Mr. Richard Weiss, Director Arkansas Department of Finance and Administration P.O. Box 3278 Little Rock, AR 72203-3278
Dear Mr. Weiss:
You have requested my opinion concerning certain issues that have arisen under the Arkansas Freedom of Information Act (FOIA) (A.C.A. § 25-19-101et seq.) in connection with the Arkansas State Travel Card Program.
You state that the Department of Finance and Administration, Office of State Procurement (OSP) has entered into a contract with United Missouri Bank (UMB) to provide Arkansas State Travel Cards. These cards are offered to state agencies and employees for approved business related travel expenses. Personal expenditures are not allowed, unless they are incidental to, and inseparable as a practical matter, from legitimate business expenditures. The contract with UMB provides for three different types of travel accounts: Business Travel Cards, Business Travel Accounts, and Sponsored Business Travel Cards. Individual state employees who meet certain minimum travel requirements are eligible to apply for Business Travel Cards that are issued in their own names. These cards can only be issued to employees of state agencies, and are to be used only for payment of expenses resulting from official travel. The individual employees to whom Business Travel Cards are issued are personally liable for payment of charges. Agencies can request and receive Business Travel Accounts and Sponsored Business Travel Cards. Although these cards may be issued to individual state employees, the agency is responsible for making payment.
Pursuant to the contract, UMB provides OSP the following information to the affected state agency on all accounts under the State Travel Cards program (including Business Travel Cards that are issued in the names of individual employees): charge card account number, employee name, social security number, date of report, previous balance, payments, credits, purchases, debits, finance charges (if any), new balance, amount due, agency name and identification number, amount past due, and type of transaction.
Regarding these cards and this arrangement with UMB, you have presented the following questions:
(1) What information provided by UMB constitutes a public document subject to disclosure pursuant to the FOIA?
(2) If a state employee uses a card for personal transactions, but pays the amount and does not seek reimbursement from the state, is the information concerning that transaction subject to disclosure pursuant to the FOIA?
(3) What documentation, if any, in the possession of UMB would be subject to disclosure pursuant to the FOIA?
RESPONSE
Question 1 — What information provided by UMB constitutes a publicdocument subject to disclosure pursuant to the FOIA?
Summary of Response:
It is my opinion that of the items of information you have listed as being provided by UMB to the state, the following items must be disclosed under the FOIA, if the information is maintained in records by the agency: the employee name, date of report, previous balance, payments, credits, purchases, debits, finance charges, new balance, amount due, agency name, amount past due, and type of transaction. The other items of information (i.e., charge card account numbers, social security numbers, and agency identification numbers) are, in my opinion, exempt from disclosure under the FOIA.
Discussion
The FOIA defines "public records" as follows:
(5)(A) "Public records" means writings, recorded sounds, films, tapes, electronic or computer-based information, or data compilations in any medium, required by law to be kept or otherwise kept, and which constitute a record of the performance or lack of performance of official functions which are or should be carried out by a public official or employee, a governmental agency, or any other agency wholly or partially supported by public funds or expending public funds. All records maintained in public offices or by public employees within the scope of their employment shall be presumed to be public records.
A.C.A. § 25-19-103(5)(A).
The FOIA goes on to state:
(a)(1) Except as otherwise specifically provided by this section or by laws specifically enacted to provide otherwise, all public records shall be open to inspection and copying by any citizen of the State of Arkansas during the regular business hours of the custodian of the records.
A.C.A. § 25-19-105(a)(1).
If the state maintains records reflecting any of the items of information provided by UMB to the state, the pertinent question will be whether any of those items of information falls within an exemption from disclosure, either under the FOIA's list of exemptions, or under an exemption stated in another law. Again, the items of information you have mentioned are: charge card account number, employee name, social security number, date of report, previous balance, payments, credits, purchases, debits, finance charges (if any), new balance, amount due, agency name and identification number, amount past due, and type of transaction.
In my opinion, the following items of information are not exempt from disclosure under the FOIA's list of exemptions, or under any other law's exemption: the employee name, date of report, previous balance, payments, credits, purchases, debits, finance charges, new balance, amount due, agency name, amount past due, and type of transaction. Any record reflecting these items of information would, in my opinion, constitute a non-exempt "public record," within the meaning of the FOIA, and would thus be subject to disclosure.
