The San Diego Union-Tribune sought the contact information under the California Public Records Act, to make it easier for reporters to locate city staff members for news stories.
Angela Laurita, program manager of the city’s public records administration, said in an email that the city is unable to produce a complete directory due to security concerns, citing a memo written last week by city attorneys. The city plans to produce other information instead, Laurita said, such as organizational charts and contact information for select employees by Friday.
The memo, which was addressed to San Diego Chief Operating Officer Mary Michell and published on the City Clerk’s website, discusses the legal arguments surrounding the release of staff information and acknowledges there are no previous state or federal cases that specifically address the issue of denying the public access to a staff directory due to cyber security threats.
“There’s a reason why there are no other cases like this in California,” said Paul Fletcher, chairman of the Society of Professional Journalist’s Freedom of Information Committee. “It’s because denying citizens the ability to reach a government employee is ridiculous.”
The Union-Tribune in July requested a staff directory of city employees that included each workers name, title, email and phone number. The newspaper had no intention of publishing the information, but planned to use it internally for reporting purposes.
Through NextRequest, the city’s online records request portal, Laurita said the city needed a 14-day extension to “conduct a search for records, examine records, consult with another agency or compile data.” A week later, she said the city had no responsive documents.
Subsequent conversations with San Diego communications staff revealed the city had a way to produce a staff directory, but officials were hesitant to release the information because it could increase the risk of cyber attacks and phishing scams.
Advertisement
Under the California Public Records Act, access to public agencies and their conduct is a “fundamental and necessary right of every person in this state.” The law requires government records to be disclosed to the public unless there is a legal basis to withhold the information. For example, the law allows agencies to withhold attorney-client discussions, personnel files and medical records, among others.
“I don’t see how that principle squares with this theory that the government should not reveal the phone extension or email of a city employee,” said Jeff Light, editor and publisher of the Union-Tribune. “I understand the concern about phishing attacks; that is a real problem. But I suspect the city is going to discover that it needs to find other solutions to that issue.”
David Cuillier, a journalism professor at University of Arizona and president of the National Freedom of Information Coalition, said basic information about government employees and staff directories are almost universally considered public in the United States.
“The public is entitled to know who is being hired and how their taxes are being used,” Cuillier said. “The solution isn’t to hide information from the public — information that they have every right to have. The solution is for them to beef up their security protocols.”
Cuillier said denying such information could also set a dangerous precedent for future records requests and allow the city to keep additional public information behind closed doors without consequences.
“You have to ask yourself, ‘What they are going to try to keep secret next?’” he said. “Could the budget be a security risk? How far do you take this?”
In the memo, City Attorney Mara Elliott and Deputy City Attorney Steven Lastomirsky argue that the city’s decision to disclose or withhold the staff directory should be based on credible facts and information, including whether there’s a current threat to the city’s cybersecurity, what level of information may be safely disclosed and how drastically city operations would be affected if an attack is successful.
City officials have yet to publicly disclose specific details about any current cyber threats and did not respond to messages and calls seeking comment in time for publication.
According to the memo, city officials say releasing the information all at once would make it easier for “bad actors to launch phishing attacks against the city,” citing the recent ransomware attacks against the cities of Atlanta and Baltimore that cost both agencies millions of dollars in remediation efforts and lost productivity.
In 1991, the California Supreme Court found that the Governor’s schedule and appointment calendars were exempt from release because the information could jeopardize the Governor’s security. On a federal level, the D.C. District Court ruled that releasing employee phone extensions could lead to government workers being harassed.
On the other hand, the California Supreme Court ruled in 2007 that unless there is a need for an employee to remain anonymous, the public interest in disclosing employee names and titles outweighed the interest in not disclosing the information.
Locally, San Diego Superior Court ruled in 2011 that the San Diego County Employees Retirement Association was required to disclose the names of retired employees.
“Taken together, the California and federal cases suggest that, in certain circumstances, the public interest in disclosure of employee email addresses and telephone numbers may be outweighed by the public interest in nondisclosure,” the memo said. “A court may find that the city’s security concerns outweigh the need for public access to a complete employee directory, as the public already has alternative means for identifying and reaching city officials.”
Jonathan Behnke, the San Diego’s chief information officer, said the city is denying the request under what is more commonly known as the “catch-all” exemption, where the interest in withholding information outweighs the interest in releasing it. Under this exemption, the burden falls on the city to prove why the information is better kept private.
©2019 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.
