Matter of Freedom Found. v. New York City Dept. of Citywide Admin. Servs. ( 2024 )

Matter of Freedom Found. v New York City Dept. of Citywide Admin. Servs. (2024 NY Slip Op 04483)

Matter of Freedom Found. v New York City Dept. of Citywide Admin. Servs.

2024 NY Slip Op 04483

Decided on September 19, 2024

Appellate Division, First Department

Published by New York State Law Reporting Bureau pursuant to Judiciary Law § 431.

This opinion is uncorrected and subject to revision before publication in the Official Reports.

Decided and Entered: September 19, 2024
Before: Moulton, J.P., Friedman, Kapnick, Shulman, Michael, JJ.
Index No. 152725/22 Appeal No. 2576 Case No. 2023-01154

Freedom Foundation, Monsey (Shella Alcabes of counsel), for appellant.

Sylvia O. Hinds-Radix, Corporation Counsel, New York (Amy McCamphill of counsel), for respondent.

Cohen Weiss and Simon LLP, New York (Eyad Asad, Hanan B. Kolko and Daniel M. Nesbitt of counsel), for amicus curiae.

Judgment (denominated an order), Supreme Court, New York County (Laurence L. Love, J.), entered on or about December 2, 2022, insofar as appealed from, denying the petition to compel respondent to disclose records requested by petitioner pursuant to the Freedom of Information Law (FOIL) (Public Officers Law § 84 et seq.), and dismissing the proceeding brought pursuant to CPLR article 78, unanimously affirmed, without costs.

Petitioner Freedom Foundation is a 501(c)(3) corporation that opposes public employee unions. As part of its mission, it contacts represented public employees to inform them of their rights to opt out of union membership.

On May 3, 2021, Foundation employee Eric Volz submitted a FOIL request to respondent New York City Department of Citywide Administrative Services (DCAS). This initial request (the May FOIL Request), which did not mention the Foundation, sought, "for each City of New York employee who is currently employed in a position covered by a collective bargaining agreement with American Federation of State, County and Municipal Employees (AFSCME) District Council 37" (DC 37), the employee's name, office mailing address, job title, hire date, agency/department, work email address, work telephone number, and bargaining unit.

On July 16, 2021, DCAS's Records Access Officer (RAO) denied the May FOIL Request on two grounds: 1) the disclosure would constitute an "unwarranted invasion of personal privacy" under Public Officers Law §§ 87(2)(b) and 89(2)(b)(iii) and 2) the disclosure would "create a serious security risk to the City of New York's critical information technology assets" under Public Officers Law § 87(2)(i).

The Foundation did not administratively appeal this denial.

On September 20, 2021, the Foundation, through employee Ben Straka, submitted a second FOIL request to DCAS (the September FOIL Request), seeking, "for all New York City employees" (i.e. not only members of DC 37), the employee's name, age, gender, office mailing address, work email address, job title, job code, salary, salary schedule, bargaining unit name/number/identifier, hire date, and agency/department. Straka stated that the "information will not be used for solicitation or fund-raising purposes." The Foundation was not mentioned in the September FOIL Request.

On September 28, 2021, the RAO denied this second request because it was "essentially identical" to the May FOIL Request. The RAO noted that the metadata of the May FOIL Request indicated that Straka was the "author" of that initial request. Since there was no administrative appeal of the May FOIL Request, the RAO stated that "[t]he determination is now final[,] and the request cannot be revived by resubmission." Straka timely sought an appeal of this second denial.

On or about November 29, 2021, DCAS's General Counsel affirmed the RAO's determination because the September FOIL Request "sought the same information" as the May FOIL Request, which was denied and not appealed within [*2]the requisite 30 days. Alternatively, the General Counsel affirmed on the grounds that 1) the Foundation's "intention . . . is to use the requested information to solicit, request, importune, entreat and seek New York City employees to abandon union membership," such that "disclosure . . . would constitute an[] unwarranted invasion of personal privacy under [Public Officers Law §] 89(2)(b)(iii)" and 2) "disclosure would create a substantial risk to the information technology infrastructure of the City of New York, including computer hardware, software, and data," pursuant to Public Officers Law § 87(2)(i).

The Foundation filed a CPLR article 78 petition seeking to compel DCAS to provide the information sought in the September FOIL Request.

In opposition, DCAS argued that the petition was time-barred because it sought review of DCAS's denial of the substantially similar May FOIL Request, for which the Foundation failed to exhaust its administrative remedies. DCAS alternatively argued that it properly withheld the information pursuant to FOIL's solicitation and cybersecurity exemptions.

