FL
Florida House Bill H7057

Florida 2022 Regular Session

Florida House Bill H7057 Compare Versions

OldNewDifferences
11
2-ENROLLED
3-CS/HB 7057, Engrossed 1 2022 Legislature
2+
3+CS/HB 7057, Engrossed 1 2022
44
55
66
77 CODING: Words stricken are deletions; words underlined are additions.
8-hb7057-03-er
8+hb7057-02-e1
99 Page 1 of 12
1010 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
1111
1212
1313
14- 1
14+A bill to be entitled 1
1515 An act relating to public records and public meetings; 2
1616 creating s. 119.0725, F.S.; providing definitions; 3
1717 providing an exemption from public records 4
1818 requirements for certain cybersecurity insurance 5
1919 information, critical infrastructure information, 6
2020 cybersecurity incident information, and certain 7
2121 cybersecurity-related information held by an agency; 8
2222 providing an exemption from public meetings 9
2323 requirements for portions of a meeting that would 10
2424 reveal certain cybersecurity -related information held 11
2525 by an agency; requiring the recording and 12
2626 transcription of exempt portions of such meetings; 13
2727 providing an exemption from public records 14
2828 requirements for such record ings and transcripts; 15
2929 providing retroactive application; authorizing the 16
3030 disclosure of confidential and exempt information 17
3131 under certain circumstances; authorizing agencies to 18
3232 report certain cybersecurity information in the 19
3333 aggregate; providing for future legislative review and 20
3434 repeal of the exemptions; amending ss. 98.015 and 21
3535 282.318, F.S.; conforming provisions to changes made 22
3636 by the act; providing a statement of public necessity; 23
3737 providing a contingent effective date. 24
3838 25
39-ENROLLED
40-CS/HB 7057, Engrossed 1 2022 Legislature
39+
40+CS/HB 7057, Engrossed 1 2022
4141
4242
4343
4444 CODING: Words stricken are deletions; words underlined are additions.
45-hb7057-03-er
45+hb7057-02-e1
4646 Page 2 of 12
4747 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
4848
4949
5050
5151 Be It Enacted by the Legislatur e of the State of Florida: 26
5252 27
5353 Section 1. Section 119.0725, Florida Statutes, is created 28
5454 to read: 29
5555 119.0725 Agency cybersecurity information; public records 30
5656 exemption; public meetings exemption. — 31
5757 (1) As used in this section, the term: 32
5858 (a) "Breach" means unauthorized access of data in 33
5959 electronic form containing personal information. Good faith 34
6060 access of personal information by an employee or agent of an 35
6161 agency does not constitute a breach, provided that the 36
6262 information is not used for a purpose unrelat ed to the business 37
6363 or subject to further unauthorized use. 38
6464 (b) "Critical infrastructure" means existing and proposed 39
6565 information technology and operational technology systems and 40
6666 assets, whether physical or virtual, the incapacity or 41
6767 destruction of which would negatively affect security, economic 42
6868 security, public health, or public safety. 43
6969 (c) "Cybersecurity" has the same meaning as in s. 44
7070 282.0041. 45
7171 (d) "Data" has the same meaning as in s. 282.0041. 46
7272 (e) "Incident" means a violation or imminent threat of 47
7373 violation, whether such violation is accidental or deliberate, 48
7474 of information technology resources, security, policies, or 49
7575 practices. As used in this paragraph, the term "imminent threat 50
76-ENROLLED
77-CS/HB 7057, Engrossed 1 2022 Legislature
76+
77+CS/HB 7057, Engrossed 1 2022
7878
7979
8080
8181 CODING: Words stricken are deletions; words underlined are additions.
82-hb7057-03-er
82+hb7057-02-e1
8383 Page 3 of 12
8484 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
8585
8686
8787
8888 of violation" means a situation in which the agency has a 51
8989 factual basis for believing that a specific incident is about to 52
9090 occur. 53
9191 (f) "Information technology" has the same meaning as in s. 54
9292 282.0041. 55
9393 (g) "Operational technology" means the hardware and 56
9494 software that cause or detect a change through the direct 57
9595 monitoring or control of physical devices, systems, processes, 58
9696 or events. 59
9797 (2) The following information held by an agency is 60
9898 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 61
9999 of the State Constitution: 62
