Levinthal v. Federal Election Commission

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA _________________________________________ ) Dave Levinthal, et al., ) ) Plaintiffs, ) ) v. ) Civil No. 15-cv-01624 (APM) ) Federal Election Commission, ) ) Defendant. ) ) _________________________________________ ) MEMORANDUM OPINION I. INTRODUCTION Plaintiffs Dave Levinthal and the Center for Public Integrity bring this suit under the Freedom of Information Act (“FOIA”). On July 6, 2015, Plaintiffs submitted a FOIA request to Defendant Federal Election Commission seeking: (1) a copy of a study that assesses vulnerabilities in the Commission’s information technology (“IT”) systems and makes recommendations to address those vulnerabilities; and (2) any emails and documents related to the study. Defendant produced non-exempt materials related to the study, but withheld the study itself. Plaintiffs brought this suit claiming that Defendant violated FOIA by failing to produce the study. Upon consideration of the parties’ submissions and the record evidence, the court grants Defendant’s Motion for Summary Judgment and denies Plaintiffs’ Cross-Motion for Summary Judgment. II. BACKGROUND As required by Local Civil Rule 7(h)(1), Defendant Federal Election Commission (“Commission” or “Defendant”) submitted a detailed statement of undisputed material facts. See Def.’s Mot. for Summ. J., ECF No. 13 [hereinafter Def.’s Mot.], Def.’s Stmt. of Material Facts, ECF No. 13-1 [hereinafter Def.’s Stmt.]. Plaintiffs, for their part, responded with a bare-boned counter-statement that did not dispute Defendant’s factual assertions. Pls.’ Cross-Mot. for Summ. J., ECF No. 14 [hereinafter Pls.’ Mot.], Pls.’ Stmt. of Material Facts, ECF No. 14-1 [hereinafter Pls.’ Stmt.]. 1 Accordingly, the court treats Defendant’s proffered facts, recited below, as conceded by Plaintiffs. See SEC v. Banner Fund Int’l, 211 F.3d 602, 616 (D.C. Cir. 2000) (“If the party opposing the motion fails to comply with [the] local rule, then ‘the district court is under no obligation to sift through the record’ and should ‘[i]nstead . . . deem as admitted the moving party’s facts that are uncontroverted by the nonmoving party’s Rule [LCvR 7.1(h)] statement.’” (alterations in original) (quoting Jackson v. Finnegan, Henderson, Farabow, Garrett & Dunner, 101 F.3d 145, 154 (D.D.C. 1996)). A. Factual Background In Fiscal Year 2014, the Commission hired an outside contractor, SD Solutions, LLC, to determine whether there were vulnerabilities in the Commission’s IT systems and, if there were, to provide remedial recommendations. Def.’s Stmt. ¶ 5; Def.’s Mot., Decl. of Alec Palmer, ECF No. 13-2 [hereinafter Palmer Decl.], ¶ 7. The Commission ordered the study to assist it in deciding whether to implement newly developed information security guidelines published by the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”). Def.’s 1 Plaintiffs later submitted a more fulsome statement of facts with their Reply Brief, see Pls.’ Reply, ECF No. 18, Pls.’ Stmt. of Genuine Issues of Fact, ECF No. 18-1, but that statement came too late, see LCvR 7(h)(1) (“T]he Court may assume that facts identified by the moving party in its statement of material facts are admitted, unless such a fact is controverted in the statement of genuine issues filed in opposition to the motion.” (emphasis added)). 2 Stmt. ¶ 6; Palmer Decl. ¶ 7. In preparing its report, SD Solutions examined the Commission’s “physical and virtual information technology assets” and recommended measures for the Commission to protect its infrastructure from “wrongful interference, circumvention, or unlawful action by unauthorized persons.” Palmer Decl. ¶ 8. Furthermore, it assessed the “vulnerabilities to unlawful breach present in the Commission’s technological infrastructure, describing sensitive Commission systems and recommending specific security measures to address the vulnerabilities.” Id. The Commission refers to SD Solutions’ final report and its related documents, collectively, as the “NIST Study.” Def.’s Stmt. ¶ 8; Palmer Decl. ¶ 18. The NIST Study consists of two parts. The first part is an overview memorandum prepared by the Commission’s Office of