agency’s existing or proposed information technology systems.
75 (3) Any portion of a meeting that would reveal information
76 made confidential and exempt under subsection (2) is exempt from
77 s. 286.011 and s. 24(b), Art. I of the State Constitution. An
78 exempt portion of a meeting may not be off the record and must
79 be recorded and transcribed. The recording and transcript are
80 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
81 of the State Constitution.
82 (4) The public records exemptions contained in this section
83 apply to information held by an agency before, on, or after July
84 1, 2022.
85 (5)(a) Information made confidential and exempt pursuant to
86 this section shall be made available to a law enforcement
87 agency, the Auditor General, the Cybercrime Office of the
88 Department of Law Enforcement, the Florida Digital Service
89 within the Department of Management Services, and, for agencies
90 under the jurisdiction of the Governor, the Chief Inspector
91 General.
92 (b) Such confidential and exempt information may be
93 disclosed by an agency in the furtherance of its official duties
94 and responsibilities or to another agency or governmental entity
95 in the furtherance of its statutory duties and responsibilities.
96 (6) Agencies may report information about cybersecurity
97 incidents in the aggregate.
98 (7) This section is subject to the Open Government Sunset
99 Review Act in accordance with s. 119.15 and shall stand repealed
100 on October 2, 2026 2027, unless reviewed and saved from repeal
101 through reenactment by the Legislature.
102 Section 2. Subsection (9) of section 282.318, Florida
103 Statutes, is amended, and subsections (5) and (6) of that
104 section are republished, to read:
105 282.318 Cybersecurity.—
106 (5) The portions of risk assessments, evaluations, external
107 audits, and other reports of a state agency’s cybersecurity
108 program for the data, information, and information technology
109 resources of the state agency which are held by a state agency
110 are confidential and exempt from s. 119.07(1) and s. 24(a), Art.
111 I of the State Constitution if the disclosure of such portions
112 of records would facilitate unauthorized access to or the
113 unauthorized modification, disclosure, or destruction of:
114 (a) Data or information, whether physical or virtual; or
115 (b) Information technology resources, which include:
116 1. Information relating to the security of the agency’s
117 technologies, processes, and practices designed to protect
118 networks, computers, data processing software, and data from
119 attack, damage, or unauthorized access; or
120 2. Security information, whether physical or virtual, which
121 relates to the agency’s existing or proposed information
122 technology systems.
123
124 For purposes of this subsection, “external audit” means an audit
125 that is conducted by an entity other than the state agency that
126 is the subject of the audit.
127 (6) Those portions of a public meeting as specified in s.
128 286.011 which would reveal records which are confidential and
129 exempt under subsection (5) are exempt from s. 286.011 and s.
130 24(b), Art. I of the State Constitution. No exempt portion of an
131 exempt meeting may be off the record. All exempt portions of
132 such meeting shall be recorded and transcribed. Such recordings
133 and transcripts are confidential and exempt from disclosure
134 under s. 119.07(1) and s. 24(a), Art. I of the State
135 Constitution unless a court of competent jurisdiction, after an
136 in camera review, determines that the meeting was not restricted
137 to the discussion of data and information made confidential and
138 exempt by this section. In the event of such a judicial
139 determination, only that portion of the recording and transcript
140 which reveals nonexempt data and information may be disclosed to
141 a third party.
142 (9) Subsections (5) and (6) are subject to the Open
143 Government Sunset Review Act in accordance with s. 119.15 and
144 shall stand repealed on October 2, 2026 2025, unless reviewed
145 and saved from repeal through reenactment by the Legislature.
146 Section 3. This act shall take effect July 1, 2025.