100100 (a) Coverage limits and deductible or self -insurance 63
101101 amounts of insurance or other risk mitigation coverages acquired 64
102102 for the protection of information technology systems, 65
103103 operational technology systems, or data of an agency. 66
104104 (b) Information relating to critical infrastructure. 67
105105 (c) Cybersecurity incident information reported pursuant 68
106106 to s. 282.318 or s. 282.3185. 69
107107 (d) Network schematics, hardware and software 70
108108 configurations, or encryption information or information that 71
109109 identifies detection, investigation, or response practices for 72
110110 suspected or confirmed cybersecurity incidents, including 73
111111 suspected or confirmed breaches, if the disclosure of such 74
112-ENROLLED
113-CS/HB 7057, Engrossed 1 2022 Legislature
112+
113+CS/HB 7057, Engrossed 1 2022
114114
115115
116116
117117 CODING: Words stricken are deletions; words underlined are additions.
118-hb7057-03-er
118+hb7057-02-e1
119119 Page 4 of 12
120120 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
121121
122122
123123
124124 information would facilitate unauthorized access to or 75
125125 unauthorized modification, disclosure, or destruction of: 76
126126 1. Data or information, whether physic al or virtual; or 77
127127 2. Information technology resources, which include an 78
128128 agency's existing or proposed information technology systems. 79
129129 (3) Any portion of a meeting that would reveal information 80
130130 made confidential and exempt under subsection (2) is exempt from 81
131131 s. 286.011 and s. 24(b), Art. I of the State Constitution. An 82
132132 exempt portion of a meeting may not be off the record and must 83
133133 be recorded and transcribed. The recording and transcript are 84
134134 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 85
135135 of the State Constitution. 86
136136 (4) The public records exemptions contained in this 87
137137 section apply to information held by an agency before, on, or 88
138138 after July 1, 2022. 89
139139 (5)(a) Information made confidential and exempt pursuant 90
140140 to this section shall be made avai lable to a law enforcement 91
141141 agency, the Auditor General, the Cybercrime Office of the 92
142142 Department of Law Enforcement, the Florida Digital Service 93
143143 within the Department of Management Services, and, for agencies 94
144144 under the jurisdiction of the Governor, the Chie f Inspector 95
145145 General. 96
146146 (b) Such confidential and exempt information may be 97
147147 disclosed by an agency in the furtherance of its official duties 98
148148 and responsibilities or to another agency or governmental entity 99
149-ENROLLED
150-CS/HB 7057, Engrossed 1 2022 Legislature
149+
150+CS/HB 7057, Engrossed 1 2022
151151
152152
153153
154154 CODING: Words stricken are deletions; words underlined are additions.
155-hb7057-03-er
155+hb7057-02-e1
156156 Page 5 of 12
157157 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
158158
159159
160160
161161 in the furtherance of its statutory duties and resp onsibilities. 100
162162 (6) Agencies may report information about cybersecurity 101
163163 incidents in the aggregate. 102
164164 (7) This section is subject to the Open Government Sunset 103
165165 Review Act in accordance with s. 119.15 and shall stand repealed 104
166166 on October 2, 2027, unless revi ewed and saved from repeal 105
167167 through reenactment by the Legislature. 106
168168 Section 2. Subsection (13) of section 98.015, Florida 107
169169 Statutes, is amended to read: 108
170170 98.015 Supervisor of elections; election, tenure of 109
171171 office, compensation, custody of registration -related documents, 110
172172 office hours, successor, seal; appointment of deputy 111
173173 supervisors; duties; public records exemption .— 112
174174 (13)(a) Portions of records held by a supervisor of 113
175175 elections which contain network schematics, hardware and 114
176176 software configurations, o r encryption, or which identify 115
177177 detection, investigation, or response practices for suspected or 116
178178 confirmed information technology security incidents, including 117
179179 suspected or confirmed breaches, are confidential and exempt 118
180180 from s. 119.07(1) and s. 24(a), Art . I of the State 119
181181 Constitution, if the disclosure of such records would facilitate 120
