Florida’s governor has signed a bill that allows state agencies not to release details of data breaches and security audits if that information would “facilitate the unauthorized access, modification, disclosure or destruction of data”.
The new law, which went into effect on Friday, requires that agencies still release details of breaches to a group of state law enforcement and audit bureaus, including the Florida Department of Law Enforcement and the state inspector general.
“Records held by a state agency which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, are confidential and exempt from s. 38 119.07(1) and s. 24(a), Art. I of the State Constitution, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of: a. Data or information, whether physical or virtual; or b. Information technology resources,” the text of the law says.
The approval of the bill by Florida Gov. Rick Scott comes at a time when data breaches are a daily occurrence. Large retailers, health care companies, and government agencies all are targeted constantly by attackers looking to harvest customer payment and identity information. Earlier this year, a data breach hit the University of Central Florida, affecting 63,000 people.
The law does not exempt agencies from disclosing that a breach occurred, or what data was compromised, or how many people are affected, but allows them to keep specific details of attack methods and vulnerabilities confidential. The reasoning is that those details could be used by other attackers and aren’t necessary for disclosure. The exemption also applies to information from external security audits.
“Disclosure of a record, including a computer forensic analysis, or other information that would reveal weaknesses in a state agency’s data security could compromise the future security of that agency or other entities if such information were available upon conclusion of an investigation or once an investigation ceased to be active,” the law says.
“The disclosure of such a record or information could compromise the security of state agencies and make those state agencies susceptible to future data incidents or breaches.”
Florida’s new law is retroactive.