Chapman v. Chicago Department of Finance , 2022 IL App (1st) 200547 ( 2022 )

FIRST DISTRICT
FIRST DIVISION
February 14, 2022
No. 1-20-0547
MATT CHAPMAN,                                    )       Appeal from the
)       Circuit Court of
Plaintiff-Appellee,                      )       Cook County
)
v.                                               )       No. 18 CH 14043
)
THE CHICAGO DEPARTMENT OF                        )       The Honorable
FINANCE,                                         )       Sanjay T. Tailor,
)       Judge Presiding.
Defendant-Appellant.
JUSTICE COGHLAN delivered the judgment of the court, with opinion.
Presiding Justice Hyman and Justice Walker concurred in the judgment and opinion.
OPINION
¶1          Following a bench trial, the trial court granted plaintiff Matt Chapman’s Freedom of
Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)) request directed at defendant the
Chicago Department of Finance (Department), seeking disclosure of an “index of the tables and
columns within each table” of the Citation Administration and Adjudication System (CANVAS),
a system used to store, process, and track citation information for parking tickets, speed-light
camera tickets, stoplight traffic tickets, booting, and towing tickets. On appeal, the Department
argues that the requested information was exempt from disclosure because it constituted a “file
layout” and its dissemination “would jeopardize” the security of the CANVAS system and
database. We affirm.
¶2                                     I. BACKGROUND
¶3          On August 30, 2018, Chapman submitted the following to the Department:
“To Whom It May Concern:
1-20-0547
Pursuant to the Illinois Freedom of Information Act, I hereby request the
following records:
An index of the tables and columns within each table of CANVAS. Please
include the column data type as well.
Per the CANVAS specifications, the database in question is Oracle, so the
below SQL query will likely yield the records pursuant to this request:
select utc .column_name as colname, uo.object_name as tablename, utc.data_type
from user_objects uo
join user_tab_columns utc on uo.object_name = utc.table_name where
uo.object_type = ‘TABLE’
The requested documents will be made available to the general public, and
this request is not being made for commercial purposes.
***
Sincerely,
Matt Chapman – Free Our Info, NFP”
On September 12, 2018, the Department notified Chapman of its decision to deny his request,
stating that the requested records were exempt from disclosure because the “dissemination of [the]
pieces of network information could jeopardize the security of the systems of the City of Chicago.”
On September 17, 2018, Chapman disputed the Department’s decision, arguing that “database
schemas are specifically releasable through FOIA.” 1 On October 2, 2018, after consulting with the
City of Chicago’s (City) law department, the Department reiterated its decision to deny the FOIA
request.
1
Chapman stated that the released records would be added to Chicago’s public “Data Dictionary”
(a/k/a “metalicious”) and “will be used for further research of parking tickets.”
-2-
1-20-0547
¶4          On November 1, 2018, Chapman filed a complaint, asserting a “willful violation of the
Freedom of Information Act, to respond to [his] Freedom of Information Act requests seeking
records regarding database schema information of CANVAS, a system used to store parking ticket
information.” The parties filed cross-motions for summary judgment. The Department’s motion
included the affidavit of Bruce Coffing, chief information security officer with the city’s
Department of Innovation and Technology (DoIT), attesting that the “[r]elease of the requested
information, especially in combination with the information already made public about the
CANVAS system, would jeopardize the security of not only the CANVAS system and database,
but also the data contained therein.” Chapman’s motion included the affidavit of Thomas Ptacek,
an information and software security “vulnerability researcher,” attesting that “[w]ith respect to
the security of a computer application backed by a database, knowledge of the ‘schema’—the
collection of tables and their constituent columns—would, in a competently built system, be of
marginal value to the adversary.” Following a hearing, the trial court denied the cross-motions for
summary judgment, finding a factual issue regarding the meaning of “marginal value” as stated in
Ptacek’s affidavit. At trial, both Coffing and Ptacek testified.
¶5          Coffing has worked in cybersecurity for about 22 years. He testified that the CANVAS
system stores “sensitive information,” consisting of “first name and last name of the primary
vehicle owners and the secondary vehicle owner, driver’s license numbers, addresses, whether or
not there is handicap parking related to that individual, [and] information about who wrote the
tickets.” Coffing stated that CANVAS is a “competently built system” that was built based on the
best practices in the industry.
