Actions: [3] HCPAC/HJC-HCPAC [6] DP/a-HJC [14] DNP-CS/DP [15] PASSED/H (46-19) [12] SHPAC-SHPAC [15] DP [18] PASSED/S (37-0) SGND BY GOV (Mar. 30) Ch. 67.
Scheduled: Not Scheduled
House Bill 232 (HB 232) amends the Inspection of Public Records Act to exempt from disclosure information that could be used to compromised infrastructure or information technology systems.Legislation Overview:
House Bill 232 (HB 232) amends two sections of the Inspections of Public Records Act (IPRA). First, the bill provides that information concerning critical infrastructure or information technology systems are not capable of public inspection. In order to qualify for the exception to IPRA, the information about these systems, if published, could reveal specific risk assessments, security procedures or vulnerabilities that could be used to unlawfully access or compromise such systems. HB 232 defines “critical infrastructure” as infrastructure or durable equipment that is required for the public health, safety or welfare of individuals or communities and includes dams, transportation infrastructure and infrastructure essential to the delivery of utility services. HB 232 has an emergency clause, to take effect immediately.Amendments:
On February 11, 2023, the House Consumer and Public Affairs Committee amended HB 232 by adding a definition for “information technology”. “Information technology” is defined as computers, storage, networking, services and processes used to create, exchange, process, secure and store electronic data.Committee Substitute:
3/7 The House Judiciary Committee Substitute for HB 232 (HJC CS/HB 232) amends the Inspection of Public Records Act (IPRA), enacts a new section of IPRA regarding disclosure of law enforcement records, excepts from disclosure certain information regarding information technology systems, submissions of grant programs, land leases and scholarship programs and proprietary technical or business information. First, it enacts a new section of the Tourism Department Act that provides that certain information obtained by the Tourism Department is not subject to inspection pursuant to IPRA. This information includes proprietary technical or business information related to marketing campaigns for the state, and a consumer’s information provided during an on-line transaction related to a product provided by the department or its contractors. Second, it adds two new exceptions to IPRA: (1) information concerning information technology systems is not subject to IPRA. However, this exception cannot be used to restrict requests for records stored using information technology systems, audits of such systems, or information to validate records received pursuant to IPRA. And (2) submissions in response to a competitive grant, land lease or scholarship and related scoring materials and evaluation reports, until finalists are publicly named or the award is announced. Third, it enacts a new section of IPRA to explain which law enforcement records are not subject to IPRA. It provides that law enforcement records are public records (with exceptions) and records must redact nonpublic information. Victim and witness information must be redacted before charges are filed in certain violent offenses. An accused person’s information must be redacted before charges are filed. A visual depiction of a dead body, or of great bodily harm must be redacted unless a law enforcement officer caused the death. Visual depictions of intimate body parts must be redacted, as must the depiction of the notification to a member of the public of a family member’s death. Confidential sources must be redacted as well as mental/medical records of a person unless relevant to a criminal investigation of a person elected to or employed by a public body. The committee substitute details the information needed to request video or audio calls from law enforcement. A person may request to hear audio or view video on-site, but making a copy of this media is subject to redaction. Fourth, it amends the definitions in IPRA by adding a definition for “information technology system”, and amends the definition for “protected personal identifier information” to include credit or debit card number, and a non-elected public employee’s home street address (but not the city, state or zip code). HJC CS/HB 232 has an emergency clause, to take effect immediately.