Supreme Court, insofar as to issues appealed, denied a petition to compel the New York City Department of Citywide Administration [DCAS] to disclose records requested by the Freedom Foundation [Foundation] pursuant to the Freedom of Information Law [FOIL (Public Officers Law §84 et seq)], and dismissed the proceeding Foundation had brought pursuant to CPLR Article 78. The Appellate Division unanimously affirmed the Supreme Court's ruling.
Foundation is a 501(c)(3) corporation that opposes public employee unions and the Appellate Division's decision notes that "As part of its mission, [Foundation] contacts represented public employees to inform them of their rights to opt out of union membership".
An employee of Foundation had submitted a FOIL request [the "May request"] to DCAS. This initial request "for each City of New York employee who is currently employed in a position covered by a collective bargaining agreement with American Federation of State, County and Municipal Employees (AFSCME) District Council 37" [DC 37], the employee's name, office mailing address, job title, hire date, agency/department, work email address, work telephone number, and bargaining unit".
DCAS's Records Access Officer (RAO) denied this FOIL Request on two grounds: 1) the disclosure would constitute an "unwarranted invasion of personal privacy" within the meaning of Public Officers Law §§87(2)(b) and 89(2)(b)(iii) and 2) the disclosure would "create a serious security risk to the City of New York's critical information technology assets" within the meaning of Public Officers Law §87(2)(i). Foundation did not administratively appeal this denial.
In the following September another employee of Foundation submitted a second FOIL request [the September request] to DCAS seeking, "for all New York City employees" [i.e. not limited to members of DC 37], the employee's name, age, gender, office mailing address, work email address, job title, job code, salary, salary schedule, bargaining unit name/number/identifier, hire date, and agency/department. The employee said that the "information will not be used for solicitation or fund-raising purposes." Foundation's was not identified in this second FOIL Request. The RAO denied this second request because it was "essentially identical" to the initial [May] FOIL Request, noting that the metadata of this second FOIL Request indicated this "second employee" was the "author" of the May initial request. As there was no administrative appeal of the May FOIL Request, the RAO found that "[t]he determination is now final[,] and the request cannot be revived by resubmission." This second Foundation employee timely appealed this second denial.
Subsequently DCAS's General Counsel affirmed the RAO's determination because the September FOIL Request "sought the same information" as the May FOIL Request, which was denied and not appealed within the requisite 30 days".
In addition, the General Counsel affirmed on the grounds that (1) Foundation's "intention . . . is to use the requested information to solicit, request, importune, entreat and seek New York City employees to abandon union membership," such that "disclosure ... would constitute an unwarranted invasion of personal privacy under Public Officers Law §89(2)(b)(iii)" and (2) such "disclosure would create a substantial risk to the information technology infrastructure of the City of New York, including computer hardware, software, and data," pursuant to Public Officers Law §87(2)(i). General Counsel also contended Foundation's petition was time-barred because it sought review of DCAS's denial of the substantially similar May FOIL Request.
DCAS also argued that it properly withheld the information pursuant to FOIL's solicitation and cybersecurity exemptions, contending the "requested mass release of all New York City employees' email addresses would relinquish control of the City's information technology assets and jeopardize the security of those assets and of City infrastructure" by "mak[ing] it substantially easier for threat actors to successfully attack City ... employees" in "[p]hishing and other email-based attacks," which could give "threat actors access to the City's network, systems, and confidential information."
Supreme Court denied this second petition and dismissed the proceeding. Foundation appealed.
The Appellate Division, assuming, without deciding, that the two requests were sufficiently dissimilar "to avoid this limitations issue", agreed with Supreme Court that DCAS carried its burden to show that the information sought was barred by FOIL's solicitation exemption.