¶6          Coffing also testified that he is responsible for protecting the CANVAS system from a
“cyberattack,” which occurs when an unauthorized user of the CANVAS system “is attempting to
achieve a goal that is not in alignment for business purposes for that system.” To prevent a
-3-
1-20-0547
cyberattack, “a layer of defense” is employed, consisting of “numerous controls that all build upon
each other to provide a defense against adversaries.” One layer of defense includes “limiting the
information that’s known about a system, so that the adversary has less to capture in their efforts
to perform recognizance about the system.” By restricting the information that is available, an
attacker would have to be more “noisy,” which alerts defenders that an attack is underway. The
activity of an “attacker” who has precise information about the target system “may blend in and
look like normal activity in the system.” Attacks made by people with more knowledge of the
system are more precise and effective than attacks made by people who are just conducting
recognizance.
¶7          Coffing stated that Chapman requested a “file layout” because “table names and column
names” are “the information that the database management system uses to create the structure of
the database” that stores the data. He explained that using file layouts or source listings, “threat
actor[s] would perform recognizance on a target or a system and *** would use this information
to more precisely craft their attacks, again to limit the noise that they would make to limit the
likelihood of them being detected.” He stated that Chapman’s request undermines “the layer
defense” strategy because, “by addressing the information that’s available on the system,” more
information is available “for a threat actor to perform recognizance again to more precisely tailor
their attacks.” Coffing acknowledged that Chapman’s request did not seek any of the actual data
in the field, such as parking ticket, red light camera, or speed camera data.
¶8          Coffing next explained “SQL” or “sequel for short,” which stands for “structured query
language” and “is the language that a database management system uses.” A SQL injection is a
type of cybersecurity attack. “A threat actor would attempt to use sequel to create a sequel
statement, which is an instruction, and it would attempt to inject that into an existing interface that
is expecting *** a field that says ‘last name’ ” and then “force the system to do something that it
-4-
1-20-0547
was not intended to do” but “something that the threat actor wants the system to do.” “[I]f you
have more information about the database, the table names, the column names, you know where
to look for what you are going after” and “you can precisely write your attack, your SQL Injection,
when you are entering into that field.” Regarding the CANVAS system specifically, a SQL
injection is a threat because it “could allow a threat actor to gain access to the data in the system
*** to exfiltrate data to find out information about *** our constituents to use for whatever
purposes they have.” Information in the system could also be modified, such as changing a ticket
from not paid to paid, or from $500 to $1. A threat actor “could do something to delete or otherwise
modify the data to make it unusable for the system and, therefore, impairing the City’s ability to
manage citations.”
¶9            Coffing also explained that “Zero-day” is another type of an attack and refers “to those
vulnerabilities that aren’t known except to the attacker *** so, therefore, the defenders don’t have
the opportunity to defend against them.” He opined that “by making public more information about
a system, it gives a threat actor more at their disposal to attempt to attack.”
¶ 10          On cross-examination, Coffing agreed that the FOIA request was “for the listing of tables
in the CANVAS database, what the fields are in those tables, and a general description of the type
of data in each field.” He explained that “if you precisely know what that field name is, then you
can more precisely craft your attack and you are not going to make noise you are going to go
undetected or less detected than if you don’t have that information.” Without the information, an
attacker would have “to make some guesses” and “those inaccurate guesses are going to generate
errors, they are going to generate logs,” which “are the things that defenders look for to try to
determine whether or not there is a threat actor in the environment.” Coffing stated that “[o]ne of
the things that helps us defend that system is not making this information available.” He did not
“want to make it easier for the bad guys and bad gals out there to attack our system and *** put
-5-
1-20-0547
our constituents’ private data at risk.” According to Coffing, someone who knows any of the field
names within CANVAS with the proper training could attempt to change data in the system or do
any of the other attacks that he described.
¶ 11          Ptacek testified that he has worked in the information and software security field for 25