DCAS submitted various materials generated by the Foundation concerning its hostility to public employee unions and its methods of outreach to public employee union members. For example, a June 28, 2021 press release from the Foundation described its nationwide "battle against government unions," which includes "educating public employees . . . of their rights to opt-out of their unions and stop paying dues" through "a robust outreach campaign consisting of in-person canvassing, postal mail and email appeals, . . . [and] social media." The press release quotes the Foundation's CEO touting the Foundation's success in "help[ing] nearly 100,000 public employees stop paying union dues" and "den[ying] union bosses more than $140 million."

To support its invocation of the cybersecurity exemption, DCAS submitted an affidavit of Paul Kim, the Deputy Chief Information Security Officer in the City's Cyber Command. Kim stated that the "requested mass release of all New York City employees' email addresses would relinquish control of the City's information technology assets and jeopardize the security of those assets and of City infrastructure" by "mak[ing] it substantially easier for threat actors to successfully attack City . . . employees" in "[p]hishing and other email-based attacks," which could give "threat actors access to the City's network, systems, and confidential information."

For its part, the Foundation submitted an affidavit of its Deputy Chief Litigation Counsel stating that the Foundation "does not . . . seek to obtain money from public employees," "does not request the information . . . for solicitation or fund-raising purposes," and only wishes to "inform public employees of their constitutional rights."

Supreme Court denied the petition and dismissed the proceeding.^[FN1] The court rejected DCAS's argument that the second FOIL request was duplicative [*3]and therefore time-barred, noting that the September FOIL Request sought information about a larger pool of employees, and a few more categories of information, than the May FOIL Request. On the merits, the court determined that DCAS properly withheld the requested information pursuant to the solicitation exemption, holding that "[t]here is no requirement that a solicitation involve money in any form." It did not reach DCAS's arguments based on the cybersecurity exemption.

We now affirm.

DCAS argues that this proceeding is time-barred because the Foundation failed to exhaust its administrative remedies by administratively appealing from DCAS's denial of the May FOIL Request, and because the Foundation's duplicative September FOIL Request did not restart the limitations period. The Foundation responds that its second request was distinct from its first request. Before commencing a CPLR article 78 proceeding, a FOIL petitioner must exhaust all administrative remedies, including the taking of an administrative appeal within 30 days of an agency's initial denial of the request (see Public Officers Law § 89[4][a]-[b]; Matter of Empire Ctr. for Pub. Policy, Inc. v N.Y.C. Office of Payroll Admin., 158 AD3d 529, 530 [1st Dept 2018], lv denied 31 NY3d 910 [2018]). An article 78 petition "must be commenced within four months" of the agency's denial of the administrative appeal (CPLR 217[1]). A duplicative FOIL request does "not extend or toll the statute of limitations on article 78 proceedings" (Matter of United Probation Officers Assn. v City of New York, 187 AD3d 456, 456 [1st Dept 2020]). Under certain circumstances, we have held that a second FOIL request, even if broader than the first, will not extend the time to commence an article 78 proceeding (see e.g. Matter of Stankevich v New York City Police Dept., 173 AD3d 507 [1st Dept 2019], lv denied 35 NY3d 902 [2020]). Here, while the two requests seek similar information about represented public employees, the second request seeks information about a larger cohort of such employees.

Assuming, without deciding, that the two requests are sufficiently dissimilar to avoid this limitations issue, we agree with Supreme Court that DCAS carried its burden to show that the information sought is barred by FOIL's solicitation exemption. We also find that the information is exempt from disclosure under the cybersecurity exemption.

As the Court of Appeals has explained, FOIL is "'liberally construed and its exemptions narrowly interpreted'" to achieve its legislative purpose of maximizing public access to government records (Matter of Town of Waterford v New York State Dept. of Envtl. Conservation, 18 NY3d 652, 657 [2012], quoting Matter of Capital Newspapers, Div. of Hearst Corp. v Whalen, 69 NY2d 246, 252 [1987]). Courts must give an exemption its "natural and obvious meaning where such interpretation is consistent with the legislative intent and with the general purpose and manifest policy underlying FOIL"[*4](Matter of Appellate Advocates v New York State Dept. of Corr. & Community Supervision, 40 NY3d 547, 551-552 [2023] [internal quotation marks omitted]).

As noted above, DCAS asserts that the requested information is exempt from FOIL because it "would constitute an unwarranted invasion of personal privacy" (Public Officers Law § 87[2][b]). "An unwarranted invasion of personal privacy includes . . . sale or release of lists of names and addresses if such lists would be used for solicitation or fund-raising purposes" (id. § 89[2][b][iii] [emphasis added]). "While FOIL does not require a party requesting information to show any particular need or purpose[,] a petitioner's motive or purpose in seeking the records becomes relevant if the petitioner's intended use of the requested material would run afoul of" that exemption (Matter of New York State Rifle & Pistol Assn., Inc. v Kelly, 55 AD3d 222, 225 [1st Dept 2008]). The Foundation concedes this point in its initial brief.

