The First Department, affirming Supreme Court’s denial of petitioner’s FOIL request for the email addresses of all New York City employees, determined the information was covered by the cybersecurity exemption from disclosure under FOIL. The petitioner is a foundation which seeks to inform those city employees who are public-employee-union members of their right to opt out of union membership:
… DCAS’s [NYC Department of Citywide Administrative Services’] General Counsel “articulat[ed] a particularized and specific justification for denying access” … under the cybersecurity exemption by explaining that “disclosure would create a substantial risk to the information technology infrastructure of the City of New York, including computer hardware, software, and data.”
The City Cyber Command’s Deputy Chief Information Security Officer further explained that disclosing “all New York City employees’ email addresses would relinquish control of the City’s information technology assets and jeopardize the security of those assets and of City infrastructure” by “mak[ing] it substantially easier for threat actors to successfully attack City . . . employees” in “[p]hishing and other email-based attacks.” Phishing and other confidence-based attempts at fraud prey on a target’s trust. The other information sought herein concerning employee’s names, titles, and other employment-related information could be used in conjunction with an email address to dupe unsuspecting targets. Of course, we do not find that the Foundation has any intention of phishing or committing any other type of fraud; it seeks to advance its mission. We note these facts only to point out the risks that can ensue from mass release of public employee contact information should the information fall into the wrong hands.
For these reasons, DCAS “articulate[d] a legitimate concern covered by the exemption”— that disclosure of email addresses could “breach or compromise [the agency’s] information technology infrastructure” or enable attackers to “gain access to or manipulate information maintained by” DCAS … . Matter of Freedom Found. v New York City Dept. of Citywide Admin. Servs., 2024 NY Slip Op 04483, First Dept 9-19-24
Practice Point: Here the FOIL request for the email addresses of all NYC employees was properly denied under the cybersecurity exemption because of the possibility of “phishing and other email-based attacks.”