years. As a “vulnerability researcher,” he looks for and helps fix identified vulnerabilities in
systems. In other words, he “hacks systems for a living.” Ptacek has never worked with the
CANVAS system, but his general statements “apply to virtually any application built on these
types of technologies.”
¶ 12          Ptacek interpreted the FOIA request as seeking “the schema of the database that backs the
CANVAS application, the tables and the columns of those tables.” He defined the “schema” as “a
term of art *** use[d] to describe all of the fields and the database that sit behind these
applications.” Ptacek would not describe the “schema” as the blueprint of the database or a file
layout, explaining that the schema “is simply the names of the spread sheets and the column
matters *** there is a lot more information that would go into the configuration of the database,
and how that database was used than simply the column headers and the names of those tables.”
¶ 13          Ptacek stated that the “system that could be attacked solely with the schema would by
definition be incompetently built” and potential attackers would not be successful in breaching the
security of the system because they had the schema. He explained some of the ways that the
security of a system could be jeopardized. For example, an attacker could perform a SQL injection
“if [he] knew the specific information about the configuration of the system itself, what operating
system it was running on, [and] the version of the orbital database that it was using.” As to the
CANVAS system, he “could enter a citation number, like a ticket number, and get all of the
information about that ticket.” If an “application was susceptible or vulnerable to a SQL Injection
attack, instead of entering simply the citation number for that ticket, [he] would enter a number
-6-
1-20-0547
and then in sequel language for every other record in the database.” “If the application was
vulnerable then it would honor the additional instructions that [he] gave it and would return not
just the ticket information but also all other data in the database.” The best practices to defend
against a SQL injection in the citation field “would be to not allow anything but a number in that
field.”
¶ 14             Ptacek also explained that the schema would be “one of the first things you would get from
an attack, the product of an attack and not a predicate of an attack.” Ptacek stated that in his
“professional experience doing this for 25 years I’ve never asked for a database schema before I
start an attack” and “can’t imagine a situation where having the schema would determine whether
or not I would bother or take the time to attack the system.”
¶ 15             Ptacek testified that a vulnerability in the database must exist to break into it. A publicly
available schema “is not considered a vulnerability in the system.” Knowledge of the schema in
conjunction with publicly available information “would not make it easier to attack the system.”
In fact, federal database schemas are publicly available on data.gov. He explained that, “[i]f the
schema for an application was unexpectedly disclosed, it would not be normal partial best practices
to purport a vulnerability or an incident in that system simply as a result of the schema being
disclosed.”
¶ 16             As to the phrase “marginal value to the adversary” used in his affidavit, Ptacek elaborated
that, “based on [his] 25 years of experience doing precisely this kind of work, [he] could not think
of a thing [he] would do with that information that would allow [him] to in any way more
effectively attack or compromise the system or do so more precisely or quietly.” But he explained
that having the schema has some value in helping plan an attack because, for example, it “would
help isolate the systems that would contain Social Security information so I wouldn’t have to take
the time to attack lots of other applications.”
-7-
1-20-0547
¶ 17           Regarding “noise,” Ptacek stated that “it is the source code that would allow you to not
make noise as an attacker,” not the schema. With the source code, an attacker “would be
substantially less noisy, but not with the schema, it wouldn’t help.” “The source code is valuable
and the schema I would say as an attacker is not valuable.” Ptacek testified that he “cannot think
of a way which publicly disclosing the schema would jeopardize the security of that system.”
¶ 18           On January 9, 2020, the trial court entered judgment for Chapman and ordered the
Department “to produce the requested records by Feb. 10, 2020.” At the Department’s request,
“the production of all requested records [was] stayed pending the outcome of appeal.”
¶ 19                                            II. ANALYSIS
¶ 20           In construing the FOIA and the applicability of any exemption, we are guided by familiar
statutory interpretation principles. “The primary objective in statutory construction is to ascertain
and give effect to the intent of the legislature.” Haage v. Zavala, 

