This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h7019c.SAC
DATE: 2/1/2022

HOUSE OF REPRESENTATIVES STAFF ANALYSIS

BILL #: HB 7019 PCB GOS 22-08 OGSR/Technology Systems/State University or a Florida College System Institution
SPONSOR(S): Government Operations Subcommittee, Fetterhoff
TIED BILLS: None
IDEN./SIM. BILLS: SB 7004

REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
Orig. Comm.: Government Operations Subcommittee | 17 Y, 0 N | Landry | Toliver
1) Post-Secondary Education & Lifelong Learning Subcommittee | 17 Y, 0 N | Wolff | Kiner
2) State Affairs Committee | 20 Y, 1 N | Landry | Williamson

SUMMARY ANALYSIS

The Open Government Sunset Review Act requires the Legislature to review each public record and each public meeting exemption five years after enactment. If the Legislature does not reenact the exemption, it automatically repeals on October 2nd of the fifth year after enactment.

State universities and Florida College System (FCS) institutions maintain records pertaining to information technology (I.T.) security, processes and practices, risk assessments, and security incidents, such as investigations into security breaches.

Current law provides a public record exemption for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits held by the university or institution. Specifically, the following records held by state universities and FCS institutions are confidential and exempt from public record requirements:

- Records that identify detection, investigation, or response practices for suspected or confirmed I.T. security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of data or I.T. resources; and
- Those portions of risk assessments, evaluations, audits, and other reports of the university’s or institution’s I.T. security program for its data, information, and I.T. resources if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of data or I.T. resources.

The records must be made available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Board of Governors in the case of a state university, the State Board of Education in the case of an FCS institution; and a state or federal agency for security purposes or in furtherance of the agency’s official duties. Current law also provides a public meeting exemption for portions of meetings wherein such records are discussed.

This bill saves from repeal the public record exemption and public meeting exemption, which will repeal on October 2, 2022, if this bill does not become law.

This bill does not appear to have a fiscal impact on state or local governments.

FULL ANALYSIS

I. SUBSTANTIVE ANALYSIS

A. EFFECT OF PROPOSED CHANGES:

Background

Open Government Sunset Review Act

The Open Government Sunset Review Act (Act)[1] sets forth a legislative review process for newly created or substantially amended public record or public meeting exemptions. It requires an automatic repeal of the exemption on October 2nd of the fifth year after creation or substantial amendment, unless the Legislature reenacts the exemption.[2]

The Act provides that a public record or public meeting exemption may be created or maintained only if it serves an identifiable public purpose. In addition, it may be no broader than is necessary to meet one of the following purposes:

- Allow the state or its political subdivisions to effectively and efficiently administer a governmental program, which administration would be significantly impaired without the exemption.
- Protect sensitive personal information that, if released, would be defamatory or would jeopardize an individual’s safety; however, only the identity of an individual may be exempted under this provision.
- Protect trade or business secrets.[3]

If, and only if, in reenacting an exemption that will repeal, the exemption is expanded (essentially creating a new exemption), then a public necessity statement and a two-thirds vote for passage are required.[4] If the exemption is reenacted with grammatical or stylistic changes that do not expand the exemption, if the exemption is narrowed, or if an exception to the exemption is created then a public necessity statement and a two-thirds vote for passage are not required.

State Universities and Florida College System Institutions

State universities and colleges maintain records pertaining to information technology (I.T.) security, processes and practices, risk assessments, and security incidents, such as investigations into security breaches. Public disclosure of this information presents a significant security risk and would likely reveal weaknesses within the State University System and Florida College System (FCS) computer networks, raising the potential for exploitation.

Public Record and Public Meeting Exemptions under Review

In 2017, the Legislature created an exemption from public records requirements for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits held by the university or institution.[5] Specifically, the following records held by state universities and FCS institutions are confidential and exempt[6] from public record requirements:

- Records which identify detection, investigation, or response practices for suspected or confirmed I.T. security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of data or I.T. resources;[7] and
- Those portions of risk assessments, evaluations, audits, and other reports of the university’s or FCS institution’s I.T. security program for its data, information, and I.T. resources if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of data or I.T. resources.[8]

The records must be made available to the following persons and entities:

- The Auditor General;
- The Cybercrime Office of the Department of Law Enforcement;
- The Board of Governors in the case of a state university;
- The State Board of Education in the case of a FCS institution; and
- A state or federal agency for security purposes or in furtherance of the agency’s official duties.[9]

