ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 1 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
1
An act relating to public records and public meetings; 2
creating s. 119.0725, F.S.; providing definitions; 3
providing an exemption from public records 4
requirements for certain cybersecurity insurance 5
information, critical infrastructure information, 6
cybersecurity incident information, and certain 7
cybersecurity-related information held by an agency; 8
providing an exemption from public meetings 9
requirements for portions of a meeting that would 10
reveal certain cybersecurity -related information held 11
by an agency; requiring the recording and 12
transcription of exempt portions of such meetings; 13
providing an exemption from public records 14
requirements for such record ings and transcripts; 15
providing retroactive application; authorizing the 16
disclosure of confidential and exempt information 17
under certain circumstances; authorizing agencies to 18
report certain cybersecurity information in the 19
aggregate; providing for future legislative review and 20
repeal of the exemptions; amending ss. 98.015 and 21
282.318, F.S.; conforming provisions to changes made 22
by the act; providing a statement of public necessity; 23
providing a contingent effective date. 24
25
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 2 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Be It Enacted by the Legislatur e of the State of Florida: 26
27
Section 1. Section 119.0725, Florida Statutes, is created 28
to read: 29
119.0725 Agency cybersecurity information; public records 30
exemption; public meetings exemption. — 31
(1) As used in this section, the term: 32
(a) "Breach" means unauthorized access of data in 33
electronic form containing personal information. Good faith 34
access of personal information by an employee or agent of an 35
agency does not constitute a breach, provided that the 36
information is not used for a purpose unrelat ed to the business 37
or subject to further unauthorized use. 38
(b) "Critical infrastructure" means existing and proposed 39
information technology and operational technology systems and 40
assets, whether physical or virtual, the incapacity or 41
destruction of which would negatively affect security, economic 42
security, public health, or public safety. 43
(c) "Cybersecurity" has the same meaning as in s. 44
282.0041. 45
(d) "Data" has the same meaning as in s. 282.0041. 46
(e) "Incident" means a violation or imminent threat of 47
violation, whether such violation is accidental or deliberate, 48
of information technology resources, security, policies, or 49
practices. As used in this paragraph, the term "imminent threat 50
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 3 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
of violation" means a situation in which the agency has a 51
factual basis for believing that a specific incident is about to 52
occur. 53
(f) "Information technology" has the same meaning as in s. 54
282.0041. 55
(g) "Operational technology" means the hardware and 56
software that cause or detect a change through the direct 57
monitoring or control of physical devices, systems, processes, 58
or events. 59
(2) The following information held by an agency is 60
confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 61
of the State Constitution: 62
(a) Coverage limits and deductible or self -insurance 63
amounts of insurance or other risk mitigation coverages acquired 64
for the protection of information technology systems, 65
operational technology systems, or data of an agency. 66
(b) Information relating to critical infrastructure. 67
(c) Cybersecurity incident information reported pursuant 68
to s. 282.318 or s. 282.3185. 69
(d) Network schematics, hardware and software 70
configurations, or encryption information or information that 71
identifies detection, investigation, or response practices for 72
suspected or confirmed cybersecurity incidents, including 73
suspected or confirmed breaches, if the disclosure of such 74
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 4 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
information would facilitate unauthorized access to or 75
unauthorized modification, disclosure, or destruction of: 76
1. Data or informat ion, whether physical or virtual; or 77
2. Information technology resources, which include an 78
agency's existing or proposed information technology systems. 79
(3) Any portion of a meeting that would reveal information 80
made confidential and exempt under subse ction (2) is exempt from 81
s. 286.011 and s. 24(b), Art. I of the State Constitution. An 82
exempt portion of a meeting may not be off the record and must 83
be recorded and transcribed. The recording and transcript are 84
confidential and exempt from s. 119.07(1) an d s. 24(a), Art. I 85
of the State Constitution. 86
(4) The public records exemptions contained in this 87
section apply to information held by an agency before, on, or 88
after July 1, 2022. 89
(5)(a) Information made confidential and exempt pursuant 90
to this section shall be made available to a law enforcement 91
agency, the Auditor General, the Cybercrime Office of the 92
Department of Law Enforcement, the Florida Digital Service 93
within the Department of Management Services, and, for agencies 94
under the jurisdiction of the Governor, the Chief Inspector 95
General. 96
(b) Such confidential and exempt information may be 97
disclosed by an agency in the furtherance of its official duties 98
and responsibilities or to another agency or governmental entity 99
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 5 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
in the furtherance of its statut ory duties and responsibilities. 100
(6) Agencies may report information about cybersecurity 101
