ENROLLED
       2014 Legislature                           CS for CS for SB 1526
       
       
       
       
       
       
                                                             20141526er
    1  
    2         An act relating to public records; amending s.
    3         501.171, F.S.; creating an exemption from public
    4         records requirements for information received by the
    5         Department of Legal Affairs pursuant to a notice of a
    6         data breach or pursuant to certain investigations;
    7         authorizing disclosure under certain circumstances;
    8         defining the term “proprietary information”; providing
    9         for future review and repeal of the exemption under
   10         the Open Government Sunset Review Act; providing a
   11         statement of public necessity; providing a contingent
   12         effective date.
   13          
   14  Be It Enacted by the Legislature of the State of Florida:
   15  
   16         Section 1. Subsection (11) is added to section 501.171,
   17  Florida Statutes, as created by SB 1524, 2014 Regular Session,
   18  to read:
   19         501.171 Security of confidential personal information.—
   20         (11) PUBLIC RECORDS EXEMPTION.—
   21         (a) All information received by the department pursuant to
   22  a notification required by this section, or received by the
   23  department pursuant to an investigation by the department or a
   24  law enforcement agency, is confidential and exempt from s.
   25  119.07(1) and s. 24(a), Art. I of the State Constitution, until
   26  such time as the investigation is completed or ceases to be
   27  active. This exemption shall be construed in conformity with s.
   28  119.071(2)(c).
   29         (b) During an active investigation, information made
   30  confidential and exempt pursuant to paragraph (a) may be
   31  disclosed by the department:
   32         1. In the furtherance of its official duties and
   33  responsibilities;
   34         2. For print, publication, or broadcast if the department
   35  determines that such release would assist in notifying the
   36  public or locating or identifying a person that the department
   37  believes to be a victim of a data breach or improper disposal of
   38  customer records, except that information made confidential and
   39  exempt by paragraph (c) may not be released pursuant to this
   40  subparagraph; or
   41         3. To another governmental entity in the furtherance of its
   42  official duties and responsibilities.
   43         (c) Upon completion of an investigation or once an
   44  investigation ceases to be active, the following information
   45  received by the department shall remain confidential and exempt
   46  from s. 119.07(1) and s. 24(a), Art. I of the State
   47  Constitution:
   48         1. All information to which another public records
   49  exemption applies.
   50         2. Personal information.
   51         3. A computer forensic report.
   52         4. Information that would otherwise reveal weaknesses in a
   53  covered entity’s data security.
   54         5. Information that would disclose a covered entity’s
   55  proprietary information.
   56         (d) For purposes of this subsection, the term “proprietary
   57  information” means information that:
   58         1. Is owned or controlled by the covered entity.
   59         2. Is intended to be private and is treated by the covered
   60  entity as private because disclosure would harm the covered
   61  entity or its business operations.
   62         3. Has not been disclosed except as required by law or a
   63  private agreement that provides that the information will not be
   64  released to the public.
   65         4. Is not publicly available or otherwise readily
   66  ascertainable through proper means from another source in the
   67  same configuration as received by the department.
   68         5. Includes:
   69         a. Trade secrets as defined in s. 688.002.
   70         b. Competitive interests, the disclosure of which would
   71  impair the competitive business of the covered entity who is the
   72  subject of the information.
   73         (e) This subsection is subject to the Open Government
   74  Sunset Review Act in accordance with s. 119.15 and shall stand
   75  repealed on October 2, 2019, unless reviewed and saved from
   76  repeal through reenactment by the Legislature.
   77         Section 2. The Legislature finds that it is a public
   78  necessity that all information received by the Department of
   79  Legal Affairs pursuant to a notification of a violation of s.
   80  501.171, Florida Statutes, or received by the department
   81  pursuant to an investigation by the department or a law
   82  enforcement agency, be made confidential and exempt from s.
   83  119.07(1), Florida Statutes, and s. 24(a), Article I of the
   84  State Constitution for the following reasons:
   85         (1) A notification of a violation of s. 501.171, Florida
   86  Statutes, is likely to result in an investigation of such
   87  violation because a data breach is likely the result of criminal
   88  activity that may lead to further criminal activity. The
   89  premature release of such information could frustrate or thwart
   90  the investigation and impair the ability of the Department of
   91  Legal Affairs to effectively and efficiently administer s.
   92  501.171, Florida Statutes. In addition, release of such
   93  information before completion of an active investigation could
   94  jeopardize the ongoing investigation.
   95         (2) The Legislature finds that it is a public necessity to
   96  continue to protect from public disclosure all information to
   97  which another public record exemption applies once an
   98  investigation is completed or ceases to be active. Release of
   99  such information by the Department of Legal Affairs would undo
  100  the specific statutory exemption protecting that information.
  101         (3) An investigation of a data breach or improper disposal
  102  of customer records is likely to result in the gathering of
  103  sensitive personal information, including social security
  104  numbers, identification numbers, and personal financial and
  105  health information. Such information could be used for the
  106  purpose of identity theft. In addition, release of such
  107  information could subject possible victims of the data breach or
  108  improper disposal of customer records to further financial harm.
  109  Furthermore, matters of personal health are traditionally
  110  private and confidential concerns between the patient and the
  111  health care provider. The private and confidential nature of
  112  personal health matters pervades both the public and private
  113  health care sectors.
  114         (4) Release of a computer forensic report or other
  115  information that would otherwise reveal weaknesses in a covered
  116  entity’s data security could compromise the future security of
  117  that entity, or other entities, if such information were
  118  available upon conclusion of an investigation or once an
  119  investigation ceased to be active. The release of such report or
  120  information could compromise the security of current entities
  121  and make those entities susceptible to future data breaches.
  122  Release of such report or information could result in the
  123  identification of vulnerabilities and further breaches of that
  124  system.
  125         (5) Notices received by the Department of Legal Affairs and
  126  information received during an investigation of a data breach
  127  are likely to contain proprietary information, including trade
  128  secrets, about the security of the breached system. The release
  129  of the proprietary information could result in the
  130  identification of vulnerabilities and further breaches of that
  131  system. In addition, a trade secret derives independent,
  132  economic value, actual or potential, from being generally
  133  unknown to, and not readily ascertainable by, other persons who
  134  might obtain economic value from its disclosure or use. Allowing
  135  public access to proprietary information, including a trade
  136  secret, through a public records request could destroy the value
  137  of the proprietary information and cause a financial loss to the
  138  covered entity submitting the information. Release of such
  139  information could give business competitors an unfair advantage
  140  and weaken the position of the entity supplying the proprietary
  141  information in the marketplace.
  142         Section 3. 
  143