Skip to main content

Opinion

Opinion By: Andy Beshear,Attorney General;James M. Herrick,Assistant Attorney General

Open Records Decision

The question presented in this appeal is whether the Louisville Metro Government ("LMG") violated the Kentucky Open Records Act by denying Courier-Journal reporter Darcy Costello's January 15, 2019, request for the "[f]indings and recommendations from the most recent completed software licensing audit conducted by Microsoft" and "from the most recent completed software audit conducted by Adobe." For the reasons that follow, we find that LMG procedurally and substantively violated the Act.

On January 30, 2019, LMG denied the request for the findings and recommendations from the Microsoft audit "pursuant to KRS 61.878(1)(i) & (j) as the audit is still not final." By way of explanation, LMG stated: "The City's attorneys have traded 'release' language with Microsoft and the parties still have not been able to agree to the content and wording of the release despite the time frame that this issue has existed. The City is waiting on a response from Microsoft regarding the finalization of same. When it is finalized, the audit will be released pursuant to the open records process." LMG said nothing in regard to the request for findings and recommendations from an audit by Adobe.

KRS 61.880(1) requires a public agency to make a written disposition of an open records request within three days, excluding weekends and legal holidays. Since the record contains no explanation for why LMG took ten business days to respond, we conclude that the untimeliness of the response violated the Open Records Act.

On appeal, LMG explains that there has been no audit conducted by Adobe, and therefore no records exist to provide in response to that portion of Ms. Costello's request. Although it is true that a public agency cannot afford a requester access to a record that it does not have or that does not exist, 99-ORD-98, it is "incumbent on the [agency] to so state in clear and direct terms," 01-ORD-38, and "a written response that does not clearly so state is deficient. " 12-ORD-162 (emphasis omitted) (quoting 02-ORD-144). See also 14-ORD-013 (failure to address a portion of a request was a violation). Therefore, by failing to disclose the nonexistence of any Adobe audit prior to Ms. Costello's appeal, LMG committed another violation of the Act.

On March 18, 2019, this office received this appeal, in which Ms. Costello argued that Microsoft's findings and recommendations are final, so that subsequent communications between LMG and Microsoft are irrelevant to a determination under KRS 61.878(1)(i) and (j). In response to the appeal, LMG reiterated its position that the audit is not yet final because there is no "final agreement, " and added that Microsoft is still "attempting to review more licenses for the time period of the subject audit and negotiate with Louisville Metro regarding additional remedies."

On April 19, 2019, in response to this office's request for a more detailed explanation of the audit process and "final agreement, " LMG stated that Microsoft notified LMG of a license compliance review in January 2017. Deloitte & Touche LLP ("Deloitte"), the auditor, informed LMG that the audit would encompass all Microsoft licensing agreements with LMG and its predecessors, Jefferson County and the City of Louisville, dating back to 1996. In May 2018, LMG received a draft report of Deloitte's findings, in response to which LMG had an opportunity to present evidence of unused licenses that could be counted against other licenses which Deloitte had found deficient. After consideration of LMG's evidence, Microsoft presented Deloitte's findings to LMG in the form of a spreadsheet on May 12, 2017, and demanded, pursuant to the governing license agreement, that LMG purchase sufficient product licenses within 30 days to cover its deficiencies.

Under the Microsoft license agreement, the audit process is called "verification of compliance." Subsection 14(c) of the agreement, "Remedies for non-compliance," in pertinent part, provides:

If verification or self-audit reveals any unlicensed use or distribution, Customer must within 30 days order sufficient licenses to cover that use or distribution. If unlicensed use is 5% or more, Enrolled Affiliate must reimburse Microsoft for the cost Microsoft has incurred in verification and acquire the necessary additional licenses at 125% of the then current price list and Enrolled Affiliate price level within 30 days. . . . If there is no unlicensed use, Microsoft will not undertake another verification of the same Enrolled Affiliate for at least one year.

