SPONSOR: Sen. Bushweller & Rep. K. Williams

Sens. Henry, Hocker, Peterson, Pettyjohn & Simpson;

Reps. Baumbach, Briggs King, Carson & Mitchell

 

DELAWARE STATE SENATE

148th GENERAL ASSEMBLY

 

SENATE BILL NO. 258

 

 

AN ACT TO AMEND TITLE 29 OF THE DELAWARE CODE RELATING TO THE FREEDOM OF INFORMATION ACT.

 


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

 


        Section 1.  Amend § 10002(l)(17)a., Title 29 of the Delaware Code, by making insertions as shown by underline and deletions as shown by strike through as follows:

        § 10002 Definitions.

(l) "Public record" is information of any kind, owned, made, used, retained, received, produced, composed, drafted or otherwise compiled or collected, by any public body, relating in any way to public business, or in any way of public interest, or in any way related to public purposes, regardless of the physical form or characteristic by which such information is stored, recorded or reproduced. For purposes of this chapter, the following records shall not be deemed public:

(17)a. The following records, which, if copied or inspected, could jeopardize the security of any structure owned by the State or any of its political subdivisions, or could facilitate the planning of a terrorist attack, or could endanger the life or physical safety of an individual:

7. Information technology (IT) infrastructure details, including but not limited to file layouts, data dictionaries, source code, logical and physical design of IT systems and interfaces, detailed hardware and software inventories, network architecture and schematics, vulnerability reports, and any other information that, if disclosed, could jeopardize the security or integrity of an information and technology system owned, operated or maintained by the State or any public body subject to the requirements of this Chapter.


SYNOPSIS

The Delaware Freedom of Information Act, 29 Del. C. Ch. 100 (“FOIA”) currently exempts from the definition of public record those documents that could jeopardize security of the state, “[f]acilitate the planning of a terrorist attack,” or “endanger the life or physical safety of an individual.” 29 Del. C. § 10002 (l)(17)(a)(2).  While the current provision includes “telecommunications network facilities and switching equipment,” the provision has not been updated since its adoption in 2002 in response to the September 11, 2001 terrorist attacks, and it may not sufficiently protect the State’s information security systems from FOIA requests that are designed to facilitate a cyber security attack.  This legislation adds language that allows the Department of Technology and Information, as well as other public bodies subject to FOIA, to refrain from disclosing information about the underpinnings of our state computer network and systems.  This information in the hands of a requestor increases the risk of a cyber attack and may allow a requesting party to obtain confidential data about the State’s citizens (including confidential payroll, medical, academic, and personnel records).  This exemption is similar to the existing provisions that exempt the State from withholding blueprint and alarm system data that would allow a burglar to break into a physical building. 

 

Author: Senator Bushweller