The court also found that the information was exempt from disclosure under the cybersecurity exemption, noting that the Court of Appeals has explained that although FOIL is "'liberally construed and its exemptions narrowly interpreted'" to achieve its legislative purpose of maximizing public access to government records, "Courts must give an exemption its "natural and obvious meaning where such interpretation is consistent with the legislative intent and with the general purpose and manifest policy underlying FOIL" [See Matter of Appellate Advocates v New York State Dept. of Corr. & Community Supervision, 40 NY3d 547].
Although Foundation contended that the solicitation exemption applied only to records that a requester would use to raise money, including to solicit new dues-paying members and "it does not have dues-paying members" and the exemption does not apply to information for use in an "outreach campaign" that does not involve directly soliciting money, the Appellate Division rejected such arguments, explaining that the exemption bars release of lists of names and addresses "if such lists would be used for solicitation or fund-raising purposes" and the Foundation 's interpretation would render the word "fund-raising" superfluous.
Citing Matter of Luongo v Records Access Officer, Civilian Complaint Review Bd., 150 AD3d 13, the Appellate Division opined "Statutes should be interpreted in a manner designed to effectuate the legislature's intent, construing clear and unambiguous statutory language so as to give effect to the plain meaning of the words used".
The Appellate Division's decision also held that Foundation's intended use of the requested information to contact individual employees directly to urge them to stop paying union dues, "which it does not dispute that it plans to do", falls squarely within this definition. "[G]iven the nature and format of the information sought and [Foundation's] organizational purpose," the court opined that DCAS drew a "reasonable inference" that the Foundation intended to use the information for solicitation.
Additionally, the Appellate Division commented that "As an alternative basis for withholding the records, which was not addressed by Supreme Court", DCAS asserted that disclosure would jeopardize its capacity to guarantee the security of its information technology assets. Relying on Public Officers Law §87(2)(i), DCAS had argued that the mass release of employee email addresses would significantly increase the vulnerability of the City's systems to email-based cyberattacks.
The Foundation countered that this rationale would necessarily lead to no email addresses ever being disclosed via FOIL. It also contended that DCAS failed to explain how the mass disclosure of public employee email addresses poses a cybersecurity risk.
The Appellate Division held that DCAS "is correct that the requested information is covered by the cybersecurity exemption". This exemption's "expressed legislative intent was to protect against the risks of electronic attack, including damage to the [information technology] assets themselves, interference with the performance of agency computers and programs, and the unauthorized access to an agency's electronic data", noting the decision in Matter of TJS of N.Y., Inc. v New York State Dept. of Taxation & Fin., 89 AD3d 239, and citing Senate Introducer Memorandum in Support, [Bill Jacket, L 2011, Chapter 368, at 4-5].
Contrary to the Foundation's argument, the court said DCAS's General Counsel "articulat[ed] a particularized and specific justification for denying access"pursuant to the cybersecurity exemption by explaining that "disclosure would create a substantial risk to the information technology infrastructure of the City of New York, including computer hardware, software, and data."
The Appellate Division then referenced the City's Cyber Command's Deputy Chief Information Security Officer explaining that disclosing "all New York City employees' email addresses would relinquish control of the City's information technology assets and jeopardize the security of those assets and of City infrastructure" by "mak[ing] it substantially easier for threat actors to successfully attack City . . . employees" in "[p]hishing and other email-based attacks."*
While the Appellate Division commented that "it does not find that the Foundation has any intention of phishing or committing any other type of fraud" in seeking to advance its mission, it noted that "these facts only to point out the risks that can ensue from mass release of public employee contact information should the information fall into the wrong hands".
The Appellate Division then ruled that DCAS "articulate[d] a legitimate concern covered by the exemption"— that disclosure of email addresses could "breach or compromise [the agency's] information technology infrastructure" or enable attackers to "gain access to or manipulate information maintained by" DCAS.
* The decision noted that "Phishing and other confidence-based attempts at fraud prey on a target's trust." The Appellate Division's decision also noted that other information sought by Foundation concerning the employee's names, titles, and other employment-related information could be used in conjunction with an email address to dupe unsuspecting targets.
Click HERE to access the Appellate Division's decision posted on the Internet.