The Legislature also created a public meeting exemption for those portions of meetings wherein such confidential and exempt records are discussed. All exempt portions of the meeting must be recorded and transcribed. The recording and transcript are confidential and exempt from public record requirements. However, if a court of competent jurisdiction determines through an in camera inspection that the meeting was not restricted to the discussion of the confidential and exempt records, then those portions of the transcript unrelated to the public record exemption may be disclosed.[10]

The 2017 public necessity statement[11] for the exemptions provides that the Legislature finds that the public record and public meeting exemptions are necessary because:

Disclosure of a record, including a computer forensic analysis, or other information that would reveal weaknesses in a state university's or Florida College System institution's data security could compromise that security in the future if such information were available upon conclusion of an investigation or once an investigation ceased to be active…

Such records are likely to contain proprietary information about the security of the system at issue. The disclosure of such information could result in the identification of vulnerabilities and further breaches of that system. In addition, the release of such information could give business competitors an unfair advantage and weaken the security technology supplier supplying the proprietary information in the marketplace…

The disclosure of such records could potentially compromise the confidentiality, integrity, and availability of state university and Florida College System institution data and information technology resources, which would significantly impair the administration of vital educational programs.[12]

Pursuant to the Open Government Sunset Review Act, the exemptions will repeal on October 2, 2022, unless reenacted by the Legislature.[13]

During the 2021 interim, the House Government Operations Subcommittee staff sent questionnaires to Florida’s public postsecondary educational institutions as part of its review under the Open Government Sunset Review Act. All 12 universities and 16 of the 28 FCS institutions responded to the questionnaire. Respondents indicated that the exemptions are functioning well and that there had not been any litigation concerning the exemptions.[14] All respondents requested that the exemptions be retained, with an overwhelming majority requesting to maintain the exemptions as is.[15]

Effect of the Bill

The bill removes the scheduled repeal date of the public record exemption and public meeting exemption; thereby, maintaining the public record exemption for certain information held by a state university or FCS institution related to I.T. security or potential breaches of security, as well as I.T. security program risk assessments, evaluations, and audits, and the public meeting exemption for portions of a meeting wherein such confidential and exempt records are discussed.

B. SECTION DIRECTORY:

Section 1: Amends s. 1004.055, F.S., to remove the scheduled repeal date of the public record exemption and public meeting exemption.
Section 2: Provides an effective date of October 1, 2022.

II. FISCAL ANALYSIS & ECONOMIC IMPACT STATEMENT

A. FISCAL IMPACT ON STATE GOVERNMENT:
1. Revenues: None.
2. Expenditures: None.

B. FISCAL IMPACT ON LOCAL GOVERNMENTS:
1. Revenues: None.
2. Expenditures: None.

C. DIRECT ECONOMIC IMPACT ON PRIVATE SECTOR: None.

D. FISCAL COMMENTS: None.

III. COMMENTS

A. CONSTITUTIONAL ISSUES:
1. Applicability of Municipality/County Mandates Provision: Not applicable. The bill does not appear to affect county or municipal governments.
2. Other: None.

B. RULE-MAKING AUTHORITY: None.

C. DRAFTING ISSUES OR OTHER COMMENTS: None.

IV. AMENDMENTS/COMMITTEE SUBSTITUTE CHANGES

None.

[1] Section 119.15, F.S.
[2] Section 119.15(3), F.S.
[3] Section 119.15(6)(b), F.S.
[4] Section 24(c), Art. I, FLA. CONST.
[5] Chapter 2017-109, L.O.F.; codified as s. 1004.055, F.S.
[6] There is a difference between records the Legislature designates as exempt from public record requirements and those the Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under certain circumstances. See WFTV, Inc. v. The School Board of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892 So.2d 1015 (Fla. 2004); City of Riviera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola, 575 So.2d 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities specifically designated in statute. See Attorney General Opinion 85-62 (August 1, 1985).
[7] Information technology resources includes information relating to the security of the university’s or institution’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access and security information, whether physical or virtual, which relates to the university’s or institution’s existing or proposed information technology systems. Section 1004.055(1)(a)2., F.S.
[8] Section 1004.055(1), F.S.
[9] Section 1004.055(3), F.S.
[10] Section 1004.055(2), F.S.
[11] Article I, s. 24(c), FLA. CONST., requires each public record exemption to “state with specificity the public necessity justifying the exemption.”
[12] Section 2, Chapter 2017-109, L.O.F.
[13] Section 1004.0962(6), F.S.
[14] Open Government Sunset Review Questionnaire, Security of Post-Secondary Data, responses on file with the Government Operations Subcommittee.
[15] Id.