Opinion
Opinion By: Andy Beshear,Attorney General;James M. Herrick,Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the University of Louisville violated the Open Records Act by denying Insider Louisville reporter Joe Sonka's undated request for a "list of the department, building, room and specific employee at the University of Louisville who operates from each of [five specified] IP addresses" in reliance on KRS 61.872(6) and KRS 61.878(1)(m)1.f-g. For the reasons stated herein, we find no violation of the Act.
On April 14, 2016, records custodian Sherri Pawson responded by citing an earlier open records decision based on the "unreasonable burden" language in KRS 61.872(6): "Based upon our reading of the 12-ORD-153 opinion, the Office of the Attorney General has exempted from release under [the Open Records Act] records which link the identity of an individual with an IP address. We read the opinion to apply to your request because you seek the link between the two."
Insider Louisville editor Sarah Kelley appealed on April 18, 2016, arguing that that identifying the users associated with the IP addresses "would not present a security risk for the university, as we have no interest in listing the numbers of these IP addresses." On May 11, 2016, Ms. Pawson responded to the appeal, pointing out that the open records request Insider Louisville is itself "an open record. Accordingly, the IP addresses correlated to specific individuals and office holders is information that could be subject to future release and made public." Ms. Pawson additionally provided an affidavit from University security analyst Jacob Jeffers with the Office of the Vice President for Information Technology, stating the following:
Currently, there are approximately fewer than 500 individual IP addresses associated with Grawemeyer Hall;
Revealing the identities and locations associated with specific IP addresses would result in the increased potential for unauthorized access and targeted hacking attacks on University IT systems;
For example, if a hacker had access to the individual IP addresses associated with the office of the Director for Financial Aid, that hacker could specifically target systems with sensitive financial information of students maintained by the University of Louisville;
Knowledge of who individuals are, with the additional identifier of their individual IP addresses, coupled with information about their proximity or access to sensitive information at the University of Louisville, would make the University's IT system vulnerable to unauthorized access.
(Numbering omitted.) Also, Ms. Pawson cited KRS 61.878(1)(m)1.f-g.
In 12-ORD-153, cited by the University, we held that disclosure of the IP addresses of city commissioners "would unreasonably burden the city by forcing it to overhaul an existing system each time the records were requested and released." (Internal quotation marks omitted.) KRS 61.872(6), which formed the basis for our ruling, provides:
If the application places an unreasonable burden in producing public records or if the custodian has reason to believe that repeated requests are intended to disrupt other essential functions of the public agency, the official custodian may refuse to permit inspection of the public records or mail copies thereof. However, refusal under this section shall be sustained by clear and convincing evidence.
We find no distinction in the fact that here the missing piece of information is the identities of the individuals associated with IP addresses, whereas in 12-ORD-153 the missing piece was the IP addresses themselves. As attested by Mr. Jeffers, the possession of the two pieces of information in conjunction creates the same danger of unauthorized access. 1 Therefore, we find 12-ORD-153 controlling on this issue and attach a copy of that decision as a basis for our conclusion in the present appeal.
As to the University's invocation of KRS 61.878(1)(m), the relevant portions of that subsection make an exception to open records for:
1. Public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act and limited to:
?
f. Infrastructure records that expose a vulnerability referred to in this subparagraph through the disclosure of the location, configuration, or security of critical systems, including public utility critical systems. These critical systems shall include but not be limited to information technology , communication, electrical, fire suppression, ventilation, water, wastewater, sewage, and gas systems?
?
2. As used in this paragraph, "terrorist act" means a criminal act intended to:
(Emphasis added.) While 12-ORD-153 is dispositive of the issues in this appeal, we find the University's argument under KRS 61.878(1)(m) credible as well. Disclosing the identities of IP address holders in conjunction with the addresses would, under the factual circumstances described by Mr. Jeffers, tend to create a reasonable likelihood of exposing a vulnerability in protecting against criminal acts intended to disrupt the University's information technology system. Given the presence of sensitive information in that system relating to students and perhaps other members of the public, this vulnerability could reasonably be construed as a threat to the public safety.
Accordingly, the University could properly have relied upon KRS 61.878(1)(m)1.f. to deny access to the list of IP address holders, 2 as well as KRS 61.872(6). We therefore find no violation of the Open Records Act.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Footnotes
Footnotes
1 See generally Hardin Co. Schools v. Foster, 40 S.W.3d 865, 870 (Ky. 2001) (Cooper, J., dissenting).
2 We assume, for purposes of this appeal, that the information sought by this request exists in the form of a list. If no such list existed, the University would not be obligated to create one. See, e.g. , OAG 89-45 (the Open Records Act "does not require public agencies to carry out research or compile information to conform to a given request"); OAG 76-375 (public agencies "are not obligated to compile a list or create a record to satisfy an open records request").