Florida Senate - 2016                                     SB 624
       
       
        
       By Senator Hays
       
       11-00620A-16                                           2016624__
    1                        A bill to be entitled                      
    2         An act relating to public records; amending s.
    3         282.318, F.S.; creating exemptions from public records
    4         requirements for information held by a state agency
    5         relating to the detection or investigation of or
    6         response to any suspected or confirmed security
    7         breaches and the results of external audits and
    8         evaluations of a state agency’s information technology
    9         security program; authorizing disclosure of
   10         confidential and exempt information to certain
   11         agencies and officers; providing for retroactive
   12         application; providing for future legislative review
   13         and repeal of the exemptions; providing statements of
   14         public necessity; providing an effective date.
   15          
   16  Be It Enacted by the Legislature of the State of Florida:
   17  
   18         Section 1. Paragraph (i) of subsection (4) of section
   19  282.318, Florida Statutes, is amended, present subsection (5) of
   20  that section is renumbered as subsection (6), and a new
   21  subsection (5) is added to that section, to read:
   22         282.318 Security of data and information technology.—
   23         (4) Each state agency head shall, at a minimum:
   24         (i) Develop a process for detecting, reporting, and
   25  responding to threats, breaches, or information technology
   26  security incidents that are consistent with the security rules,
   27  guidelines, and processes established by the Agency for State
   28  Technology.
   29         1. All information technology security incidents and
   30  breaches must be reported to the Agency for State Technology.
   31         2. For information technology security breaches, state
   32  agencies shall provide notice in accordance with s. 501.171.
   33         3. Information held by a state agency relating to the
   34  detection, investigation, or response to any suspected or
   35  confirmed security incidents, including suspected or confirmed
   36  breaches, which, if disclosed, could facilitate the unauthorized
   37  access to or the unauthorized modification, disclosure, or
   38  destruction of data or information technology resources is
   39  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   40  of the State Constitution, except that such information shall be
   41  available to the Auditor General, the Agency for State
   42  Technology, the Cybercrime Office of the Department of Law
   43  Enforcement, and, for state agencies under the jurisdiction of
   44  the Governor, the Chief Inspector General. This exemption
   45  applies to such information held by a state agency before, on,
   46  or after the effective date of this exemption. This subparagraph
   47  is subject to the Open Government Sunset Review Act in
   48  accordance with s. 119.15 and shall stand repealed on October 2,
   49  2021, unless reviewed and saved from repeal through reenactment
   50  by the Legislature.
   51         (5) The results of external audits and evaluations of a
   52  state agency’s information technology security program for the
   53  data, information, and information technology resources of the
   54  state agency are confidential and exempt from s. 119.07(1) and
   55  s. 24(a), Art. I of the State Constitution, except that such
   56  information shall be available to the Auditor General, the
   57  Cybercrime Office of the Department of Law Enforcement, the
   58  Agency for State Technology, and, for agencies under the
   59  jurisdiction of the Governor, the Chief Inspector General; and
   60  may be made available to other state agencies for information
   61  technology security purposes. This exemption applies to such
   62  information held by a state agency before, on, or after the
   63  effective date of this exemption. This subsection is subject to
   64  the Open Government Sunset Review Act in accordance with s.
   65  119.15 and shall stand repealed on October 2, 2021, unless
   66  reviewed and saved from repeal through reenactment by the
   67  Legislature.
   68         Section 2. (1) The Legislature finds that it is a public
   69  necessity that information relating to the detection or
   70  investigation of or response to any suspected or confirmed
   71  security incidents, including suspected or confirmed breaches,
   72  which, if disclosed, could facilitate the unauthorized access to
   73  or unauthorized modification, disclosure, or destruction of data
   74  or information technology resources be made confidential and
   75  exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
   76  Article I of the State Constitution for the following reasons:
   77         (a) Information held by a state agency relating to security
   78  incidents or breaches is likely to result in an investigation of
   79  the incident or breach. The release of such information could
   80  impede the investigation and impair the ability of reviewing
   81  entities to effectively and efficiently execute their
   82  investigative duties. In addition, release of such information
   83  before completion of an active investigation could jeopardize
   84  the ongoing investigation.
   85         (b) An investigation of an information technology security
   86  incident or breach is likely to result in the gathering of
   87  sensitive personal information, including social security
   88  numbers, identification numbers, and personal financial and
   89  health information. Such information could be used for the
   90  purpose of identity theft. In addition, release of such
   91  information could subject possible victims of the incident or
   92  breach to further financial harm. Furthermore, matters of
   93  personal health are traditionally private and confidential
   94  concerns between the patient and the health care provider. The
   95  private and confidential nature of personal health matters
   96  pervades both the public and private health care sectors.
   97         (c) Release of a computer forensic report or other
   98  information that would reveal weaknesses in a covered entity’s
   99  data security could compromise the future security of that
  100  entity, or other entities, if such information were available
  101  upon conclusion of an investigation or once an investigation
  102  ceased to be active. The release of such report or information
  103  could compromise the security of current entities and make those
  104  entities susceptible to future data incidents or breaches.
  105         (d) Information held by an agency relating to the detection
  106  or investigation of or response to a suspected or confirmed
  107  security incident or breach is likely to contain proprietary
  108  information, including trade secrets, about the security of the
  109  system at issue. The release of the proprietary information
  110  could result in the identification of vulnerabilities and
  111  further breaches of that system. In addition, a trade secret has
  112  independent, economic value, actual or potential, in its being
  113  generally unknown to, and not readily ascertainable by, other
  114  persons who might obtain economic value from its disclosure or
  115  use. Allowing public access to proprietary information,
  116  including a trade secret, through a public records request could
  117  destroy the value of the proprietary information and cause a
  118  financial loss to the covered entity submitting the information.
  119  Release of such information could give business competitors an
  120  unfair advantage and weaken the position of the entity supplying
  121  the proprietary information in the marketplace.
  122         (e) The disclosure of such information could potentially
  123  compromise the confidentiality, integrity, and availability of
  124  state agency data and information technology resources, which
  125  would significantly impair the administration of vital
  126  governmental programs. It is necessary that this information be
  127  made confidential in order to protect the technology systems,
  128  resources, and data of state agencies. The Legislature further
  129  finds that this public records exemption be given retroactive
  130  application because it is remedial in nature.
  131         (2) The Legislature also finds that it is a public
  132  necessity that the results of external audits and evaluations of
  133  a state agency’s information technology security program for the
  134  data, information, and information technology resources of the
  135  state agency be made confidential and exempt from s. 119.07(1),
  136  Florida Statutes, and s. 24(a), Article I of the State
  137  Constitution. A state agency may find it valuable, prudent, or
  138  even critical to have an independent entity conduct an audit and
  139  evaluation of the agency’s information technology program or
  140  related systems. Such audits would likely include an analysis of
  141  the current state of the state agency’s information technology
  142  program or systems which could clearly identify vulnerabilities
  143  or gaps in current systems or processes and propose
  144  recommendations to remedy identified vulnerabilities. The
  145  disclosure of such information would jeopardize the information
  146  technology security of the state agency, and compromise the
  147  integrity and availability of agency data and information
  148  technology resources, which would significantly impair the
  149  administration of governmental programs. It is necessary that
  150  this information be made confidential and exempt from public
  151  records requirements in order to protect agency technology
  152  systems, resources, and data. The Legislature further finds that
  153  this public records exemption be given retroactive application
  154  because it is remedial in nature.
  155         Section 3. This act shall take effect upon becoming a law.