Office of the Lieutenant Governor v. Mohn , 67 A.3d 123 ( 2013 )

OPINION BY

The Office of the Lieutenant Governor (OLG) petitions for review of a Final Determination of the Office of Open Records (OOR) directing the OLG to disclose to Daniel Mohn (Requester) the home address of an OLG employee and all agency-issued e-mail addresses for Lieutenant Governor James Cawley. For the reasons that follow, we affirm in part and reverse in part.

On April 25, 2012, Requester submitted a request to the OLG under the Right-to-Know Law (RTKL)1 seeking all agency-issued e-mail addresses for the Lieutenant Governor and two Board of Pardons’ employees; all agency-issued telephone numbers for an OLG employee; the home addresses of the Lieutenant Governor and an OLG employee; and copies of the OLG’s *126responses to previous RTKL requests dealing with some of the same information he was requesting.

The OLG responded explaining that it does not issue e-mail addresses or telephone numbers, so it would treat the request as one for government-issued email addresses and telephone numbers that were issued to members of the OLG. The OLG provided the government-issued email addresses and telephone numbers for the requested individuals that were held out to the public as e-mail addresses or telephone numbers at which the public officials could be contacted but, citing the personal identification information2 exception to the RTKL, denied the request to the extent it was seeking additional personal e-mail addresses for those individuals used to communicate with other agency officials. The OLG also denied the request for the home address of the OLG employee, citing the personal security3 and personal identification information exceptions to the RTKL. However, the OLG granted access to its responses to another individual’s prior RTKL requests, and because those responses contained some of the information sought by Requester here, the OLG noted that “some of the denied information is being provided outside of the RTKL.”4 (R.R. at 3a).

Requester appealed to the OOR, seeking the information to which the OLG had denied access. In support of its position to deny access based on the personal security exemption, the OLG submitted the affidavit of Eric Avakian (Avakian), its Chief Information Security Officer, attesting that the disclosure of home addresses increases the risk of social engineering attacks and identity theft, and copies of the OLG’s responses to other prior RTKL requests. It also maintained that access should be denied for the other reasons given in the denial letter.

The OOR granted Requester access to both the OLG employee’s home address and all agency-issued e-mail addresses for the Lieutenant Governor. With regard to home addresses, it noted that such information is not protected under the personal identification information exception or under the right to privacy principles embodied in the Pennsylvania Constitution because there is no expectation of privacy in home addresses. Moreover, in finding that the personal security exemption did not apply, it stated that nothing in OLG’s Chief Security Officer Avakian’s affidavit led it to conclude that the disclosure of home addresses is reasonably likely to result in identity theft and fraud, and went on to note that more than mere conjecture is needed to meet the “heightened standard” of establishing that the personal security exemption applies.

*127Regarding the disclosure of all agency-issued e-mail addresses for the Lieutenant Governor, the OOR held:

E-mails created by public officials, acting in their official capacity, for the purpose of furthering agency business are public records.... Similarly, e-mail addresses created for public officials to transact agency business cannot be considered anything other than public records. The OOR concludes that the word “personal” in “personal email addresses” is not intended to apply to email addresses assigned to specific public officials and public employees. Rather, the word “personal” is intended to apply to e-mail addresses not used for agency business. Had the General Assembly intended employee e-mail address[es] to be exempt from public disclosure, it would have specifically stated “employee e-mail addresses” instead of “personal email addresses.”

(OOR’s June 13, 2012 Final Determination at 5) (citation omitted). The OLG then filed this appeal.5

I.

A.

On appeal, the OLG, conceding that the personal identification information exception of the RTKL does not provide blanket protection for home addresses,6 contends that case law under the previous version of the RTKL recognized a constitutional privacy right in one’s home address and required a balancing, of interests before the disclosure of such information. That balancing test, which placed the burden on the requester to demonstrate why the public need for disclosure outweighs the constitutional right to privacy, should continue under the current RTKL, the OLG argues, and under such a test, Requester has failed to meet his burden. However, as our Supreme Court recently noted in Pennsylvania State Education Association ex rel. Wilson v. Commonwealth, — Pa.-, 50 A.3d 1263, 1277 (2012) (citing Pennsylvania State Education Association v. Commonwealth, 4 A.3d 1156, 1162 (Pa.Cmwlth.2010)), “determining whether ‘the privacy exception and its attendant balancing test have continued viability under the new Law is a proposition fraught with challenge.’” To explain why it is “fraught with challenge,” a short history of the right to privacy vis a vis public records is in order.

