Florida Senate - 2018                                    SB 1880
       
       
        
       By Senator Broxson
       
       
       
       
       
       1-01213B-18                                           20181880__
    1                        A bill to be entitled                      
    2         An act relating to public records; creating s.
    3         627.352, F.S.; providing an exemption from public
    4         records requirements for certain records held by the
    5         Citizens Property Insurance Corporation which identify
    6         detection, investigation, or response practices for
    7         suspected or confirmed information technology security
    8         incidents; creating an exemption from public records
    9         requirements for certain portions of risk assessments,
   10         evaluations, audits, and other reports of the
   11         corporation’s information technology security program;
   12         creating an exemption from public meetings
   13         requirements for portions of public meetings which
   14         would reveal such data and information; providing an
   15         exemption from public records requirements for a
   16         specified period for the recording and transcript of a
   17         closed meeting; authorizing disclosure of confidential
   18         and exempt information to certain agencies and
   19         officers; providing for future legislative review and
   20         repeal; providing a statement of public necessity;
   21         providing retroactive application; providing an
   22         effective date.
   23          
   24  Be It Enacted by the Legislature of the State of Florida:
   25  
   26         Section 1. Section 627.352, Florida Statutes, is created to
   27  read:
    28         627.352 Security of data and information technology in
   29  Citizens Property Insurance Corporation.—
    30         (1) The following data and information from technology
   31  systems owned by, under contract with, or maintained by Citizens
   32  Property Insurance Corporation are confidential and exempt from
   33  s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
    34         (a) Records held by the corporation which identify
   35  detection, investigation, or response practices for suspected or
   36  confirmed information technology security incidents, including
   37  suspected or confirmed breaches, if the disclosure of such
   38  records would facilitate unauthorized access to or unauthorized
   39  modification, disclosure, or destruction of:
    40         1. Data or information, whether physical or virtual; or
    41         2. Information technology resources, including:
    42         a. Information relating to the security of the
   43  corporation’s technologies, processes, and practices designed to
   44  protect networks, computers, data processing software, and data
   45  from attack, damage, or unauthorized access; or
    46         b. Security information, whether physical or virtual, which
   47  relates to the corporation’s existing or proposed information
   48  technology systems.
    49         (b) Those portions of risk assessments, evaluations,
   50  audits, and other reports of the corporation’s information
   51  technology security program for its data, information, and
   52  information technology resources which are held by the
   53  corporation, if the disclosure of such records would facilitate
   54  unauthorized access to or the unauthorized modification,
   55  disclosure, or destruction of:
    56         1. Data or information, whether physical or virtual; or
    57         2. Information technology resources, which include:
    58         a. Information relating to the security of the
   59  corporation’s technologies, processes, and practices designed to
   60  protect networks, computers, data processing software, and data
   61  from attack, damage, or unauthorized access; or
    62         b. Security information, whether physical or virtual, which
   63  relates to the corporation’s existing or proposed information
   64  technology systems.
    65         (2) Those portions of a public meeting as specified in s.
   66  286.011 which would reveal data and information described in
   67  subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
   68  of the State Constitution. No exempt portion of an exempt
   69  meeting may be off the record. All exempt portions of such a
   70  meeting must be recorded and transcribed. The recording and
   71  transcript of the meeting must remain confidential and exempt
   72  from disclosure under s. 119.07(1) and s. 24(a), Art. I of the
   73  State Constitution unless a court of competent jurisdiction,
   74  following an in camera review, determines that the meeting was
   75  not restricted to the discussion of data and information made
   76  confidential and exempt by this section. In the event of such a
   77  judicial determination, only that portion of the transcript
   78  which reveals nonexempt data and information may be disclosed to
   79  a third party.
    80         (3) The records and portions of public meeting recordings
   81  and transcripts described in subsection (2) must be available to
   82  the Auditor General, the Cybercrime Office of the Department of
   83  Law Enforcement, and the Office of Insurance Regulation. Such
   84  records and portions of meetings, recordings, and transcripts
   85  may be made available to a state or federal agency for security
   86  purposes or in furtherance of the agency’s official duties.
    87         (4) The exemptions listed in this section apply to such
   88  records or portions of public meetings, recordings, and
