The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Appropriations
BILL: CS/CS/SB 1694
INTRODUCER: Appropriations Committee; Military and Veterans Affairs, Space, and Domestic Security
Committee; and Senator Hutson
SUBJECT: Public Records and Public Meetings/Cybersecurity Incident or Ransomware Incident
DATE: March 2, 2022 REVISED:
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. Lloyd Caldwell MS Fav/CS
2. Hunter/Davis Sadberry AP Fav/CS
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/CS/SB 1694 adds language to section 282.3185, Florida Statutes, as created by CS/CS/SB
1670, to create a public records and meetings exemption for information relating to a
cybersecurity incident or ransomware incident held by a political subdivision1 or state agency to
the extent that a disclosure of such information would facilitate unauthorized access to or the
unauthorized modification, disclosure, or destruction of physical or virtual data or information
technology resources as defined in the exemption. It also provides a general public records
exemption for coverage limits and deductible or self-insurance amounts of insurance or other
risk mitigation coverages acquired for the protection of IT systems, operational technology
systems, or data of an agency. The bill:
Allows for information that has been made confidential and exempt under
section 119.07(1), Florida Statutes, and Article I, section 24(a) of the State Constitution to be
disclosed in limited circumstances by a political subdivision or state agency in the
furtherance of its or the other agency’s official or statutory duties or responsibilities;
Requires that any portion of a meeting, as well as transcripts and recordings of said meeting,
that includes the discussion of the referenced cybersecurity or ransomware incident
information also be made exempt from sections 286.011 and 119.07(1), Florida Statutes, and
Article I, section 24(a) of the State Constitution;
1
“Political subdivision” means a separate agency or unit of local government created or established by law and includes, but
is not limited to, the following and the officers thereof: authority, board, branch, bureau, city, commission, consolidated
government, county, department, district, institution, metropolitan government, municipality, office, officer, public
corporation, town, or village. Section 11.45(1)(k), F.S.
�BILL: CS/CS/SB 1694 Page 2
Prohibits any portion of an exempt public meeting from being off the record; and
Requires any portion of an exempted public meeting to be recorded and transcribed.
The exemption provided under the bill shall stand repealed effective October 2, 2027, unless
reviewed and saved from repeal through reenactment by the Legislature.
The bill provides a statement of public necessity that the public records exemption is necessary
as disclosure of information relating to cybersecurity and ransomware incidents held by a
political subdivision or the state could include information that could facilitate unauthorized
access to, or modification, disclosure or destruction of information, information technology, or
information resources. The bill includes a statement of public necessity for the closure of
portions of public meetings where confidential and exempt information is disclosed making the
meeting exempt from section 286.011, Florida Statutes.
The effective date of this act is the same date on which CS/CS/SB 1670 or similar legislation
takes effect, if such legislation takes effect in the same legislative session or an extension thereof
and becomes a law.
II. Present Situation:
Access to Public Records - Generally
The Florida Constitution provides that the public has the right to inspect or copy records made or
received in connection with official governmental business.2 The right to inspect or copy applies
to the official business of any public body, officer, or employee of the state, including all three
branches of state government, local governmental entities, and any person acting on behalf of the
government.3
Additional requirements and exemptions related to public records are found in various statutes
and rules, depending on the branch of government involved. For instance, s. 11.0431, F.S.,
provides public access requirements for legislative records. Relevant exemptions are codified in
s. 11.0431(2)-(3), F.S., and adopted in the rules of each house of the legislature.4 Florida Rule of
Judicial Administration 2.420 governs public access to judicial branch records.5 Lastly, ch. 119,
F.S., known as the Public Records Act, provides requirements for public records held by
agencies.
2
FLA. CONST. art. I, s. 24(a).
3
Id.
4
See Rule 1.48, Rules and Manual of the Florida Senate, (2020-2022) and Rule 14.1, Rules of the Florida House of
Representatives, Edition 1, (2020-2022)
5
State v. Wooten, 260 So. 3d 1060 (Fla. 4th DCA 2018).
