Can a Florida public agency hire a third-party cybersecurity firm to do penetration testing on its computers, knowing that during the test the vendor might see records (like Social Security numbers and law enforcement officers' home addresses) that are confidential or exempt under Florida's public records law?
Subject
Public records, cybersecurity testing
Plain-English summary
The Pompano Beach Police & Firefighters' Retirement System wanted to hire a cybersecurity firm to attempt to break into its computer systems (penetration testing) to find vulnerabilities. The catch was that during the test, the vendor would have potential access to records that were confidential or exempt under Florida's public records law: Social Security numbers of agency employees, plus home addresses, phone numbers, dates of birth, and photographs of active and former law enforcement officers and certified firefighters. The Board's legal counsel asked whether Chapter 119 forbade the engagement.
The AG concluded that the engagement was permissible, with conditions, and analyzed two distinct legal categories. For confidential SSN data, the agency could disclose to a vendor under § 119.071(5)(a)(6)(g) if the Trustees determined the testing was "for the purpose of the administration" of the pension fund. The AG cited Black's Law Dictionary's broad definition of "administration" and noted that a Florida statute governing state agencies (§ 282.318(4)(d)), a Florida Administrative Code rule for Supervisors of Elections (Rule 1S-2.004), and NIST Special Publication 800-53 all contemplate cybersecurity risk assessments or penetration testing as recognized security practices. For merely exempt (not confidential) records about law enforcement personnel and firefighters, prior AG opinions had established that exempt records may be disclosed when there is a "substantial policy need" and the disclosure is not inconsistent with the purpose of the exemption. The AG concluded that incidental vendor access for cybersecurity testing under a confidentiality agreement would not appear to be inconsistent with the safety-protection purpose underlying the law-enforcement-record exemption, provided the Trustees determined there was a substantial policy need for the testing.
The AG flagged that the actual procurement, contract terms, and security safeguards were beyond the scope of the opinion and required the Board's own due diligence.
Currency note
This opinion was issued in 2019. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Common questions
What is penetration testing?
A specialized assessment in which an authorized third party attempts to break into an organization's information systems to identify vulnerabilities that adversaries could exploit. The definition quoted in the opinion ("a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries") comes from NIST Special Publication 800-53, which lists penetration testing as a security control (CA-8).
What is the difference between confidential and exempt records under Florida law?
Confidential records are not subject to public inspection at all and may only be released to the persons or organizations specifically designated in the statute (WFTV, Inc. v. School Bd. of Seminole). Exempt records are not subject to mandatory public disclosure, but the exemption does not prohibit the custodian agency from releasing them (Rameses, Inc. v. Demings); under prior AG opinions, an agency may disclose exempt records when there is a statutory or substantial policy need and the disclosure is not inconsistent with the exemption's purpose.
What was confidential here?
Social Security numbers under § 119.071(4)(a)1. SSNs of current and former agency employees held by the employing agency are "confidential and exempt."
What was merely exempt?
Home addresses, telephone numbers, dates of birth, and photographs of active or former sworn law enforcement personnel under § 119.071(4)(d)2.a, and the same information about current or former firefighters certified under § 633.408, under § 119.071(4)(d)2.d. These records are exempt but not confidential.
What rule lets the agency disclose SSNs to a vendor?
§ 119.071(5)(a)(6)(g) permits disclosure when "for the purpose of the administration of a pension fund administered for the agency employee's retirement fund, deferred compensation plan, or defined contribution plan." Citing Black's Law Dictionary's broad definition of "administration," the AG indicated that security testing of the systems holding the fund's data could fall within that term, but left the actual determination to the Trustees.
What evidence supported treating penetration testing as "administration"?
The AG cited three sources. First, § 282.318(4)(d) requires each state agency head to conduct, and update every three years, a comprehensive risk assessment of security threats to the agency's data and information technology resources, which may be completed by a private sector vendor. Second, Florida Administrative Code Rule 1S-2.004 expressly identifies "penetration testing" as an "appropriate" security procedure for Supervisors of Elections. Third, NIST SP 800-53 lists penetration testing among the security controls for implementing the minimum security requirements for federal information systems. The AG noted that none of these provisions applies directly to the Retirement System; they were cited as evidence that cybersecurity testing is a recognized practice.
What rule lets the agency disclose merely exempt records to a vendor?
The "substantial policy need" framework. AG Op. 96-36 (1996) approved release of exempt active criminal investigative information to a private company that compiled, synthesized, and summarized raw police data into reports for the police department's own use, reasoning that the disclosure was not inconsistent with the purpose underlying the exemption. The 2019 opinion applied the same logic to a cybersecurity vendor working under a confidentiality and non-disclosure agreement.
