ENROLLED
       2022 Legislature                                         SB 7004
       
       
       
       
       
       
                                                             20227004er
    1  
    2         An act relating to a review under the Open Government
    3         Sunset Review Act; amending s. 1004.055, F.S., which
    4         provides exemptions from public records and public
    5         meetings requirements for specified data or
    6         information from technology systems owned, under
    7         contract, or maintained by a state university or a
    8         Florida College System institution and portions of
    9         meetings which would reveal such data and information;
   10         removing the scheduled repeal of the exemptions;
   11         providing an effective date.
   12          
   13  Be It Enacted by the Legislature of the State of Florida:
   14  
   15         Section 1. Section 1004.055, Florida Statutes, is amended
   16  to read:
   17         1004.055 Security of data and information technology in
   18  state postsecondary education institutions.—
   19         (1) All of the following data or information from
   20  technology systems owned, under contract, or maintained by a
   21  state university or a Florida College System institution is
   22  confidential and exempt from s. 119.07(1) and s. 24(a), Art. I
   23  of the State Constitution:
   24         (a) Records held by the university or institution which
   25  identify detection, investigation, or response practices for
   26  suspected or confirmed information technology security
   27  incidents, including suspected or confirmed breaches, if the
   28  disclosure of such records would facilitate unauthorized access
   29  to or unauthorized modification, disclosure, or destruction of:
   30         1. Data or information, whether physical or virtual; or
   31         2. Information technology resources, which include:
   32         a. Information relating to the security of the university’s
   33  or institution’s technologies, processes, and practices designed
   34  to protect networks, computers, data processing software, and
   35  data from attack, damage, or unauthorized access; or
   36         b. Security information, whether physical or virtual, which
   37  relates to the university’s or institution’s existing or
   38  proposed information technology systems.
   39         (b) Those portions of risk assessments, evaluations,
   40  audits, and other reports of the university’s or institution’s
   41  information technology security program for its data,
   42  information, and information technology resources which are held
   43  by the university or institution, if the disclosure of such
   44  records would facilitate unauthorized access to or the
   45  unauthorized modification, disclosure, or destruction of:
   46         1. Data or information, whether physical or virtual; or
   47         2. Information technology resources, which include:
   48         a. Information relating to the security of the university’s
   49  or institution’s technologies, processes, and practices designed
   50  to protect networks, computers, data processing software, and
   51  data from attack, damage, or unauthorized access; or
   52         b. Security information, whether physical or virtual, which
   53  relates to the university’s or institution’s existing or
   54  proposed information technology systems.
   55         (2) Those portions of a public meeting as specified in s.
   56  286.011 which would reveal data and information described in
   57  subsection (1) are exempt from s. 286.011 and s. 24(b), Art. I
   58  of the State Constitution. No exempt portion of an exempt
   59  meeting may be off the record. All exempt portions of such a
   60  meeting must be recorded and transcribed. The recording and
   61  transcript of the meeting must remain confidential and exempt
   62  from disclosure under s. 119.07(1) and s. 24(a), Art. 1 of the
   63  State Constitution unless a court of competent jurisdiction,
   64  following an in camera review, determines that the meeting was
   65  not restricted to the discussion of data and information made
   66  confidential and exempt by this section. In the event of such a
   67  judicial determination, only that portion of the transcript
   68  which reveals nonexempt data and information may be disclosed to
   69  a third party.
   70         (3) The records and portions of public meeting recordings
   71  and transcripts described in subsection (1) must be available to
   72  the Auditor General; the Cybercrime Office of the Department of
   73  Law Enforcement; for a state university, the Board of Governors;
   74  and for a Florida College System institution, the State Board of
   75  Education. Such records and portions of meetings, recordings,
   76  and transcripts may be made available to a state or federal
   77  agency for security purposes or in furtherance of the agency’s
   78  official duties.
   79         (4) The exemptions listed in this section apply to such
   80  records or portions of public meetings, recordings, and
   81  transcripts held by the university or institution before, on, or
   82  after June 14, 2017.
   83         (5) This section is subject to the Open Government Sunset
   84  Review Act in accordance with s. 119.15 and shall stand repealed
   85  on October 2, 2022, unless reviewed and saved from repeal
   86  through reenactment by the Legislature.
   87         Section 2. This act shall take effect October 1, 2022.