The Foundation argues that the solicitation exemption applies only to records that a requester would use to raise money, including to solicit new dues-paying members. It asserts that it does not have dues-paying members, and that the exemption does not apply to information for use in an "outreach campaign" that does not involve directly soliciting money. This argument fails, as the exemption bars release of lists of names and addresses "if such lists would be used for solicitation or fund-raising purposes" (Public Officers Law § 89[2][b][iii] [emphasis added]). The Foundation's interpretation would render the word "fund-raising" superfluous.

"Statutes should be interpreted in a manner designed to effectuate the legislature's intent, construing clear and unambiguous statutory language so as to give effect to the plain meaning of the words used" (Matter of Luongo v Records Access Officer, Civilian Complaint Review Bd., 150 AD3d 13, 19 [1st Dept 2017] [internal quotation marks omitted], lv denied 30 NY3d 908 [2017]). To "solicit" includes "to approach with a request or plea" and "to urge (something, such as one's cause) strongly" (Merriam-Webster.com Dictionary, solicit [https://www.merriam-webster.com/dictionary/solicit]). The plain meaning of "solicitation" is not limited to direct monetary requests, but more broadly includes "[t]he act or an instance of requesting or seeking to obtain something; a request or petition" (Black's Law Dictionary 1677 [11th ed 2019]).

The Foundation's intended use of the requested information to contact individual employees directly to urge them to stop paying union dues, which it does not dispute that it plans to do, falls squarely within this definition. "[G]iven the nature and format of the information sought and [the Foundation's] organizational purpose," DCAS drew a "reasonable inference" that the Foundation intended to use the information for solicitation (Matter of New York State Rifle & Pistol Assn., Inc. 55 AD3d at 225).

As an alternative [*5]basis for withholding the records, which was not addressed by Supreme Court, DCAS asserts that disclosure would jeopardize its capacity to guarantee the security of its information technology assets. Relying on Public Officers Law § 87(2)(i), it argues that the mass release of employee email addresses would significantly increase the vulnerability of the City's systems to email-based cyberattacks.

The Foundation counters that this rationale would necessarily lead to no email addresses ever being disclosed via FOIL. It also argues that DCAS failed to explain how the mass disclosure of public employee email addresses poses a cybersecurity risk.

DCAS is correct that the requested information is covered by the cybersecurity exemption. This exemption's "expressed legislative intent was to protect against the risks of electronic attack, including damage to the [information technology] assets themselves, interference with the performance of agency computers and programs, and the unauthorized access to an agency's electronic data" (Matter of TJS of N.Y., Inc. v New York State Dept. of Taxation & Fin., 89 AD3d 239, 243 [3d Dept 2011], citing Senate Introducer Mem in Support, Bill Jacket, L 2011, ch 368, at 4-5).

Contrary to the Foundation's argument, DCAS's General Counsel "articulat[ed] a particularized and specific justification for denying access" (Matter of Kosmider v Whitney, 34 NY3d 48, 54 [2019] [internal quotation marks omitted]) under the cybersecurity exemption by explaining that "disclosure would create a substantial risk to the information technology infrastructure of the City of New York, including computer hardware, software, and data."

The City Cyber Command's Deputy Chief Information Security Officer further explained that disclosing "all New York City employees' email addresses would relinquish control of the City's information technology assets and jeopardize the security of those assets and of City infrastructure" by "mak[ing] it substantially easier for threat actors to successfully attack City . . . employees" in "[p]hishing and other email-based attacks." Phishing and other confidence-based attempts at fraud prey on a target's trust. The other information sought herein concerning employee's names, titles, and other employment-related information could be used in conjunction with an email address to dupe unsuspecting targets. Of course, we do not find that the Foundation has any intention of phishing or committing any other type of fraud; it seeks to advance its mission. We note these facts only to point out the risks that can ensue from mass release of public employee contact information should the information fall into the wrong hands.

For these reasons, DCAS "articulate[d] a legitimate concern covered by the exemption"— that disclosure of email addresses could "breach or compromise [the agency's] information technology infrastructure" or enable attackers to "gain access to or manipulate information maintained by" DCAS (Matter [*6]of TJS of N.Y., Inc., 89 AD3d at 243).

We have considered the Foundation's remaining arguments and find them unavailing.THIS CONSTITUTES THE DECISION AND ORDER

OF THE SUPREME COURT, APPELLATE DIVISION, FIRST DEPARTMENT.

ENTERED: September 19, 2024

Footnote 1:The court also denied DC 37's motion to intervene as moot.