(2) The State Chief Information Officer shall adopt rules allowing a state agency to request an exemption from the requirements of subsection (1) of this section when:
(a) The release of publishable data would subject the agency’s information systems to a substantial risk of cyberattack; or
(b) The state agency is purchasing software or vendor services and industry practices do not support downstream processing and dissemination activities. [2017 c.720 §5]