, ¶ 44. “The most
reliable indicator of legislative intent is the language of the statute, given its plain and ordinary
meaning.” In re Appointment of Special Prosecutor, 

, ¶ 23. “Each word, clause,
and sentence of a statute must be given a reasonable meaning, if possible, and should not be
rendered superfluous.” Haage, 

, ¶ 44. A “court may consider the reason for the
law, the problems sought to be remedied, the purposes to be achieved [citations], and the
consequences of construing the statute one way or another [citations].” 

¶ 21           In section 1 of the FOIA, the Illinois legislature expressed its intent in enacting the statute,
stating that it is “the public policy of the State of Illinois that access by all persons to public records
promotes the transparency and accountability of public bodies at all levels of government” and it
“is a fundamental obligation of government to operate openly and provide public records as
expediently and efficiently as possible in compliance with this Act.” 5 ILCS 140/1 (West 2018).
To achieve the legislature’s intent, the FOIA “is to be liberally construed to achieve the goal of
-8-
1-20-0547
providing the public with easy access to government information,” and “exceptions to disclosure
are to be construed narrowly so as not to defeat the intended statutory purpose.” In re Appointment
of Special Prosecutor, 

, ¶ 25. “Thus, when a public body receives a proper request
for information, it must comply with that request unless one of FOIA’s narrow statutory
exemptions applies.” 

¶ 22          The Department claims that “section 7(1)(o) expressly exempts the records Chapman
requested.” Section 7(1)(o) exempts from disclosure:
“(o) Administrative or technical information associated with automated data
processing operations, including but not limited to software, operating protocols, computer
program abstracts, file layouts, source listings, object modules, load modules, user guides,
documentation pertaining to all logical and physical design of computerized systems,
employee manuals, and any other information that, if disclosed, would jeopardize the
security of the system or its data or the security of materials exempt under this Section.” 5
ILCS 140/7(1)(o) (West 2018).
“Any public body that asserts that a record is exempt from disclosure has the burden of proving
by clear and convincing evidence that it is exempt.” 

 § 1.2. Whether an exemption applies under
the FOIA is a question of statutory construction, which we review de novo. Chicago Public Media
v. Cook County Office of the President, 

, ¶ 22; Turner v. Joliet Police
Department, 

, ¶ 20.
¶ 23          The Department interprets section 7(1)(o) as providing a per se exemption from disclosure
for “file layouts,” which it claims was the information that Chapman requested. The Department
argues that the phrase “would jeopardize the security of the system or its data or the security of
materials exempt under this Section” modifies only the catchall phrase “any other information”
and not “file layouts” based on an application of the last antecedent canon of statutory
-9-
1-20-0547
interpretation.
¶ 24          “The last antecedent doctrine, a long-recognized grammatical canon of statutory
construction, provides that relative or qualifying words, phrases, or clauses are applied to the words
or phrases immediately preceding them and are not construed as extending to or including other
words, phrases, or clauses more remote, unless the intent of the legislature, as disclosed by the
context and reading of the entire statute, requires such an extension or inclusion.” In re E.B., 

, 467 (2008). Canons of statutory construction only apply if the language of the statute
is ambiguous. See Palm v. Holocker, 

, ¶ 21; Salier v. Delta Real Estate
Investments, LLC, 

, ¶ 36 (“Where the text of a statute is clear and
unambiguous, *** we need not resort to canons of statutory construction ***.”). But, here, the
Department contends the opposite. The Department argues that “the plain language of section
7(1)(o) is a clear indication of the General Assembly’s intent to expressly exempt file layouts from
FOIA’s disclosure requirements without proof that disclosing such information ‘would jeopardize
the security of the system.’ ” (Emphasis added.) Thus, the Department, as confirmed during oral
arguments, does not contend that the statute is ambiguous. For that reason, we need not resort to
the last antecedent canon of statutory construction to interpret section 7(1)(o) as urged by the
Department.
¶ 25          In Lieber v. Board of Trustees of Southern Illinois University, 

