Another “Exemptions, Explained” blog post, another security-related exemption. This one, Section 708(b)(3), centers on infrastructure and the legal analysis is provided by Appeals Officer Bandy Jarosz. This exemption is sparingly used, cited in just 301 appeals as of June 10, 2023.  Recently, it is offered as a rationale by agencies in denying access requests for information related to elections, surveillance of state liquor stores, and levee certifications. 

Section 708(b)(3) protects a “record, the disclosure of which creates a reasonable likelihood of endangering the safety or the physical security of a building, public utility, resource, infrastructure, facility or information storage system, which may include:

(i) documents or data relating to computer hardware, source files, software and system networks that could jeopardize computer security by exposing a vulnerability in preventing, protecting against, mitigating or responding to a terrorist act;

(ii) lists of infrastructure, resources and significant special events, including those defined by the Federal Government in the National Infrastructure Protections, which are deemed critical due to their nature and which result from risk analysis; threat assessments; consequences assessments; antiterrorism protective measures and plans; counterterrorism measures and plans; and security and response needs assessments; and

(iii) building plans or infrastructure records that expose or create vulnerability through disclosure of the location, configuration or security of critical systems, including public utility systems, structural elements, technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage and gas systems.”

As noted in previous posts, security should not be threatened by the release of a record.  Releasing information or records that could lead to the penetration of cyber or physical structures are not intended for public viewing.

Much of the relevant caselaw discusses the burden of proof an agency must satisfy to prove that the exemption applies.

• An agency must demonstrate a specific threat of endangerment to the safety or physical security of certain structures that is reasonably likely to result from the disclosure of a record.[1]
• The OOR must “look to the likelihood that disclosure would cause the alleged harm, requiring more than speculation.”[2]

For example, in  Allegheny Cty. Dist. Attorney’s Office v. Wereschagin, 257 A.3d 1280 (Pa. Commw. Ct. 2021), the Commonwealth Court held that the evidence submitted by the agency, taken as a whole, was sufficiently detailed enough to support the agency’s contention that releasing non location system information regarding a camera network system would put the physical security of the safety camera system in the district attorney’s office itself at risk.  The agency argued to the court that the system was currently subject to attacks, which revealed motivation to damage the system.  Id. at 1293.  The Requesters argued that cameras can be hacked without the hackers knowing the specific details of the cameras, so the release of such non location information would not increase the risk of hacking.  Id at 1292, 1298.  The court reasoned that the possibility of harm does not make the evidence speculative and the preponderance of evidence standard does not require absolute certainty.  Id. at 1298.  Thus, the court held the agency met its burden of proving that the infrastructure safety exemption applied.  Id. at 1300. 

Clearly, neither an OOR Appeals Officer nor a judge can be an expert in infrastructure security. Thus, the OOR and courts have wisely opined that they will not second guess the judgement of those more familiar with the security issues.  See Knauss v. Unionville-Chadds Ford Sch. Dist., OOR Dkt. AP 2009-0332, 2009 PA O.O. R.D. LEXIS 238 (holding the OOR would not substitute its judgement with an educator with years of experience regarding critical infrastructure and key resources of public school buildings).

---

[1] Smith Butz, LLC v. Pa. Dep’t of Envtl. Prot., 161 A.3d 1049, 1062 (Pa. Commw. 2017) (holding that the agency proved the disclosure of records that reflect the location and quantity of radioactive materials would be reasonably likely to jeopardize public security and/or safety, as the agency provided evidence of incidents involving theft or loss of nuclear and radioactive materials worldwide).

[2] California Borough v. Rothey, 185 A.3d 456, 468 (Pa. Commw. Ct. 2018) (holding that the existence of blind spots in a holding cell do not cause endangerment of safety and security when there was no explanation provided by the agency as to how the blind spots caused the endangerment when prisoners were secured and the cells were searched prior to entry).