05-ORD-175

Opinion

Opinion By: Gregory D. Stumbo, Attorney General; James M. Ringo, Assistant Attorney General

Open Records Decision

The question presented in this appeal is whether the Kentucky Personnel Cabinet (Cabinet) properly relied on KRS 61.878(1)(m)1.f in denying the request of The State Journal reporter Erik A. Carlson's July 7, 2005 request for "a list of every person in state government who had CICS privileges, their level of access and any other information available for March, 15 2005 and May 13, 2005." We find that the Cabinet failed to establish that disclosure of this information would result in a reasonable likelihood of threatening the public safety by exposing a vulnerability in protecting against a terrorist act.

By letter dated July 12, 2005, Mark D. Honeycutt, Executive Director of the Cabinet, partially denied Mr. Carlson's request, advising:

Pursuant to K.R.S. § 61.878(m)(1)(f), the Personnel Cabinet denies your request in part for the level of access for every person in state government who had CICS privileges for March 15, 2005 and May 13, 2005. As for your request for the list of every person with CICS privileges on the specified dates, please be advised that the Personnel Cabinet, Office of Legal Services is granting and compiling your request and will notify you upon completion.

State agencies may withhold "public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act. " K.R.S. § 61.878(m). This exempted category of public records includes infrastructure records and the security of critical systems, including information technology. K.R.S. § 61.878(m)(1)(f). CICS access levels fall within this category of exempted public records as disclosure of individuals and their specific access levels reveals a vulnerability of the state's personnel and payroll database to potential terrorists.

Further, any person who has the above-described access level information would know which employees would have access to particular levels of CICS and particular personnel information, and this makes CICS more vulnerable to hackers because it gives the hacker an entry point to the information sought.

Any person having the requested information would create a security risk for CICS because it increases the likelihood of CICS information being compromised. Due to the recent events after September 11, the Commonwealth takes great measures to protect its information technology infrastructure, including persons with specific access levels. I trust you understand our security concerns.

On July 13, 2005, Mr. Carlson initiated the instant appeal, expressing the opinion that the Cabinet "is taking an extraordinary leap to use KRS 61.878[1](m) as grounds to deny this request."

After receipt of notification of the appeal, Mr. Honeycutt provided this office with a response to the issues raised in the appeal. Elaborating on his initial response, he argued in part:

The use of KRS 61.878[1](m) to deny Mr. Carlson's request is warranted under the circumstances. The Personnel Cabinet has an interest in protecting the security of CICS and the information contained therein. CICS is an information technology system as defined in KRS 61.878[1](m)(1)(f). Any person who has the names of state government employees and their level of access to CICS would have an access point for breaking into CICS and personnel information that they could steal or modify. Disclosing this information would be analogous to disclosing the schematics of a building, in that it would tell the recipient where the weak points are in the structure, whether it be a building or an information technology system like CICS.

. . . A terrorist could use knowledge of the levels of access to intimidate or coerce the Personnel Cabinet into meeting his demands. Furthermore, a terrorist could use the information to disrupt CICS and in turn disrupt the personnel system for the Commonwealth of Kentucky, which could lead to a breakdown of services to the public.

For the reasons that follow, we conclude that the Cabinet has not met its burden of establishing that disclosure of the level of access of each person in state government with CICS privileges would result in a "reasonable likelihood of threatening the public safety by exposing a vulnerability" in protecting against a terrorist act, and thus, violated the Open Records Act in denying access to the records in dispute, under KRS 61.878(1)(m)1.f. This is particularly so under the facts of this case where the Cabinet has already provided a list of every person in state government with CICS privileges on the certain specified dates to Mr. Carlson.

KRS 61.878(1)(m)1.f excepts from disclosure to the public:

1. Public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terroristic act and limited to:

We agree with that portion of the Cabinet's position that the CICS is an information technology system as defined in KRS 61.878(1)(m)1.f. and that it could be subjected to a "terrorist act, " such as a criminal act intended to "[d]isrupt a system identified in subparagraph 1.f." KRS 61.878(1)(m)2.b. However, the responses of the Cabinet fail to establish how disclosure of the records in dispute, i.e., records that reveal the level of access of each person in state government with CICS privileges would result in a "reasonable likelihood of threatening the public safety by exposing a vulnerability, " as required by KRS 61.878(1)(m).

The General Assembly has declared "that the basic policy of KRS 61.870 to 61.884 is that free and open examination of public records is in the public interest and the exceptions provided for by KRS 61.878 or otherwise provided by law shall be strictly construed . . . ." KRS 61.871. Consistent with this policy, the General Assembly has assigned the burden of proof to the public agency in an open records appeal to this office or the circuit court. KRS 61.880(2)(c); KRS 61.882(3). The Attorney General is thus bound by a rule of strict construction in interpreting the exceptions to the Open Records Act, and all doubts must be resolved in favor of disclosure. 04-ORD-171.

The Cabinet argues that providing the levels of access for state government employees would narrow the potential number of computers that a hacker would have to hack in order to access specific information and that these persons might be subject to coercion. The Cabinet does not explain how providing the names of individuals with a higher level of access would result in a "reasonable likelihood of threatening the public safety by exposing a vulnerability. " KRS 61.878(1)(m). It claims that disclosure of this information would give someone an access point for breaking into CICS and personnel information that they could steal or modify. However, the Cabinet's argument is undercut by the fact that the Cabinet has already provided the names of each person in state government with CICS access on the dates in question. A person could narrow the possible persons with a higher level of access by inference. For example one could infer that persons in higher positions of responsibility or by their job descriptions or titles may have a higher level of access.

Moreover, we could see how disclosure of records containing information, such as access codes, user IDs, or other security codes would result in a reasonable likelihood of exposing a vulnerability, the security of the CICS system, to a criminal act that could disrupt the CICS system and the personnel system. The system is always vulnerable to an attack from a hacker or individual attempting to invade or disrupt its operation, but to qualify for the exemption from disclosure provided for by KRS 61.878(1)(m), the agency must establish that the disclosure of certain records would reasonably result in an attack on the information technology system. Speculation that someone obtaining the state employee's level of CICS access could enable a terrorist to intimidate or coerce that employee, the Cabinet or to disrupt the system's function, in our mind, does not meet this burden. Under the facts of this appeal, we conclude that the Cabinet has failed to meet its burden of establishing that disclosure of the names of employees and their levels of CICS access would result in the reasonable likelihood of exposing a vulnerability in preventing an attack on the system. Accordingly, we find the Cabinet's reliance upon KRS 61.878(1)(m) was misplaced and the records should be made available for inspection.

A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.

Distributed to:

Erik A. CarlsonCapitol Reporter The State Journal 1216 Wilkinson Blvd.Frankfort, KY 40601

Mark D. HoneycuttExecutive DirectorOffice of Legal ServicesPersonnel Cabinet200 Fair Oaks Lane, 5th FloorFrankfort, KY 40601

Disclaimer:
The Sunshine Law Library is not exhaustive and may contain errors from source documents or the import process. Nothing on this website should be taken as legal advice. It is always best to consult with primary sources and appropriate counsel before taking any action.
Requested By:
The State Journal
Agency:
Kentucky Personnel Cabinet
Type:
Open Records Decision
Lexis Citation:
2005 Ky. AG LEXIS 174
AG Original File:
Original on AG Site
Cites:
Forward Citations:
Cited By 11 Record(s)
Neighbors

Support Our Work

The Coalition needs your help in safeguarding Kentuckian's right to know about their government.

Give to the Coalition