This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h7019a.PEL
DATE: 1/25/2022

HOUSE OF REPRESENTATIVES STAFF ANALYSIS

BILL #: HB 7019 PCB GOS 22-08 OGSR/Technology Systems/State University or a Florida College System Institution
SPONSOR(S): Government Operations Subcommittee, Fetterhoff
TIED BILLS: None
IDEN./SIM. BILLS: SB 7004

REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
Orig. Comm.: Government Operations Subcommittee | 17 Y, 0 N | Landry | Toliver
1) Post-Secondary Education & Lifelong Learning Subcommittee | 17 Y, 0 N | Wolff | Kiner
2) State Affairs Committee | | |

SUMMARY ANALYSIS

The Open Government Sunset Review Act requires the Legislature to review each public record and each public meeting exemption five years after enactment. If the Legislature does not reenact the exemption, it automatically repeals on October 2nd of the fifth year after enactment.

State universities and Florida College System (FCS) institutions maintain records pertaining to information technology (I.T.) security, processes and practices, risk assessments, and security incidents, such as investigations into security breaches.

Current law provides a public record exemption for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits held by the university or institution. Such information is confidential and exempt from public records requirements. Specifically, current law exempts the following records held by state universities and FCS institutions:
- Records which identify detection, investigation, or response practices for suspected or confirmed I.T. security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of data or I.T.
resources; and
- Those portions of risk assessments, evaluations, audits, and other reports of the university’s or institution’s I.T. security program for its data, information, and I.T. resources which are held by the university or institution, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of data or I.T. resources.

The records must be made available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Board of Governors in the case of a state university, the State Board of Education in the case of an FCS institution; and a state or federal agency for security purposes or in furtherance of the agency’s official duties. Current law also provides a public meeting exemption for portions of meetings where such data or I.T. security matters are discussed.

This bill saves from repeal the public record exemption and public meeting exemption, which will repeal on October 2, 2022, if this bill does not become law.

This bill does not appear to have a fiscal impact on state or local governments.

FULL ANALYSIS

I. SUBSTANTIVE ANALYSIS

A. EFFECT OF PROPOSED CHANGES:

Background

Open Government Sunset Review Act

The Open Government Sunset Review Act (Act)[1] sets forth a legislative review process for newly created or substantially amended public record or public meeting exemptions. It requires an automatic repeal of the exemption on October 2nd of the fifth year after creation or substantial amendment, unless the Legislature reenacts the exemption.[2]

The Act provides that a public record or public meeting exemption may be created or maintained only if it serves an identifiable public purpose.
In addition, it may be no broader than is necessary to meet one of the following purposes:
- Allow the state or its political subdivisions to effectively and efficiently administer a governmental program, which administration would be significantly impaired without the exemption.
- Protect sensitive personal information that, if released, would be defamatory or would jeopardize an individual’s safety; however, only the identity of an individual may be exempted under this provision.
- Protect trade or business secrets.[3]

If, and only if, in reenacting an exemption that will repeal, the exemption is expanded (essentially creating a new exemption), then a public necessity statement and a two-thirds vote for passage are required.[4] If the exemption is reenacted with grammatical or stylistic changes that do not expand the exemption, if the exemption is narrowed, or if an exception to the exemption is created then a public necessity statement and a two-thirds vote for passage are not required.

State Universities and Florida College System Institutions

State universities and colleges maintain records pertaining to information technology (I.T.) security, processes and practices, risk assessments, and security incidents, such as investigations into security breaches. Public disclosure of this information presents a significant security risk and would likely reveal weaknesses within the State University System and Florida College System (FCS) computer networks, raising the potential for exploitation.

Public Record and Public Meeting Exemptions under Review

In 2017, the Legislature created an exemption from public records requirements for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits held by the university or institution.[5] Such information is confidential and exempt[6] from public records requirements.
Specifically, current law exempts the following records held by state universities and FCS institutions:
- Records which identify detection, investigation, or response practices for suspected or confirmed I.T. security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of data or I.T. resources;[7] and
- Those portions of risk assessments, evaluations, audits, and other reports of the university’s or FCS institution’s I.T. security program for its data, information, and I.T. resources which are held by the university or institution, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of data or I.T. resources.[8]

[1] Section 119.15, F.S.
[2] Section 119.15(3), F.S.
[3] Section 119.15(6)(b), F.S.
[4] Section 24(c), Art. I, FLA. CONST.
[5] Chapter 2017-109, L.O.F.; codified as section 1004.055, F.S.
[6] There is a difference between records the Legislature designates as exempt from public record requirements and those the Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under certain circumstances. See WFTV, Inc. v. The School Board of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892 So.2d 1015 (Fla. 2004); City of Riviera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola, 575 So.2d 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities specifically designated in statute. See Attorney General Opinion 85-62 (August 1, 1985).

