(1) As used in this section, the term:(a) “Breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of an agency does not constitute a breach, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
(b) “Critical infrastructure” means existing and proposed information technology and operational technology systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect security, economic security, public health, or public safety.
(c) “Cybersecurity” has the same meaning as in s. 282.0041. (d) “Data” has the same meaning as in s. 282.0041. (e) “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. As used in this paragraph, the term “imminent threat of violation” means a situation in which the agency has a factual basis for believing that a specific incident is about to occur.
(f) “Information technology” has the same meaning as in s. 282.0041. (g) “Operational technology” means the hardware and software that cause or detect a change through the direct monitoring or control of physical devices, systems, processes, or events.
(2) The following information held by an agency is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:(a) Coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages acquired for the protection of information technology systems, operational technology systems, or data of an agency.
(b) Information relating to critical infrastructure.
(c) Cybersecurity incident information reported pursuant to s. 282.318 or s. 282.3185. (d) Network schematics, hardware and software configurations, or encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches, if the disclosure of such information would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of:1. Data or information, whether physical or virtual; or
2. Information technology resources, which include an agency’s existing or proposed information technology systems.
(3) Any portion of a meeting that would reveal information made confidential and exempt under subsection (2) is exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution. An exempt portion of a meeting may not be off the record and must be recorded and transcribed. The recording and transcript are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution. (4) The public records exemptions contained in this section apply to information held by an agency before, on, or after July 1, 2022.
(5)(a) Information made confidential and exempt pursuant to this section shall be made available to a law enforcement agency, the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Florida Digital Service within the Department of Management Services, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.
(b) Such confidential and exempt information may be disclosed by an agency in the furtherance of its official duties and responsibilities or to another agency or governmental entity in the furtherance of its statutory duties and responsibilities.
(6) Agencies may report information about cybersecurity incidents in the aggregate.
(7) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2027, unless reviewed and saved from repeal through reenactment by the Legislature.