, 409 (1997),
a case relied heavily upon by the Department in its brief and during oral arguments, the Illinois
Supreme Court determined whether information requested from a university was exempt from
disclosure based on privacy expectations. Lieber, an apartment building owner near the
university’s campus, requested from the university disclosure of the names and addresses of
incoming freshman who had contacted the school inquiring about housing. 

. The
university had previously supplied him with the information, but this practice was later changed.
- 10 -
1-20-0547

. Lieber filed a FOIA request for the information, which the university denied. 

 at 405-
06. Lieber then sought judicial review of the denial. 

. In response, the university asserted
that the requested information was exempt from disclosure under section 7(1)(b) of FOIA. 

¶ 26          Section 7(1)(b) of the version of FOIA in effect at the time of Lieber exempted
“(b) Information that, if disclosed, would constitute a clearly unwarranted invasion
of personal privacy, unless the disclosure is consented to in writing by the individual
subjects of the information. *** Information exempted under this subsection (b) shall
include but is not limited to:
(i) files and personal information maintained with respect to ***
students[.]” 5 ILCS 140/7(1)(b) (West 1994).
In interpreting that section, the appellate court applied a balancing test, considering “an
individualized assessment of whether disclosure of the information would invade anyone’s
personal privacy.” Lieber, 

. Based on the statute’s “clear and unambiguous
language,” the supreme court determined that a per se approach was better suited than the case-
by-case balancing approach. 

 The court explained that the “per se rule applies to the specific
exemptions set forth in the subsections of section 7(1)(b) of the Act (5 ILCS 140/7(1)(b) (West
1994)), which pertains to ‘[i]nformation that, if disclosed, would constitute a clearly unwarranted
invasion of personal privacy,’ just as it does to the other exemptions in section 7.” 

.
Ultimately, the court concluded that the names and addresses of accepted individuals, but who
were not “students” because they had not yet enrolled in the university, were not exempt from
public disclosure. 

.
¶ 27          After oral argument was held in this case, our supreme court decided Mancini Law Group,
P.C. v. Schaumburg Police Department, 

, which we allowed the Department to
cite as additional authority. We disagree with the Department’s argument that Mancini “adopted
- 11 -
1-20-0547
as part of its holding Lieber’s construction of the section 7 exemptions to require a ‘per se’
approach.” Because the public body in Mancini Law Group, as here, relied on Lieber, the court
provided “a detailed discussion of Lieber,” reciting the case’s facts and holding. Id. ¶¶ 23-34. In
any event, Mancini Law Group is not dispositive.
¶ 28           In Mancini Law Group, the plaintiff sent a commercial FOIA request to the police
department, seeking disclosure of traffic accident reports for all motor vehicle accidents that
occurred within the village for a specified period of time. Id. ¶ 3. The police department provided
redacted accident reports, asserting that the redacted information, including home addresses, was
“private information” exempt from disclosure under section 7(1)(b) of FOIA. Id. Mancini Law
Group filed suit, alleging that the police department “had willfully and intentionally violated FOIA
by refusing to produce unredacted accident reports.” Id. ¶ 4. The supreme court recognized that,
since Lieber, the legislature amended the statute by adding “the exemption for private
information,” which the court explained, “indicates that the legislature decided to break with
Lieber on this basis” (holding that names and addresses were subject to disclosure) “and afford
protection to a broader category of information that was not previously deemed to be exempt.” Id.
¶ 36. The court, though, considered Lieber not for its exemption analysis but on a separate waiver
issue. Id.
¶ 29          In Lieber, the case analyzed a different exemption under a prior version of the statute. In
addition, the plain and ordinary language of the exemption in Lieber is markedly different from
section 7(1)(o). Significantly, the relevant statutory language in Lieber stated that the
“[i]nformation exempted under this subsection (b) shall include” and then enumerated five
different categories of information. (Emphases added.) 5 ILCS 140/7(1)(b) (West 1994); see
Gibson v. Illinois State Board of Education, 

