CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 1 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
A bill to be entitled 1
An act relating to public records and public meetings; 2
creating s. 119.0725, F.S.; providing definitions; 3
providing an exemption from public records 4
requirements for certain cybersecurity insurance 5
information, critical infrastructure information, and 6
certain cybersecurity -related information held by an 7
agency; providing an exemption from public meetings 8
requirements for portions of a meeting that would 9
reveal certain cybersecurity-related information held 10
by an agency; requiring the recording and 11
transcription of exempt portions of such meetings; 12
providing an exemption from public records 13
requirements for such recordings and transcripts; 14
providing retroactive appl ication; authorizing the 15
disclosure of confidential and exempt information 16
under certain circumstances; authorizing agencies to 17
report certain cybersecurity information in the 18
aggregate; providing for future legislative review and 19
repeal of the exemptions; amending ss. 98.015 and 20
282.318, F.S.; conforming provisions to changes made 21
by the act; providing a statement of public necessity; 22
providing a contingent effective date. 23
24
Be It Enacted by the Legislature of the State of Florida: 25
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 2 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
26
Section 1. Section 119.0725, Florida Statutes, is created 27
to read: 28
119.0725 Agency cybersecurity information; public records 29
exemption; public meetings exemption. — 30
(1) As used in this section, the term: 31
(a) "Breach" means unauthorized access of data in 32
electronic form containing personal information. Good faith 33
access of personal information by an employee or agent of an 34
agency does not constitute a breach, provided that the 35
information is not used for a purpose unrelated to the business 36
or subject to further unautho rized use. 37
(b) "Critical infrastructure" means existing and proposed 38
information technology and operational technology systems and 39
assets, whether physical or virtual, the incapacity or 40
destruction of which would negatively affect security, economic 41
security, public health, or public safety. 42
(c) "Cybersecurity" has the same meaning as in s. 43
282.0041. 44
(d) "Data" has the same meaning as in s. 282.0041. 45
(e) "Incident" means a violation or imminent threat of 46
violation, whether such violation is accident al or deliberate, 47
of information technology resources, security, policies, or 48
practices. As used in this paragraph, the term "imminent threat 49
of violation" means a situation in which the agency has a 50
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 3 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
factual basis for believing that a specific incident is about to 51
occur. 52
(f) "Information technology" has the same meaning as in s. 53
282.0041. 54
(g) "Operational technology" means the hardware and 55
software that cause or detect a change through the direct 56
monitoring or control of physical devices, systems, proce sses, 57
or events. 58
(2) The following information held by an agency is 59
confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 60
of the State Constitution: 61
(a) Coverage limits and deductible or self -insurance 62
amounts of insurance or other risk mitiga tion coverages acquired 63
for the protection of information technology systems, 64
operational technology systems, or data of an agency. 65
(b) Information relating to critical infrastructure. 66
(c) Network schematics, hardware and software 67
configurations, or encryption information or information that 68
identifies detection, investigation, or response practices for 69
suspected or confirmed cybersecurity incidents, including 70
suspected or confirmed breaches, if the disclosure of such 71
information would facilitate unau thorized access to or 72
unauthorized modification, disclosure, or destruction of: 73
1. Data or information, whether physical or virtual; or 74
2. Information technology resources, which include an 75
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 4 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
agency's existing or proposed information technology systems. 76
(3) Any portion of a meeting that would reveal information 77
made confidential and exempt under subsection (2) is exempt from 78
s. 286.011 and s. 24(b), Art. I of the State Constitution. An 79
exempt portion of a meeting may not be off the record and must 80
be recorded and transcribed. The recording and transcript are 81
confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 82
of the State Constitution. 83
(4) The public records exemptions contained in this 84
section apply to information held by an agency before, on, or 85
after July 1, 2022. 86
(5)(a) Information made confidential and exempt pursuant 87
to this section shall be made available to a law enforcement 88
agency, the Auditor General, the Cybercrime Office of the 89
Department of Law Enforcement, the Florida Digital Service 90
within the Department of Management Services, and, for agencies 91
under the jurisdiction of the Governor, the Chief Inspector 92
General. 93
(b) Such confidential and exempt information may be 94
disclosed by an agency in the furtherance of its official dut ies 95
and responsibilities or to another agency or governmental entity 96
in the furtherance of its statutory duties and responsibilities. 97
(6) Agencies may report information about cybersecurity 98
incidents in the aggregate. 99