Pennsylvania enacted its first Right-to-Know Law in 1957 (old RTKL).7 Section 66.1(2) of the old RTKL defined what records constituted public records. In doing so, it excluded from the definition of public records those “which would operate to the prejudice or impairment of a person’s reputation or personal security.”

*128Before the 1990s, Pennsylvania courts were consistent in holding that Section 66.1(2) of the old RTKL did not grant a right to privacy to those whose home addresses were requested pursuant to it. In Young v. Armstrong School District, 21 Pa.Cmwlth. 203, 344 A.2d 738 (1975), we stated:

The Right to Know Act, however, contains no clause or provision to protect against the invasion of an individual’s privacy as does the federal Freedom of Information Act, 5 U.S.C. § 552, and for us to equate a concept of privacy with the concept of ‘personal security’ would usurp the legislative prerogative of the General Assembly.... The concept of .personal security, we believe, involves protection from personal harm rather than protection from an invasion of privacy. To hold otherwise would render the Act nugatory. Moreover, we have held that for records to fall within the personal security exception they must be intrinsically harmful and not merely capable of being used for harmful purposes.

Id. at 740. In Mergenthaler v. Commonwealth State Employes’ Retirement Board, 33 Pa.Cmwlth. 237, 372 A.2d 944 (1977) (citing Kanzelmeyer v. Eger, 16 Pa. Cmwlth. 495, 329 A.2d 307 (1974)), we held that “the phrase ‘personal security’ does not mean ‘personal privacy,’ as the lower court seems to have concluded.” Mergenthaler, 372 A.2d at 946. We went on to explain that in order for records to fall within the personal security exception, they must be intrinsically harmful, which a list of names and addresses is not. Id. at 947-48.

In 1983, in a non-RTKL case dealing with the Public Officials Ethics Act,8 our Supreme Court in Denoncourt v. Commonwealth State Ethics Commission, 504 Pa. 191, 470 A.2d 945 (1983), found for the first time that there is a constitutional right to privacy grounded in Article 1, Sections 1 and 8 of the Pennsylvania Constitution. This right to privacy extends to the freedom of disclosure of personal matters, but it is not absolute. Rather, it must be balanced against a countervailing state interest as well as its relationship to other basic rights. In general, “it may be said that government’s intrusion into a person’s private affairs is constitutionally justified when the government interest ... is significant and there is no alternate reasonable method of lesser intrusiveness to accomplish the governmental purpose.” 504 Pa. at 199-200, 470 A.2d at 949 (footnotes omitted).

A decade later, for the first time, this Court extended the Denoncourt analysis to home addresses requested pursuant to the old RTKL. In Times Publishing Company, Inc. v. Michel, 159 Pa.Cmwlth. 398, 633 A.2d 1233 (1993), a reporter requested to view and copy written applications pertaining to valid licenses to carry firearms. The trial court held that all information on the licenses was subject to disclosure except for the addresses, telephone numbers and social security numbers of the applicants. This Court affirmed, holding in a 4-3 decision that the Denoncourt privacy analysis applied to the personal security exception of the old RTKL, and that public disclosure of home addresses would constitute an unwarranted invasion of privacy that outweighed any public benefit derived from disclosure. Two years later, in Tribune-Review Publishing Company v. Allegheny County Housing Authority, 662 A.2d 677 (Pa.Cmwlth.1995), in another 4-3 *129decision, this Court again stated explicitly that the right to privacy granted by Article 1, Section 1 of the Pennsylvania Constitution applied to the old RTKL’s personal security exemption. Although the specific issue of whether the release of home addresses would violate this right to privacy was moot, the majority, in a footnote, stated, “[W]e are cognizant of the fact that we are expressly overruling that part of Young v. Armstrong [School District], which found no right of privacy existed in the Right to Know Act.” Id. at 688 n. 9.