What is the purpose of the law-enforcement-record exemption?
Ensuring the safety of the officers and firefighters. The AG concluded that potential access to or incidental release of the records to a vendor under a confidentiality agreement, for the purpose of ascertaining and ensuring their cybersecurity, would not appear to be inconsistent with that purpose, provided the Trustees determined there was a substantial policy need for the testing. The disclosure was in service of making the records more secure overall.
What did the agency need to do to comply?
The AG specified two determinations the Board would need to make: (1) that the penetration testing was "for the purpose of the administration of a pension fund," to fit the SSN-disclosure exception, and (2) that there was a "substantial policy need" for the testing, to justify the incidental exposure of merely exempt records. Both conclusions were also premised on the vendor operating under a confidentiality and non-disclosure agreement and on the testing being conducted "as ultimately proposed to be implemented," so the Board's determinations should be tied to the actual scope of the engagement.
Did the opinion approve the specific contract or process?
No. The AG explicitly noted that procurement authority, contract provisions, and security safeguards for the testing operations were beyond the scope of the opinion. The Board was responsible for its own due diligence on those issues.
Background and statutory framework
Confidential vs. exempt records
Florida's public records statute, Chapter 119, distinguishes between two categories of non-public records:
- Confidential: not subject to any public inspection and only releasable to entities listed in the statute (WFTV).
- Exempt: not subject to mandatory public disclosure but capable of voluntary release for legitimate agency purposes (Rameses).
This distinction matters because the AG's analysis differs for each category.
SSN confidentiality and the pension-administration exception
§ 119.071(4)(a)1 makes SSNs of current and former agency employees confidential. § 119.071(5) lists permissible disclosures, including § 119.071(5)(a)(6)(g): SSNs may be disclosed "for the purpose of the administration" of the agency's pension fund, deferred compensation plan, or defined contribution plan.
The AG's reading: penetration testing aimed at protecting pension-administration data is itself a form of pension administration. Black's Law Dictionary defines "administration" as "management or performance of the executive duties of a government, institution, or business; collectively, all the actions that are involved in managing the work of an organization."
Sources for treating cybersecurity as administration
- § 282.318(4)(d): state agencies must conduct comprehensive risk assessments (which can use private vendors) every three years.
- Fla. Admin. Code R. 74-2.002: requires identification and documentation of asset vulnerabilities.
- Fla. Admin. Code R. 1S-2.004: identifies penetration testing as an "appropriate" security procedure for Supervisors of Elections.
- NIST Special Publication 800-53: lists penetration testing among recommended security controls for federal information systems.
Law enforcement and firefighter exemption
§ 119.071(4)(d)2 exempts home addresses, telephone numbers, dates of birth, and photographs of active or former sworn law enforcement personnel (2.a) and of current or former firefighters certified under § 633.408 (2.d). § 119.071(4)(d)3 requires an agency that is not the employer but is the custodian of records pertaining to such a person to maintain the exemption when the person or the employing agency submits a written request.
The Board had received written maintenance requests from the employing agencies. So those records were exempt, not confidential.
The "substantial policy need" framework
Prior AG opinions (90-50, 96-36, 05-38, 10-37, 14-07) established that exempt records may be disclosed when there is a statutory or substantial policy need and the disclosure is not inconsistent with the exemption's purpose. AG Op. 96-36 specifically approved release of exempt active criminal investigative information to a private company that compiled, synthesized, and summarized raw police data into reports for the police department's own use.
The 2019 opinion extended that logic to cybersecurity testing. The exemption protected officer safety; testing the security of the systems holding those records advanced that same protective purpose.
Required Board determinations
To rely on this opinion, the Board needed to:
- Determine that the penetration testing was for the purpose of the administration of the pension fund (for the SSN exception).
- Determine that there was a substantial policy need for the testing (for the merely exempt records).
- Execute a confidentiality and non-disclosure agreement with the vendor.
