WeVote

Bill

Bill

SB 7020

OGSR/Agency Cybersecurity Information

2025 Regular Session Introduced by Nick DiCeglie

Extends state cybersecurity information confidentiality in public records and meetings for one year (to Oct 2, 2026) and aligns sunset reviews for related exemptions.

Chapter No. 2025-27
0
WeVote Research Nonpartisan
Bill Summary · SB 7020

SB 7020 — OGSR/Agency Cybersecurity Information (Chapter No. 2025‑27)

Status: Enacted (Chapter No. 2025‑27). Approved by Governor May 16, 2025. Effective date: October 1, 2025.
Introduced: March 13, 2025. Sponsor: Governmental Oversight and Accountability Committee.

Purpose / Intent

To extend, for one additional year, existing public-record and public‑meeting confidentiality protections for certain cybersecurity-related information held by state agencies and to align the sunset (Open Government Sunset Review) dates for related exemptions so they can be reviewed together in 2026. The stated policy objective is to prevent disclosure of information that could facilitate unauthorized access to or compromise of government IT systems and data.

Key provisions

  • Extends by one year the repeal date (from October 2, 2025 to October 2, 2026) of the confidentiality provisions in:
    • Section 282.318(5), Florida Statutes — makes confidential & exempt portions of risk assessments, evaluations, external audits, and other cybersecurity program reports when disclosure would facilitate unauthorized access, modification, disclosure, or destruction of:
    • Data or information (physical or virtual), or
    • IT resources, including information about security technologies, processes, practices, or security information about existing/proposed IT systems.
    • Section 282.318(6), Florida Statutes — exempts from public‑meetings law any portion of a meeting that would reveal the above confidential information.
  • Moves up by one year (to October 2, 2026) the sunset review date and repeal date for the confidentiality/exemptions in s. 119.0725(2) and (3), F.S. That statute currently protects, among other items:
    • Coverage limits and deductible/self‑insurance amounts for cyber or other risk‑mitigation coverages for IT/operational technology/data;
    • Information relating to critical infrastructure;
    • Cybersecurity incident information reported under ss. 282.318 or 282.3185, F.S.;
    • Network schematics, hardware/software configurations, encryption details, and detection/investigation/response practices for incidents.
  • Does not modify the substance of the exemptions — only delays their scheduled repeal/sunset and aligns review timing.

Who is affected

  • State agencies and their records custodians (executive branch) — the specified cybersecurity materials remain confidential and exempt from public inspection.
  • Local governments to the extent they report incidents under ss. 282.318/282.3185.
  • Insurance providers and risk managers (information about coverage limits/deductibles).
  • Members of the public, media, and government transparency advocates (continued limitation on access).
  • Auditors or contractors who prepare cybersecurity assessments (records remain protected).

Fiscal and procedural notes

  • Fiscal impact: bill analysis states no expected effect on state or local revenues/expenditures.
  • Legislative history highlights: favorably reported as a committee bill; passed both chambers (Senate 37‑0; House 116‑0); enrolled and approved by Governor; chaptered as 2025‑27.
  • Next review: The exemptions will be subject to Open Government Sunset Review in 2026 (scheduled repeal if not extended again).

Bottom line

SB 7020 does not create new confidentiality categories; it simply extends existing public-record and meeting exemptions for specific cybersecurity information by one year (to Oct. 2, 2026) and synchronizes related sunset review dates so the Legislature can consider them together in 2026.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.