Florida Senate - 2026 SB 1440
By Senator Martin
33-01811-26 20261440__
1 A bill to be entitled
2 An act relating to public records; amending s.
3 494.00125, F.S.; providing an exemption from public
4 records requirements for information received by the
5 Office of Financial Regulation pursuant to certain
6 cybersecurity event provisions relating to information
7 systems and customer information of loan originators,
8 mortgage brokers, and mortgage lenders and for
9 information received by the office as a result of
10 investigations and examinations of such cybersecurity
11 events; providing for future legislative review and
12 repeal of the exemption; providing a statement of
13 public necessity; amending s. 560.129, F.S.; providing
14 an exemption from public records requirements for
15 information received by the office pursuant to certain
16 cybersecurity event provisions relating to information
17 systems and customer information of money services
18 businesses and for information received by the office
19 as a result of investigations and examinations of such
20 cybersecurity events; providing for future legislative
21 review and repeal of the exemption; providing a
22 statement of public necessity; amending s. 655.0171,
23 F.S.; providing an exemption from public records
24 requirements for customer personal information
25 received by the office relating to breaches of
26 security of financial institutions or received by the
27 office as a result of investigations of such breaches
28 under certain circumstances; providing exceptions;
29 providing definitions; providing for future
30 legislative review and repeal of the exemption;
31 providing a statement of public necessity; amending s.
32 655.057, F.S.; providing an exemption from public
33 records requirements for certain information received
34 by the office pursuant to applications for authority
35 to organize new financial institutions and for certain
36 information relating to specified persons; providing
37 exceptions; defining the term “personal identifying
38 information”; providing for future legislative review
39 and repeal of the exemption; providing a statement of
40 public necessity; providing a contingent effective
41 date.
42
43 Be It Enacted by the Legislature of the State of Florida:
44
45 Section 1. Subsection (4) is added to section 494.00125,
46 Florida Statutes, to read:
47 494.00125 Public records exemptions.—
48 (4) INFORMATION SECURITY; CYBERSECURITY.—All information
49 received by the office pursuant to s. 494.00123, or received by
50 the office as result of an investigation by the office or a law
51 enforcement agency of a cybersecurity event pursuant to s.
52 494.00123, is confidential and exempt from s. 119.07(1) and s.
53 24(a), Art. I of the State Constitution, until such time as the
54 investigation is completed or ceases to be active. The public
55 records exemption of the information received by the office
56 under this subsection shall be construed in conformity with s.
57 119.071(2)(c). This subsection is subject to the Open Government
58 Sunset Review Act in accordance with s. 119.15 and shall stand
59 repealed on October 2, 2031, unless reviewed and saved from
60 repeal through reenactment by the Legislature.
61 Section 2. (1) The Legislature finds that it is a public
62 necessity that information on cybersecurity events submitted to
63 or obtained by the Office of Financial Regulation pursuant to s.
64 494.00123, Florida Statutes, or as a result of an investigation
65 by the office which involve information security programs of
66 loan originators, mortgage brokers, and mortgage lenders and
67 nonpublic personal data of customers of such loan originators,
68 mortgage brokers, and mortgage lenders be made confidential and
69 exempt from public disclosure.
70 (2)(a) Premature or unrestricted release of information on
71 cybersecurity events, as defined in s. 494.00123(1), Florida
72 Statutes, could compromise ongoing investigations, expose system
73 vulnerabilities, and hinder the office’s ability to protect
74 consumers and regulate financial institutions effectively.
75 Disclosure of such information could also place affected
76 individuals at heightened risk of identity theft and financial
77 fraud while revealing trade secrets, proprietary data, and
78 technical safeguards that could be exploited by malicious
79 actors.
80 (b) Protecting information on cybersecurity events ensures
81 that entities cooperate fully with regulators, encourages
82 accurate reporting of security incidents, and maintains the
83 overall integrity of the financial and cybersecurity
84 infrastructure of this state.