the Chief Information Officer. The overview memorandum lists measures the Office has used in the past to address IT vulnerabilities, summarizes SD Solutions’ final report, and discusses “the practicalities of implementing the [NIST] guidelines should the Commission adopt the recommendations in the Final Report.” Def.’s Stmt. ¶ 10; Palmer Decl. ¶¶ 2, 9, 10. The overview memorandum includes two appendices: (1) an abridged version of the full final report, and (2) a summary of both the recommendations in the report and the personnel and financial resources that would be required to satisfy each recommendation. Id. ¶¶ 10, 11. The second part of the NIST Study is the final report itself. As discussed, the report describes the Commission’s IT network, assesses the security of each system and identifies the vulnerabilities therein, and contains recommendations for security measures to address the identified vulnerabilities. Id. ¶¶ 12, 14. B. Procedural Background Plaintiff Dave Levinthal is an investigative journalist employed by Plaintiff the Center for Public Integrity. See Pls.’ Mot. at 1; Def.’s Mot. at 3; Def.’s Stmt. ¶ 4. On July 6, 2015, Plaintiffs 3 submitted a FOIA request to the Commission, seeking: (1) “a copy of the 2015 National Institute of Standards and Technology Report—also known as the NIST study—pertaining to the Federal Election Commission’s operations,” and (2) “any FEC emails, memoranda, correspondence or other documents that, in any form or fashion, mention or refer to this National Institute of Standards and Technology report, by name or otherwise.” Def.’s Stmt. ¶ 38; Def.’s Mot., Decl. of Robert M. Kahn, ECF No. 13-3 [hereinafter Kahn Decl.], ¶ 6 & Ex. A [hereinafter FOIA Request]. On August 18, 2015, the Commission denied Plaintiffs’ request for a copy of the NIST Study, but granted their request for documents that mention or refer to the study, subject to applicable FOIA exemptions. Kahn Decl. ¶ 7 & Ex. C (Email from Robert M. Kahn to Dave Levinthal (Aug. 18, 2015)). The Commission eventually produced more than 1,450 pages of non- exempt records, and non-exempt portions of records, that mentioned or referred to the NIST Study. Jt. Status Rep., ECF No. 11. Plaintiffs filed an administrative appeal challenging the decision to withhold the NIST Study, asserting that it “is likely to contain information that directly benefits the public’s understanding of Federal Election Commission capabilities and operations during a high-profile election season.” Kahn Decl. ¶ 8 & Ex. C. In September 2015, the Commission denied Plaintiffs’ appeal. Id. ¶ 10 & Ex. F (Email from Robert M. Kahn to Dave Levinthal (Sept. 30, 2015)). Plaintiffs filed their Complaint in this court on October 5, 2015, challenging only Defendant’s non-disclosure of the NIST Study. See Compl., ECF No. 1. On March 17, 2016, Defendant filed a Motion for Summary Judgment, claiming that the NIST Study is exempt from disclosure both as a law enforcement record under FOIA Exemption 7(E) and as deliberative material under FOIA Exemption 5. Def.’s Mot. at 10–21. On April 8, 2016, Plaintiffs filed a Cross-Motion for Summary Judgment, which contests categorizing the NIST Study as a law 4 enforcement record under Exemption 7(E). See Pls.’ Mot at 4. Additionally, although Plaintiffs concede the applicability of Exemption 5, they argue that the Commission has failed to meet its obligation under FOIA to release any “reasonably segregable non-exempt information.” Id. at 5. III. LEGAL STANDARD A court shall grant summary judgment “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(a). To make this determination, the court must “view the facts and draw reasonable inferences in the light most favorable to the [non-moving] party.” Scott v. Harris, 550 U.S. 372, 378 (2007) (internal quotation mark omitted). A dispute is “genuine” only if a reasonable fact- finder could find for the nonmoving party, and a fact is “material” only if it is capable of affecting the outcome of litigation. