Topics:

Formal Complaints

Date:
02/20/2020

Subject:
Joel Miller/Office of the Iowa Secretary of State - Dismissal Order

Opinion:

The Iowa Public Information Board

In re the Matter of:

Joel Miller, Complainant

And Concerning:

Office of the Iowa Secretary of State, Respondent

 

                      Case Number: 19FC:0144

                                  

                          Dismissal Order

              

COMES NOW, Margaret E. Johnson, Executive Director for the Iowa Public Information Board (IPIB), and enters this Dismissal Order:


On December 12, 2019, Joel Miller filed this formal complaint with the IPIB, alleging a violation of Chapter 22 by the Office of the Iowa Secretary of State (SOS) on December 12, 2019.

Mr. Miler submitted copies of various requests he made for public records, as follows: 

 

  1. October 23, 2019, request made to Heidi Burhans, chairperson of the Iowa Voter Registration Commission, requesting “All public records including emails in the custody of the Iowa Voter Registration Commission (VRC) related to I-Voters aka IVoters aka a voter registration system including, but not limited to, references to IVoters Status, IVoters Updates, IVoters Security Updates, Future IVoters Releases, and IVoters Revamp; All public records including emails in the custody of the Iowa Voter Registration Commission containing the key words ‘Citrix’ or ‘Arikkan’ or ‘Chaves Consulting’ or common misspellings of those words.”  The request noted that the records “may include, but not be limited to, flow charts, graphs, or timelines.”

  2. November 1, 2019, request made to Matthew Gannon, assistant attorney general, requesting “All confidential and public records including meeting minutes and emails related to the Cybersecurity Working Group from the time of its creation until the present.”

  3. November 1, 2019, request to Matthew Gannon, assistant attorney general, requesting “All confidential and public records including the written note cards typically used by the Secretary whether used or unused by the Secretary during the Secretary of State Presentation” and “All confidential and public records including timelines related to the topics of I-Voters Security, I-Voters Feedback, New Election Management & Voter Registration System, and I-Voters New User Request Process whether used or unused by the Director of Elections and other employees of the Secretary during the Secretary of State Presentation.”  (referencing an August 23, 2019, presentation by the Secretary of State)

  4. November 1, 2019, request to Matthew Gannon, assistant attorney general, requesting “All contracts including change orders and termination notices approved by any former or current employee, appointee, or elected official of the State of Iowa related to the creation, administration, maintenance, operation, and changes to Iowa’s voter registration system aka I-Voters from its first use by the State of Iowa through 31 December 2020 for ONLY the following vendors.  Chaves Consulting, Inc.; Arikkan, Inc.; and BPro, Inc.” 

  5. November 4, 2019, request to Matthew Gannon, assistant attorney general, requesting “All cybersecurity assessments, tests, and reviews conducted on the Secretary of State’s systems including Iowa’s voter registration system aka I-Voters by any government agency, contractor, vendor, or person(s) including the DHS or FBI for the time period from 1/1/2016 through the current date;” and “All cybersecurity assessments, tests, and reviews of the Secretary of State’s systems planned to occur between the current date and 12/31/2020 by any government agency, contractor, vendor, or person(s).” 

 

All five record requests stated the requests related to “HAVA Complaint Hearing scheduled for 12/9/2019” (numbers two through five) or “my pending HAVA complaint” (number one).  Mr. Miller requested that the IPIB order the SOS provide the requested records.

 

On December 31, 2019, legal counsel for the SOS responded to the complaint, indicating that there was confusion between the SOS office and the Iowa Attorney General (AG) office as to who would respond to the complaint, as four of the five record requests were addressed to the AG and not to the SOS.   

 

In a response dated January 2, 2020, legal counsel for the SOS stated that requests two through five were sent to the AG’s office. The SOS office was unaware of the requests until the complaint was filed.  Because the request included “confidential” records and “cybersecurity” records protected by Iowa Code section 22.7(50) and was sent to the AG, legal counsel for the HAVA complaint, it appeared that the request was for discovery rather than public records.