182182 unauthorized access to or the unauthorized modification, 121
183183 disclosure, or destruction of: 122
184184 1. Data or information, whether physical or virtual; or 123
185185 2. Information technology resources as defined in s. 124
186-ENROLLED
187-CS/HB 7057, Engrossed 1 2022 Legislature
186+
187+CS/HB 7057, Engrossed 1 2022
188188
189189
190190
191191 CODING: Words stricken are deletions; words underlined are additions.
192-hb7057-03-er
192+hb7057-02-e1
193193 Page 6 of 12
194194 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
195195
196196
197197
198198 119.011(9), which includes: 125
199199 a. Information relating to the security of a supervisor of 126
200200 elections' technology, processes, and practices designed to 127
201201 protect networks, computers, data processing software, and data 128
202202 from attack, damage, or unauthorized access; or 129
203203 b. Security information, whether physical or virtual, 130
204204 which relates to a supervisor of elections' existing or proposed 131
205205 information technology systems. 132
206206 (b) The portions of records made confidential and exempt 133
207207 in paragraph (a) shall be available to the Auditor General and 134
208208 may be made available to another governmental entity for 135
209209 information technology security purposes or in the furtherance 136
210210 of the entity's official duties. 137
211211 (c) The public record exemption in paragraph (a) a pplies 138
212212 to records held by a supervisor of elections before, on, or 139
213213 after the effective date of the exemption. 140
214214 (d) This subsection is subject to the Open Government 141
215215 Sunset Review Act in accordance with s. 119.15 and shall stand 142
216216 repealed on October 2, 2026 , unless reviewed and saved from 143
217217 repeal through reenactment by the Legislature. 144
218218 Section 3. Subsections (6) and (11) of section 282.318, 145
219219 Florida Statutes, are renumbered as subsections (5) and (10), 146
220220 respectively, and present subsections (5), (7), (8), ( 9), and 147
221221 (10) of that section are amended to read: 148
222222 282.318 Cybersecurity. — 149
223-ENROLLED
224-CS/HB 7057, Engrossed 1 2022 Legislature
223+
224+CS/HB 7057, Engrossed 1 2022
225225
226226
227227
228228 CODING: Words stricken are deletions; words underlined are additions.
229-hb7057-03-er
229+hb7057-02-e1
230230 Page 7 of 12
231231 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
232232
233233
234234
235235 (5) Portions of records held by a state agency which 150
236236 contain network schematics, hardware and software 151
237237 configurations, or encryption, or which identify detection, 152
238238 investigation, or response practices for suspected or confirmed 153
239239 cybersecurity incidents, including suspected or confirmed 154
240240 breaches, are confidential and exempt from s. 119.07(1) and s. 155
241241 24(a), Art. I of the State Constitution, if the disclosure of 156
242242 such records would facil itate unauthorized access to or the 157
243243 unauthorized modification, disclosure, or destruction of: 158
244244 (a) Data or information, whether physical or virtual; or 159
245245 (b) Information technology resources, which includes: 160
246246 1. Information relating to the security of th e agency's 161
247247 technologies, processes, and practices designed to protect 162
248248 networks, computers, data processing software, and data from 163
249249 attack, damage, or unauthorized access; or 164
250250 2. Security information, whether physical or virtual, 165
251251 which relates to the agency's existing or proposed information 166
252252 technology systems. 167
253253 (6)(7) Those portions of a public meeting as specified in 168
254254 s. 286.011 which would reveal records which are confidential and 169
255255 exempt under subsection (5) or subsection (6) are exempt from s. 170
256256 286.011 and s. 24(b), Art. I of the State Constitution. No 171
257257 exempt portion of an exempt meeting may be off the record. All 172
258258 exempt portions of such meeting shall be recorded and 173
259259 transcribed. Such recordings and transcripts are confidential 174
260-ENROLLED
261-CS/HB 7057, Engrossed 1 2022 Legislature
260+
261+CS/HB 7057, Engrossed 1 2022
262262
263263
264264
265265 CODING: Words stricken are deletions; words underlined are additions.