, 18 (1997) (“The exemptions of
section 7 are clearly written and explicitly state that information contained in any of the subsections
- 12 -
1-20-0547
of section 7(1)(b) is exempt.”). Because the legislature did not include the directive “shall include”
language in section 7(1)(o), the Department’s reliance on the per se approach enunciated in Lieber
as to section 7(1)(b) is misplaced.
¶ 30         Likewise, Mancini Law Group does not compel a finding that the requested “schema” was
a protected record falling within an exemption. Mancini Law Group recognized that subsequent
amendments to the FOIA since Lieber demonstrated the legislature’s intent to provide broader
protection from disclosure of “private information,” noting that “the legislature later clarified that
home addresses are exempt information.” Mancini Law Group, 

, ¶¶ 36-37. As this
court has recognized, “Lieber involved statutory language that is no longer in effect; it was decided
in an era when privacy expectations were different.” Timpone v. Illinois Student Assistance
Comm’n, 

, ¶ 35. Here, no such privacy concerns are implicated because,
as the parties’ experts acknowledged, Chapman did not request any of the actual data in the fields.
¶ 31         In this case, the relevant exemption pertains to “administrative or technical information
associated with automated data processing operations.” We are mindful that section 7(1) explicitly
sets forth categories of public records that are exempt from disclosure. Lieber, 

.
In other words, if the requested information falls within the enumerated categories provided in
section 7(1)(a) through (jj), then it “shall be exempt from inspection and copying.” 5 ILCS
140/7(1) (West 2018). But where, as in section 7(1)(o), additional requirements are expressly
provided, those requirements must be satisfied before the requested information may be classified
as “exempt from inspection and copying.” See Mancini Law Group, 

, ¶ 16
(reiterating that public records are “ ‘presumed to be open and accessible’ ” (quoting Illinois
Education Ass’n v. Illinois State Board of Education, 

, 462 (2003))). Therefore, the
phrase “if disclosed, would jeopardize the security of the system or its data or the security of
- 13 -
1-20-0547
materials exempt under this Section” imposes an additional requirement (“would jeopardize”) that
must be demonstrated before a public body may exempt information from disclosure.
¶ 32         We find that, under the plain and ordinary language of section 7(1)(o), the reasonable
meaning of “if disclosed, would jeopardize” must apply to every item listed, not only to the catchall
phrase of “and any other information” as urged by the Department. See DG Enterprises, LLC-Will
Tax, LLC v. Cornelius, 

, ¶ 31 (“generally the use of a conjunctive such as ‘and’
indicates that the legislature intended that all of the listed requirements be met” (emphasis in
original)); People v. Lattimore, 

, ¶ 105 (a list of statutes following the
conjunction “or” that was preceded with a comma modified only the type of adjudication following
the “or” rather than all of the adjudications). Under the Department’s proposed per se
interpretation, the items separately listed in section 7(1)(o), which include user guides and
employee manuals, would never be disclosed to the public. A blanket prohibition against
disclosure of the items separately listed in section 7(1)(o) runs contrary to the principle that
exceptions are to be read narrowly and would frustrate the legislature’s goal in enacting the FOIA
of providing “the public with easy access to government information.” In re Appointment of
Special Prosecutor, 

, ¶ 25; see Lucy Parsons Labs v. City of Chicago Mayor’s
Office, 

, ¶ 18 (all doubts should be resolved “in favor of disclosure in
light of the public policy underlying” the FOIA); see also 5 ILCS 140/2(c) (West 2018) (public
records subject to disclosure include “electronic data processing records”); Hites v. Waubonsee
Community College, 