85 (3) It is therefore a public necessity that all information
86 received by the office pursuant to s. 494.00123, Florida
87 Statutes, or through an investigation by the office or a law
88 enforcement agency of a cybersecurity event pursuant to s.
89 494.00123, Florida Statutes, be made confidential and exempt
90 from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of
91 the State Constitution.
92 Section 3. Subsection (7) of section 560.129, Florida
93 Statutes, is renumbered as subsection (8), and a new subsection
94 (7) is added to that section, to read:
95 560.129 Confidentiality.—
96 (7) All information received by the office pursuant to s.
97 560.1311 or as a result of an investigation by the office or a
98 law enforcement agency is confidential and exempt from s.
99 119.07(1) and s. 24(a), Art. I of the State Constitution, until
100 such time as the investigation is completed or ceases to be
101 active. This exemption shall be construed in conformity with s.
102 119.071(2)(c). This subsection is subject to the Open Government
103 Sunset Review Act in accordance with s. 119.15 and shall stand
104 repealed on October 2, 2031, unless reviewed and saved from
105 repeal through reenactment by the Legislature.
106 Section 4. The Legislature finds that it is a public
107 necessity that information related to cybersecurity incidents,
108 data breaches, and information security programs submitted to or
109 obtained by the Office of Financial Regulation be made
110 confidential and exempt from public disclosure. Premature or
111 unrestricted release of such information could compromise
112 ongoing investigations, expose system vulnerabilities, and
113 hinder the office’s ability to protect consumers and regulate
114 money services businesses effectively. Disclosure could also
115 place affected individuals at heightened risk of identity theft
116 and financial fraud while revealing trade secrets, proprietary
117 data, and technical safeguards that could be exploited by
118 malicious actors. Protecting this information ensures that
119 entities cooperate fully with regulators, encourages accurate
120 reporting of security incidents, and maintains the overall
121 integrity of this state’s financial and cybersecurity
122 infrastructure.
123 Section 5. Subsection (6) is added to section 655.0171,
124 Florida Statutes, as created by SB 540, 2026 Regular Session, to
125 read:
126 655.0171 Requirements for customer data security and for
127 notices of security breaches.—
128 (6) PUBLIC RECORDS EXEMPTION.—
129 (a) All information received by the office pursuant to a
130 notification required by this section, or received by the office
131 pursuant to an investigation by the office or a law enforcement
132 agency under this section, is confidential and exempt from s.
133 119.07(1) and s. 24(a), Art. I of the State Constitution, until
134 such time as the investigation is completed or ceases to be
135 active. This exemption shall be construed in conformity with s.
136 119.071(2)(c).
137 (b) During an active investigation, information made
138 confidential and exempt pursuant to paragraph (a) may be
139 disclosed by the office:
140 1. In the furtherance of its official duties and
141 responsibilities;
142 2. For print, publication, or broadcast if the office
143 determines that such release would assist in notifying the
144 public or locating or identifying a person that the office
145 believes to be a victim of a data breach or improper disposal of
146 customer records, except that information made confidential and
147 exempt by paragraph (c) may not be released pursuant to this
148 subparagraph; or
149 3. To another governmental entity in the furtherance of its
150 official duties and responsibilities.
151 (c) Upon completion of an investigation or once an
152 investigation ceases to be active, the following information
153 received by the office remains confidential and exempt from s.
154 119.07(1) and s. 24(a), Art. I of the State Constitution:
155 1. All information to which another public records
156 exemption applies.
157 2. Personal information.
158 3. A computer forensic report.
159 4. Information that would otherwise reveal weaknesses in a
160 financial institution’s data security.
161 5. Information that would disclose a financial
162 institution’s proprietary information.
163 a. As used in this subparagraph, the term “proprietary
164 information” means information that:
165 (I) Is owned or controlled by the financial institution.