266-hb7057-03-er
266+hb7057-02-e1
267267 Page 8 of 12
268268 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
269269
270270
271271
272272 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art. 175
273273 I of the State Constitution unless a court of competent 176
274274 jurisdiction, after an in camera review, determines that the 177
275275 meeting was not restricted to the discussion of data and 178
276276 information made confidential and exempt by this section. In the 179
277277 event of such a judicial determination, only that portion of the 180
278278 recording and transcript which reveals nonexempt data and 181
279279 information may be disclosed to a third party. 182
280280 (7)(8) The portions of records made c onfidential and 183
281281 exempt in subsections (5) and, (6), and (7) shall be available 184
282282 to the Auditor General, the Cybercrime Office of the Department 185
283283 of Law Enforcement, the Florida Digital Service within the 186
284284 department, and, for agencies under the jurisdiction o f the 187
285285 Governor, the Chief Inspector General. Such portions of records 188
286286 may be made available to a local government, another state 189
287287 agency, or a federal agency for cybersecurity purposes or in 190
288288 furtherance of the state agency's official duties. 191
289289 (8)(9) The exemptions contained in subsections (5) and, 192
290290 (6), and (7) apply to records held by a state agency before, on, 193
291291 or after the effective date of this exemption. 194
292292 (9)(10) Subsections (5) and, (6), and (7) are subject to 195
293293 the Open Government Sunset Review Act in a ccordance with s. 196
294294 119.15 and shall stand repealed on October 2, 2025, unless 197
295295 reviewed and saved from repeal through reenactment by the 198
296296 Legislature. 199
297-ENROLLED
298-CS/HB 7057, Engrossed 1 2022 Legislature
297+
298+CS/HB 7057, Engrossed 1 2022
299299
300300
301301
302302 CODING: Words stricken are deletions; words underlined are additions.
303-hb7057-03-er
303+hb7057-02-e1
304304 Page 9 of 12
305305 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
306306
307307
308308
309309 Section 4. (1) The Legislature finds that it is a public 200
310310 necessity that the following information held by an agency be 201
311311 made confidential and exempt from s. 119.07(1), Florida 202
312312 Statutes, and s. 24(a), Article I of the State Constitution: 203
313313 (a) Coverage limits and deductible or self -insurance 204
314314 amounts of insurance or other risk mitigation coverages acquired 205
315315 for the protection of information technology systems, 206
316316 operational technology systems, or data of an agency. 207
317317 (b) Information relating to critical infrastructure. 208
318318 (c) Cybersecurity incident information reported pursuant 209
319319 to s. 282.318, Florida Statutes, or s . 282.3185, Florida 210
320320 Statutes. 211
321321 (d) Network schematics, hardware and software 212
322322 configurations, or encryption information or information that 213
323323 identifies detection, investigation, or response practices for 214
324324 suspected or confirmed cybersecurity incidents, inclu ding 215
325325 suspected or confirmed breaches, if the disclosure of such 216
326326 information would facilitate unauthorized access to or 217
327327 unauthorized modification, disclosure, or destruction of: 218
328328 1. Data or information, whether physical or virtual; or 219
329329 2. Information tech nology resources, which include an 220
330330 agency's existing or proposed information technology systems. 221
331331 222
332332 Release of such information could place an agency at greater 223
333333 risk of breaches, cybersecurity incidents, and ransomware 224
334-ENROLLED
335-CS/HB 7057, Engrossed 1 2022 Legislature
334+
335+CS/HB 7057, Engrossed 1 2022
336336
337337
338338
339339 CODING: Words stricken are deletions; words underlined are additions.
340-hb7057-03-er
340+hb7057-02-e1
341341 Page 10 of 12
342342 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
343343
344344
345345
346346 attacks. If information related to the coverage limits and 225
347347 deductible or self-insurance amounts of cybersecurity insurance 226
348348 were disclosed, it could give cybercriminals an understanding of 227
349349 the monetary sum an agency can afford or may be willing to pay 228