, ¶ 68 (“Illinois courts permit disclosure of
electronic records under FOIA”).
¶ 33         Because we find that the phrase “if disclosed, would jeopardize” applies to every item
enumerated in section 7(1)(o), we need not determine whether the information Chapman requested
was a “file layout” or falls within the catchall of “any other information,” as both are subject to
- 14 -
1-20-0547
the “would jeopardize” requirement. See Hites, 

, ¶ 71 (adopting the
following analogy of a database to a file cabinet: “[T]he database is akin to a file cabinet, and the
data that populates the database is like the files. FOIA permits a proper request for a single file,
some of the files, or all of the files.”).
¶ 34           The Department next argues that it was only required to establish by clear and convincing
evidence the possibility that disclosure of the requested information could cause harm. 2 We
disagree.
¶ 35           This court’s decision in Chicago Sun-Times v. Chicago Transit Authority, 

, ¶ 39, is instructive regarding the meaning of “could” and “would” in the context of
an exemption to the disclosure of information under the FOIA. In that case, the Sun-Times sought
disclosure under the FOIA of surveillance video of the Chicago Transit Authority’s (CTA) subway
platform that showed one customer pushing another customer off the platform. Id. ¶ 1. The CTA
asserted that the “security measures” exemption of section 7(1)(v) of the FOIA applied, which
exempts “ ‘security measures *** that are designed to identify, prevent, or respond to potential
attacks upon a community’s population or systems, facilities, or installations, the destruction or
contamination of which would constitute a clear and present danger to the health or safety of the
community, but only to the extent that disclosure could reasonably be expected to jeopardize the
effectiveness of the measures.’ ” (Emphasis added.) Id. ¶ 7 (quoting 5 ILCS 140/7(1)(v) (West
2016)). The CTA argued that public disclosure of the requested information “could jeopardize the
2
Chapman argues that the Department forfeited this claim because it failed to raise this theory in
response to his motion for summary judgment and only argued it on “the eve of trial.” Although the trial
court noted that “this defense theory, which is being advanced today for the first time, which is that a ‘file
layout’ or ‘source listing’ is exempt without regard to *** whether disclosure would jeopardize security of
the system,” the trial court, nonetheless, ruled “as a matter of law that that theory is at odds with the plain
language of the statute.” Therefore, the issue has not been forfeited because it was ruled upon by the trial
court. See Village of Palatine v. Palatine Associates, LLC, 

, ¶ 64 (issues raised
for the first time on appeal are waived).
- 15 -
1-20-0547
effectiveness of its security cameras.” 

 Interpreting the language of section 7(1)(v), this court
concluded that the statute did “not require an agency to prove, by clear and convincing evidence,
that releasing a particular record would in fact diminish the effectiveness of its security measures”;
rather, “the agency must meet the lesser burden to show that it could reasonably be expected that
the release of the record could jeopardize the effectiveness of the agency’s security measures.”
(Emphases added.) Id. ¶ 44. This court explained that the “General Assembly knew the difference
between the use of the term could instead of would; it had used the word ‘would’ in other FOIA
exemptions.” (Emphases in original.) Id. ¶ 43.
¶ 36          In this case, unlike in Chicago Sun-Times, the legislature used the word “would” and not
“could.” Based on Chicago Sun-Times, the Department bears the burden of satisfying the higher
standard that disclosure of the schema “would” jeopardize the security of the CANVAS system.
In other words, the Department must demonstrate by clear and convincing evidence more than the
possibility of a threat to the security of the CANVAS system.
¶ 37          Under the “clear and convincing evidence” standard, the proof offered by the plaintiff
“must ‘leave[ ] no reasonable doubt in the mind of the trier of fact as to the truth of the proposition
in question.’ ” Metropolitan Capital Bank & Trust v. Feiner, 

, ¶ 39
(quoting Parsons v. Winter, 

, 359 (1986)). We will not reverse the trial court’s
finding of “clear and convincing evidence” unless it is against the manifest weight of the evidence.
See Indeck Energy Services, Inc. v. DePodesta, 

