The latest “Exemptions, Explained” blog post is the last of the four security-related exemptions. Section 708(b)(4) covers information technology security (or cybersecurity); Appeals Officer Berk Demiral provides the legal analysis. This exemption is rarely utilized, cited in just 108 appeals as of October 3, 2023.
Section 708(b)(4) protects a “record regarding computer hardware, software and networks, including administrative or technical records, which, if disclosed, would be reasonably likely to jeopardize computer security.”
The intent behind this exemption is obvious; the release of a record should not lead to the unauthorized use of or access to an agency’s computer systems, network, or hardware.
There are two important points of consideration when assessing the applicability of the exemption under Section 708(b)(4).
Mere speculation of a security risk is not sufficient
As with all security exemptions, the agency must prove that the exemption applies by a preponderance of the evidence. Although the agencies may meet their burden to prove the exemption’s application by submitting affidavits or attestations, the Commonwealth Court has held that “[a]n agency must offer more than speculation or conjecture to establish the security-related exemptions….”[1]
For example, recently, an agency sufficiently defended its decision to withhold a record based on the computer security exemption by submitting an attestation “which provide[ed] extensive detail regarding the multiple possible ways that an actor with bad intent could use the invoice information to compromise or infiltrate the [Agency’s], and ultimately the Commonwealth’s, [Information Technology] systems.”[2] Specifically, the agency provided a verified statement from its Information Technology Security Risk Manager, who stated that, if disclosed, the responsive information would directly lead to cybercriminals identifying particular equipment, such as routers, firewalls, and other computer equipment, and reveal vulnerable information such as account information, contacts, and purchasing information. Such identification and revelation would then allow bad actors to engage in phishing attacks, upload malware to corrupt existing software or place an “imposter” device within the agency’s network.
In contrast, an agency providing only conclusory and speculative evidence regarding potential risks will not succeed in meeting its burden of proving that the cybersecurity exemption is applicable. An agency must show that the risk of harm caused by the potential disclosure is more than mere speculation; the risk must be substantial, demonstrable, and real or apparent.[3]
In other words, the purported evidence of a potential security threat must be tangible and not easily discredited. As an example, an agency failed to prove that the cybersecurity exemption applied when it claimed that granting access to phone numbers and email addresses of employees would pose a security risk, but a review of the County’s website showed that a large portion of employees highlighted in their various official capacities had their County email addresses and telephone numbers listed for the public’s viewing and use.[4]
In sum, a persuasive attestation or affidavit will likely come from a person with the skills and information necessary to comment on cybersecurity matters, and it will include a description and explanation of the alleged risks and how they directly relate to the potential disclosure of the withheld information. By contrast, if the agency’s evidence is readily discredited, merely recites the language of the security exemption without providing relevant background facts, or fails to explain the basis for and correlation between the risk and the disclosure, then such evidence will likely fall short of establishing the cybersecurity exemption.
Financial aspects of IT records may not be exempt
It is important to note that the RTKL explicitly and specifically makes financial records public.[5] As such, if financial records are responsive to a request, the computer security exemption permits an agency to redact only those portions directly implicated as causing the security risk. The agency may not withhold the entirety of the record from public access.
For example, although an agency may meet its burden to prove that the list of items on purchase order invoices is exempt, it must grant access to the remainder of the responsive invoices without obscuring the dates, quantity figures, and dollar amounts for each item.[6]
[1] California Borough v. Rothey, 185 A.3d 456, 468 (Pa. Commw. Ct. 2018).
[2] Holloway v. Pennsylvania Dep’t of General Services, OOR Dkt. AP 2023-1478, 2023 PA O.O.R.D. LEXIS 1671.
[3] McGinnis v. Neshaminy School District, OOR Dkt. AP 2019-2239, 2020 PA O.O.R.D. LEXIS 1475.
[4] Mezzacappa v. Northampton County, OOR Dkt. AP 2022-2077, 2022 PA O.O.R.D. LEXIS 2501.
[5] 65 P.S. § 67.708(c).
[6] See Holloway; see also Nolen v. Pa. Office of Admin., OOR Dkt. AP 2018-0377, 2018 PA O.O.R.D. LEXIS 524.