Levinthal v. Federal Election Commission , 219 F. Supp. 3d 1 ( 2016 )

                           UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
_________________________________________
)
Dave Levinthal, et al.,                   )
)
Plaintiffs,                         )
)
v.                          )                 Civil No. 15-cv-01624 (APM)
)
Federal Election Commission,              )
)
Defendant.                          )
)
_________________________________________ )
MEMORANDUM OPINION
I.     INTRODUCTION
Plaintiffs Dave Levinthal and the Center for Public Integrity bring this suit under the
Freedom of Information Act (“FOIA”). On July 6, 2015, Plaintiffs submitted a FOIA request to
Defendant Federal Election Commission seeking:           (1) a copy of a study that assesses
vulnerabilities in the Commission’s information technology (“IT”) systems and makes
recommendations to address those vulnerabilities; and (2) any emails and documents related to the
study. Defendant produced non-exempt materials related to the study, but withheld the study itself.
Plaintiffs brought this suit claiming that Defendant violated FOIA by failing to produce the study.
Upon consideration of the parties’ submissions and the record evidence, the court grants
Defendant’s Motion for Summary Judgment and denies Plaintiffs’ Cross-Motion for Summary
Judgment.
II.      BACKGROUND
As required by Local Civil Rule 7(h)(1), Defendant Federal Election Commission
(“Commission” or “Defendant”) submitted a detailed statement of undisputed material facts.
See Def.’s Mot. for Summ. J., ECF No. 13 [hereinafter Def.’s Mot.], Def.’s Stmt. of Material Facts,
ECF No. 13-1 [hereinafter Def.’s Stmt.]. Plaintiffs, for their part, responded with a bare-boned
counter-statement that did not dispute Defendant’s factual assertions. Pls.’ Cross-Mot. for Summ.
J., ECF No. 14 [hereinafter Pls.’ Mot.], Pls.’ Stmt. of Material Facts, ECF No. 14-1 [hereinafter
Pls.’ Stmt.]. 1 Accordingly, the court treats Defendant’s proffered facts, recited below, as conceded
by Plaintiffs. See SEC v. Banner Fund Int’l, 

, 616 (D.C. Cir. 2000) (“If the party
opposing the motion fails to comply with [the] local rule, then ‘the district court is under no
obligation to sift through the record’ and should ‘[i]nstead . . . deem as admitted the moving party’s
facts that are uncontroverted by the nonmoving party’s Rule [LCvR 7.1(h)] statement.’”
(alterations in original) (quoting Jackson v. Finnegan, Henderson, Farabow, Garrett & Dunner,

, 154 (D.D.C. 1996)).
A.       Factual Background
In Fiscal Year 2014, the Commission hired an outside contractor, SD Solutions, LLC, to
determine whether there were vulnerabilities in the Commission’s IT systems and, if there were,
to provide remedial recommendations. Def.’s Stmt. ¶ 5; Def.’s Mot., Decl. of Alec Palmer, ECF
No. 13-2 [hereinafter Palmer Decl.], ¶ 7. The Commission ordered the study to assist it in deciding
whether to implement newly developed information security guidelines published by the U.S.
Department of Commerce’s National Institute of Standards and Technology (“NIST”). Def.’s
1
Plaintiffs later submitted a more fulsome statement of facts with their Reply Brief, see Pls.’ Reply, ECF No. 18, Pls.’
Stmt. of Genuine Issues of Fact, ECF No. 18-1, but that statement came too late, see LCvR 7(h)(1) (“T]he Court may
assume that facts identified by the moving party in its statement of material facts are admitted, unless such a fact is
controverted in the statement of genuine issues filed in opposition to the motion.” (emphasis added)).
2
Stmt. ¶ 6; Palmer Decl. ¶ 7. In preparing its report, SD Solutions examined the Commission’s
“physical and virtual information technology assets” and recommended measures for the
Commission to protect its infrastructure from “wrongful interference, circumvention, or unlawful
action by unauthorized persons.” Palmer Decl. ¶ 8. Furthermore, it assessed the “vulnerabilities
to unlawful breach present in the Commission’s technological infrastructure, describing sensitive
Commission systems and recommending specific security measures to address the vulnerabilities.”