166 (II) Is intended to be private and is treated by the
167 financial institution as private because disclosure would harm
168 the financial institution or its business operations.
169 (III) Has not been disclosed except as required by law or a
170 private agreement that provides that the information will not be
171 released to the public.
172 (IV) Is not publicly available or otherwise readily
173 ascertainable through proper means from another source in the
174 same configuration as received by the office.
175 b. The term includes:
176 (I) Trade secrets as defined in s. 688.002.
177 (II) Competitive interests, the disclosure of which would
178 impair the competitive business of the financial institution
179 that is the subject of the information.
180 (d) As used in this subsection, the term “customer records”
181 means any material, regardless of the physical form, on which
182 personal information is recorded or preserved by any means,
183 including, but not limited to, written or spoken words,
184 graphically depicted, printed, or electromagnetically
185 transmitted which are provided by an individual in this state to
186 a financial institution for the purpose of purchasing or leasing
187 a product or obtaining a service.
188 (e) This subsection is subject to the Open Government
189 Sunset Review Act in accordance with s. 119.15 and shall stand
190 repealed on October 2, 2031, unless reviewed and saved from
191 repeal through reenactment by the Legislature.
192 Section 6. The Legislature finds that it is a public
193 necessity that all information received by the Office of
194 Financial Regulation pursuant to a notification of a violation
195 of s. 655.0171, Florida Statutes, or received by the Department
196 of Legal Affairs pursuant to an investigation by the department
197 or a law enforcement agency relating to a violation of s.
198 655.0171, Florida Statutes, be made confidential and exempt from
199 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the
200 State Constitution for the following reasons:
201 (1) A notification of a violation of s. 655.0171, Florida
202 Statutes, is likely to result in an investigation. The premature
203 release of such information could frustrate or thwart the
204 investigation and impair the ability of the office to
205 effectively and efficiently administer s. 655.0171, Florida
206 Statutes. In addition, release of such information before
207 completion of an active investigation could jeopardize the
208 ongoing investigation.
209 (2) The Legislature finds that it is a public necessity to
210 continue to protect from public disclosure all information to
211 which another public record exemption applies once an
212 investigation is completed or ceases to be active. Release of
213 such information by the office would undo the specific statutory
214 exemption protecting that information.
215 (3) An investigation of a data breach or improper disposal
216 of customer records is likely to result in the gathering of
217 sensitive personal information, including social security
218 numbers, identification numbers, and personal financial
219 information of customers of financial institutions. Such
220 information could be used for the purpose of identity theft, and
221 release of such information could subject possible victims of
222 the data breach or improper disposal of customer records to
223 further financial harm.
224 (4) Release of a computer forensic report or other
225 information that would otherwise reveal weaknesses in a covered
226 financial institution’s data security could compromise the
227 future security of that financial institution, or other
228 financial institutions, if such information were available upon
229 conclusion of an investigation or once an investigation ceased
230 to be active. The release of such report or information could
231 compromise the security of current financial institutions and
232 make those financial institutions susceptible to future data
233 breaches. Release of such report or information could result in
234 the identification of vulnerabilities and further breaches of
235 that system.
236 (5) Notices received by the office and information received
237 during an investigation of a data breach are likely to contain
238 proprietary information, including trade secrets, about the
239 security of the breached system. The release of the proprietary
240 information could result in the identification of
241 vulnerabilities and further breaches of that system. In
242 addition, a trade secret derives independent, economic value,
243 actual or potential, from being generally unknown to, and not
244 readily ascertainable by, other persons. Allowing public access
245 to proprietary information, including a trade secret, through a
246 public records request could destroy the value of the
247 proprietary information and cause a financial loss to the
248 financial institution submitting the information. Release of
249 such information could give business competitors an unfair
250 advantage and weaken the position of the financial institution
251 supplying the proprietary information in the marketplace.
