An Exception to Florida Sunshine Laws – Helping Cybersecurity Secrecy


By: Jeremy W. Rogers

For the legally uninitiated, in hearing the term “sunshine laws,” it would be easy to misunderstand what exactly that would entail. This is especially so in Florida where tourism boards and state marketing inundate the eyes and ears with all forms of advertising centered on the wonderful weather. Florida is, after all, known as the “Sunshine State.” Even when it rains, you may hear it referred to as “liquid sunshine.” What are sunshine laws, then? Obviously, there is no statute in Florida mandating that sunshine be the order of each day. Sunshine laws are, rather, statutes that govern public access to government records. They exist in a number of states, and are sometimes known as open records laws, public records laws, or FOIA laws (after the federal Freedom of Information Act).

In Florida, there are multiple statute sections covering open access to government records. The openness of records in Florida dates back to the original passage of Chapter 119 in 1909. Over the years, decisional law has interpreted Florida’s sunshine laws very liberally. Any question is answered in favor of openness, while exceptions are construed narrowly. This is particularly true in more recent years as technology has evolved at a tremendous pace. Seemingly every government related document, in any form including electronic, is open to review by anyone who goes through proper channels to obtain it. It is somewhat surprising to many, frankly, just how comprehensive and inclusive Florida’s open records laws are interpreted. They can include the more obvious records, such as official reports, down to the more questionable such as emails or texts, to the more personal such as personnel records. The records do, however, need to relate in some way or fashion to governmental official business, but, again, the laws are interpreted very broadly.

The exceptions to the laws are limited. They do cover, for example, information related to medical records, security, active criminal investigations, and some personal identification records. Importantly, the laws apply to all units of state, county, and local government as well as entities or individuals acting on behalf of any public agency.

The overarching policy of openness belies the necessity for comprehensive and strong security measures to combat and help prevent cyberattacks against government and government-related agencies and agents. As noted above, any independent contractor of a government entity or agency may fall within the definition of an agent working on behalf of a public entity, thus having the sunshine laws apply to its records. One can easily imagine the issues that may arise if records regarding cybersecurity, network breaches, detection methodology, response practices, security audits, etc. were available to the public. This would have the very real potential, and likelihood, of exposing information about vulnerable spots in the state’s or agent’s systems to cyberattackers. Once this information is obtained, there is untold havoc that could be inflicted.

Fortunately, this loophole in the sunshine laws was closed by § 282.318, Florida Statutes which exempts such information and records from Florida’s sunshine laws. This exemption would seem to go against what is the norm for public records in Florida. However, to its credit, the legislature has historically exempted from availability matters that may jeopardize public safety or may negatively affect personal privacy or security. The cyber matters discussed herein certainly fall within those categories. What is somewhat different, however, is that this particular potential loophole was closed proactively rather than reactively. In other words, this was addressed prior to the advent of significant security issues from disclosure under the sunshine laws. This is opposed to changing the laws afterward. These measures will certainly not prevent cyberattacks, but they help to avoid a situation where the key is being handed to them on a platter.

If you have any questions or would like more information, please contact Jeremy W. Rogers at