refers to SD Solutions’ final report and its related documents, collectively,
as the “NIST Study.” Def.’s Stmt. ¶ 8; Palmer Decl. ¶ 18.
The NIST Study consists of two parts. The first part is an overview memorandum prepared
by the Commission’s Office of the Chief Information Officer. The overview memorandum lists
measures the Office has used in the past to address IT vulnerabilities, summarizes SD Solutions’
final report, and discusses “the practicalities of implementing the [NIST] guidelines should the
Commission adopt the recommendations in the Final Report.” Def.’s Stmt. ¶ 10; Palmer Decl.
¶¶ 2, 9, 10. The overview memorandum includes two appendices: (1) an abridged version of the
full final report, and (2) a summary of both the recommendations in the report and the personnel
and financial resources that would be required to satisfy each recommendation. 

11.
The second part of the NIST Study is the final report itself. As discussed, the report
describes the Commission’s IT network, assesses the security of each system and identifies the
vulnerabilities therein, and contains recommendations for security measures to address the
identified vulnerabilities. 

14.
B.      Procedural Background
Plaintiff Dave Levinthal is an investigative journalist employed by Plaintiff the Center for
Public Integrity. See Pls.’ Mot. at 1; Def.’s Mot. at 3; Def.’s Stmt. ¶ 4. On July 6, 2015, Plaintiffs
3
submitted a FOIA request to the Commission, seeking: (1) “a copy of the 2015 National Institute
of Standards and Technology Report—also known as the NIST study—pertaining to the Federal
Election Commission’s operations,” and (2) “any FEC emails, memoranda, correspondence or
other documents that, in any form or fashion, mention or refer to this National Institute of
Standards and Technology report, by name or otherwise.” Def.’s Stmt. ¶ 38; Def.’s Mot., Decl. of
Robert M. Kahn, ECF No. 13-3 [hereinafter Kahn Decl.], ¶ 6 & Ex. A [hereinafter FOIA Request].
On August 18, 2015, the Commission denied Plaintiffs’ request for a copy of the NIST
Study, but granted their request for documents that mention or refer to the study, subject to
applicable FOIA exemptions. Kahn Decl. ¶ 7 & Ex. C (Email from Robert M. Kahn to Dave
Levinthal (Aug. 18, 2015)). The Commission eventually produced more than 1,450 pages of non-
exempt records, and non-exempt portions of records, that mentioned or referred to the NIST Study.
Jt. Status Rep., ECF No. 11.
Plaintiffs filed an administrative appeal challenging the decision to withhold the NIST
Study, asserting that it “is likely to contain information that directly benefits the public’s
understanding of Federal Election Commission capabilities and operations during a high-profile
election season.” Kahn Decl. ¶ 8 & Ex. C. In September 2015, the Commission denied Plaintiffs’
appeal. 

& Ex. F (Email from Robert M. Kahn to Dave Levinthal (Sept. 30, 2015)).
Plaintiffs filed their Complaint in this court on October 5, 2015, challenging only
Defendant’s non-disclosure of the NIST Study. See Compl., ECF No. 1. On March 17, 2016,
Defendant filed a Motion for Summary Judgment, claiming that the NIST Study is exempt from
disclosure both as a law enforcement record under FOIA Exemption 7(E) and as deliberative
material under FOIA Exemption 5. Def.’s Mot. at 10–21. On April 8, 2016, Plaintiffs filed a
Cross-Motion for Summary Judgment, which contests categorizing the NIST Study as a law
4
enforcement record under Exemption 7(E). See Pls.’ Mot at 4. Additionally, although Plaintiffs
concede the applicability of Exemption 5, they argue that the Commission has failed to meet its
obligation under FOIA to release any “reasonably segregable non-exempt information.” 