Citations
- Ch. 119, Fla. Stat. (Florida Public Records Law)
- § 119.071(4)(a)1, Fla. Stat. (SSNs confidential)
- § 119.071(4)(d)2, Fla. Stat. (law enforcement and firefighter records exempt)
- § 119.071(4)(d)3, Fla. Stat. (custodian must maintain exemption on request)
- § 119.071(5)(a)(6)(g), Fla. Stat. (pension-administration disclosure exception)
- § 282.318(4)(d), Fla. Stat. (state agency risk assessment)
- Fla. Const. art. I, § 24(a) (constitutional public records access)
- Fla. Admin. Code R. 1S-2.004 (penetration testing as appropriate security procedure)
- Fla. Admin. Code R. 74-2.002 (identification and documentation of asset vulnerabilities)
- WFTV, Inc. v. School Bd. of Seminole, 874 So. 2d 48 (Fla. 5th DCA 2004)
- Rameses, Inc. v. Demings, 29 So. 3d 418 (Fla. 5th DCA 2010)
- Fla. AG Ops. 90-50, 96-36, 05-38, 10-37, 14-07
- NIST Special Publication 800-53 (security controls)
- FIPS PUB 200 (minimum security requirements)
Source
- Landing page: https://www.myfloridalegal.com/ag-opinions/public-records-cybersecurity-testing
- Original PDF: https://www.myfloridalegal.com/print/pdf/node/1475
Original opinion text
Mr. Robert A. Sugarman
Legal Counsel to the Board of Trustees, Pompano Beach Police & Firefighters' Retirement System
100 Miracle Mile, Suite 300
Coral Gables, Florida 33134
RE: PUBLIC RECORDS – BOARD OF TRUSTEES OF THE POMPANO BEACH POLICE & FIREFIGHTERS' RETIREMENT SYSTEM – ENGAGING CYBERSECURITY VENDOR TO CONDUCT PENETRATION TESTING OF AGENCY'S ELECTRONIC DATA STORAGE SYSTEMS – whether chapter 119 precludes an agency covered by that chapter from engaging a vendor to conduct penetration testing of the agency's electronic data storage systems for the purpose of detecting and remedying vulnerabilities that would permit unauthorized persons ("hackers") to have access to information that is exempt from disclosure under sections 119.071(4)(d)2.a & d and confidential under section 119.071(4)(a)1. Sections 119.071(4)(d)2.a & d and 119.071(4)(a)1, Fla. Stat.
Dear Mr. Sugarman:
This office has received your inquiry on behalf of the Board of Trustees of the Pompano Beach Police & Firefighters' Retirement System ("Trustees"), which you have described as "a local law defined benefit pension plan established by the City of Pompano Beach, Florida . . . to provide eligible police officers and firefighters and their survivors with retirement, death and disability benefits."
Specifically, you have asked for an opinion addressing the following [rephrased] question:
Does chapter 119 preclude "an agency covered by that chapter" from engaging a "vendor to conduct penetration testing of the agency's electronic data storage systems for the purpose of detecting and remedying vulnerabilities" where such testing would potentially allow the vendor "to have access to information that is exempt from disclosure under sections 119.071(4)(d)2.a & d, Florida Statutes (2018), and confidential under section 119.071(4)(a)1., Florida Statutes" (pertaining to social security numbers)?
In sum:
If the Trustees determine that the vendor penetration testing will be "for the purpose of the administration of a pension fund" within the meaning of section 119.071(5), then it appears that any incidental disclosure to the cybersecurity vendor conducting penetration testing under a confidentiality and non-disclosure agreement would not violate chapter 119, Florida Statutes. Additionally, potential access to or incidental release of exempt information about law enforcement personnel and firefighters to a vendor under a confidentiality agreement, for the purpose of ascertaining and ensuring its cybersecurity, would not appear to be inconsistent with the purpose underlying the exemption (i.e., ensuring the safety of such personnel), if the Trustees determine there is a "substantial policy need" to undertake the vendor penetration testing (as ultimately proposed to be implemented).
In asking this question, you have briefly described the proposed vendor services:
In order to protect the sensitive and confidential information described above and otherwise protect the integrity of [its] computer data systems, the Retirement System, at the recommendation of its computer consultant, desires to engage a third-party cybersecurity vendor to conduct penetration testing. This testing will determine the security of the information stored in the Retirement System's database. In conducting such testing, the third party will attempt to penetrate ("hack") the Retirement System's electronic data storage systems. The purpose of the penetration testing is to detect any system vulnerabilities and remedy them, thereby ensuring the safeguarding of the sensitive and confidential information. However, if the vendor is successful in penetrating the Retirement System's database security measures, the vendor will be able to inspect and copy the sensitive and confidential information protected by the statutory sections cited above. The vendor will sign a confidentiality and non-disclosure agreement.
Potential Vendor Access to Social Security Numbers
As observed in your request, under section 119.071(4)(a)1, "[t]he social security numbers of all current and former agency employees which are held by the employing agency are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution."
