The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Appropriations
BILL: CS/CS/SB 1694
INTRODUCER: Appropriations Committee; Military and Veterans Affairs, Space, and Domestic Security
Committee; and Senator Hutson
SUBJECT: Public Records and Public Meetings/Cybersecurity Incident or Ransomware Incident
DATE: March 2, 2022
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. Lloyd Caldwell MS Fav/CS
2. Hunter/Davis Sadberry AP Fav/CS
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/CS/SB 1694 adds language to section 282.3185, Florida Statutes, as created by CS/CS/SB
1670, to create a public records and meetings exemption for information relating to a
cybersecurity incident or ransomware incident held by a political subdivision
1
or state agency to
the extent that a disclosure of such information would facilitate unauthorized access to or the
unauthorized modification, disclosure, or destruction of physical or virtual data or information
technology resources as defined in the exemption. It also provides a general public records
exemption for coverage limits and deductible or self-insurance amounts of insurance or other
risk mitigation coverages acquired for the protection of IT systems, operational technology
systems, or data of an agency. The bill:
Allows for information that has been made confidential and exempt under
section 119.07(1), Florida Statutes, and Article I, section 24(a) of the State Constitution to be
disclosed in limited circumstances by a political subdivision or state agency in the
furtherance of its or the other agency’s official or statutory duties or responsibilities;
Requires that any portion of a meeting, as well as transcripts and recordings of said meeting,
that includes the discussion of the referenced cybersecurity or ransomware incident
information also be made exempt from sections 286.011 and 119.07(1), Florida Statutes, and
Article I, section 24(a) of the State Constitution;
1
“Political subdivision” means a separate agency or unit of local government created or established by law and includes, but
is not limited to, the following and the officers thereof: authority, board, branch, bureau, city, commission, consolidated
government, county, department, district, institution, metropolitan government, municipality, office, officer, public
corporation, town, or village. Section 11.45(1)(k), F.S.
REVISED: BILL: CS/CS/SB 1694 Page 2
Prohibits any portion of an exempt public meeting from being off the record; and
Requires any portion of an exempted public meeting to be recorded and transcribed.
The exemption provided under the bill shall stand repealed effective October 2, 2027, unless
reviewed and saved from repeal through reenactment by the Legislature.
The bill provides a statement of public necessity that the public records exemption is necessary
as disclosure of information relating to cybersecurity and ransomware incidents held by a
political subdivision or the state could include information that could facilitate unauthorized
access to, or modification, disclosure or destruction of information, information technology, or
information resources. The bill includes a statement of public necessity for the closure of
portions of public meetings where confidential and exempt information is disclosed making the
meeting exempt from section 286.011, Florida Statutes.
The effective date of this act is the same date on which CS/CS/SB 1670 or similar legislation
takes effect, if such legislation takes effect in the same legislative session or an extension thereof
and becomes a law.
II. Present Situation:
Access to Public Records - Generally
The Florida Constitution provides that the public has the right to inspect or copy records made or
received in connection with official governmental business.
2
The right to inspect or copy applies
to the official business of any public body, officer, or employee of the state, including all three
branches of state government, local governmental entities, and any person acting on behalf of the
government.
3
Additional requirements and exemptions related to public records are found in various statutes
and rules, depending on the branch of government involved. For instance, s. 11.0431, F.S.,
provides public access requirements for legislative records. Relevant exemptions are codified in
s. 11.0431(2)-(3), F.S., and adopted in the rules of each house of the legislature.
4
Florida Rule of
Judicial Administration 2.420 governs public access to judicial branch records.
5
Lastly, ch. 119,
F.S., known as the Public Records Act, provides requirements for public records held by
agencies.
2
FLA. CONST. art. I, s. 24(a).
3
Id.
4
See Rule 1.48, Rules and Manual of the Florida Senate, (2020-2022) and Rule 14.1, Rules of the Florida House of
Representatives, Edition 1, (2020-2022)
5
State v. Wooten, 260 So. 3d 1060 (Fla. 4
th
DCA 2018). BILL: CS/CS/SB 1694 Page 3
Agency Records – The Public Records Act
The Public Records Act provides that all state, county, and municipal records are open for
personal inspection and copying by any person, and that providing access to public records is a
duty of each agency.