III.   LEGAL STANDARD
A court shall grant summary judgment “if the movant shows that there is no genuine
dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R.
Civ. P. 56(a). To make this determination, the court must “view the facts and draw reasonable
inferences in the light most favorable to the [non-moving] party.” Scott v. Harris, 

,
378 (2007) (internal quotation mark omitted). A dispute is “genuine” only if a reasonable fact-
finder could find for the nonmoving party, and a fact is “material” only if it is capable of affecting
the outcome of litigation. Anderson v. Liberty Lobby, Inc., 

, 248–49 (1986). A non-
material factual dispute cannot prevent the court from granting summary judgment. 

Most FOIA cases are appropriately decided on motions for summary judgment.
See Defenders of Wildlife v. U.S. Border Patrol, 

, 87 (D.D.C. 2009). A court
may award summary judgment in a FOIA case by relying on the information included in the
agency’s affidavits or declarations if they are “relatively detailed and non-conclusory,” SafeCard
Servs., Inc. v. SEC, 

, 1200 (D.C. Cir. 1991) (internal quotation marks omitted), and
if they describe “the documents and the justifications for nondisclosure with reasonably specific
detail, demonstrate that the information withheld logically falls within the claimed exemption, and
are not controverted by either contrary evidence in the record nor by evidence of agency bad faith,”
Military Audit Project v. Casey, 

, 738 (D.C. Cir. 1981).
The agency bears the burden of demonstrating that each FOIA exemption applies, and its
determinations are subject to de novo review in district court. U.S. Dep’t of Justice v. Reporters
5
Comm. for Freedom of the Press, 

, 755 (1989) (citing 5 U.S.C. § 552(a)(4)(B)). To
prevail on a motion for summary judgment, the agency must demonstrate that “each document that
falls within the class requested either has been produced, is unidentifiable, or is wholly exempt
from the Act’s inspection requirements.” Goland v. Cent. Intelligence Agency, 

, 352
(D.C. Cir. 1978); see also Students Against Genocide v. Dep’t of State, 

, 833 (D.C.
Cir. 2001).
IV.      DISCUSSION
A.     FOIA Exemption 7(E)
The court first considers whether the NIST Study is exempt from disclosure under FOIA
Exemption 7(E). Def.’s Mot at 10–17; Pls.’ Mot. at 3–4.
Under Exemption 7(E), an agency may withhold information (1) “compiled for law
enforcement purposes” if (2) its release “would disclose techniques and procedures for law
enforcement investigations or prosecutions, or would disclose guidelines for law enforcement
investigations or prosecutions,” and (3) such “disclosure could reasonably be expected to risk
circumvention of the law.” 5 U.S.C. § 552(b)(7)(E). Exemption 7(E) “sets a relatively low bar
for the agency to justify withholding,” Blackwell v. FBI, 

, 42 (D.C. Cir. 2011), and
“where an agency ‘specializes in law enforcement, its decision to invoke [E]xemption 7 is entitled
to deference,’” Lardner v. Dep’t of Justice, 

, 31 (D.D.C. 2009) (quoting
Campbell v. Dep’t of Justice, 

, 32 (D.C. Cir. 1998)). This does not excuse an agency,
however, from the requirement of describing its “justifications for withholding the information
n with specific detail.” Am. Civil Liberties Union v. Dep’t of Def., 

, 619 (D.C. Cir.
2011).
6
In this case, Plaintiffs offer a single argument challenging Defendant’s invocation of
Exemption 7(E): the NIST Study was not “compiled for law enforcement purposes.” Pls.’ Mot.
at 4.2 The court has little trouble rejecting that contention.
A record is “compiled for law enforcement purposes” so long as there is (1) a rational
“nexus” between the record and the agency’s law enforcement duties, and (2) a connection
between the subject of the record and a possible security risk or violation of federal law.
See 

; see also Pratt v. Webster, 

, 420 (D.C. Cir. 1982). The
latter requirement must be satisfied “to establish that the agency acted within its principal function
of law enforcement, rather than merely engaging in a general monitoring of individuals’ activities.”