The records must be made available to the following persons and entities:
- The Auditor General;
- The Cybercrime Office of the Department of Law Enforcement;
- The Board of Governors in the case of a state university;
- The State Board of Education in the case of an FCS institution; and
- A state or federal agency for security purposes or in furtherance of the agency’s official duties.[9]

The Legislature also created a public meeting exemption for portions of otherwise public meetings where such data or I.T. security matters are discussed.[10]

The 2017 public necessity statement[11] for the exemptions provides that the Legislature finds that the public record and public meeting exemptions are necessary because:

    Disclosure of a record, including a computer forensic analysis, or other information that would reveal weaknesses in a state university's or Florida College System institution's data security could compromise that security in the future if such information were available upon conclusion of an investigation or once an investigation ceased to be active…

    Such records are likely to contain proprietary information about the security of the system at issue. The disclosure of such information could result in the identification of vulnerabilities and further breaches of that system. In addition, the release of such information could give business competitors an unfair advantage and weaken the security technology supplier supplying the proprietary information in the marketplace…

    The disclosure of such records could potentially compromise the confidentiality, integrity, and availability of state university and Florida College System institution data and information technology resources, which would significantly impair the administration of vital educational programs.[12]

Pursuant to the Open Government Sunset Review Act, the exemptions will repeal on October 2, 2022, unless reenacted by the Legislature.[13]

During the 2021 interim, the House Government Operations Subcommittee staff sent each of Florida’s public postsecondary educational institutions a questionnaire as part of its review under the Open Government Sunset Review Act. All 12 universities and 16 of the 28 FCS institutions responded to the questionnaire. Respondents indicated that the exemptions are functioning well and there hasn’t been any litigation concerning the exemptions.[14] All respondents requested that the exemptions be retained, with an overwhelming majority requesting to enact the exemptions as is.[15]

[7] Information technology resources includes information relating to the security of the university’s or institution’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access and security information, whether physical or virtual, which relates to the university’s or institution’s existing or proposed information technology systems. Section 1004.055(1)(a)2., F.S.
[8] Section 1004.055(1), F.S.
[9] Section 1004.055(3), F.S.
[10] Section 1004.055(2), F.S.
[11] Article I, s. 24(c), FLA. CONST., requires each public record exemption to “state with specificity the public necessity justifying the exemption.”
[12] Section 2, Chapter 2017-109, L.O.F.
[13] Section 1004.0962(6), F.S.

Effect of the Bill

The bill removes the scheduled repeal date of the public record exemption and public meeting exemption; thereby, maintaining the public record exemption for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits held by the institution, and the public meeting exemption for portions of a meeting where matters specifically exempted from disclosure are discussed.

B. SECTION DIRECTORY:

Section 1: Amends s.
1004.055, F.S., to remove the scheduled repeal date of the public record exemption.
Section 2: Provides an effective date of October 1, 2022.

II. FISCAL ANALYSIS & ECONOMIC IMPACT STATEMENT

A. FISCAL IMPACT ON STATE GOVERNMENT:
1. Revenues: None.
2. Expenditures: None.

B. FISCAL IMPACT ON LOCAL GOVERNMENTS:
1. Revenues: None.
2. Expenditures: None.

C. DIRECT ECONOMIC IMPACT ON PRIVATE SECTOR: None.

D. FISCAL COMMENTS: None.

III. COMMENTS

A. CONSTITUTIONAL ISSUES:
1. Applicability of Municipality/County Mandates Provision: Not applicable. The bill does not appear to affect county or municipal governments.
2. Other: None.

B. RULE-MAKING AUTHORITY: None.

C. DRAFTING ISSUES OR OTHER COMMENTS: None.

IV. AMENDMENTS/ COMMITTEE SUBSTITUTE CHANGES

None.

[14] Open Government Sunset Review Questionnaire, Security of Post-Secondary Data, responses on file with the Government Operations Subcommittee.
[15] Id.