252 Section 7. Subsections (6) through (14) of section 655.057,
253 Florida Statutes, are renumbered as subsections (7) through
254 (15), respectively, and a new subsection (6) is added to that
255 section, to read:
256 655.057 Records; limited restrictions upon public access.—
257 (6)(a) The following information received by the office
258 pursuant to an application for authority to organize a new
259 financial institution is confidential and exempt from s.
260 119.07(1) and s. 24(a), Art. I of the State Constitution:
261 1. Personal financial information.
262 2. A driver license number, a passport number, a military
263 identification number, or any other number or code issued on a
264 government document used to verify identity.
265 3. Books and records of a current or proposed financial
266 institution.
267 4. The proposed financial institution’s proposed business
268 plan.
269 (b) The personal identifying information of a proposed
270 officer or proposed director who is currently employed by, or
271 actively participates in the affairs of, another financial
272 institution received by the office pursuant to an application
273 for authority to organize a new financial institution under
274 chapters 655-667 is exempt from s. 119.07(1) and s. 24(a), Art.
275 I of the State Constitution until the application is approved
276 and the charter is issued. As used in this paragraph, the term
277 “personal identifying information” means names, home addresses,
278 e-mail addresses, telephone numbers, names of relatives, work
279 experience, professional licensing and educational backgrounds,
280 and photographs.
281 (c) This subsection is subject to the Open Government
282 Sunset Review Act in accordance with s. 119.15 and is repealed
283 October 2, 2031, unless reviewed and saved from repeal through
284 reenactment by the Legislature.
285 Section 8. (1)(a) The Legislature finds that it is a
286 public necessity that information received by the Office of
287 Financial Regulation pursuant to an application for authority to
288 organize a new financial institution pursuant to the Financial
289 Institutions Codes, chapters 655-667, Florida Statutes, be made
290 confidential and exempt from s. 119.07(1), Florida Statutes, and
291 s. 24(a), Article I of the State Constitution to the extent that
292 disclosure would reveal:
293 1. Personal financial information;
294 2. A driver license number, a passport number, a military
295 identification number, or any other number or code issued on a
296 government document used to verify identity;
297 3. Books and records of a current or proposed financial
298 institution; or
299 4. A proposed financial institution’s business plan and any
300 attached supporting documentation.
301 (b) The Legislature further finds that it is a public
302 necessity that the personal identifying information of a
303 proposed officer or proposed director who is currently employed
304 by, or actively participates in the affairs of, another
305 financial institution be made confidential and exempt from s.
306 119.07(1), Florida Statutes, and s. 24(a), Article I of the
307 State Constitution for the duration of the application process,
308 until the application is approved and a charter is issued.
309 (2) The office may receive sensitive personal, financial,
310 and business information in conjunction with its duties related
311 to the review of applications for the organization or
312 establishment of new financial institutions. The exemptions from
313 public records requirements provided under subsection (1) are
314 necessary to ensure the office’s ability to administer its
315 regulatory duties while preventing unwarranted damage to the
316 proposed financial institution or certain proposed officers or
317 proposed directors of financial institutions in this state. The
318 release of information that could lead to the identification of
319 an individual involved in the potential establishment of a new
320 financial institution may subject such individual to retribution
321 and jeopardize his or her current employment with, or
322 participation in the affairs of, another financial institution.
323 Thus, the public availability of such information has a chilling
324 effect on the establishment of new financial institutions.
325 Further, the public availability of the books and financial
326 records of a current or proposed financial institution in this
327 state presents an unnecessary risk of harm to the business
328 operations of such institution. Finally, the public availability
329 of a proposed financial institution’s business plan may cause
330 competitive harm to its future business operations and presents
331 an unfair competitive advantage for existing financial
332 institutions that are not required to release such information.
333 Section 9. This act shall take effect on the same date that
334 SB 540 or similar legislation takes effect, if such legislation
335 is adopted in the same legislative session or an extension
336 thereof and becomes a law.