Florida Senate - 2014 CS for SB 1526
By the Committee on Judiciary; and Senator Thrasher
590-03545-14 20141526c1
1 A bill to be entitled
2 An act relating to public records; amending s.
3 501.171, F.S.; creating an exemption from public
4 records requirements for information received by the
5 Department of Legal Affairs pursuant to a notice of a
6 data breach or pursuant to certain investigations;
7 authorizing disclosure under certain circumstances;
8 defining the term “proprietary information”; providing
9 for future review and repeal of the exemption under
10 the Open Government Sunset Review Act; providing a
11 statement of public necessity; providing a contingent
12 effective date.
13
14 Be It Enacted by the Legislature of the State of Florida:
15
16 Section 1. Subsection (11) is added to section 501.171,
17 Florida Statutes, as created by SB 1524, 2014 Regular Session,
18 to read:
19 501.171 Security of confidential personal information.—
20 (11) PUBLIC RECORDS EXEMPTION.—
21 (a) All information received by the department pursuant to
22 a notification required by this section, or received by the
23 department pursuant to an investigation by the department or a
24 law enforcement agency, is confidential and exempt from s.
25 119.07(1) and s. 24(a), Art. I of the State Constitution, until
26 such time as the investigation is completed or ceases to be
27 active. This exemption shall be construed in conformity with s.
28 119.071(2)(c).
29 (b) During an active investigation, information made
30 confidential and exempt pursuant to paragraph (a) may be
31 disclosed by the department:
32 1. In the furtherance of its official duties and
33 responsibilities;
34 2. For print, publication, or broadcast if the department
35 determines that such release would assist in notifying the
36 public or locating or identifying a person that the department
37 believes to be a victim of a data breach or improper disposal of
38 customer records; or
39 3. To another governmental entity in the furtherance of its
40 official duties and responsibilities.
41 (c) Upon completion of an investigation or once an
42 investigation ceases to be active, the following information
43 received by the department shall remain confidential and exempt
44 from s. 119.07(1) and s. 24(a), Art. I of the State
45 Constitution:
46 1. All information to which another public records
47 exemption applies.
48 2. Personal information.
49 3. A computer forensic report.
50 4. Information that would otherwise reveal weaknesses in a
51 covered entity’s data security.
52 5. Information that would disclose a covered entity’s
53 proprietary information.
54 (d) For purposes of this subsection, the term “proprietary
55 information” means information that:
56 1. Is owned or controlled by the covered entity.
57 2. Is intended to be private and is treated by the covered
58 entity as private because disclosure would harm the covered
59 entity or its business operations.
60 3. Has not been disclosed except as required by law or a
61 private agreement that provides that the information will not be
62 released to the public.
63 4. Is not publicly available or otherwise readily
64 ascertainable through proper means from another source in the
65 same configuration as received by the department.
66 5. Includes:
67 a. Trade secrets as defined in s. 688.002.
68 b. Competitive interests, the disclosure of which would
69 impair the competitive business of the covered entity who is the
70 subject of the information.
71 (e) This subsection is subject to the Open Government
72 Sunset Review Act in accordance with s. 119.15 and shall stand
73 repealed on October 2, 2019, unless reviewed and saved from
74 repeal through reenactment by the Legislature.
75 Section 2. The Legislature finds that it is a public
76 necessity that all information received by the Department of
77 Legal Affairs pursuant to a notification of a violation of s.
78 501.171, Florida Statutes, or received by the department
79 pursuant to an investigation by the department or a law
80 enforcement agency, be made confidential and exempt from s.
81 119.07(1), Florida Statutes, and s. 24(a), Article I of the
82 State Constitution for the following reasons:
83 (1) A notification of a violation of s. 501.171, Florida
84 Statutes, is likely to result in an investigation of such
85 violation because a data breach is likely the result of criminal
86 activity that may lead to further criminal activity. The
87 premature release of such information could frustrate or thwart
88 the investigation and impair the ability of the Department of
89 Legal Affairs to effectively and efficiently administer s.
90 501.171, Florida Statutes. In addition, release of such
91 information before completion of an active investigation could
92 jeopardize the ongoing investigation.
93 (2) The Legislature finds that it is a public necessity to
94 continue to protect from public disclosure all information to
95 which another public record exemption applies once an
96 investigation is completed or ceases to be active. Release of
97 such information by the Department of Legal Affairs would undo
98 the specific statutory exemption protecting that information.
99 (3) An investigation of a data breach or improper disposal
100 of customer records is likely to result in the gathering of
101 sensitive personal information, including social security
102 numbers, identification numbers, and personal financial and
103 health information. Such information could be used for the
104 purpose of identity theft. In addition, release of such
105 information could subject possible victims of the data breach or
106 improper disposal of customer records to further financial harm.
107 Furthermore, matters of personal health are traditionally
108 private and confidential concerns between the patient and the
109 health care provider. The private and confidential nature of
110 personal health matters pervades both the public and private
111 health care sectors.
112 (4) Release of a computer forensic report or other
113 information that would otherwise reveal weaknesses in a covered
114 entity’s data security could compromise the future security of
115 that entity, or other entities, if such information were
116 available upon conclusion of an investigation or once an
117 investigation ceased to be active. The release of such report or
118 information could compromise the security of current entities
119 and make those entities susceptible to future data breaches.
120 Release of such report or information could result in the
121 identification of vulnerabilities and further breaches of that
122 system.
123 (5) Notices received by the Department of Legal Affairs and
124 information received during an investigation of a data breach
125 are likely to contain proprietary information, including trade
126 secrets, about the security of the breached system. The release
127 of the proprietary information could result in the
128 identification of vulnerabilities and further breaches of that
129 system. In addition, a trade secret derives independent,
130 economic value, actual or potential, from being generally
131 unknown to, and not readily ascertainable by, other persons who
132 might obtain economic value from its disclosure or use. Allowing
133 public access to proprietary information, including a trade
134 secret, through a public records request could destroy the value
135 of the proprietary information and cause a financial loss to the
136 covered entity submitting the information. Release of such
137 information could give business competitors an unfair advantage
138 and weaken the position of the entity supplying the proprietary
139 information in the marketplace.
140 Section 3.
141