We note that the remedies described in subsection 14(c) represent the final step in the verification process as described in the license agreement. The only further action by Microsoft described in section 14 is "another verification. "

After receiving the findings, LMG negotiated with Microsoft in an effort to reduce its cost of compliance. An e-mail from Microsoft to LMG dated May 12, 2017, which LMG provided to this office pursuant to KRS 61.880(2)(c), indicated that the compliance verification process would be officially closed when Microsoft issued a closing letter, which would occur upon its receipt of a settlement letter from LMG and the completion of the compliance purchase. It is our understanding, based on the record and our in camera review, that all of those events occurred within the 30-day compliance period in 2017.

LMG states that it ultimately reached an agreement with Microsoft "on a quantity of licenses out of compliance, a cost for licenses necessary to bring LMG into compliance, and a price for [LMG's] pending Office 365 purchase." To cover the costs of both the license compliance and the new purchase of Office 365, "LMG signed a Master Installment Payment Agreement with a financial provider. " According to LMG, had the parties not reached agreement within 30 days of the findings, Microsoft would have withdrawn all of its products from LMG, "which would have shut [LMG's] entire governmental electronic system down."

What remains, according to LMG, is the negotiation of a subsequent "final agreement" with Microsoft, which would "close the audit and prevent further investigation into the current findings." LMG states that Microsoft has indicated it may wish to "continue investigating" some of the matters covered by the audit. In response, LMG has requested that Microsoft sign an agreement "that would prevent Microsoft from re-auditing the licenses/ time period of the subject audit, " so that Microsoft cannot "seek more license fees. " In reply, Microsoft has proposed that the parties enter into an "enterprise agreement," which would significantly increase LMG's license fees "but would absolve LMG of any potential audit issues." LMG has, at present, not agreed to these terms, but is continuing to negotiate with Microsoft.

As matters currently stand, according to LMG, Microsoft could "alter or amend" the auditor's findings and recommendations, either as the result of a re-audit or as part of a "final agreement" to forgo further auditing for the 1996-2017 time period. Thus, LMG regards the auditor's findings and recommendations as "not final" until it reaches such an agreement with Microsoft.

KRS 61.878(1)(i) and (j) create exceptions to the Open Records Act for:

(i) Preliminary drafts, notes, correspondence with private individuals, other than correspondence which is intended to give notice of final action of a public agency; [and]

(j) Preliminary recommendations, and preliminary memoranda in which opinions are expressed or policies formulated or recommended[.]

This office "has consistently held that final audit reports are public documents and are therefore subject to inspection." 98-ORD-173 (emphasis added). On the other hand, "an audit report does not have to be made available for inspection until it has been finalized. " 08-ORD-094. Accordingly, where the only existing version of an internal audit memo from the Louisville Water Company's former internal auditor contained a blank "cc" line and included handwritten notes "refer[ring] to the possibility of amending the recommendations" contained therein, we found that the audit memo was properly "regarded as [a] draft[.]" 1 15-ORD-066. We based that conclusion partly on the agency's assertion that the "audit was never taken to the [Board of Water Works] Audit Committee and does not appear in any BOWW Committee Report." Therefore, the totality of the circumstances indicated the document had been "neither finalized nor acted upon." 15-ORD-066 (emphasis added).

Here, LMG characterizes Deloitte's findings as "not final," in view of the possibility that Microsoft might choose to amend those findings based on a re-audit, unless and until Microsoft should agree to conduct no more compliance verifications for 1996-2017. Unlike 15-ORD-066, however, the 2017 audit findings were indeed "finalized, " inasmuch as Microsoft duly considered LMG's evidence and then presented a spreadsheet which triggered the 30-day remedy period, during which LMG negotiated a settlement and made its compliance purchase. That moment ended the verification process as described in the license agreement and the e-mail from Microsoft. Furthermore, LMG itself "acted upon" those findings by executing the settlement agreement with Microsoft to bring itself into compliance and to purchase Office 365, and, to that end, executing the "Master Installment Payment Agreement" with its financial provider.