In my opinion, the following items of information are exempt from disclosure: charge card account numbers, social security numbers, and agency identification numbers.
I interpret the exemption stated in A.C.A. § 25-19-105(b)(11) to include such information as charge card account numbers and agency identification numbers. That provision states:
(11) Records containing measures, procedures, instructions, or related data used to cause a computer or a computer system or network, including telecommunication networks, or applications thereon, to perform security functions, including, but not limited to, passwords, personal identification numbers, transaction authorization mechanisms, and other means of preventing access to computers, computer systems or networks, or any data residing therein;
A.C.A. § 25-19-105(b)(11).
In my view, the charge card account numbers and agency identification numbers could provide access to computer systems and the data residing therein. The disclosure of such information could thus result in the type of security breach that this exemption was apparently intended to prevent. My conclusion regarding this matter is supported by the Report of the Electronic Records Study Commission, a body that was created pursuant to Act 1060 of 1999 and charged with the task of studying public access to electronic or computerized records under the FOIA, and with developing recommendations for amendments to the FOIA for consideration by the 83rd General Assembly. The above-quoted provision was added to the FOIA in response to the Commission's recommendation. Regarding this provision, the Commission's Report stated:
This provision addresses a problem pointed out by the Department of Information Systems regarding security-related information in government computer systems and networks. In short, security information in public records is potentially available under the FOIA. It is likely that transactional information, including credit card numbers, would often be available as well. The opportunity for mischief is obvious and would be eliminated by the proposed amendment, which exempts records containing security information, i.e., passwords, personal identification numbers, transaction authorization mechanisms, and other means of preventing unauthorized access. While it could be argued that some of all of this information does not constitute a record of official performance or lack thereof, and thus not be subject to disclosure, the proposed amendment provides needed certainty in this regard.
Report of the Electronic Records Study Commission Recommendations forAmendments to the Arkansas Freedom of Information Act (December 15, 2000) at 26.
It is clear that the intent of A.C.A. § 25-19-105(b)(11) was to protect the security of information such as credit card account numbers and identification numbers.
My predecessors have consistently opined that federal law prohibits state agencies from disclosing social security numbers. See, e.g., Ops. Att'y Gen. Nos. 2002-158; 95-262, citing 5 U.S.C. § 552a, note (the "Federal Privacy Act"). I agree with that assessment.
I therefore conclude that if the state maintains records reflecting the employee name, date of report, previous balance, payments, credits, purchases, debits, finance charges, new balance, amount due, agency name, amount past due, and type of transaction, those records are subject to disclosure under the FOIA. I conclude that any records containing charge card account numbers, social security numbers, and agency identification numbers are exempt from disclosure.
It should be noted that the FOIA states:
(f)(1) No request to inspect, copy, or obtain copies of public records shall be denied on the ground that information exempt from disclosure is commingled with nonexempt information.
(2) Any reasonably segregable portion of a record shall be provided after deletion of the exempt information.
(3) The amount of information deleted shall be indicated on the released portion of the record and, if technically feasible, at the place in the record where the deletion was made.
(4) If it is necessary to separate exempt from nonexempt information in order to permit a citizen to inspect, copy, or obtain copies of public records, the custodian shall bear the cost of the separation.
A.C.A. § 25-19-105(f).
The custodian of the records therefore has the responsibility to review any records containing disclosable information, and to redact any exempt information contained in those records before they are released to the public.
Question 2 — If a state employee uses a card for personal transactions,but pays the amount and does not seek reimbursement from the state, isthe information concerning that transaction subject to disclosurepursuant to the FOIA?
It is my opinion that information concerning a personal transaction for which an employee uses a card issued under the State Travel Cards program is subject to disclosure under the FOIA.
As indicated previously, under the State Travel Cards program, personal expenditures are not allowed, unless they are incidental to, and inseparable as a practical matter, from legitimate business expenditures. Moreover, cards issued under the program are available to individuals only by virtue of the fact that they are state employees who meet certain minimum travel requirements. As noted, these cards are to be used only in connection with official travel. Under these circumstances, any transaction for which the card is used is subject to scrutiny by the public.
