(1) All information received by the department pursuant to a notification of a violation under this part, or received by the department pursuant to an investigation by the department or a law enforcement agency of a violation of this part, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until such time as the investigation is completed or ceases to be active. This exemption shall be construed in conformity with s. 119.071(2)(c). (2) During an active investigation, information made confidential and exempt pursuant to subsection (1) may be disclosed by the department:(a) In the furtherance of its official duties and responsibilities;
(b) For print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or an improper use or disposal of customer records, except that information made confidential and exempt by subsection (3) may not be released pursuant to this paragraph; or
(c) To another governmental entity in the furtherance of its official duties and responsibilities.
(3) Upon completion of an investigation or once an investigation ceases to be active, the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:(a) All information to which another public records exemption applies.
(b) Personal information.
(c) A computer forensic report.
(d) Information that would otherwise reveal weaknesses in the data security of a controller, processor, or third party.
(e) Information that would disclose the proprietary information of a controller, processor, or third party.
(4) For purposes of this section, the term “proprietary information” means information that:(a) Is owned or controlled by the controller, processor, or third party.
(b) Is intended to be private and is treated by the controller, processor, or third party as private because disclosure would harm the controller, processor, or third party or its business operations.
(c) Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public.
(d) Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the department.
(e) Includes:1. Trade secrets as defined in s. 688.002. 2. Competitive interests, the disclosure of which would impair the competitive advantage of the controller, processor, or third party who is the subject of the information.
(5) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2028, unless reviewed and saved from repeal through reenactment by the Legislature.