350350 as a result of a ransomware attack at the ex pense of the 229
351351 taxpayer. In addition, critical infrastructure information is a 230
352352 vital component of public safety and, if made publicly 231
353353 available, could aid in the planning of, training for, and 232
354354 execution of cyberattacks, thereby increasing the ability of 233
355355 persons to harm individuals in this state. The recent 234
356356 cybersecurity hacking and shutdown of the Colonial Pipeline by 235
357357 the criminal enterprise DarkSide in 2021 and the infiltration of 236
358358 the Bowman Avenue Dam in Rye Brook, New York, by Iranian hackers 237
359359 in 2013 provide evidence that such criminal capabilities exist. 238
360360 These events also show the crippling effect that cyberattacks on 239
361361 critical infrastructure may have. Further, cybersecurity 240
362362 incident information reported pursuant to s. 282.318, Florida 241
363363 Statutes, or s. 282.3 185, Florida Statutes, could be used by 242
364364 criminals to identify vulnerabilities that existed in an 243
365365 agency's cybersecurity systems or protocols, thereby making the 244
366366 agency further susceptible to additional cyberattacks. Lastly, 245
367367 the release of network schematic s, hardware and software 246
368368 configurations, or encryption information or information that 247
369369 identifies detection, investigation, or response practices for 248
370370 suspected or confirmed cybersecurity incidents, including 249
371-ENROLLED
372-CS/HB 7057, Engrossed 1 2022 Legislature
371+
372+CS/HB 7057, Engrossed 1 2022
373373
374374
375375
376376 CODING: Words stricken are deletions; words underlined are additions.
377-hb7057-03-er
377+hb7057-02-e1
378378 Page 11 of 12
379379 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
380380
381381
382382
383383 suspected or confirmed breaches, would facilitat e unauthorized 250
384384 access to or the unauthorized modification, disclosure, or 251
385385 destruction of data or information, whether physical or virtual, 252
386386 or information technology resources. Such information also 253
387387 includes proprietary information about the security of an 254
388388 agency's system. The disclosure of such information could 255
389389 compromise the integrity of an agency's data, information, or 256
390390 information technology resources, which would significantly 257
391391 impair the administration of vital governmental programs. 258
392392 Therefore, this information should be made confidential and 259
393393 exempt in order to protect the agency's data, information, and 260
394394 information technology resources. 261
395395 (2) The Legislature also finds that it is a public 262
396396 necessity that any portion of a meeting that would reveal the 263
397397 confidential and exempt information be made exempt from s. 264
398398 286.011, Florida Statutes, and s. 24(b), Article I of the State 265
399399 Constitution, and that any recordings and transcripts of the 266
400400 closed portion of a meeting be made confidential and exempt from 267
401401 s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the 268
402402 State Constitution. The failure to close that portion of a 269
403403 meeting at which confidential and exempt information would be 270
404404 revealed, and prevent the disclosure of the recordings and 271
405405 transcripts of those p ortions of a meeting, would defeat the 272
406406 purpose of the underlying public records exemption and could 273
407407 result in the release of highly sensitive information related to 274
408-ENROLLED
409-CS/HB 7057, Engrossed 1 2022 Legislature
408+
409+CS/HB 7057, Engrossed 1 2022
410410
411411
412412
413413 CODING: Words stricken are deletions; words underlined are additions.
414-hb7057-03-er
414+hb7057-02-e1
415415 Page 12 of 12
416416 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
417417
418418
419419
420420 the cybersecurity of an agency system. 275
421421 (3) For these reasons, the Legislature finds that these 276
422422 public records and public meetings exemptions are of the utmost 277
423423 importance and are a public necessity. 278
424424 Section 5. This act shall take effect on the same date 279
425425 that HB 7055 or similar legislation takes effect , if such 280
426426 legislation is adopted in th e same legislative session or an 281
427427 extension thereof and becomes law. 282