6
Section 119.011(12), F.S., defines “public records” to include:
All documents, papers, letters, maps, books, tapes, photographs, films,
sound recordings, data processing software, or other material, regardless of
the physical form, characteristics, or means of transmission, made or
received pursuant to law or ordinance or in connections with the transaction
of official business by any agency.
The Florida Supreme Court has interpreted this definition to encompass all materials made or
received by an agency in connection with official business that are used to “perpetuate,
communicate, or formalize knowledge of some type.”
7
The Florida Statutes specify conditions under which public access to public records must be
provided. The Public Records Act guarantees every person’s right to inspect and copy any public
record at any reasonable time, under reasonable conditions, and under supervision by the
custodian of the public record.
8
A violation of the Public Records Act may result in civil or
criminal liability.
9
The Legislature may exempt public records from public access requirements by passing a
general law by a two-thirds vote of both the House and the Senate.
10
The exemption must state
with specificity the public necessity justifying the exemption and must be no broader than
necessary to accomplish the stated purpose of the exemption.
11
General exemptions from the public records requirements are contained in the Public Records
Act.
12
Specific exemptions often are placed in the substantive statutes relating to a particular
agency or program.
13
6
Section 119.011(2), F.S., defines “agency” as “any state, county, district, authority, or municipal officer, department,
division, board, bureau, commission, or other separate unit of government created or established by law including, for the
purposes of this chapter, the Commission on Ethics, the Public Service Commission, and the Office of Public Counsel, and
any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public
agency.”
7
Shevin v. Byron, Harless, Schaffer, Reid and Assoc., Inc., 379 So. 2d 633, 640 (Fla. 1980).
8
Section 119.07(1)(a), F.S.
9
Section 119.10, F.S. Public records laws are found throughout the Florida Statutes, as are the penalties for violating those
laws.
10
FLA. CONST. art. I, s. 24(c).
11
Id. See, e.g., Halifax Hosp. Medical Center v. News-Journal Corp., 724 So. 2d 567 (Fla. 1999) (holding that a public
meetings exemption was unconstitutional because the statement of public necessity did not define important terms and did
not justify the breadth of the exemption); Baker County Press, Inc. v. Baker County Medical Services, Inc., 870 So. 2d 189
(Fla. 1st DCA 2004) (holding that a statutory provision written to bring another party within an existing public records
exemption is unconstitutional without a public necessity statement).
12
See, e.g., s. 119.071, F.S.
13
See, e.g., s. 213.053(2)(a), F.S., (exempting from public disclosure information contained in tax returns received by the
Department of Revenue). BILL: CS/CS/SB 1694 Page 4
When creating a public records exemption, the Legislature may provide that a record is “exempt”
or “confidential and exempt.” There is a difference between records the Legislature has
determined to be exempt from the Public Records Act and those that the Legislature has
determined to be exempt from the Public Records Act and confidential.
14
Records designated as
“confidential and exempt” are not subject to inspection by the public and may only be released
under the circumstances defined by statute.
15
Records designated as “exempt” may be released at
the discretion of the records custodian under certain circumstances.
16
Current Cybersecurity Information Exemptions
Statutory exemptions for state agencies and utilities owned or operated by local governments
related to information technology are contained in ss. 282.318(5) through (10) and
119.0713(5), F.S., respectively. The current statutory language does not directly address
information related to cybersecurity incidents or ransomware incidents.
Portions of records held by a state agency
17
that contain network schematics, hardware and
software configurations, or encryption, or that identify detection, investigation, or response
practices for suspected or confirmed cybersecurity
18
incidents,
19
including suspected or
confirmed breaches,
20
are confidential and exempt
21
from public record requirements if the
disclosure of such records would facilitate unauthorized access to or the unauthorized
modification, disclosure, or destruction of:
Data
22
or information, whether physical or virtual; or
14
WFTV, Inc. v. The Sch. Bd. of Seminole County, 874 So. 2d 48, 53 (Fla. 5
th
DCA 2004).
15
Id.
16
Williams v. City of Minneola, 575 So. 2d 683 (Fla. 5th DCA 1991).