I find the FOIA's statement of intent to be particularly pertinent to this issue:
It is vital in a democratic society that public business be performed in an open and public manner so that the electors shall be advised of the performance of public officials and of the decisions that are reached in public activity and in making public policy. Toward this end, this chapter is adopted, making it possible for them, or their representatives to learn and to report fully the activities of their public officials.
A.C.A. § 25-19-102.
The public has a vital interest in being able to verify that state employees are complying with state and contractual requirements in the use of credit cards issued to them as a privilege of state employment.
Question 3 — What documentation, if any, in the possession of UMB wouldbe subject to disclosure pursuant to the FOIA?
It is my opinion that records in the possession of UMB concerning the State Travel Card program are not subject to disclosure under the FOIA.1
Although it is true that the disclosure requirements of the FOIA can apply to private entities, such requirements apply only if the following conditions are met:
• The private entity receives direct public funding. See Sebastian County Chp. of the Amer. Red Cross v. Weatherford, 311 Ark. 656, 846 S.W.2d 641 (1993).
• The private entity's work is intertwined with the work of government. See City of Fayetteville v. Edmark, 304 Ark. 179, 801 S.W.2d 275 (1990).
In my opinion, the state's arrangement with UMB does not meet either of these requirements. Although UMB will handle state funds in the course of administering the accounts established under the State Travel Card program, it will not be the ultimate recipient of those funds. UMB's compensation for handling State Travel Card transactions will come from the merchants with whom the transactions are conducted, rather than from the state. Moreover, the work that UMB will be performing under its contract with the state will not intertwine it with the workings of state government. In order to be intertwined with state government (for FOIA purposes), a private entity must perform a function that the state would otherwise perform. The issuance of credit cards is clearly not a function of state government.
It should be noted, however, that if the state receives a request for records that are subject to disclosure by the state, but such records are in the possession of UMB, the state must provide access to the records.See Swaney v. Tilford, 320 Ark. 652, 898 S.W.2d 462 (1995).
I must note that even if UMB were deemed to be subject to the disclosure requirements of the FOIA, these requirements could, as applied to UMB, be preempted in some cases by the provisions of the Financial Services Modernization Act (also called the "Gramm-Leach-Bliley Act") (Pub.L.106-102, Nov. 12, 1999, 113 Stat. 1338), and possibly by the provisions of the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.). These laws prohibit the disclosure by certain financial entities of certain financial information. See Op. Att'y Gen. No. 2001-227. The question of whether either of these laws applies to any given disclosure is a question of fact that will turn on a number of factors, including certain features of UMB, the nature of the particular information in question, the entity requesting the information, the nature of any relationship or transaction between UMB and that entity, and whether the customer to whom the information relates has given consent to disclosure of the information to that entity.
It should be noted that the state does not fall within the regulatory scope of these laws. That is, the state is not a financial entity that is subject to these laws, and these laws therefore do not operate to preclude the state from making required disclosures under the FOIA. Nor do these laws prevent UMB from providing information to the state concerning the State Travel Card Program. First, with regard to Business Travel Accounts and Sponsored Business Travel Cards, the state is the customer to whom the information relates. Second, with regard to Business Travel Cards issued in the names of individual state employees, these employees' participation in the Travel Card Program requires their consent to such disclosures. Under these circumstances, disclosure to the state is permissible. See 15 U.S.C § 6802(e); 15 U.S.C. § 1681b(a)(2). Finally, if the state is required, pursuant to Swaney v. Tilford, supra, to provide access to records that are in the possession of UMB, these federal laws do not prohibit such access. See 15 U.S.C. § 6802(e)(8) (excepting from the prohibition against disclosure any disclosure that is necessary "to comply with Federal, State, or local laws, rules, and other applicable legal requirements[.]"); 15 U.S.C. § 1681b(a)(2) (permitting disclosures in accordance with instructions from the consumer to whom the information relates.).
Assistant Attorney General Suzanne Antley prepared the foregoing opinion, which I hereby approve.
Sincerely,
MIKE BEEBE Attorney General
1 However, as noted hereinafter, the state must provide access to records that it would be required to disclose, even if those records are in the possession of a private entity.