incidents in the aggregate. 102
(7) This section is subject to the Open Government Sunset 103
Review Act in accordance with s. 119.15 and shall stand repealed 104
on October 2, 2027, unless reviewed and saved from repeal 105
through reenactment by the Legislature. 106
Section 2. Subsection (13) of section 98.015, Florida 107
Statutes, is amended to read: 108
98.015 Supervisor of elections; election, tenure of 109
office, compensation, custod y of registration-related documents, 110
office hours, successor, seal; appointment of deputy 111
supervisors; duties; public records exemption .— 112
(13)(a) Portions of records held by a supervisor of 113
elections which contain network schematics, hardware and 114
software configurations, or encryption, or which identify 115
detection, investigation, or response practices for suspected or 116
confirmed information technology security incidents, including 117
suspected or confirmed breaches, are confidential and exempt 118
from s. 119.07(1) and s. 24(a), Art. I of the State 119
Constitution, if the disclosure of such records would facilitate 120
unauthorized access to or the unauthorized modification, 121
disclosure, or destruction of: 122
1. Data or information, whether physical or virtual; or 123
2. Information technology resources as defined in s. 124
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 6 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
119.011(9), which includes: 125
a. Information relating to the security of a supervisor of 126
elections' technology, processes, and practices designed to 127
protect networks, computers, data processing software, and da ta 128
from attack, damage, or unauthorized access; or 129
b. Security information, whether physical or virtual, 130
which relates to a supervisor of elections' existing or proposed 131
information technology systems. 132
(b) The portions of records made confidential and exempt 133
in paragraph (a) shall be available to the Auditor General and 134
may be made available to another governmental entity for 135
information technology security purposes or in the furtherance 136
of the entity's official duties. 137
(c) The public record exemption in paragraph (a) applies 138
to records held by a supervisor of elections before, on, or 139
after the effective date of the exemption. 140
(d) This subsection is subject to the Open Government 141
Sunset Review Act in accordance with s. 119.15 and shall stand 142
repealed on October 2, 2026, unless reviewed and saved from 143
repeal through reenactment by the Legislature. 144
Section 3. Subsections (6) and (11) of section 282.318, 145
Florida Statutes, are renumbered as subsections (5) and (10), 146
respectively, and present subsectio ns (5), (7), (8), (9), and 147
(10) of that section are amended to read: 148
282.318 Cybersecurity. — 149
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 7 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
(5) Portions of records held by a state agency which 150
contain network schematics, hardware and software 151
configurations, or encryption, or which identify detecti on, 152
investigation, or response practices for suspected or confirmed 153
cybersecurity incidents, including suspected or confirmed 154
breaches, are confidential and exempt from s. 119.07(1) and s. 155
24(a), Art. I of the State Constitution, if the disclosure of 156
such records would facilitate unauthorized access to or the 157
unauthorized modification, disclosure, or destruction of: 158
(a) Data or information, whether physical or virtual; or 159
(b) Information technology resources, which includes: 160
1. Information relating to the security of the agency's 161
technologies, processes, and practices designed to protect 162
networks, computers, data processing software, and data from 163
attack, damage, or unauthorized access; or 164
2. Security information, whether physical or virtual, 165
which relates to the agency's existing or proposed information 166
technology systems. 167
(6)(7) Those portions of a public meeting as specified in 168
s. 286.011 which would reveal records which are confidenti al and 169
exempt under subsection (5) or subsection (6) are exempt from s. 170
286.011 and s. 24(b), Art. I of the State Constitution. No 171
exempt portion of an exempt meeting may be off the record. All 172
exempt portions of such meeting shall be recorded and 173
transcribed. Such recordings and transcripts are confidential 174
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 8 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
and exempt from disclosure under s. 119.07(1) and s. 24(a), Art. 175
I of the State Constitution unless a court of competent 176
jurisdiction, after an in camera review, determines that the 177
meeting was not rest ricted to the discussion of data and 178
information made confidential and exempt by this section. In the 179
event of such a judicial determination, only that portion of the 180
recording and transcript which reveals nonexempt data and 181
information may be disclosed to a third party. 182
(7)(8) The portions of records made confidential and 183
exempt in subsections (5) and, (6), and (7) shall be available 184
to the Auditor General, the Cybercrime Office of the Department 185
of Law Enforcement, the Florida Digital Service within the 186
department, and, for agencies under the jurisdiction of the 187
Governor, the Chief Inspector General. Such portions of records 188
may be made available to a local government, another state 189
agency, or a federal agency for cybersecurity purposes or in 190
furtherance of the state agency's official duties. 191
(8)(9) The exemptions contained in subsections (5) and, 192
(6), and (7) apply to records held by a state agency before, on, 193
or after the effective date of this exemption. 194
