Florida Senate - 2025 SB 7020 By the Committee on Governmental Oversight and Accountability 585-02586-25 20257020__ 1 A bill to be entitled 2 An act relating to a review under the Open Government 3 Sunset Review Act; amending s. 119.0725, F.S., which 4 provides exemptions from public records requirements 5 for agency cybersecurity information held by a state 6 agency and exemptions from public meetings 7 requirements for portions of meetings which would 8 reveal confidential and exempt information; revising 9 the date of the scheduled repeal of such exemptions; 10 amending s. 282.318, F.S., which provides exemptions 11 from public records and public meetings requirements 12 for portions of risk assessments, evaluations, 13 external audits, and other reports of a state agencys 14 cybersecurity program for the data, information, and 15 information technology resources of that state agency 16 which are held by a state agency and for portions of a 17 public meeting which would reveal such confidential 18 and exempt records; extending the date of the 19 scheduled repeal of such exemptions; providing an 20 effective date. 21 22 Be It Enacted by the Legislature of the State of Florida: 23 24 Section 1.Section 119.0725, Florida Statutes, is amended 25 to read: 26 119.0725Agency cybersecurity information; public records 27 exemption; public meetings exemption. 28 (1)As used in this section, the term: 29 (a)Breach means unauthorized access of data in 30 electronic form containing personal information. Good faith 31 access of personal information by an employee or agent of an 32 agency does not constitute a breach, provided that the 33 information is not used for a purpose unrelated to the business 34 or subject to further unauthorized use. 35 (b)Critical infrastructure means existing and proposed 36 information technology and operational technology systems and 37 assets, whether physical or virtual, the incapacity or 38 destruction of which would negatively affect security, economic 39 security, public health, or public safety. 40 (c)Cybersecurity has the same meaning as in s. 282.0041. 41 (d)Data has the same meaning as in s. 282.0041. 42 (e)Incident means a violation or imminent threat of 43 violation, whether such violation is accidental or deliberate, 44 of information technology resources, security, policies, or 45 practices. As used in this paragraph, the term imminent threat 46 of violation means a situation in which the agency has a 47 factual basis for believing that a specific incident is about to 48 occur. 49 (f)Information technology has the same meaning as in s. 50 282.0041. 51 (g)Operational technology means the hardware and 52 software that cause or detect a change through the direct 53 monitoring or control of physical devices, systems, processes, 54 or events. 55 (2)The following information held by an agency is 56 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 57 of the State Constitution: 58 (a)Coverage limits and deductible or self-insurance 59 amounts of insurance or other risk mitigation coverages acquired 60 for the protection of information technology systems, 61 operational technology systems, or data of an agency. 62 (b)Information relating to critical infrastructure. 63 (c)Cybersecurity incident information reported pursuant to 64 s. 282.318 or s. 282.3185. 65 (d)Network schematics, hardware and software 66 configurations, or encryption information or information that 67 identifies detection, investigation, or response practices for 68 suspected or confirmed cybersecurity incidents, including 69 suspected or confirmed breaches, if the disclosure of such 70 information would facilitate unauthorized access to or 71 unauthorized modification, disclosure, or destruction of: 72 1.Data or information, whether physical or virtual; or 73 2.Information technology resources, which include an 74 agencys existing or proposed information technology systems. 75 (3)Any portion of a meeting that would reveal information 76 made confidential and exempt under subsection (2) is exempt from 77 s. 286.011 and s. 24(b), Art. I of the State Constitution. An 78 exempt portion of a meeting may not be off the record and must 79 be recorded and transcribed. The recording and transcript are 80 confidential and exempt from s. 119.07(1) and s. 24(a), Art. I 81 of the State Constitution. 82 (4)The public records exemptions contained in this section 83 apply to information held by an agency before, on, or after July 84 1, 2022. 85 (5)(a)Information made confidential and exempt pursuant to 86 this section shall be made available to a law enforcement 87 agency, the Auditor General, the Cybercrime Office of the 88 Department of Law Enforcement, the Florida Digital Service 89 within the Department of Management Services, and, for agencies 90 under the jurisdiction of the Governor, the Chief Inspector 91 General. 92 (b)Such confidential and exempt information may be 93 disclosed by an agency in the furtherance of its official duties 94 and responsibilities or to another agency or governmental entity 95 in the furtherance of its statutory duties and responsibilities. 96 (6)Agencies may report information about cybersecurity 97 incidents in the aggregate. 98 (7)This section is subject to the Open Government Sunset 99 Review Act in accordance with s. 119.15 and shall stand repealed 100 on October 2, 2026 2027, unless reviewed and saved from repeal 101 through reenactment by the Legislature. 102 Section 2.Subsection (9) of section 282.318, Florida 103 Statutes, is amended, and subsections (5) and (6) of that 104 section are republished, to read: 105 282.318Cybersecurity. 106 (5)The portions of risk assessments, evaluations, external 107 audits, and other reports of a state agencys cybersecurity 108 program for the data, information, and information technology 109 resources of the state agency which are held by a state agency 110 are confidential and exempt from s. 119.07(1) and s. 24(a), Art. 111 I of the State Constitution if the disclosure of such portions 112 of records would facilitate unauthorized access to or the 113 unauthorized modification, disclosure, or destruction of: 114 (a)Data or information, whether physical or virtual; or 115 (b)Information technology resources, which include: 116 1.Information relating to the security of the agencys 117 technologies, processes, and practices designed to protect 118 networks, computers, data processing software, and data from 119 attack, damage, or unauthorized access; or 120 2.Security information, whether physical or virtual, which 121 relates to the agencys existing or proposed information 122 technology systems. 123 124 For purposes of this subsection, external audit means an audit 125 that is conducted by an entity other than the state agency that 126 is the subject of the audit. 127 (6)Those portions of a public meeting as specified in s. 128 286.011 which would reveal records which are confidential and 129 exempt under subsection (5) are exempt from s. 286.011 and s. 130 24(b), Art. I of the State Constitution. No exempt portion of an 131 exempt meeting may be off the record. All exempt portions of 132 such meeting shall be recorded and transcribed. Such recordings 133 and transcripts are confidential and exempt from disclosure 134 under s. 119.07(1) and s. 24(a), Art. I of the State 135 Constitution unless a court of competent jurisdiction, after an 136 in camera review, determines that the meeting was not restricted 137 to the discussion of data and information made confidential and 138 exempt by this section. In the event of such a judicial 139 determination, only that portion of the recording and transcript 140 which reveals nonexempt data and information may be disclosed to 141 a third party. 142 (9)Subsections (5) and (6) are subject to the Open 143 Government Sunset Review Act in accordance with s. 119.15 and 144 shall stand repealed on October 2, 2026 2025, unless reviewed 145 and saved from repeal through reenactment by the Legislature. 146 Section 3.This act shall take effect July 1, 2025.