17
“State agency” means any official, officer, commission, board, authority, council, committee, or department of the
executive branch of state government; the Justice Administrative Commission; and the Public Service Commission. The term
includes the Department of Legal Affairs, The Department of Agriculture and Consumer Services, and the Department of
Financial Services. The term does not include university boards of trustees or state universities. See s. 282.0041(33), F.S.
18
“Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable
objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology
resources. See s. 282.0041(8), F.S.
19
“Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of
information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in
which the state agency has a factual basis for believing that a specific incident is about to occur. See s. 282.0041(19), F.S.
20
“Breach” means unauthorized access of data in electronic form containing personal information. Good faith access of
personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the
information is not used for a purpose unrelated to the business or subject to further unauthorized use. See s. 282.0041(3), F.S.
21
There is a difference between records the Legislature designates exempt from public record requirements and those the
Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under
certain circumstances. See WFTV, Inc. v. Sch. Bd. of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892
So.2d 1015 (Fla. 2004); City of Rivera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola,
575 So.2d 683, 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public
disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities
specifically designated in statute. See Op. Att’y Gen. Fla. 04-09 (2004).
22
“Data” means a subset of structured information in a format that allows such information to be electronically retrieved and
transmitted. See s. 282.0041(9), F.S. BILL: CS/CS/SB 1694 Page 5
Information technology (IT) resources,
23
which includes:
o Information relating to the security of the agency’s technologies, processes, and practices
designed to protect networks, computers, data processing software, and data from attack,
damage, or unauthorized access; or
o Security information, whether physical or virtual, which relates to the agency’s existing
or proposed IT
24
systems.
25,26
In addition, any portion of a public meeting that would reveal any of the above-described
confidential and exempt records is exempt from public meeting requirements. Any portion of an
exempt meeting must be recorded and transcribed. The recordings and transcripts are
confidential and exempt from public record requirements unless a court of competent
jurisdiction, following an in camera review, determines that the meeting was not restricted to the
discussion of confidential and exempt data and information. If such a judicial determination
occurs, only the portion of the recording or transcript that reveals nonexempt data may be
disclosed.
27
The confidential and exempt cybersecurity information must be available to the Auditor General,
the Cybercrime Office within the Florida Department of Law Enforcement (FDLE), the Florida
Digital Service (FLDS),
28
and for agencies under the jurisdiction of the Governor, the Chief
Inspector General. In addition, the records may be made available to a local government, another
state agency, or a federal agency for cybersecurity purposes or in the furtherance of the state
agency’s official duties.
29
Information related to the security of a utility
30
owned or operated by a unit of local
government
31
that is designed to protect the utility’s networks, computers, programs, and data
from attack, damage or unauthorized access, is exempt from public record requirements to the
extent disclosure of such information would facilitate the alteration, disclosure, or destruction of
data or IT resources.
32
23
“Information technology resources” means data processing hardware and software and services, communications, supplies,
personnel, facility resources, maintenance, and training. See s. 282.0041(22), F.S.
24
“Information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure,
media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display,
store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange,
convert, converge, interface, switch, or disseminate information of any kind or form. See s. 282.0041(20), F.S.
25
Florida law provides a similar public record exemption for state university and Florida College System institutions. See
s 1004.055, F.S.
26
Section 282.318(5), F.S.
27
Section 282.318(7), F.S. Florida law provides a similar public meeting exemption for state university and Florida College
system institutions, see s. 1004.055, F.S.
28
Florida Digital Service (FLDS) (formerly the Division of State Technology) is a subdivision of the Department of
Management Services (DMS) and is charged with overseeing the state’s information technology (IT) resources.
Section 20.22(2)(b), F.S.
29
Section 282.318(8), F.S.
30
“Utility” means a person or entity that provides electricity, natural gas, telecommunications, water, chilled water, reuse
water, or wastewater. Section 119.011(15), F.S.
31
“Unit of local government” means a county, municipality, special district, local agency, authority, consolidated city -
county government, or any other local governmental body or public body corporate or politic authorized or created by general
or special law. Section 119.0713(2)(a), F.S.