. The NIST Study satisfies both requirements.
First, the NIST Study meets the rational “nexus” requirement because a federal agency,
like the Commission, cannot effectively carry out its law enforcement function unless it has a
secure and reliable IT system. The Commission is responsible for investigating violations of the
Federal Election Campaign Act.              See Def.’s Mot. at 5–6; Def.’s Stmt. ¶¶ 1–3; 52 U.S.C.
§ 30109(a)(1)–(2). Its IT system contains sensitive information related to investigations, including
“subpoenas, requests for information and documents, reports of investigation, and responses to
Commission-issued subpoenas and requests.” Palmer Decl. ¶ 17. The system also contains a
“confidential scoring system, the Enforcement Priority System, which identifies significant cases
for enforcement[.]” 

In short, the Commission’s IT system is central to its law
2
The court, therefore, treats as conceded the remaining elements of Exemption 7(E)—namely, that the exempted
record (1) “would disclose techniques and procedures for law enforcement investigations or prosecutions, or would
disclose guidelines for law enforcement investigations or prosecutions” and (2), if disclosed, “could reasonably be
expected to risk circumvention of the law.” 5 U.S.C. § 552(b)(7)(E). See Wilkins v. Jackson, 

,
162 (D.D.C. 2010) (“It is well established that if a plaintiff fails to respond to an argument raised in a motion for
summary judgment, it is proper to treat that argument as conceded.”); Sykes v. Dudas, 

, 202
(D.D.C. 2008) (“[W]hen a party responds to some but not all arguments raised on a Motion for Summary Judgment,
a court may fairly view the unacknowledged arguments as conceded.”).
7
enforcement function. See 

information systems network allows it to fulfill
its statutory obligation to administer and enforce campaign finance laws.”).
The NIST Study in turn was designed to promote the integrity of that system and thus itself
serves a law enforcement function. The study’s purpose was to “assess the vulnerabilities of the
Commission’s information technology systems” and to make “recommendations about how the
Commission could protect its systems from wrongful interference, circumvention, or unlawful
action by authorized persons.” Palmer Decl. ¶¶ 7, 8. A study designed to evaluate and improve a
critical law enforcement tool, such as an IT system, easily meets the rational nexus requirement.
Second, there is a connection between the NIST Study and a possible security risk or
violation of federal law. According to the Commission’s Chief Information Officer, Alec Palmer,
the NIST Study is the type of assessment “that, if publicly disclosed, could be used by persons
with malicious objectives to do great harm.” 

Palmer asserts that “information contained
in the NIST Study could be used to gain unlawful access to the Commission’s technology systems,
obtain and manipulate sensitive and confidential data about candidates, officeholders, party
committees, and others who interact with the Commission, or obtain and manipulate data stored
within the Commission’s systems regarding [Commission] enforcement matters.” 

explains that a person with access to the NIST Study “could use the information contained
[therein] to seriously threaten the Commission’s ability to fulfill its civil enforcement and other
statutory duties.” 

attests that the NIST Study “provides a blueprint to the
Commission’s networks” and that its public disclosure “could thus enable hackers to bypass the
Commission’s current protection mechanisms.”          

This court observed in Long v.
Immigration and Customs Enforcement, 

, 53 (D.D.C. 2015), that “[j]udges are
not cyber specialists, and it would be the height of judicial irresponsibility for a court to blithely
8
disregard . . . a claimed risk” of a cyber-attack or a security breach. The court will not disregard
such risk in this case. Accordingly, the court finds that the NIST Study satisfies the second prong
of the “compiled for law enforcement purposes” inquiry.
Plaintiffs offer two rejoinders. First, they contend that the NIST Study is not “compiled
for a law enforcement purpose” because “[i]t is not connected to an investigation.” Pls.’ Mot. at
4. That argument misconstrues the law. The Court of Appeals consistently has held that records
do not have to be linked to a specific investigation to be properly withheld under Exemption 7(E).
For instance, in Tax Analysts v. Internal Revenue Service (IRS), the court held that IRS materials
related to law enforcement activities “outside of the context of a specific investigation” met the
threshold for materials “compiled for law enforcement purposes” under Exemption 7(E). See 

, 73, 78–79 (D.C. Cir. 2002).         In so holding, it observed that Congress amended
Exemption 7 in 1986 to make clear that 7(E) “was not limited to records or information addressing
only individual violations of the law.” 

