A Florida bill shielding state cybersecurity information from public disclosure is now the law of the land.
Gov. Rick Scott signed S.B. 624 Friday, following months of negotiation. The legislation, which was sponsored by state Sen. Alan Hays, creates a new exemption in the state’s public records law to let agencies withhold information about network breaches and security audits.
Florida’s Agency for State Technology worked with Hays to craft the bill and introduce it in October, and it passed the Legislature earlier this month.
“SB 624 ensures that we will be able to protect agencies’ most critical and important data,” Jason Allison, the agency’s executive director and state chief information officer, wrote in a statement. “We thank Senator Alan Haysfor sponsoring this bill and Governor Scott for signing it into law.”
State Chief Information Officer Danielle Alvarez previously told StateScoop that the legislation is an important proactive step for Florida to prevent any would-be cyberattackers from obtaining information about vulnerable spots in the state’s systems.
Open government advocates were initially concerned that the bill’s provisions were overly broad and could allow the state to shield all information about network breaches, instead of just the information that would prove useful to hackers. Barbara Petersen, president of the nonprofit First Amendment Foundation, worked frequently with lawmakers and the AST to refine its terms, ultimately reaching a compromise.
According to Alvarez, the bill will still let citizens request general information about network breaches or security audits, but will let agencies withhold specific technical details that would prove useful to attackers.
“All agencies possess valuable IT data,” Alvarez said in a statement. “If that data were to fall into the wrong hands, it could severely threaten and compromise essential applications that could lead to the destruction of data or IT resources.”
The AST also hailed Scott’s decision to sign H.B. 1033, a bill from Rep. Frank Artiles and Sen. Jeremy Ring that adds promoting state cybersecurity to the AST’s list of responsibilities and gives the agency the ability to hire private vendors to conduct security audits, in addition to establishing a series of plans for how agencies respond to security incidents.
Contact the reporter who wrote this story at email@example.com, or follow him on Twitter at @AlexKomaSNG.