�BILL: CS/CS/SB 1694 Page 3
Agency Records – The Public Records Act
The Public Records Act provides that all state, county, and municipal records are open for
personal inspection and copying by any person, and that providing access to public records is a
duty of each agency.6
Section 119.011(12), F.S., defines “public records” to include:
All documents, papers, letters, maps, books, tapes, photographs, films,
sound recordings, data processing software, or other material, regardless of
the physical form, characteristics, or means of transmission, made or
received pursuant to law or ordinance or in connections with the transaction
of official business by any agency.
The Florida Supreme Court has interpreted this definition to encompass all materials made or
received by an agency in connection with official business that are used to “perpetuate,
communicate, or formalize knowledge of some type.”7
The Florida Statutes specify conditions under which public access to public records must be
provided. The Public Records Act guarantees every person’s right to inspect and copy any public
record at any reasonable time, under reasonable conditions, and under supervision by the
custodian of the public record.8 A violation of the Public Records Act may result in civil or
criminal liability.9
The Legislature may exempt public records from public access requirements by passing a
general law by a two-thirds vote of both the House and the Senate.10 The exemption must state
with specificity the public necessity justifying the exemption and must be no broader than
necessary to accomplish the stated purpose of the exemption.11
General exemptions from the public records requirements are contained in the Public Records
Act.12 Specific exemptions often are placed in the substantive statutes relating to a particular
agency or program.13
6
Section 119.011(2), F.S., defines “agency” as “any state, county, district, authority, or municipal officer, department,
division, board, bureau, commission, or other separate unit of government created or established by law including, for the
purposes of this chapter, the Commission on Ethics, the Public Service Commission, and the Office of Public Counsel, and
any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public
agency.”
7
Shevin v. Byron, Harless, Schaffer, Reid and Assoc., Inc., 379 So. 2d 633, 640 (Fla. 1980).
8
Section 119.07(1)(a), F.S.
9
Section 119.10, F.S. Public records laws are found throughout the Florida Statutes, as are the penalties for violating those
laws.
10
FLA. CONST. art. I, s. 24(c).
11
Id. See, e.g., Halifax Hosp. Medical Center v. News-Journal Corp., 724 So. 2d 567 (Fla. 1999) (holding that a public
meetings exemption was unconstitutional because the statement of public necessity did not define important terms and did
not justify the breadth of the exemption); Baker County Press, Inc. v. Baker County Medical Services, Inc., 870 So. 2d 189
(Fla. 1st DCA 2004) (holding that a statutory provision written to bring another party within an existing public records
exemption is unconstitutional without a public necessity statement).
12
See, e.g., s. 119.071, F.S.
13
See, e.g., s. 213.053(2)(a), F.S., (exempting from public disclosure information contained in tax returns received by the
Department of Revenue).
�BILL: CS/CS/SB 1694 Page 4
When creating a public records exemption, the Legislature may provide that a record is “exempt”
or “confidential and exempt.” There is a difference between records the Legislature has
determined to be exempt from the Public Records Act and those that the Legislature has
determined to be exempt from the Public Records Act and confidential.14 Records designated as
“confidential and exempt” are not subject to inspection by the public and may only be released
under the circumstances defined by statute.15 Records designated as “exempt” may be released at
the discretion of the records custodian under certain circumstances.16
Current Cybersecurity Information Exemptions
Statutory exemptions for state agencies and utilities owned or operated by local governments
related to information technology are contained in ss. 282.318(5) through (10) and
119.0713(5), F.S., respectively. The current statutory language does not directly address
information related to cybersecurity incidents or ransomware incidents.
Portions of records held by a state agency17 that contain network schematics, hardware and
software configurations, or encryption, or that identify detection, investigation, or response
practices for suspected or confirmed cybersecurity18 incidents,19 including suspected or
confirmed breaches,20 are confidential and exempt21 from public record requirements if the
disclosure of such records would facilitate unauthorized access to or the unauthorized
modification, disclosure, or destruction of:
Data22 or information, whether physical or virtual; or
14
WFTV, Inc. v. The Sch. Bd. of Seminole County, 874 So. 2d 48, 53 (Fla. 5th DCA 2004).
15
Id.