(9)(10) Subsections (5) and, (6), and (7) are subject to 195
the Open Government Sunset Review Act in accordance with s. 196
119.15 and shall stand repealed on October 2, 2025, unless 197
reviewed and saved from repeal through reenactment by the 198
Legislature. 199
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 9 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Section 4. (1) The Legislature finds that it is a public 200
necessity that the following information held by an agency be 201
made confidential and exempt from s. 119.07(1), Florida 202
Statutes, and s. 24(a), Article I of the State Constitution: 203
(a) Coverage limits and deductible or self -insurance 204
amounts of insurance or other risk mitigation coverages acquired 205
for the protection of information technology systems, 206
operational technology systems, or data of an agency. 207
(b) Information relating to critical infrastructure. 208
(c) Cybersecurity incident information reported pursuant 209
to s. 282.318, Florida Statutes, or s. 282.3185, Florida 210
Statutes. 211
(d) Network schematics, hardware and software 212
configurations, or encryption information or information that 213
identifies detection, investigation, or response practices fo r 214
suspected or confirmed cybersecurity incidents, including 215
suspected or confirmed breaches, if the disclosure of such 216
information would facilitate unauthorized access to or 217
unauthorized modification, disclosure, or destruction of: 218
1. Data or information , whether physical or virtual; or 219
2. Information technology resources, which include an 220
agency's existing or proposed information technology systems. 221
222
Release of such information could place an agency at greater 223
risk of breaches, cybersecurity incidents, and ransomware 224
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 10 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
attacks. If information related to the coverage limits and 225
deductible or self-insurance amounts of cybersecurity insurance 226
were disclosed, it could give cybercriminals an understanding of 227
the monetary sum an agency can afford or may be will ing to pay 228
as a result of a ransomware attack at the expense of the 229
taxpayer. In addition, critical infrastructure information is a 230
vital component of public safety and, if made publicly 231
available, could aid in the planning of, training for, and 232
execution of cyberattacks, thereby increasing the ability of 233
persons to harm individuals in this state. The recent 234
cybersecurity hacking and shutdown of the Colonial Pipeline by 235
the criminal enterprise DarkSide in 2021 and the infiltration of 236
the Bowman Avenue Dam i n Rye Brook, New York, by Iranian hackers 237
in 2013 provide evidence that such criminal capabilities exist. 238
These events also show the crippling effect that cyberattacks on 239
critical infrastructure may have. Further, cybersecurity 240
incident information reporte d pursuant to s. 282.318, Florida 241
Statutes, or s. 282.3185, Florida Statutes, could be used by 242
criminals to identify vulnerabilities that existed in an 243
agency's cybersecurity systems or protocols, thereby making the 244
agency further susceptible to additional cyberattacks. Lastly, 245
the release of network schematics, hardware and software 246
configurations, or encryption information or information that 247
identifies detection, investigation, or response practices for 248
suspected or confirmed cybersecurity incidents, inc luding 249
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 11 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
suspected or confirmed breaches, would facilitate unauthorized 250
access to or the unauthorized modification, disclosure, or 251
destruction of data or information, whether physical or virtual, 252
or information technology resources. Such information also 253
includes proprietary information about the security of an 254
agency's system. The disclosure of such information could 255
compromise the integrity of an agency's data, information, or 256
information technology resources, which would significantly 257
impair the administra tion of vital governmental programs. 258
Therefore, this information should be made confidential and 259
exempt in order to protect the agency's data, information, and 260
information technology resources. 261
(2) The Legislature also finds that it is a public 262
necessity that any portion of a meeting that would reveal the 263
confidential and exempt information be made exempt from s. 264
286.011, Florida Statutes, and s. 24(b), Article I of the State 265
Constitution, and that any recordings and transcripts of the 266
closed portion of a meeting be made confidential and exempt from 267
s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the 268
State Constitution. The failure to close that portion of a 269
meeting at which confidential and exempt information would be 270
revealed, and prevent the disclosure of the recordings and 271
transcripts of those portions of a meeting, would defeat the 272
purpose of the underlying public records exemption and could 273
result in the release of highly sensitive information related to 274
ENROLLED
CS/HB 7057, Engrossed 1 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7057-03-er
Page 12 of 12
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
the cybersecurity of an agency syste m. 275
(3) For these reasons, the Legislature finds that these 276
public records and public meetings exemptions are of the utmost 277
importance and are a public necessity. 278
Section 5. This act shall take effect on the same date 279
that HB 7055 or similar legislati on takes effect, if such 280
legislation is adopted in the same legislative session or an 281
extension thereof and becomes law. 282