   89  transcripts held by the corporation before, on, or after July 1,
   90  2018.
    91         (5) This section is subject to the Open Government Sunset
   92  Review Act in accordance with s. 119.15 and shall stand repealed
   93  on October 2, 2022, unless reviewed and saved from repeal
   94  through reenactment by the Legislature.
   95         Section 2. (1)(a) The Legislature finds that it is a public
   96  necessity that the following data or information from technology
   97  systems owned, under contract, or maintained by the corporation
   98  be confidential and exempt from s. 119.07(1), Florida Statutes,
   99  and s. 24(a), Article I of the State Constitution:
   100         1. Records held by the corporation which identify
  101  detection, investigation, or response practices for suspected or
  102  confirmed information technology security incidents, including
  103  suspected or confirmed breaches, if the disclosure of such
  104  records would facilitate unauthorized access to or unauthorized
  105  modification, disclosure, or destruction of:
   106         a. Data or information, whether physical or virtual; or
   107         b. Information technology resources, which include:
   108         (I) Information relating to the security of the
  109  corporation’s technologies, processes, and practices designed to
  110  protect networks, computers, data processing software, and data
  111  from attack, damage, or unauthorized access; or
   112         (II) Security information, whether physical or virtual,
  113  which relates to the corporation’s existing or proposed
  114  information technology systems.
   115         2. Those portions of risk assessments, evaluations, audits,
  116  and other reports of the corporation’s information technology
  117  security program for its data, information, and information
  118  technology resources which are held by the corporation, if the
  119  disclosure of such records would facilitate unauthorized access
  120  to or the unauthorized modification, disclosure, or destruction
  121  of:
   122         a. Data or information, whether physical or virtual; or
   123         b. Information technology resources, which include:
   124         (I) Information relating to the security of the
  125  corporation’s technologies, processes, and practices designed to
  126  protect networks, computers, data processing software, and data
   127  from attack, damage, or unauthorized access; or
   128         (II) Security information, whether physical or virtual,
  129  which relates to the corporation’s existing or proposed
  130  information technology systems.
   131         (b) The Legislature also finds that those portions of a
  132  public meeting as specified in s. 286.011, Florida Statutes,
  133  which would reveal data and information described in subsection
  134  (1) are exempt from s. 286.011, Florida Statutes, and s. 24(b),
  135  Article I of the State Constitution. The recording and
  136  transcript of the meeting must remain confidential and exempt
  137  from disclosure under s. 119.07(1), Florida Statutes, and s.
  138  24(a), Article I of the State Constitution unless a court of
  139  competent jurisdiction, following an in camera review,
  140  determines that the meeting was not restricted to the discussion
  141  of data and information made confidential and exempt by this
  142  section. In the event of such a judicial determination, only
  143  that portion of the transcript which reveals nonexempt data and
  144  information may be disclosed to a third party.
   145         (c) The Legislature further finds that it is a public
  146  necessity that records held by the corporation which identify
  147  detection, investigation, or response practices for suspected or
  148  confirmed information technology security incidents, including
  149  suspected or confirmed breaches, be made confidential and exempt
  150  from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of
  151  the State Constitution if the disclosure of such records would
  152  facilitate unauthorized access to or the unauthorized
  153  modification, disclosure, or destruction of:
   154         1. Data or information, whether physical or virtual; or
   155         2. Information technology resources, which include:
   156         a. Information relating to the security of the
  157  corporation’s technologies, processes, and practices designed to
  158  protect networks, computers, data processing software, and data
  159  from attack, damage, or unauthorized access; or
   160         b. Security information, whether physical or virtual, which
  161  relates to the corporation’s existing or proposed information
  162  technology systems.
   163         (d) Such records must be made confidential and exempt for
   164  the following reasons:
   165         1. Records held by the corporation which identify
  166  information technology detection, investigation, or response
  167  practices for suspected or confirmed information technology
  168  security incidents or breaches are likely to be used in the
  169  investigations of the incidents or breaches. The release of such
  170  information could impede the investigation and impair the
  171  ability of reviewing entities to effectively and efficiently
  172  execute their investigative duties. In addition, the release of
  173  such information before an active investigation is completed
  174  could jeopardize the ongoing investigation.
   175         2. An investigation of an information technology security
  176  incident or breach is likely to result in the gathering of
  177  sensitive personal information, including identification numbers