 

The SOS stated that record request number one, sent to the SOS, was in the process of review and release.  Because the request did not indicate a timeline, the SOS reviewed records dating back to 2002. This was a “voluminous” request, again requiring close review to redact any information that is confidential pursuant to Iowa Code section 22.7(50).  As of January 2, 2020, the records were ready for release upon payment of $319.20.

 

Iowa Code section 22.7(50) states that the following records are confidential:

 

50. Information and records concerning physical infrastructure, cyber security, critical infrastructure, security procedures or emergency preparedness information developed, maintained, or held by a government body for the protection of life or property, if disclosure could reasonably be expected to jeopardize such life or property.

a. Such information and records include but are not limited to information directly related to vulnerability assessments; information contained in records relating to security measures such as security and response plans, security codes and combinations, passwords, restricted area passes, keys, and security or response procedures; emergency response protocols; and information contained in records that if disclosed would significantly increase the vulnerability of critical physical systems or infrastructures of a government body to attack.

b. For the purpose of this subsection, "cyber security information and records" include but are not limited to information and records relating to cyber security defenses, threats, attacks, or general attempts to attack cyber system operations.

When advised of the SOS response, Mr. Miller responded that he believed that Mr. Gannon provided record requests two through five to the SOS.  He also indicated that since Mr. Gannon was the attorney representing the SOS on the HAVA complaint, he was the proper party to collect and release the requested records.  He also stated that any confidential information could be redacted prior to the record release. He stated he sent payment for record request number one.

On January 14, 2020, Mr. Gannon sent an email concerning requests two through five, which stated:

I represent the Iowa Secretary of State’s Office in a Help America Vote Act (“HAVA”) complaint filed by Auditor Joel Miller before the state Voter Registration Commission (“VRC”).  I do not represent the Secretary of State’s office regarding public records requests. I am not an employee of the Secretary of State’s office, and I do not have any personal custody of, access to, or control over any of the records in Auditor Miller’s various requests. 

 

Auditor Miller sent his emails to me purporting to be either discovery requests in the HAVA VRC matter or open records requests.  I informed Auditor Miller in one or more telephone conversations regarding the HAVA VRC matter that I would not discuss the scope of discovery in that matter until after the VRC ruled on a Motion to Dismiss his complaint.  That Motion has been briefed and argued, and a decision from the VRC is pending. I also informed Auditor Miller that if he were seeking information via a public records request, that he needed to submit that request to the appropriate custodian of records or other designated official in the Secretary of State’s office.  My understanding then and now is that Auditor Miller had submitted previous open records requests to the Secretary of State, and that he was and is aware of the procedure to do so. 

 

Mr. Miller was advised to seek the other requested records from the SOS on January 14, 2020.

Iowa Code section 23.8 requires that a complaint be within the IPIB’s jurisdiction, appear legally sufficient, and have merit before the IPIB accepts a complaint.  This complaint does not fulfill those requirements.

 

IT IS SO ORDERED:  Formal complaint 19FC:0144 is dismissed as legally insufficient pursuant to Iowa Code section 23.8(2) and Iowa Administrative Rule 497-2.1(2)(b). 

 

Pursuant to Iowa Administrative Rule 497-2.1(3), the IPIB may “delegate acceptance or dismissal of a complaint to the executive director, subject to review by the board.”  The IPIB will review this Order on February 20, 2020. Pursuant to IPIB rule 497-2.1(4), the parties will be notified in writing of its decision.


 

By the IPIB Executive Director

 

________________________________

Margaret E. Johnson

 

CERTIFICATE OF MAILING

    

This document was sent by electronic mail on the ___ day of February, 2020, to:

 

Joel Miller

Molly Widen, legal counsel for the Iowa Office of the Secretary of State

Matt Gannon, assistant attorney general

 

Costs included ten hours of legal counsel review for confidential information.  Time spent searching for responsive records was not included in the total costs.  On January 6, 2020, the 498 pages of records were sent to Mr. Miller.

 Mr. Miller included copies of record requests made in July of 2019 that he alleged were not promptly fulfilled.  Those requests were not included in this complaint and likely exceed the 60 day jurisdictional authority of the IPIB as noted in Iowa Code section 23.7(1).