16
Williams v. City of Minneola, 575 So. 2d 683 (Fla. 5th DCA 1991).
17
“State agency” means any official, officer, commission, board, authority, council, committee, or department of the
executive branch of state government; the Justice Administrative Commission; and the Public Service Commission. The term
includes the Department of Legal Affairs, The Department of Agriculture and Consumer Services, and the Department of
Financial Services. The term does not include university boards of trustees or state universities. See s. 282.0041(33), F.S.
18
“Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable
objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology
resources. See s. 282.0041(8), F.S.
19
“Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of
information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in
which the state agency has a factual basis for believing that a specific incident is about to occur. See s. 282.0041(19), F.S.
20
“Breach” means unauthorized access of data in electronic form containing personal information. Good faith access of
personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the
information is not used for a purpose unrelated to the business or subject to further unauthorized use. See s. 282.0041(3), F.S.
21
There is a difference between records the Legislature designates exempt from public record requirements and those the
Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under
certain circumstances. See WFTV, Inc. v. Sch. Bd. of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892
So.2d 1015 (Fla. 2004); City of Rivera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola,
575 So.2d 683, 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public
disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities
specifically designated in statute. See Op. Att’y Gen. Fla. 04-09 (2004).
22
“Data” means a subset of structured information in a format that allows such information to be electronically retrieved and
transmitted. See s. 282.0041(9), F.S.
�BILL: CS/CS/SB 1694 Page 5
Information technology (IT) resources,23 which includes:
o Information relating to the security of the agency’s technologies, processes, and practices
designed to protect networks, computers, data processing software, and data from attack,
damage, or unauthorized access; or
o Security information, whether physical or virtual, which relates to the agency’s existing
or proposed IT24 systems.25,26
In addition, any portion of a public meeting that would reveal any of the above-described
confidential and exempt records is exempt from public meeting requirements. Any portion of an
exempt meeting must be recorded and transcribed. The recordings and transcripts are
confidential and exempt from public record requirements unless a court of competent
jurisdiction, following an in camera review, determines that the meeting was not restricted to the
discussion of confidential and exempt data and information. If such a judicial determination
occurs, only the portion of the recording or transcript that reveals nonexempt data may be
disclosed.27
The confidential and exempt cybersecurity information must be available to the Auditor General,
the Cybercrime Office within the Florida Department of Law Enforcement (FDLE), the Florida
Digital Service (FLDS),28 and for agencies under the jurisdiction of the Governor, the Chief
Inspector General. In addition, the records may be made available to a local government, another
state agency, or a federal agency for cybersecurity purposes or in the furtherance of the state
agency’s official duties.29
Information related to the security of a utility30 owned or operated by a unit of local
government31 that is designed to protect the utility’s networks, computers, programs, and data
from attack, damage or unauthorized access, is exempt from public record requirements to the
extent disclosure of such information would facilitate the alteration, disclosure, or destruction of
data or IT resources.32
23
“Information technology resources” means data processing hardware and software and services, communications, supplies,
personnel, facility resources, maintenance, and training. See s. 282.0041(22), F.S.
24
“Information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure,
media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display,
store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange,
convert, converge, interface, switch, or disseminate information of any kind or form. See s. 282.0041(20), F.S.
25
Florida law provides a similar public record exemption for state university and Florida College System institutions. See
s 1004.055, F.S.
26
Section 282.318(5), F.S.
27
Section 282.318(7), F.S. Florida law provides a similar public meeting exemption for state university and Florida College
system institutions, see s. 1004.055, F.S.
28
Florida Digital Service (FLDS) (formerly the Division of State Technology) is a subdivision of the Department of
Management Services (DMS) and is charged with overseeing the state’s information technology (IT) resources.
Section 20.22(2)(b), F.S.
29
Section 282.318(8), F.S.
30
“Utility” means a person or entity that provides electricity, natural gas, telecommunications, water, chilled water, reuse
water, or wastewater. Section 119.011(15), F.S.
31
“Unit of local government” means a county, municipality, special district, local agency, authority, consolidated city -
county government, or any other local governmental body or public body corporate or politic aut