32
Section 119.0713 (5)(a)1., F.S. BILL: CS/CS/SB 1694 Page 6
In addition, information related to the security of existing or proposed IT systems or industrial
control technology systems of a utility owned or operated by a unit of local government is
exempt from public record requirements to the extent disclosure would facilitate unauthorized
access to, and the alternation or destruction of, such IT systems in a manner that would adversely
impact the safe and reliable operations of the IT systems and the utility.
33
Current law also provides a public record exemption for certain cybersecurity information held
by supervisor of elections that mirrors the public record exemption for state agencies, as
described above.
34
The confidential and exempt information must be made available to the
Auditor General and may be made available to another governmental entity for cybersecurity
purposes or in the furtherance of the entity’s official duties.
35
Open Meetings Laws
The Florida Constitution provides that the public has a right to access governmental meetings.
36
Each collegial body must provide notice of its meetings to the public and permit the public to
attend any meeting at which official acts are taken or at which public business is transacted or
discussed.
37
This applies to the meetings of any collegial body of the executive branch of state
government, counties, municipalities, school districts, or special districts.
38
Public policy regarding access to government meetings also is addressed in the Florida Statutes.
Section 286.011, F.S., known as the “Government in the Sunshine Law,”
39
or the “Sunshine
Law,”
40
requires all meetings of any board or commission of any state or local agency or
authority at which official acts are to be taken be open to the public.
41
The board or commission
must provide the public reasonable notice of such meetings.
42
Public meetings may not be held at
any location that discriminates on the basis of sex, age, race, creed, color, origin, or economic
status or which operates in a manner that unreasonably restricts the public’s access to the
facility.
43
Minutes of a public meeting must be promptly recorded and open to public
inspection.
44
Failure to abide by open meetings requirements will invalidate any resolution, rule,
33
Section 119.0713(5)(a)2., F.S.
34
Section 98.015(13)(a), F.S.
35
Section 98.015(13)(b), F.S.
36
FLA. CONST. art. I, s. 24(b).
37
Id.
38
Id. Meetings of the Legislature are governed by Article III, section 4(e) of the Florida Constitution, which states: “The
rules of procedure of each house shall further provide that all prearranged gatherings, between more than two members of the
legislature, or between the governor, the president of the senate, or the speaker of the house of representatives, the purpose of
which is to agree upon formal legislative action that will be taken at a subsequent time, or at which formal legislative action
is taken, regarding pending legislation or amendments, shall be reasonably open to the public.”
39
Times Pub. Co. v. Williams, 222 So. 2d 470, 472 (Fla. 2d DCA 1969).
40
Board of Public Instruction of Broward County v. Doran, 224 So. 2d 693, 695 (Fla. 1969).
41
Section 286.011(1)-(2), F.S.
42
Id.
43
Section 286.011(6), F.S.
44
Section 286.011(2), F.S. BILL: CS/CS/SB 1694 Page 7
or formal action adopted at a meeting.
45
A public officer or member of a governmental entity
who violates the Sunshine Law is subject to civil and criminal penalties.
46
The Legislature may create an exemption to open meetings requirements by passing a general
law by at least a two-thirds vote of each house of the Legislature.
47
The exemption must
explicitly lay out the public necessity justifying the exemption and must be no broader than
necessary to accomplish the stated purpose of the exemption.
48
A statutory exemption that does
not meet these two criteria may be unconstitutional and may not be judicially saved.
49
The Open Government Sunset Review Act (act) prescribes a legislative review process for newly
created or substantially amended public records exemptions,
50
with specified exceptions.
51
It
requires the automatic repeal of such exemption on October 2nd of the fifth year after creation or
substantial amendment, unless the Legislature reenacts the exemption.
52
The act provides that a
public records exemption may be created or maintained only if it serves an identifiable public
purpose and is no broader than is necessary to meet such public purpose.
53
Open Government Sunset Review Act
The provisions of s. 119.15, F.S., known as the Open Government Sunset Review Act
54
(act),
prescribe a legislative review process for newly created or substantially amended
55
public
records or open meetings exemptions, with specified exceptions.
56
The Act requires the repeal of
such exemption on October 2nd of the fifth year after creation or substantial amendment, unless
the Legislature reenacts the exemption.
57
45
Section 286.011(1), F.S.
46
Section 286.011(3), F.S.
47
FLA. CONST. art. I, s. 24(c).