Our Supreme Court took up the issue in Sapp Roofing Company, Inc. v. Sheet Metal Workers’ International Association, Local Union No. 12, 552 Pa. 105, 713 A.2d 627 (1998). In this case, a labor union desired to examine a private contractor’s payroll records that were in the possession of a public agency to see if the contractor complied with the Prevailing Wage Act.9 Among the information on the payroll records were the names, home addresses, telephone numbers and social security numbers of the contractor’s employees. The Supreme Court concluded that the public interest in disclosure was weak while the right to privacy and personal security was strong; therefore, those portions of the records could not be disclosed. Significantly, the Supreme Court never mentioned the Pennsylvania Constitution other than in discussing the contractor’s contentions before it, and only begins its right to privacy analysis after quoting and highlighting the old RTKL’s statutory language concerning reputation and personal security. Sapp Roofing is ambiguous concerning the origins of the right to privacy in personal information such as home addresses, but it seemed to imply that the right’s origin was in the specific statutory language of the old RTKL.

The first case that addressed the privacy cases in the age of the Internet was in Commonwealth v. Duncan, 572 Pa. 438, 817 A.2d 455 (2003). In Duncan, a criminal case, our Supreme Court explicitly held that the constitutional right to privacy enunciated in Denoncourt does not extend to one’s home address. The Duncan court explained:

[W]e agree with the Commonwealth that any subjective expectation of privacy that appellant may have had in the name and address information is not an expectation which society would be willing to recognize as objectively reasonable in light of the realities of our modern age. Whether registering to vote, applying for a driver’s license, applying for a job, opening a bank account, paying taxes, etc., it is all but impossible to live in our current society without repeated disclosures of one’s name and address, both privately and publicly. There is nothing nefarious in such disclosures. An individual’s name and address, by themselves, reveal nothing about one’s personal private affairs. Names and addresses are generally available in telephone directories, property rolls, voter rolls, and other publications open to public inspection. In addition, it has become increasingly common for both the government and private companies to share or sell name or address information to unaffiliated third parties....

In this day and age where people routinely disclose their names and addresses to all manner of public and private entities, this information often appears in government records, telephone directories and numerous other documents that are readily accessible to the public, and where customer lists are regularly sold to marketing firms and other busi*130nesses, an individual cannot reasonably expect that his identity and home address will remain secret — especially where, as here, he takes no specific action to have his information treated differently and more privately.

We are further convinced of the correctness of our conclusion that no privacy expectation reposes in this information by the fact that the majority of courts to consider the question have agreed that a person’s name and address is not information about which a person can have a reasonable expectation of privacy.

572 Pa. at 455-56, 817 A.2d at 465-66 (citations omitted). A person has a constitutionally-protected expectation of privacy in cases where: (1) the person has exhibited an actual (subjective) expectation of privacy; and (2) society is prepared to recognize the expectation of privacy as reasonable. Id. at 452, 817 A.2d at 463; Commonwealth v. Rekasie, 566 Pa. 85, 92, 778 A.2d 624, 628 (2001). Duncan holds that no one in this day and age can have a legitimate expectation of privacy in home addresses, so you never get to balance the state interest against the expectation of privacy because there is no expectation of privacy. After Duncan, the Internet and search, social and other sites with the sole purpose of giving out personal information became common. So now, in addition to people routinely disclosing their home addresses, those home addresses can easily be obtained by conducting internet searches, which not only reveal a person’s home address and their age, but also other individuals that live at that address and their ages. See, e.g. http://www. whitepages.com. Other sites have a picture of your home and its value. See, e.g., http://www.zillow.com.

