Last week, a D.C. federal judge ruled that an investigative reporter was not entitled to a 2014 cybersecurity study performed by an outside vendor detailing vulnerabilities in the Federal Election Commission’s information technology infrastructure.
David Levinthal made a Freedom of Information Act request in July 2015 contending that the study was essential to aid the public’s understanding of the FEC’s operations during the upcoming election season. The study was designed to determine the extent of weaknesses in the FEC’s systems and whether the agency should adopt guidelines recently published by the U.S. Department of Commerce’s National Institute of Standards and Technology. While the FEC produced 1,450 pages of records in response to the FOIA request that referenced the study, it refused to release the full study.
The court deemed that the study need not be disclosed under certain FOIA exemptions. The study was deemed to be a document that was “compiled for law enforcement purposes” under FOIA Exemption 7 and, as such, the FEC was permitted to withhold production. The court rejected Levinthal’s contention that the study needed to be linked to a specific investigation to fit within this statutory exemption.
The court also accepted the agency’s stated concern that disclosing the study could pose a security risk, noting that it would be the “height of judicial irresponsibility” to disregard the claimed risk. The decision specifically referenced a statement made by the FEC’s Chief Information Officer that the report “provides a blueprint to the commission’s networks.”
The case is Levinthal et al. v. Federal Election Commission, case number 1:15-cv-01624, in the U.S. District Court for the District of Columbia.