48
Id.
49
Halifax Hosp. Medical Center v. New-Journal Corp., 724 So. 2d 567 (Fla. 1999). In Halifax Hospital, the Florida Supreme
Court found that a public meetings exemption was unconstitutional because the statement of public necessity did not define
important terms and did not justify the breadth of the exemption. Id. at 570. The Florida Supreme Court also declined to
narrow the exemption in order to save it. Id. In Baker County Press, Inc. v. Baker County Medical Services, Inc., 870 So. 2d
189 (Fla. 1st DCA 2004), the court found that the intent of a public records statute was to create a public records exemption.
The Baker County Press court found that since the law did not contain a public necessity statement, it was unconstitutional.
Id. at 196.
50
Section 119.15, F.S. An exemption is substantially amended if the amendment expands the scope of the exemption to
include more records or information or to include meetings as well as records (s. 119.15(4)(b), F.S.). The requirements of the
act do not apply to an exemption that is required by federal law or that applies solely to the Legislature or the State Court
System (s. 119.15(2), F.S.).
51
Section 119.15(2)(a) and (b), F.S., provide that exemptions that are required by federal law or are applicable solely to the
Legislature or the State Court System are not subject to the Open Government Sunset Review Act.
52
Section 119.15(3), F.S.
53
Section 119.15(6)(b), F.S.
54
Section 119.15, F.S.
55
An exemption is considered to be substantially amended if it is expanded to include more records or information or to
include meetings as well as records. Section 119.15(4)(b), F.S.
56
Section 119.15(2)(a) and (b), F.S., provides that exemptions required by federal law or applicable solely to the Legislature
or the State Court System are not subject to the Open Government Sunset Review Act.
57
Section 119.15(3), F.S. BILL: CS/CS/SB 1694 Page 8
The Act provides that a public records or open meetings exemption may be created or
maintained only if it serves an identifiable public purpose and is no broader than is necessary.
58
An exemption serves an identifiable purpose if it meets one of the following purposes and the
Legislature finds that the purpose of the exemption outweighs open government policy and
cannot be accomplished without the exemption:
It allows the state or its political subdivisions to effectively and efficiently administer a
governmental program, and administration would be significantly impaired without the
exemption;
59
It protects sensitive, personal information, the release of which would be defamatory, cause
unwarranted damage to the good name or reputation of the individual, or would jeopardize
the individual’s safety. If this public purpose is cited as the basis of an exemption, however,
only personal identifying information is exempt;
60
or
It protects information of a confidential nature concerning entities, such as trade or business
secrets.
61
The act also requires specified questions to be considered during the review process.
62
In
examining an exemption, the act directs the Legislature to question the purpose and necessity of
reenacting the exemption.
If the exemption is continued and expanded, then a public necessity statement and a two-thirds
vote for passage are required.
63
If the exemption is continued without substantive changes or if
the exemption is continued and narrowed, then a public necessity statement and a two-thirds vote
for passage are not required. If the Legislature allows an exemption to expire, the previously
exempt records will remain exempt unless otherwise provided by law.
64
III. Effect of Proposed Changes:
A public records and meeting exemption is added to s. 282.3185, F.S., as newly created in the
linked substantive bill, CS/CS/SB1670, as subsection (3).
Public Records Exemption
The public records exemption under the bill makes confidential and exempt from public records
inspection and copying those records held by a state agency or political subdivision relating to
58
Section 119.15(6)(b), F.S.
59
Section 119.15(6)(b)1., F.S.
60
Section 119.15(6)(b)2., F.S.
61
Section 119.15(6)(b)3., F.S.
62
Section 119.15(6)(a), F.S. The specified questions are:
What specific records or meetings are affected by the exemption?
Whom does the exemption uniquely affect, as opposed to the general public?
What is the identifiable public purpose or goal of the exemption?
Can the information contained in the records or discussed in the meeting be readily obtained by alternative means?
If so, how?
Is the record or meeting protected by another exemption?
Are there multiple exemptions for the same type of record or meeting that it would be appropriate to merge?
63
See generally s. 119.15, F.S.