More recently, in Blackwell v. Federal Bureau
of Investigation, the Court of Appeals held that the FBI had properly withheld methods of data
collection, organization, and presentation contained in certain reports under Exemption 

. The methods were developed for the FBI to meet the agency’s “investigative needs,”
rather than linked to a specific investigation. 

Defendant correctly points out, Def.’s Mot. at 11, 13–14, courts in this
District repeatedly have held that information connected to law enforcement databases qualifies
for exemption under 7(E). See, e.g., 

(holding that requests for metadata
and database schema of law enforcement information databases qualify for exemption under 7(E));
Strunk v. U.S. Dep’t of State, 

, 146–48 (D.D.C. 2012) (holding that computer
transaction and function codes that reveal how to navigate and retrieve information from a law
9
enforcement database were properly withheld under Exemption 7(E)); Miller v. U.S. Dep’t of
Justice, 

, 29 (D.D.C. 2012) (holding that numerical codes used to identify
information and individuals, as well as codes “relate[d] to procedures concerning the use of law
enforcement resources and databases . . . [and] case program and access codes[,]” were properly
withheld under Exemption 7(E)); Skinner v. U.S. Dep’t of Justice, 

, 113–14
(D.D.C. 2012) (holding that user access codes that facilitated access to a law enforcement database
were properly redacted under Exemption 7(E)), aff’d sub nom. Skinner v. Bureau of Alcohol,
Tobacco, Firearms & Explosives, No. 12-5319, 

(D.C. Cir. May 31, 2013)).
Thus, the fact that the NIST Study does not pertain to a particular investigation does not place it
outside Exemption 7(E).
Second, Plaintiffs argue that Exemption 7(E) is inapplicable because Defendant “has not
established that the vulnerabilities described in the NIST Study still exist.” Pls.’ Mot. at 4. More
specifically, Plaintiffs argue that, even if Exemption 7(E) applies “to portions of the NIST Study,
to the extent that facts on the ground have changed since the preparation of the report, disclosure
of previous vulnerabilities would not fall under Exemption 7(E).” 

That argument is a
nonstarter. Again, the Palmer Declaration, which the court described above, amply supports
Defendant’s contention that the public release of the NIST Study—or any portion of it—would
run the risk of compromising the Commission’s law enforcement function. According to Palmer,
if released, unauthorized readers of the NIST Study could “gain unlawful access to the
Commission’s technology systems, obtain and manipulate sensitive and confidential data about
candidates, officeholders, party committees, and others who interact with the Commission, or
obtain and manipulate data stored within the Commission’s systems regarding [Commission]
enforcement matters.” 

Additionally, Palmer states that an unauthorized individual or
10
government armed with the NIST Study could “seriously threaten the Commission’s ability to
fulfill its civil enforcement and other statutory duties” and “alter the disclosure data that the
Commission makes available on its public website, thereby providing false disclosure information
that could adversely influence the outcome of an election.” 

Further, disclosing the
NIST Study could allow hackers to gain access to the Commission’s networks, enabling them to
“distort or prevent access to campaign finance reports,” or “expose sensitive information about
parties regulated by the Commission.” 