In a case decided under the old RTKL where the personal security exemption and the right to privacy was somewhat conflated, we held in Hartman v. Department of Conservation and Natural Resources, 892 A.2d 897 (Pa.Cmwlth.2006), that home addresses were not subject to disclosure. We did not apply Duncan because it was a criminal case, although our Supreme Court used both civil and criminal cases from other jurisdictions in making that analysis. Recently, however, our Supreme Court affirmed, per curiam, this Court’s decision in Marin v. Secretary of the Commonwealth, 41 A.3d 913 (Pa. Cmwlth.2012), aff'd, — Pa.-, 66 A.3d 250 (2013),10 our first case addressing whether home addresses were exempt under the new RTKL or under a constitutional right to privacy. Relying on language in Duncan, quoted above, we held “there is no constitutional right to privacy in one’s home address under the Pennsylvania Constitution.” Id. at 915. Based on the foregoing reasoning, we hold that there is no constitutional right to privacy in one’s home address under the Pennsylvania Constitution that would preclude the release of the home addresses.11

*131Because there is no constitutional privacy right in one’s home address, any previous privacy exception for that information was based only in statute. There is no language in the current RTKL’s personal security exception that requires the agency to balance personal security interests against the benefits of disclosure. In the absence of such express language, this Court cannot adopt the balancing test utilized under the prior version of the RTKL. See Governor’s Office of Administration v. Purcell, 35 A.3d 811, 820 (Pa.Cmwlth.2012) (“there is no privacy exception embedded in the current RTKL applying to all birth dates; consequently, no balancing of interests is contemplated by the current RTKL”); 1 Pa.C.S. § 1921(b) (when the words of a statute are free and clear from ambiguity, the letter of it is not to be disregarded under the pretext of pursuing its spirit). Accordingly, the OLG’s contention that Requester had the burden of proving that the public need for disclosure of an employee’s home address outweighs that employee’s privacy interests is without merit.

B.

Alternatively, the OLG argues that the evidence it submitted to the OOR was sufficient to prove that employees’ home address information falls under the RTKL’s personal security exception. In order to withhold information from public disclosure pursuant to the personal security exception of the RTKL, an agency “must meet its burden of proving by a preponderance of the evidence that disclosure of such “would be reasonably likely to result in a substantial and demonstrable risk of physical harm to the personal security of an individual.’ ” Schaefer, 45 A.3d at 1156 (emphasis in original). In order to meet that burden, “[m]ore than mere conjecture is needed.” Purcell, 35 A.3d at 820. Moreover, “[g]eneral, broad-sweeping conclusions will not be a substitute for actual evidence of the likelihood of a demonstrable risk to the individuals involved posed by a particular disclosure.” Schaefer, 45 A.3d at 1158.

In support of its assertion that the disclosure of the home addresses of government employees would be reasonably likely to result in a risk of harm to the personal security of those individuals, the OLG presented the affidavit of its Chief Security Officer, Avakian. The affidavit states that home addresses are one of the many elements often used for the express purpose of distinguishing individual identity, and that a home address “dear*132ly constitutes” Personally Identifiable Information (PII), based on various federal agencies’ and state courts’ definitions of that term. The affidavit claims that once various pieces of PII have been disclosed to a third party, that information can be exploited by cyber stalkers and criminals to commit identity theft or other types of crimes. The affidavit further asserts that:

Divulging home address information significantly increases the risk of social engineering attacks on the individuals whose information was divulged. For instance, someone with this specific information can conduct reconnaissance to gather additional details about an individual and target them directly by calling or emailing the individual, and pretending to be a representative for the individual’s company. The attacker could then verify the individual’s name and home address, which will, in turn, help to gain the targeted trust of the individual. Once a trust relationship has been established between the attacker and victim, the attacker is already down the path of gathering more information, including but not limited to, gaining financial, personal, or other sensitive information that the attacker would' not have otherwise known. Identity theft is the likely result. According to Justice Department figures, in about 8.6 million households at least one person 12 or older experienced some kind of identity theft in 2010.

(R.R. at 27a-28a).