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248–49 (1986). A non- material factual dispute cannot prevent the court from granting summary judgment. Id. at 249. Most FOIA cases are appropriately decided on motions for summary judgment. See Defenders of Wildlife v. U.S. Border Patrol, 623 F. Supp. 2d 83, 87 (D.D.C. 2009). A court may award summary judgment in a FOIA case by relying on the information included in the agency’s affidavits or declarations if they are “relatively detailed and non-conclusory,” SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C. Cir. 1991) (internal quotation marks omitted), and if they describe “the documents and the justifications for nondisclosure with reasonably specific detail, demonstrate that the information withheld logically falls within the claimed exemption, and are not controverted by either contrary evidence in the record nor by evidence of agency bad faith,” Military Audit Project v. Casey, 656 F.2d 724, 738 (D.C. Cir. 1981). The agency bears the burden of demonstrating that each FOIA exemption applies, and its determinations are subject to de novo review in district court. U.S. Dep’t of Justice v. Reporters 5 Comm. for Freedom of the Press, 489 U.S. 749, 755 (1989) (citing 5 U.S.C. § 552(a)(4)(B)). To prevail on a motion for summary judgment, the agency must demonstrate that “each document that falls within the class requested either has been produced, is unidentifiable, or is wholly exempt from the Act’s inspection requirements.” Goland v. Cent. Intelligence Agency, 607 F.2d 339, 352 (D.C. Cir. 1978); see also Students Against Genocide v. Dep’t of State, 257 F.3d 828, 833 (D.C. Cir. 2001). IV. DISCUSSION A. FOIA Exemption 7(E) The court first considers whether the NIST Study is exempt from disclosure under FOIA Exemption 7(E). Def.’s Mot at 10–17; Pls.’ Mot. at 3–4. Under Exemption 7(E), an agency may withhold information (1) “compiled for law enforcement purposes” if (2) its release “would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions,” and (3) such “disclosure could reasonably be expected to risk circumvention of the law.” 5 U.S.C. § 552(b)(7)(E). Exemption 7(E) “sets a relatively low bar for the agency to justify withholding,” Blackwell v. FBI, 646 F.3d 37, 42 (D.C. Cir. 2011), and “where an agency ‘specializes in law enforcement, its decision to invoke [E]xemption 7 is entitled to deference,’” Lardner v. Dep’t of Justice, 638 F. Supp. 2d 14, 31 (D.D.C. 2009) (quoting Campbell v. Dep’t of Justice, 164 F.3d 20, 32 (D.C. Cir. 1998)). This does not excuse an agency, however, from the requirement of describing its “justifications for withholding the information n with specific detail.” Am. Civil Liberties Union v. Dep’t of Def., 628 F.3d 612, 619 (D.C. Cir. 2011). 6 In this case, Plaintiffs offer a single argument challenging Defendant’s invocation of Exemption 7(E): the NIST Study was not “compiled for law enforcement purposes.” Pls.’ Mot. at 4.2 The court has little trouble rejecting that contention. A record is “compiled for law enforcement purposes” so long as there is (1) a rational “nexus” between the record and the agency’s law enforcement duties, and (2) a connection between the subject of the record and a possible security risk or violation of federal law. See Campbell, 164 F.3d at 32; see also Pratt v. Webster, 673 F.2d 408, 420 (D.C. Cir. 1982). The latter requirement must be satisfied “to establish that the agency acted within its principal function of law enforcement, rather than merely engaging in a general monitoring of individuals’ activities.” Pratt, 673 F.3d at 420. The NIST Study satisfies both requirements. First, the NIST Study meets the rational “nexus” requirement because a federal agency, like the Commission, cannot effectively carry out its law enforcement function unless it has a secure and reliable IT system. The Commission is responsible for investigating violations of the Federal Election Campaign Act. See Def.’s Mot. at 5–6; Def.’s Stmt. ¶¶ 1–3; 52 U.S.C. § 30109(a)(1)–(2). Its IT system contains sensitive information related to investigations, including “subpoenas, requests for information and documents, reports of investigation, and responses to Commission-issued subpoenas and requests.” Palmer Decl. ¶ 17. The system also contains a “confidential scoring system, the Enforcement Priority System, which identifies significant cases for enforcement[.]” Id. ¶ 