24. Palmer’s Declaration credibly demonstrates
that disclosure of any portion of the NIST Study would pose a present and genuine security threat
to the Commission’s law enforcement function. Accordingly, the court rejects Plaintiffs’ argument
that the NIST Study is not exempt under 7(E).
B.      FOIA Exemption 5 and Segregability
Defendant also invokes FOIA Exemption 5 to withhold the NIST Study. Def.’s Mot. at
17. Exemption 5 shields disclosure of “inter-agency or intra-agency memorandums or letters
which would not be available by law to a party other than an agency in litigation with the agency.”
5 U.S.C. § 552(b)(5). Exemption 5 has been interpreted to incorporate the three traditional civil
discovery privileges—the attorney work product privilege, the deliberative process privilege, and
the attorney-client privilege. Burka v. U.S. Dep’t of Health & Human Servs., 

, 518
(D.C. Cir. 1996). Here, Defendant asserts the deliberate process privilege as the basis for invoking
Exemption 5. Def.’s Mot. at 17–21; see Tax Analysts v. IRS, 

, 616 (D.C. Cir. 1997)
(describing the deliberative process privilege as covering records that are both “predecisional” and
“deliberative”).
Plaintiffs do not contest the applicability of the deliberative process privilege to the NIST
Study. See Pls.’ Mot. at 5 (“Plaintiffs do not doubt that the NIST Study contains predecisional
11
recommendations.”). Instead, they challenge whether Defendant has satisfied its duty to segregate
and produce non-exempt factual material contained within the NIST Study. 

argue that Defendant “has not established that [the factual material is] actually
‘inextricably entwined’ with deliberations.” Id.; see Mead Data Cent., Inc. v. U.S. Dep’t of the
Air Force, 

, 260 (D.C. Cir. 1977) (collecting cases and explaining that “[i]t has long
been a rule in this Circuit that non-exempt portions of a document must be disclosed unless they
are inextricably intertwined with exempt portions”). The court disagrees.
Because “the focus of FOIA is information, not documents . . . an agency cannot justify
withholding an entire document simply by showing that it contains some exempt material.” Mead
Data 

. FOIA therefore requires that “[a]ny reasonably segregable portion
of [the] record shall be provided to any person requesting such record after deletion of the portions
which are exempt.” 5 U.S.C. § 552(b). An agency must provide a “detailed justification” and not
just make “conclusory statements” to support its segregability determination. Mead Data 

. Agencies, however, “are entitled to a presumption that they complied with the
obligation to disclose reasonably segregable material,” which can be overcome by contrary
evidence produced by the requester. Sussman v. U.S. Marshals Serv., 

, 1117 (D.C.
Cir. 2007).
The Palmer Declaration provides a “detailed justification” for the Commission’s decision
that no part of the NIST Report is segregable, and Plaintiffs have not offered any evidence to the
contrary.     According to Palmer, the Commission’s Office of the Chief Information Officer
conducted a line-by-line analysis of the NIST Study to determine if any portion could be
segregated and released without jeopardizing the security of its networks. Palmer Decl. ¶¶ 25–27.
Palmer observes that the “factual descriptions of the Commission’s information technology
12
systems and their vulnerabilities in the Final Report form the basis of the Report’s analysis[] . . .
and they reflect the need for the recommended protocols that constitute the core of the NIST
Study.” 

If the factual content of the NIST Study were publicly disclosed, Palmer explains,
it “would effectively release many of the NIST Study’s recommendations, as well as the substance
of the vulnerability analysis that [the Office of the Chief Information Officer] submitted to the
Commission for its determination on whether to accept those recommendations.” 

“The
factual descriptions expose the Commission to risk of a security breach of its network and
information technology systems.” 

clearly establishes that the factual portions of the NIST Study are
“inextricably intertwined” with its deliberative elements. Mead Data 

. It
also sets forth with “reasonable specificity” why those factual portions cannot be segregated.
Armstrong v. Exec. Office of the President, 

, 578–79 (D.C. Cir. 1996). Accordingly,
the court rejects Plaintiffs’ argument that Defendant has not met its duty of segregability.
V.     CONCLUSION
For the foregoing reasons, the court grants Defendant’s Motion for Summary Judgment
and denies Plaintiffs’ Cross-Motion for Summary Judgment. A separate final order accompanies
this Memorandum Opinion.
Dated: November 23, 2016                              Amit P. Mehta
United States District Judge
13