"If information is made confidential in the statutes, the information is not subject to inspection by the public and may only be released to the persons or organizations designated in the statute." However, section 119.071(5), Florida Statutes, provides certain exceptions to this general rule of confidentiality. As applicable here, it provides that "[s]ocial security numbers held by an agency may be disclosed if: . . . [t]he disclosure of the social security number is for the purpose of the administration of a pension fund administered for the agency employee's retirement fund, deferred compensation plan, or defined contribution plan."
"Administration" is defined as the "management or performance of the executive duties of a government, institution, or business; collectively, all the actions that are involved in managing the work of an organization." Black's Law Dictionary (10th ed. 2014). While you have cited no statute addressing the proposed cybersecurity testing of the subject computer systems as applied to the Pompano Beach Police & Firefighters' Retirement System, there are statutory and rule provisions affecting state agencies and Supervisors of Elections which contemplate cybersecurity risk assessments to identify threats to information technology resources.
For example, section 282.318(4)(d), Florida Statutes—which establishes information technology services management requirements for state agencies—provides, among other things, that each "state agency head shall, at a minimum: . . . (d) Conduct, and update every 3 years, a comprehensive risk assessment, which may be completed by a private sector vendor, to determine the security threats to the data, information, and information technology resources, including mobile devices and print environments, of the agency."
Further, rule 1S-2.004 of the Florida Administrative Code, which applies to Supervisors of Elections, does identify "penetration testing" as an "appropriate" security procedure.
Penetration testing is a "specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries." Pursuant to the Federal Information Security Act, 40 U.S.C. § 1331, the National Institute for Standards and Technology ("NIST") has published standards that provide minimum information security requirements for non-defense federal information systems maintained by federal agencies. In conjunction with federal defense and intelligence agencies, and to implement these minimum security standards, NIST has published NIST Special Publication 800-53, which sets forth information security controls. Penetration testing is among the recommended controls for implementing the minimum security standards.
If the Trustees determine the vendor penetration testing will be "for the purpose of the administration of a pension fund" within the meaning of section 119.071(5), then it appears that any incidental disclosure to the cybersecurity vendor conducting penetration testing under a confidentiality and non-disclosure agreement would not violate chapter 119, Florida Statutes.
Potential Vendor Access to Exempt Employee Information
Section 119.071 also provides, in subsection (4)(d)2, that the "home addresses, telephone numbers, dates of birth, and photographs of active or former sworn . . . law enforcement personnel" and the "home addresses, telephone numbers, dates of birth, and photographs of current or former firefighters certified in compliance with s. 633.408" are "exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution." Under section 119.071(4)(d)3., Florida Statutes, an agency that is not the employer of, but is the custodian of records pertaining to, one of the persons enumerated in section 119.071(4)(d), Florida Statutes, is required to maintain such person's exemption if the person or his or her employing agency submits a written request to the custodian. In your letter, you have indicated that "[t]he employing agencies of the members have submitted a written request for maintenance of the exemption under subsection 119.071(4)(d)3 of the Florida Statutes."
Notwithstanding these statutory provisions, a distinction is made between public records that are "exempt" from disclosure and records that are "confidential." "If records are not confidential but are only exempt from the Public Records Act, the exemption does not prohibit the showing of such information." Based upon this distinction, this office has concluded that, in cases when there is a statutory or substantial policy need to disclose exempt information to a requesting agency or entity, the information may be disclosed.
For example, in Florida Attorney General Opinion 96-36, the City of North Miami Police Department was interested in contracting with a company that compiled, integrated, synthesized, and summarized raw police and other data from a variety of sources and provided informational reports to law enforcement in a format that was "helpful and user friendly." Observing that the "release of exempt criminal investigative information to a company that compiles and summarizes raw police data and provides informational reports to law enforcement in a format that is helpful and user friendly" was "not inconsistent with the purpose underlying the exemption for active criminal investigative information," this office concluded "that the police department may release active criminal investigative information exempted by section 119.07(3)(b) [now 119.071(2)(c)1], Florida Statutes, to the company for the purpose of compiling, synthesizing, and summarizing such information for the police department."
As applied here, information about law enforcement personnel and firefighters is exempt from disclosure in the interest of ensuring the safety of such personnel. Potential access to or incidental release of such information to a vendor under a confidentiality agreement, for the purpose of ascertaining and ensuring its cybersecurity, would not appear to be inconsistent with the purpose underlying the exemption, if the Trustees determine there is a "substantial policy need" to undertake the vendor penetration testing (as ultimately proposed to be implemented).
Sincerely,
Ashley Moody
Attorney General
AM/tlm