16. In short, the Commission’s IT system is central to its law 2 The court, therefore, treats as conceded the remaining elements of Exemption 7(E)—namely, that the exempted record (1) “would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions” and (2), if disclosed, “could reasonably be expected to risk circumvention of the law.” 5 U.S.C. § 552(b)(7)(E). See Wilkins v. Jackson, 750 F. Supp. 2d 160, 162 (D.D.C. 2010) (“It is well established that if a plaintiff fails to respond to an argument raised in a motion for summary judgment, it is proper to treat that argument as conceded.”); Sykes v. Dudas, 573 F. Supp. 2d 191, 202 (D.D.C. 2008) (“[W]hen a party responds to some but not all arguments raised on a Motion for Summary Judgment, a court may fairly view the unacknowledged arguments as conceded.”). 7 enforcement function. See id. (“The Commission’s information systems network allows it to fulfill its statutory obligation to administer and enforce campaign finance laws.”). The NIST Study in turn was designed to promote the integrity of that system and thus itself serves a law enforcement function. The study’s purpose was to “assess the vulnerabilities of the Commission’s information technology systems” and to make “recommendations about how the Commission could protect its systems from wrongful interference, circumvention, or unlawful action by authorized persons.” Palmer Decl. ¶¶ 7, 8. A study designed to evaluate and improve a critical law enforcement tool, such as an IT system, easily meets the rational nexus requirement. Second, there is a connection between the NIST Study and a possible security risk or violation of federal law. According to the Commission’s Chief Information Officer, Alec Palmer, the NIST Study is the type of assessment “that, if publicly disclosed, could be used by persons with malicious objectives to do great harm.” Id. ¶ 19. Palmer asserts that “information contained in the NIST Study could be used to gain unlawful access to the Commission’s technology systems, obtain and manipulate sensitive and confidential data about candidates, officeholders, party committees, and others who interact with the Commission, or obtain and manipulate data stored within the Commission’s systems regarding [Commission] enforcement matters.” Id. Further, Palmer explains that a person with access to the NIST Study “could use the information contained [therein] to seriously threaten the Commission’s ability to fulfill its civil enforcement and other statutory duties.” Id. Finally, Palmer attests that the NIST Study “provides a blueprint to the Commission’s networks” and that its public disclosure “could thus enable hackers to bypass the Commission’s current protection mechanisms.” Id. ¶ 21. This court observed in Long v. Immigration and Customs Enforcement, 149 F. Supp. 3d 39, 53 (D.D.C. 2015), that “[j]udges are not cyber specialists, and it would be the height of judicial irresponsibility for a court to blithely 8 disregard . . . a claimed risk” of a cyber-attack or a security breach. The court will not disregard such risk in this case. Accordingly, the court finds that the NIST Study satisfies the second prong of the “compiled for law enforcement purposes” inquiry. Plaintiffs offer two rejoinders. First, they contend that the NIST Study is not “compiled for a law enforcement purpose” because “[i]t is not connected to an investigation.” Pls.’ Mot. at 4. That argument misconstrues the law. The Court of Appeals consistently has held that records do not have to be linked to a specific investigation to be properly withheld under Exemption 7(E). For instance, in Tax Analysts v. Internal Revenue Service (IRS), the court held that IRS materials related to law enforcement activities “outside of the context of a specific investigation” met the threshold for materials “compiled for law enforcement purposes” under Exemption 7(E). See 294 F.3d 71, 73, 78–79 (D.C. Cir. 2002). In so holding, it observed that Congress amended Exemption 7 in 1986 to make clear that 7(E) “was not limited to records or information addressing only individual violations of the law.” Id. at 79. More recently, in Blackwell v. Federal Bureau of Investigation, the Court of Appeals held that the FBI had properly withheld methods of data collection, organization, and presentation contained in certain reports under Exemption 7(E). 