Florida Statutes 119.0725 – Agency cybersecurity information; public records exemption; public meetings exemption
Current as of: 2023 | Check for updates
|
Other versions
(1) As used in this section, the term:
(a) “Breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of an agency does not constitute a breach, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Terms Used In Florida Statutes 119.0725
- Agency: means any state, county, district, authority, or municipal officer, department, division, board, bureau, commission, or other separate unit of government created or established by law including, for the purposes of this chapter, the Commission on Ethics, the Public Service Commission, and the Office of Public Counsel, and any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public agency. See Florida Statutes 119.011
- Assets: (1) The property comprising the estate of a deceased person, or (2) the property in a trust account.
- Information technology resources: means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. See Florida Statutes 119.011
- Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
- Public records: means all documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material, regardless of the physical form, characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency. See Florida Statutes 119.011
- Transcript: A written, word-for-word record of what was said, either in a proceeding such as a trial or during some other conversation, as in a transcript of a hearing or oral deposition.
(b) “Critical infrastructure” means existing and proposed information technology and operational technology systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect security, economic security, public health, or public safety.
(c) “Cybersecurity” has the same meaning as in s. 282.0041.
(d) “Data” has the same meaning as in s. 282.0041.
(e) “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. As used in this paragraph, the term “imminent threat of violation” means a situation in which the agency has a factual basis for believing that a specific incident is about to occur.
(f) “Information technology” has the same meaning as in s. 282.0041.
(g) “Operational technology” means the hardware and software that cause or detect a change through the direct monitoring or control of physical devices, systems, processes, or events.
(2) The following information held by an agency is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
(a) Coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages acquired for the protection of information technology systems, operational technology systems, or data of an agency.
(b) Information relating to critical infrastructure.
(d) Network schematics, hardware and software configurations, or encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches, if the disclosure of such information would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of:
1. Data or information, whether physical or virtual; or
2. Information technology resources, which include an agency’s existing or proposed information technology systems.
(3) Any portion of a meeting that would reveal information made confidential and exempt under subsection (2) is exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution. An exempt portion of a meeting may not be off the record and must be recorded and transcribed. The recording and transcript are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution.
(4) The public records exemptions contained in this section apply to information held by an agency before, on, or after July 1, 2022.
(5)(a) Information made confidential and exempt pursuant to this section shall be made available to a law enforcement agency, the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Florida Digital Service within the Department of Management Services, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.
(b) Such confidential and exempt information may be disclosed by an agency in the furtherance of its official duties and responsibilities or to another agency or governmental entity in the furtherance of its statutory duties and responsibilities.
(6) Agencies may report information about cybersecurity incidents in the aggregate.
(7) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2027, unless reviewed and saved from repeal through reenactment by the Legislature.