  178  and personal financial and health information. Such information
  179  could be used to commit identity theft or other crimes. In
  180  addition, release of such information could subject possible
  181  victims of the security incident or breach to further harm.
   182         3. Disclosure of a record, including a computer forensic
  183  analysis, or other information that would reveal weaknesses in
  184  the corporation’s data security could compromise that security
  185  in the future if such information were available upon conclusion
  186  of an investigation or once an investigation ceased to be
  187  active.
   188         4. Such records are likely to contain proprietary
  189  information about the security of the system at issue. The
  190  disclosure of such information could result in the
  191  identification of vulnerabilities and further breaches of that
  192  system. In addition, the release of such information could give
  193  business competitors an unfair advantage and weaken the security
  194  technology supplier supplying the proprietary information in the
  195  marketplace.
   196         5. The disclosure of such records could potentially
  197  compromise the confidentiality, integrity, and availability of
  198  the corporation’s data and information technology resources. It
  199  is a public necessity that this information be made confidential
  200  in order to protect the technology systems, resources, and data
  201  of the corporation. The Legislature further finds that this
  202  public records exemption be given retroactive application
  203  because it is remedial in nature.
   204         (2)(a) The Legislature also finds that it is a public
  205  necessity that portions of risk assessments, evaluations,
  206  audits, and other reports of the corporation’s information
  207  technology security program for its data, information, and
  208  information technology resources which are held by the
  209  corporation be made confidential and exempt from s. 119.07(1),
  210  Florida Statutes, and s. 24(a), Article I of the State
  211  Constitution if the disclosure of such portions of records would
  212  facilitate unauthorized access to or the unauthorized
  213  modification, disclosure, or destruction of:
   214         1. Data or information, whether physical or virtual; or
   215         2. Information technology resources, which include:
   216         a. Information relating to the security of the
  217  corporation’s technologies, processes, and practices designed to
  218  protect networks, computers, data processing software, and data
  219  from attack, damage, or unauthorized access; or
   220         b. Security information, whether physical or virtual, which
  221  relates to the corporation’s existing or proposed information
  222  technology systems.
   223         (b) The Legislature finds that it is valuable, prudent, and
  224  critical to the corporation to have an independent entity
  225  conduct a risk assessment, an audit, or an evaluation or
  226  complete a report of the corporation’s information technology
  227  program or related systems. Such documents would likely include
  228  an analysis of the corporation’s current information technology
  229  program or systems which could clearly identify vulnerabilities
  230  or gaps in current systems or processes and propose
  231  recommendations to remedy identified vulnerabilities.
   232         (3)(a) The Legislature further finds that it is a public
  233  necessity that those portions of a public meeting which could
  234  reveal information described in this section be made exempt from
  235  s. 286.011, Florida Statutes, and s. 24(b), Article I of the
  236  State Constitution. It is a public necessity that such meetings
  237  be made exempt from the open meetings requirements in order to
  238  protect the corporation’s information technology systems,
  239  resources, and data. The information disclosed during portions
  240  of meetings would clearly identify the corporation’s information
  241  technology systems and its vulnerabilities. This disclosure
  242  would jeopardize the information technology security of the
  243  corporation and compromise the integrity and availability of the
  244  corporation’s data and information technology resources.
   245         (b) The Legislature further finds that it is a public
  246  necessity that the recording and transcript of those portions of
  247  meetings specified in paragraph (a) be made confidential and
  248  exempt from s. 119.07(1), Florida Statutes, and s. 24(a),
  249  Article I of the State Constitution unless a court determines
  250  that the meeting was not restricted to the discussion of data
  251  and information made confidential and exempt by this act. It is
  252  a public necessity that the resulting recordings and transcripts
  253  be made confidential and exempt from the public records
  254  requirements in order to protect the corporation’s information
  255  technology systems, resources, and data. The disclosure of such
  256  recordings and transcripts would clearly identify the
  257  corporation’s information technology systems and its
  258  vulnerabilities. This disclosure would jeopardize the
  259  information technology security of the corporation and
  260  compromise the integrity and availability of the corporation’s
  261  data and information technology resources.
   262         (c) The Legislature further finds that this public meeting
  263  and public records exemption must be given retroactive
  264  application because it is remedial in nature.
  265         Section 3. This act shall take effect upon becoming a law.