A new bill filed in the Florida Senate could soon allow state agencies to shield information about cyberattacks and network security breaches from the public eye.
State Sen. Alan Hays introduced S.B. 624 on Oct. 22 in an effort to create an exemption to the state’s public records law for “suspected or confirmed breaches” of Florida’s networks, as well as the results of audits and investigations into the state’s cyber defenses.
“People might think ‘oh my gosh, the government’s trying to be secretive,’” Hays told StateScoop. “You bet your boots we’re trying to be secretive, so we can protect your private information.”
It’s a measure that Hays said the state’s Agency for State Technology brought to him directly, and he said officials with the group stressed that the bill includes “critical safeguards.” An agency spokeswoman declined to comment on the bill.
Hays added that he’s unaware of any specific records requests that might have prompted the agency to call for action, noting that he believes the bill is merely a “preventive measure.”
However, open government advocates worry that the bill may unnecessarily hide information that the public has a right to access. Barbara Petersen, president of the nonprofit Florida First Amendment Foundation, said she has an array of concerns after evaluating the bill for the technology agency’s staff a few days ago.
“I understand and am sympathetic to the need to protect information relating to cybersecurity,” Petersen said. “We all know what’s been going on both in the private sector and the public sector, but we also want to make sure that the exemption is as narrow and as specific as we can make it be.”
Petersen said the bill, as written, would allow agencies to hide the results of its audits and investigations about the state’s cyber welfare.
“We have a right to know that the vulnerabilities exist, and I think we have a right to know what our government is doing to protect us,” Petersen said. “What it comes down to is between giving us enough information so we can reassure ourselves that government is doing what government should be doing, without providing too much information that the cyberattackers that will be able to use to create even more harm.”
But Hays defended the legislation.
“It’s not that we’re trying to keep information from the public that they have a purpose to know, but we’re trying to do everything we can to prevent any violation of the security of our IT systems,” Hays said.
Petersen also suggested the bill may not be constitutional, noting that the open records provisions included in Florida’s constitution require specific exemptions passed by the Legislature to shield any type of government record from disclosure. The bill might struggle to meet that standard, she said.
One solution might be to provide more concrete definitions of terms in the bill, even ones as simple as “data,” to explain what kind of information the government is hoping to protect, Petersen said.
Another might be “tightening up” the language governing the results of audits and investigations, according to Petersen. The bill currently states that any information about network breaches should be exempt if its disclosure “could facilitate the unauthorized access to or the unauthorized modification, disclosure, or destruction of data or information technology resources,” and Petersen hopes to see that same standard applied to the findings of state cybersecurity probes.
“If it’s not sensitive, it should be released,” Petersen said. “We don’t have to get the details of that necessarily, but we should at least know that they’re doing everything they should be doing in a competent manner.”
Petersen notes that the fact that the technology agency reached out to her at all about these issues is a “good sign” and they’re “amenable” to some of these remedies.
As staffers work to reconcile these disputes, Hays said he believes the committee process for the measure will start “pretty soon” and that it should move through the Legislature quickly.
He added, “To me, it’s one of those common-sense measures,” Hays said. “Once they find out what the bill actually does, then I think we should get it passed no problem.”
But Petersen warns that a more prudent course of action might be to make more wholesale changes to the measure, as local governments and state universities weigh efforts to pass similar bills.
“They all have the same problem,” Petersen said. “What I suggested is that we have one exemption in the state of Florida, all government entities, and that way we have the same standard applying to everybody. But that’s fallen on deaf ears.”
Contact the reporter who wrote this story at email@example.com, or follow him on Twitter at @AlexKomaSNG.