(7) This section is subject to the Open Government Sunset 100
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 5 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Review Act in accordance with s. 119.15 and shall stand repealed 101
on October 2, 2027, unless reviewed and saved from repeal 102
through reenactment by the Legislature. 103
Section 2. Subsection (13) of section 98.015, Florida 104
Statutes, is amended to read: 105
98.015 Supervisor of elections; election, tenure of 106
office, compensation, custody of registration -related documents, 107
office hours, successor, seal; appointment of deputy 108
supervisors; duties; public records exemption .— 109
(13)(a) Portions of records held by a supervisor of 110
elections which contain network schematics, hardware and 111
software configurations, or encryption, or which identify 112
detection, investigation, or response practices for suspected or 113
confirmed information technology securi ty incidents, including 114
suspected or confirmed breaches, are confidential and exempt 115
from s. 119.07(1) and s. 24(a), Art. I of the State 116
Constitution, if the disclosure of such records would facilitate 117
unauthorized access to or the unauthorized modificatio n, 118
disclosure, or destruction of: 119
1. Data or information, whether physical or virtual; or 120
2. Information technology resources as defined in s. 121
119.011(9), which includes: 122
a. Information relating to the security of a supervisor of 123
elections' technolog y, processes, and practices designed to 124
protect networks, computers, data processing software, and data 125
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 6 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
from attack, damage, or unauthorized access; or 126
b. Security information, whether physical or virtual, 127
which relates to a supervisor of elections' exis ting or proposed 128
information technology systems. 129
(b) The portions of records made confidential and exempt 130
in paragraph (a) shall be available to the Auditor General and 131
may be made available to another governmental entity for 132
information technology secur ity purposes or in the furtherance 133
of the entity's official duties. 134
(c) The public record exemption in paragraph (a) applies 135
to records held by a supervisor of elections before, on, or 136
after the effective date of the exemption. 137
(d) This subsection is s ubject to the Open Government 138
Sunset Review Act in accordance with s. 119.15 and shall stand 139
repealed on October 2, 2026, unless reviewed and saved from 140
repeal through reenactment by the Legislature. 141
Section 3. Subsections (6) and (11) of section 282.3 18, 142
Florida Statutes, are renumbered as subsections (5) and (10), 143
respectively, and present subsections (5), (7), (8), (9), and 144
(10) of that section are amended to read: 145
282.318 Cybersecurity. — 146
(5) Portions of records held by a state agency which 147
contain network schematics, hardware and software 148
configurations, or encryption, or which identify detection, 149
investigation, or response practices for suspected or confirmed 150
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 7 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
cybersecurity incidents, including suspected or confirmed 151
breaches, are confidential an d exempt from s. 119.07(1) and s. 152
24(a), Art. I of the State Constitution, if the disclosure of 153
such records would facilitate unauthorized access to or the 154
unauthorized modification, disclosure, or destruction of: 155
(a) Data or information, whether physica l or virtual; or 156
(b) Information technology resources, which includes: 157
1. Information relating to the security of the agency's 158
technologies, processes, and practices designed to protect 159
networks, computers, data processing software, and data from 160
attack, damage, or unauthorized access; or 161
2. Security information, whether physical or virtual, 162
which relates to the agency's existing or proposed information 163
technology systems. 164
(6)(7) Those portions of a public meeting as specified in 165
s. 286.011 which would reveal records which are confidential and 166
exempt under subsection (5) or subsection (6) are exempt from s. 167
286.011 and s. 24(b), Art. I of the State Constitution. No 168
exempt portion of an exempt meeting may be off the record. All 169
exempt portions of such meeting shall be recorded and 170
transcribed. Such recordings and transcripts are confidential 171
and exempt from disclosure under s. 119.07(1) and s. 24(a), Art. 172
I of the State Constitution unless a court of competent 173
jurisdiction, after an in camera review, d etermines that the 174
meeting was not restricted to the discussion of data and 175
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 8 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
information made confidential and exempt by this section. In the 176
event of such a judicial determination, only that portion of the 177
recording and transcript which reveals nonexempt d ata and 178
information may be disclosed to a third party. 179
(7)(8) The portions of records made confidential and 180
exempt in subsections (5) and, (6), and (7) shall be available 181
to the Auditor General, the Cybercrime Office of the Department 182
of Law Enforcement, the Florida Digital Service within the 183
department, and, for agencies under the jurisdiction of the 184
Governor, the Chief Inspector General. Such portions of records 185
may be made available to a local government, another state 186
agency, or a federal agency for cybersecurity purposes or in 187
furtherance of the state agency's official duties. 188