Further, unlike in 15-ORD-066, Deloitte's findings were generated not on behalf of a public agency, but on behalf of Microsoft, a private corporation. In some past decisions, particularly in the context of economic development, this office has upheld the application of KRS 61.878(1)(i) and (j) to communications by private entities where negotiations with a public agency were ongoing. See, e.g. , 93-ORD-29; 04-ORD-081. Here, however, even assuming that same rationale would apply to communications about a license audit, Microsoft clearly treated Deloitte's findings as complete for purposes of triggering the final steps in the 2017 compliance verification. Accordingly, the findings were not a draft or tentative version from Microsoft's perspective.

Moreover, the findings formed part of the basis for agency action. In

University of Kentucky v. Courier-Journal & Louisville Times Co., 830 S.W.2d 373, 378 (Ky. 1992), the Kentucky Supreme Court made clear that "materials that were once preliminary in nature lose their exempt status once they are adopted by the agency as part of its action." In 01-ORD-47, we summarized the manner in which "preliminary" records under KRS 61.878(1)(i) and (j) may retain or lose their exemption after final agency action is taken:

Until final administrative action is taken, or a decision is made to take no action, the requested records are protected by KRS 61.878(1)(i) and (j). If the records are adopted as part of that final action, they will forfeit their preliminary characterization. If not adopted, they will retain their preliminary character.

A record "is adopted as the basis of final action insofar as the final action 'necessarily stem[s] from' that document." 10-ORD-034 (quoting

City of Louisville v. Courier-Journal and Louisville Times Co., 637 S.W.2d 658, 659, 660 (Ky. App. 1982). It is not necessary that the record be explicitly adopted or incorporated by reference, so long as it constitutes the basis for the final agency action. 01-ORD-83 (citing City of Louisville, 637 S.W.2d at 659).

Since Microsoft's audit findings were the immediate impetus for LMG's compliance and purchase agreement with Microsoft and its payment agreement with its financial provider in 2017, those agreements necessarily stemmed from those findings. Thus, the 2017 audit findings are not preliminary, both because Microsoft used them as the basis for completing the audit process and because they formed the basis of final agency action; namely, LMG's execution of the compliance/purchase settlement and payment agreement.

While Microsoft does retain the ability to conduct a further audit covering the years 1996-2017 that could potentially result in additional findings of noncompliance, that would constitute, in LMG's words, "re-auditing, " or, in the words of the license agreement, "another verification. " Any new audit that occurs will be a separate process, with its own beginning and end, governed by the license agreement. To regard the 2017 audit as a perpetually unfinished process unless and until Microsoft agrees not to conduct another audit would wrongly deprive the public of access to the very audit findings which formed the basis for LMG's expenditure of public funds under the agreements reached in 2017. Therefore, we find KRS 61.878(1)(i) and (j) inapplicable and conclude that LMG's denial violated the Open Records Act. 2

A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General shall be notified of any action in circuit court, but shall not be named as a party in that action or in any subsequent proceedings.

Footnotes

Footnotes

1 Preliminary drafts" are records which "represent a tentative version, sketch, or outline of a formal and final written product." 05-ORD-179.

2 As part of our review of this appeal, we requested and received a copy of the Microsoft findings from LMG for in camera review. LMG redacted from that copy the names and identifiers of its computer servers, which LMG described as "analogous to an individual's birthdate and Social Security number," inasmuch as disclosure of that information would make it "very simple for someone to hack its servers, including our emergency services servers, and shut our system down."

LLM Summary
The decision finds that the Louisville Metro Government (LMG) violated the Kentucky Open Records Act by denying a request for audit findings from Microsoft and Adobe. The denial was based on the claim that the Microsoft audit was not final and no Adobe audit existed. The decision clarifies that the Microsoft audit findings were final and should have been disclosed, and that LMG failed to timely and adequately respond about the nonexistence of the Adobe audit, thus violating the Act.
Disclaimer:
The Sunshine Law Library is not exhaustive and may contain errors from source documents or the import process. Nothing on this website should be taken as legal advice. It is always best to consult with primary sources and appropriate counsel before taking any action.
Requested By:
The Courier-Journal
Agency:
Louisville Metro Government
Type:
Open Records Decision
Lexis Citation:
2019 Ky. AG LEXIS 108
Forward Citations:
Neighbors

Support Our Work

The Coalition needs your help in safeguarding Kentuckian's right to know about their government.