646 F.3d at 42. The methods were developed for the FBI to meet the agency’s “investigative needs,” rather than linked to a specific investigation. Id. Moreover, as Defendant correctly points out, Def.’s Mot. at 11, 13–14, courts in this District repeatedly have held that information connected to law enforcement databases qualifies for exemption under 7(E). See, e.g., Long, 149 F. Supp. 3d at 44 (holding that requests for metadata and database schema of law enforcement information databases qualify for exemption under 7(E)); Strunk v. U.S. Dep’t of State, 905 F. Supp. 2d 142, 146–48 (D.D.C. 2012) (holding that computer transaction and function codes that reveal how to navigate and retrieve information from a law 9 enforcement database were properly withheld under Exemption 7(E)); Miller v. U.S. Dep’t of Justice, 872 F. Supp. 2d 12, 29 (D.D.C. 2012) (holding that numerical codes used to identify information and individuals, as well as codes “relate[d] to procedures concerning the use of law enforcement resources and databases . . . [and] case program and access codes[,]” were properly withheld under Exemption 7(E)); Skinner v. U.S. Dep’t of Justice, 893 F. Supp. 2d 109, 113–14 (D.D.C. 2012) (holding that user access codes that facilitated access to a law enforcement database were properly redacted under Exemption 7(E)), aff’d sub nom. Skinner v. Bureau of Alcohol, Tobacco, Firearms & Explosives, No. 12-5319, 2013 WL 3367431 (D.C. Cir. May 31, 2013)). Thus, the fact that the NIST Study does not pertain to a particular investigation does not place it outside Exemption 7(E). Second, Plaintiffs argue that Exemption 7(E) is inapplicable because Defendant “has not established that the vulnerabilities described in the NIST Study still exist.” Pls.’ Mot. at 4. More specifically, Plaintiffs argue that, even if Exemption 7(E) applies “to portions of the NIST Study, to the extent that facts on the ground have changed since the preparation of the report, disclosure of previous vulnerabilities would not fall under Exemption 7(E).” Id. at 5. That argument is a nonstarter. Again, the Palmer Declaration, which the court described above, amply supports Defendant’s contention that the public release of the NIST Study—or any portion of it—would run the risk of compromising the Commission’s law enforcement function. According to Palmer, if released, unauthorized readers of the NIST Study could “gain unlawful access to the Commission’s technology systems, obtain and manipulate sensitive and confidential data about candidates, officeholders, party committees, and others who interact with the Commission, or obtain and manipulate data stored within the Commission’s systems regarding [Commission] enforcement matters.” Id. ¶ 19. Additionally, Palmer states that an unauthorized individual or 10 government armed with the NIST Study could “seriously threaten the Commission’s ability to fulfill its civil enforcement and other statutory duties” and “alter the disclosure data that the Commission makes available on its public website, thereby providing false disclosure information that could adversely influence the outcome of an election.” Id. ¶¶ 19–20. Further, disclosing the NIST Study could allow hackers to gain access to the Commission’s networks, enabling them to “distort or prevent access to campaign finance reports,” or “expose sensitive information about parties regulated by the Commission.” Id. ¶¶ 21, 24. Palmer’s Declaration credibly demonstrates that disclosure of any portion of the NIST Study would pose a present and genuine security threat to the Commission’s law enforcement function. Accordingly, the court rejects Plaintiffs’ argument that the NIST Study is not exempt under 7(E). B. FOIA Exemption 5 and Segregability Defendant also invokes FOIA Exemption 5 to withhold the NIST Study. Def.’s Mot. at 17. Exemption 5 shields disclosure of “inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency.” 5 U.S.C. § 552(b)(5). Exemption 5 has been interpreted to incorporate the three traditional civil discovery privileges—the attorney work product privilege, the deliberative process privilege, and the attorney-client privilege. Burka v. U.S. Dep’t of Health & Human Servs., 87 F.3d 508, 518 (D.C. Cir. 1996). Here, Defendant asserts the deliberate process privilege as the basis for invoking Exemption 5. Def.’s Mot. at 17–21; see Tax Analysts v. IRS, 117 F.3d 607, 616 (D.C. Cir. 1997) (describing the deliberative process privilege as covering records that are both “predecisional” and “deliberative”). Plaintiffs do not contest the applicability of the deliberative process privilege to the NIST Study. See Pls.’ Mot. at 5 (“Plaintiffs do not doubt that the NIST Study contains predecisional 11 recommendations.”). Instead, they challenge whether Defendant has satisfied its duty to segregate and produce non-exempt factual material contained within the NIST Study. Id. Specifically, Plaintiffs argue that Defendant “has not established that [the factual material is] actually ‘inextricably entwined’ with deliberations.” Id.; see Mead Data Cent., Inc. v. U.S. Dep’t of the Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977) (collecting cases and explaining that “[i]t has long been a rule in this Circuit that non-exempt portions of a document must be disclosed unless they are inextricably intertwined with exempt portions”). The court disagrees. Because “the focus of FOIA is information, not documents . . . an agency cannot justify withholding an entire document simply by showing that it contains some exempt material.” Mead Data Cent., 566 F.2d at 260. FOIA therefore requires that “[a]ny reasonably segregable portion of [the] record shall be provided to any person requesting such record after deletion of the portions which are exempt.” 5 U.S.C. § 552(b). An agency must provide a “detailed justification” and not just make “conclusory statements” to support its segregability determination. Mead Data Cent., 566 F.2d at 261. Agencies, however, “are entitled to a presumption that they complied with the obligation to disclose reasonably segregable material,” which can be overcome by contrary evidence produced by the requester. Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007). The Palmer Declaration provides a “detailed justification” for the Commission’s decision that no part of the NIST Report is segregable, and Plaintiffs have not offered any evidence to the contrary. According to Palmer, the Commission’s Office of the Chief Information Officer conducted a line-by-line analysis of the NIST Study to determine if any portion could be segregated and released without jeopardizing the security of its networks. Palmer Decl. ¶¶ 25–27. Palmer observes that the “factual descriptions of the Commission’s information technology 12 systems and their vulnerabilities in the Final Report form the basis of the Report’s analysis[] . . . and they reflect the need for the recommended protocols that constitute the core of the NIST Study.” Id. ¶ 26. If the factual content of the NIST Study were publicly disclosed, Palmer explains, it “would effectively release many of the NIST Study’s recommendations, as well as the substance of the vulnerability analysis that [the Office of the Chief Information Officer] submitted to the Commission for its determination on whether to accept those recommendations.” Id. ¶ 27. “The factual descriptions expose the Commission to risk of a security breach of its network and information technology systems.” Id. Palmer’s Declaration clearly establishes that the factual portions of the NIST Study are “inextricably intertwined” with its deliberative elements. Mead Data Cent., 566 F.2d at 260. It also sets forth with “reasonable specificity” why those factual portions cannot be segregated. Armstrong v. Exec. Office of the President, 97 F.3d 575, 578–79 (D.C. Cir. 1996). Accordingly, the court rejects Plaintiffs’ argument that Defendant has not met its duty of segregability. V. CONCLUSION For the foregoing reasons, the court grants Defendant’s Motion for Summary Judgment and denies Plaintiffs’ Cross-Motion for Summary Judgment. A separate final order accompanies this Memorandum Opinion. Dated: November 23, 2016 Amit P. Mehta United States District Judge 13