(8)(9) The exemptions contained in subsections (5) and, 189
(6), and (7) apply to records held by a state agency before, on, 190
or after the effective date of this exemption. 191
(9)(10) Subsections (5) and, (6), and (7) are subject to 192
the Open Government Sunset Review Act in accordance with s. 193
119.15 and shall stand repealed on Oc tober 2, 2025, unless 194
reviewed and saved from repeal through reenactment by the 195
Legislature. 196
Section 4. (1) The Legislature finds that it is a public 197
necessity that the following information held by an agency be 198
made confidential and exempt from s. 11 9.07(1), Florida 199
Statutes, and s. 24(a), Article I of the State Constitution: 200
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 9 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
(a) Coverage limits and deductible or self -insurance 201
amounts of insurance or other risk mitigation coverages acquired 202
for the protection of information technology systems, 203
operational technology systems, or data of an agency. 204
(b) Information relating to critical infrastructure. 205
(c) Network schematics, hardware and software 206
configurations, or encryption information or information that 207
identifies detection, investigation, or r esponse practices for 208
suspected or confirmed cybersecurity incidents, including 209
suspected or confirmed breaches, if the disclosure of such 210
information would facilitate unauthorized access to or 211
unauthorized modification, disclosure, or destruction of: 212
1. Data or information, whether physical or virtual; or 213
2. Information technology resources, which include an 214
agency's existing or proposed information technology systems. 215
216
Release of such information could place an agency at greater 217
risk of breaches, cybe rsecurity incidents, and ransomware 218
attacks. Such information could be used by criminals to identify 219
any vulnerabilities that may exist in an agency's security 220
system, thereby compromising the integrity of the agency's 221
information technology, operational t echnology, and data. If 222
information related to the coverage limits and deductible or 223
self-insurance amounts of cybersecurity insurance were 224
disclosed, it could give cybercriminals an understanding of the 225
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 10 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
monetary sum an agency can afford or may be willing to pay as a 226
result of a ransomware attack at the expense of the taxpayer. In 227
addition, critical infrastructure information is a vital 228
component of public safety and, if made publicly available, 229
could aid in the planning of, training for, and execution of 230
cyberattacks, thereby increasing the ability of persons to harm 231
individuals in this state. The recent cybersecurity hacking and 232
shutdown of the Colonial Pipeline by the criminal enterprise 233
DarkSide in 2021 and the infiltration of the Bowman Avenue Dam 234
in Rye Brook, New York, by Iranian hackers in 2013 provide 235
evidence that such criminal capabilities exist. These events 236
also show the crippling effect that cyberattacks on critical 237
infrastructure may have. Further, the release of network 238
schematics, hardware an d software configurations, or encryption 239
information or information that identifies detection, 240
investigation, or response practices for suspected or confirmed 241
cybersecurity incidents, including suspected or confirmed 242
breaches, would facilitate unauthorized access to or the 243
unauthorized modification, disclosure, or destruction of data or 244
information, whether physical or virtual, or information 245
technology resources. Such information also includes proprietary 246
information about the security of an agency's syste m. The 247
disclosure of such information could compromise the integrity of 248
an agency's data, information, or information technology 249
resources, which would significantly impair the administration 250
CS/HB 7057 2022
CODING: Words stricken are deletions; words underlined are additions.
hb7057-01-c1
Page 11 of 11
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
of vital governmental programs. Therefore, this information 251
should be made confidential and exempt in order to protect the 252
agency's data, information, and information technology 253
resources. 254
(2) The Legislature also finds that it is a public 255
necessity that any portion of a meeting that would reveal the 256
confidential and exempt information be made exempt from s. 257
286.011, Florida Statutes, and s. 24(b), Article I of the State 258
Constitution, and that any recordings and transcripts of the 259
closed portion of a meeting be made confidential and exempt from 260
s. 119.07(1), Florida S tatutes, and s. 24(a), Article I of the 261
State Constitution. The failure to close that portion of a 262
meeting at which confidential and exempt information would be 263
revealed, and prevent the disclosure of the recordings and 264
transcripts of those portions of a m eeting, would defeat the 265
purpose of the underlying public records exemption and could 266
result in the release of highly sensitive information related to 267
the cybersecurity of an agency system. 268
(3) For these reasons, the Legislature finds that these 269
public records and public meetings exemptions are of the utmost 270
importance and are a public necessity. 271
Section 5. This act shall take effect on the same date 272
that HB 7055 or similar legislation takes effect , if such 273
legislation is adopted in the same legisla tive session or an 274
extension thereof and becomes law. 275