, ¶ 56 (trial court’s factual findings
will not be reversed unless the findings are against the manifest weight of the evidence); In re
Commitment of Tunget, 

, ¶ 35 (a “clear and convincing evidence” finding
warrants reversal if that determination was against the manifest weight of the evidence). A trial
court’s finding “is against the manifest weight of the evidence only if an opposite conclusion is
clearly evident.” DePodesta, 

, ¶ 56.
- 16 -
1-20-0547
¶ 38            The trial court’s finding that the Department failed to demonstrate by clear and convincing
evidence that the exemption from disclosure provided in section 7(1)(o) applied to Chapman’s
FOIA request was not against the manifest weight of the evidence. Ptacek testified that the attack
of a system would not be facilitated by knowing the schema, the public disclosure of the schema
was “not considered a vulnerability in the system,” and an attacker knowing the schema would not
be substantially less “noisy.” Ptacek explained that knowing the source code is valuable to an
attacker, not the schema. He also explained that an “incompetently built” system “could be
attacked solely with the schema,” but Coffing affirmed that the CANVAS system was competently
built.
¶ 39            With respect to Coffing’s testimony, the trial court found that he “summarily testified that
if a threat actor knows the name of a field he can more precisely plan and execute an attack without
making noise and thereby avoid detection.” The trial court also found that “he really didn’t go into
it more beyond that, as far as explaining how that would work, at least not in a way that the Court
found persuasive.” Instead, the trial court found “persuasive Mr. Ptacek’s argument that the
schema is the product of the attack not the predicate of the attack.”
¶ 40            Under the FOIA, the Department, not Chapman, had “the burden of proving by clear and
convincing evidence” that section 7(1)(o) applied to exempt the requested information. 5 ILCS
140/1.2 (West 2018). Although Coffing described the approaches and methods that could
hypothetically be employed to plan and initiate an attack of the CANVAS system’s security, the
trial court’s finding that he failed to testify persuasively that disclosure of the schema “would
jeopardize the security of the system or its data” was not “unreasonable, arbitrary, or not based on
the evidence presented” (Best v. Best, 

, 350 (2006)). Construing the exemption
narrowly, as we must, and given the high burden imposed on the Department to prove that section
7(1)(o) applied by clear and convincing evidence, we agree with the trial court that the information
- 17 -
1-20-0547
requested by Chapman was subject to disclosure under the facts of this case. See In re Appointment
of Special Prosecutor, 

, ¶ 25. Therefore, the Department must comply with
Chapman’s FOIA request and disclose “an index of the tables and columns within each table of
CANVAS.” Disclosure of that information is consistent with the purpose of the FOIA and the
presumption that public records are open and accessible to any person. 

 Because we find in favor
of Chapman, we need not consider his claim that the requested records were also accessible under
section 5 of the FOIA (5 ILCS 140/5 (West 2018)), titled “List of records available from public
body.”
¶ 41                                      III. CONCLUSION
¶ 42            The Department must provide the information Chapman requested because the information
was not exempt from disclosure under section 7(1)(o) of the FOIA.
¶ 43            Affirmed.
- 18 -
1-20-0547
No. 1-20-0547
Cite as:                 Chapman v. Chicago Department of Finance, 

Decision Under Review:   Appeal from the Circuit Court of Cook County, No. 18-CH-
14043; the Hon. Sanjay T. Tailor, Judge, presiding.
Attorneys                Celia Meza, Acting Corporation Counsel, of Chicago (Benna
for                      Ruth Solomon, Myriam Zreczny Kasper, and Elizabeth Mary
Appellant:               Tisher, Assistant Corporation Counsel, of counsel), for
appellant.
Attorneys                Joshua Burday, Matthew Topic, and Merrick Wayne, of Loevy
for                      & Loevy, of Chicago, for appellee.
Appellee:
- 19 -