64
Section 119.15(7), F.S. BILL: CS/CS/SB 1694 Page 9
cybersecurity or ransomware incidents to the extent that disclosure of such information would
facilitate unauthorized access to the unauthorized modification, disclosure, or destruction of:
Data or information, whether physical or virtual; or
Information technology resources, including but not limited to:
o Security of local government resources, processes, and practices designed to protect
networks, computers, data processing software, and data from attack, damage, or
unauthorized access; and
o Information relating to a local government’s existing or proposed information technology
systems.
Information that is made confidential and exempt may be disclosed by another a state agency or
political subdivision or to another state agency or political subdivision in furtherance of its
official duties and responsibilities.
Public Meetings Exemption
The bill also creates a meetings exemption establishing that any portion of a meeting that would
reveal information that has been made confidential and exempt under this bill is exempt from
s. 286.011, F.S. and s. 24(b), Art. I of the State Constitution. The bill prohibits any portion of an
exempted meeting from being off the record and requires a recording and transcript of any closed
meeting. The recording and the transcript are also confidential and exempt under
s. 119.07(1), F.S. and s. 24(a), Art. I of the State Constitution.
Review Date
The exemptions created under the bill are subject to the Open Government Sunshine Review Act
and shall stand repealed as of October 2, 2027, unless reviewed and saved from repeal through
reenactment by the Legislature.
Statement of Important Public Necessity and Importance
The Legislature finds that this public records and meetings exemption serves an important public
necessity as the information held by a political subdivision or a state agency related to
cybersecurity or ransomware incidents, if released, could allow others to identify vulnerabilities
in the computer network systems of state agencies and political subdivisions. Identification of
these vulnerabilities could facilitate the unauthorized access, modification, disclosure, or
destruction of data, information, or information technology in government network systems and
could impair the administration of vital programs.
The Legislature also finds that the public meetings exemption in the bill is a public necessity and
that any portion of a meeting in which confidential and exempt information is discussed should
be exempt from s. 286.011, F.S., and s. 24(b), Art. I of the State Constitution. The failure to close
that portion of the meeting would defeat the underlying purpose of the exemption and could
result in the release of highly sensitive information relating to cybersecurity incidents and
ransomware incidents in state or political subdivision computer network systems.
The Legislature states the public records and meetings exemptions are of the utmost importance
and are a public necessity. BILL: CS/CS/SB 1694 Page 10
The public records exemption shall take effect upon the same date as the effective date of
CS/CS/SB 1670 or similar legislation, if such legislation is adopted in the same legislative
session or an extension thereof and becomes law.
IV. Constitutional Issues:
A. Municipality/County Mandates Restrictions:
None.
B. Public Records/Open Meetings Issues:
Vote Requirement
Article I, s. 24(c) of the State Constitution requires a two-thirds vote of the members
present and voting for final passage of a bill creating or expanding an exemption to the
public records and meetings requirements. This bill enacts new public records and
meeting exemptions covering cybersecurity and ransomware incidents where information
such as computer network systems, local government technology, data, and transcripts or
recordings of any portions of meetings in which the covered subjects or data and its
impact on state agencies and local governments is discussed.
Public Necessity Statement
Article I, s. 24(c) of the State Constitution requires a bill creating or expanding an
exemption to the public records requirements to state with specificity the public necessity
justifying the exemption. Section 2 of the bill contains statements of public necessity for
the exemption by the Legislature, including a finding this exemption serves an important
public necessity as information held by a political subdivision or a state agency as
relating to cybersecurity or ransomware incidents, if released, could allow others to
identify vulnerabilities in these computer network systems and facilitate further
unauthorized breaches into the state’s or political subdivision’s data, information,
information technology resources. Identification of additional vulnerabilities of political
subdivisions and state agencies are identified specifically in CS/CS/SB 1670 should the
data and resources from a cybersecurity or ransomware incident not be protected as are
the potentially consequences should such information be publicly available.
The bill also provides a statement of public necessity for closed public meetings when
confidential and exempt information relating to the cybersecurity and ransomware
incidents are discussed. Any recordings and transcripts from these meetings in which
exempt information is discussed is also made confidential and exempt. The meetings
exemption is drawn to close only that portion of any meeting in which the confidential
information is discussed and requires that closed meetings be transcribed and recorded.