After reviewing Avakian’s affidavit, we agree with the OOR that “nothing in his affidavit leads [to the conclusion] that home addresses should be added to the ‘Holy Trinity of personal information, ie., person’s name, social security number and date of birth, that are reasonably likely to result in identity theft and fraud.” (OOR’s June 13, 2012 Final Determination at 6). First, as the courts of this Commonwealth have held and as we have stated above, any expectation of privacy that an individual may have in his or her home address information is not objectively reasonable in modern society. See Duncan; Marin. Second, the affidavit contains no actual evidence that the disclosure of home addresses is reasonably likely to result in identity theft, and fails to demonstrate even a correlation between the disclosure of home addresses and an increased likelihood of identity theft. To the contrary, the affidavit indicates that identity theft only occurs after the identity thief has taken additional steps to contact the victim, gain the victim’s trust and convince the victim into disclosing truly confidential information. Moreover, a number of Ava-kian’s conclusions are not supported by the facts stated in the affidavit. For instance, he concludes that a home address “clearly constitutes” PII, yet the definitions of PII he cites to specifically do not include home addresses as PII.12

Based on the foregoing, the OLG did not meet its burden of proving that disclosure of an individual’s home address would be reasonably likely to result in a substantial and demonstrable risk of harm to the personal security of that individual. Accordingly, the OOR correctly determined that an OLG employee’s home address is subject to disclosure under the RTKL.

*133II.

The OLG next argues that the Lieutenant Governor’s secondary, government-issued e-mail addresses are exempt from disclosure under the personal identification information exception to the RTKL. That exception exempts from disclosure, inter alia, “a record containing all or part of a person’s ... personal e-mail addresses.” Section 708(b)(6)(i)(A) of the RTKL, 65 P.S. §■ 67.708(b)(6)(i)(A). The OLG contends that “personal identification information” refers to information that is unique to a particular individual, and a “personal email address” is one intended for the use of a specific person. It argues that nothing in the RTKL restricts the exception to non-government issued e-mail addresses or suggests that the word “personal” only applies to e-mail addresses not used for agency business.

Both the OOR and Requester focus on the fact that the e-mail address in question may be used to conduct official government business. For instance, Requester argues in his brief that “[t]here is nothing personal ... about a government-issued email account that is used to conduct agency business at the public’s expense.” (Petitioner’s Brief at 81). Similarly, the OOR concluded that because e-mails created by public officials acting in their official capacity for the purpose of furthering agency business are public records, it follows that e-mail addresses created for public officials to transact agency business must also be considered public records.

What is considered “personal identification information” is not defined in the RTKL. However, this Court has defined the term as:

[I]nformation that is unique to a particular individual or which may be used to identify or isolate an individual from the general population. It is information which is specific to the individual, not shared in common with others; that which makes the individual distinguishable from another.

Schaefer, 45 A.3d at 1153. Whether the exemption for “personal identification information” extends to a government-issued “personal” e-mail address, in City of Philadelphia v. Philadelphia Inquirer, 52 A.3d 456, 461-462 (Pa.Cmwlth.2012), we addressed whether the daily governmental schedules of the Mayor and the City Council Members were exempt under Section 708(b)(12) of the RTKL, 65 P.S. § 67.708(b)(12),13 because they were being used for those officials’ “own personal use.” Rejecting a claim similar to this one that those calendars are not personal because they are used for government business, we held that “ ‘[pjersonal’ ... does not mean that it has to involve a public official’s personal affairs” but also “covers those documents necessary for that official that are ‘personal’ to that official in carrying out his public responsibilities.” City of Philadelphia, 52 A.3d at 461.

While the secondary e-mail address in question is used to conduct agency business, it still falls within Section 708(b)(6)(i)(A) of the RTKL’s exemption of “a record containing all or part of a person’s ... personal e-mail address” because, even though it is being used to transact public business, nonetheless, it is still personal to that person. We note that other than the identification of the e-mail address in question, a requester would clearly have the ability to request e-mails *134from that account under the RTKL, provided that they were not exempt from disclosure.

Accordingly, the OOR’s Final Determination is affirmed to the extent that it provided access to the home address of an OLG employee, but reversed as to the portion providing for the disclosure of all agency-issued e-mail addresses for Lieutenant Governor Cawley.14

ORDER

AND NOW, this 24-th day of April, 2013, the Final Determination of the Office of Open Records, dated June 13, 2012, at No. AP2012-0787, is affirmed in part and reversed in part. The Final Determination is affirmed to the extent that it provided access to the home address of an employee of the Office of the Lieutenant Governor, but reversed as to the portion providing for the disclosure of all agency-issued email addresses for Lieutenant Governor Cawley.