The Legislature states that public records and meetings exemptions in the bill are of the
utmost importance and are a public necessity.
BILL: CS/CS/SB 1694 Page 11
Breadth of Exemption
Article I, s. 24(c) of the State Constitution requires an exemption to the public records
requirements to be no broader than necessary to accomplish the stated purpose of the law.
The purpose of the proposed exemption is to protect data that may have been involved in
data breaches, mitigate future data breaches that may involve the same entity, and ensure
the security of the existing computer systems, computer network, or electronic devices.
This bill draws a narrow exemption for specific types of data and information technology
tools held by state agencies and local governments. Furthermore, the bill requires the
transcription of any closed meeting as a record of events should there be any questions
later and, for certain meetings, a recording is also required.
C. Trust Funds Restrictions:
None.
D. State Tax or Fee Increases:
None.
E. Other Constitutional Issues:
None.
V. Fiscal Impact Statement:
A. Tax/Fee Issues:
None.
B. Private Sector Impact:
If information is protected from public release, more individuals or entities that are the
subject of cybersecurity attacks or ransomware incidents may come forward to law
enforcement or state agencies for assistance.
C. Government Sector Impact:
The bill could have an insignificant negative fiscal impact on the state and local
governments because staff responsible for complying with public record requests may
require training related to creation of the public record exemption. In addition, state and
local governments could incur costs associated with redacting the confidential and
exempt information prior to releasing a record. The costs, however, would be absorbed,
as they are part of the day-to-day responsibilities of the agencies.
Disclosure of cybersecurity and ransomware incidents can expose state agencies and
political subdivisions to future attacks as such information and data can make these
entities vulnerable helping to facilitate the unauthorized access to or modification of state BILL: CS/CS/SB 1694 Page 12
and local governmental entity computer networks and systems. Release of data and
information can result in further data breaches as these vulnerabilities become public.
If information is protected from public release, more individuals or entities that are the
subject of cybersecurity attacks or ransomware incidents may come forward to law
enforcement or state agencies for assistance.
VI. Technical Deficiencies:
None.
VII. Related Issues:
None.
VIII. Statutes Affected:
This bill substantially amends section 282.3185 of the Florida Statutes, as created by CS/SB
1670.
IX. Additional Information:
A. Committee Substitute – Statement of Substantial Changes:
(Summarizing differences between the Committee Substitute and the prior version of the bill.)
CS/CS by Appropriations on February 28, 2022:
The committee substitute adds a general public record exemption in ch. 119, F.S., for
information held by an agency before, on, or after July 1, 2022, regarding the coverage
limits and deductible or self-insurance amounts of insurance or other risk mitigation.
CS by Military and Veterans Affairs, Space, and Domestic Security on February 8,
2022:
CS/SB 1694 narrows the public records and meetings exemption for information relating
to a cybersecurity incident or ransomware incident held by a political subdivision or state
agency to the extent that a disclosure of such information would facilitate unauthorized
access to or the unauthorized modification, disclosure, or destruction of physical or
virtual data or information technology resources as defined in the exemption.
CS/SB 1694:
Allows for information which has been made confidential and exempt under s.
119.07(1), F.S., and Art. I, of the State Constitution to be disclosed in limited
circumstances by a political subdivision or state agency in the furtherance of it’s or
the other agency’s official duties;
Prohibits any portion of an exempt public meeting from being off the record;
Requires any portion of an exempted public meeting to be recorded and transcribed;
Maintains the repeal effective date of October 2, 2027, unless reviewed and saved
from repeal through reenactment by the Legislature; BILL: CS/CS/SB 1694 Page 13
Provides a revised statement of public necessity that the public records exemption is
necessary as disclosure of information relating to cybersecurity and ransomware
incidents held by a political subdivision or the state could include information that
could facilitate unauthorized access to, or modification, disclosure or destruction of
information, information technology, or information resources;
Includes a statement of public necessity relating to the closure of public meetings
where any portion of a meeting in which this confidential and exempt information is
discussed be made exempt from s. 286.011, F.S., including any recordings or
transcripts; and
Adds the linked substantive bill number, CS/SB 1670.
B. Amendments:
None.
This Senate Bill Analysis does not reflect the intent or official position of the bill’s introducer or the Florida Senate.