Topics:

Formal Complaints

Date:
07/20/2023

Subject:
Michael Merritt/Jasper County - Dismissal Order

Opinion:

The Iowa Public Information Board

In re the Matter of:

Michael Merritt, Complainant


And Concerning:

Jasper County, Respondent

 

Case Number: 22FC:0126

Dismissal Order

              

COMES NOW, Erika Eckley, Executive Director for the Iowa Public Information Board (IPIB), and enters this Dismissal Order:

On December 14, 2022, Michael Merritt filed formal complaint 22FC:0126, alleging that Jasper County (County) violated Iowa Code chapter 22 on December 7, 2022.[1]

Facts
Mr. Merritt alleged that he submitted a request on October 18, 2022, for various records. His request has been summarized by IPIB staff (see Attachment 1).

On November 7, 2022, the Jasper County Attorney responded to his record request and stated that the County IT department had advised him that most of the request was for confidential records.

At that time, Mr. Merritt was advised by the County that he could provide salary information for employees if Mr. Merritt would provide the names of the employees. The records identified in request 1(b) were provided.

On January 31, 2023, Jasper County provided additional information to IPIB staff concerning the confidential records that were withheld:
This is against our basic network and cyber security policies based on CISA (Cyber Security and Infrastructure Security Agency, Division of Homeland Security), NIST (National Institute of Standards and Technology, US Department of Commerce).

Jasper County also has to meet cyber security policies for HIPAA (Jasper County is a Hybrid Entity), CJIS, Elections Infrastructure Sharing and Analysis Center, and The Iowa Secretary of State Elections Security Legislative Rules.

Such discussions on topics are protected by 21.5(k) and I normally ask for closed public meetings to discuss with the Board of Supervisors.
https://www.cisa.gov/cybersecurity
https://www.nist.gov/cyberframework
https://le.fbi.gov/cjis-division-resources/cjis-security-policy-resource-center
https://www.hhs.gov/hipaa/for-professionals/security/index.html

I also work with the Sheriff’s office on Cybercrimes and execute warrants to search computers and online accounts.

This response was provided to Mr. Merritt. Mr. Merritt then filed a reply with 21 attachments disputing the response from Jasper County.

The original record request from Mr. Merritt was framed as a request for answers to questions or confirmations of statements made by Mr. Merritt. He also requested the identification of certain employees with specific access to electronic communications, not for the records that may have been generated by these Jasper County employees.

Rule
Iowa Code § 22.7(50) states that certain records concerning cyber security are confidential:
50. Information and records concerning physical infrastructure, cyber security, critical infrastructure, security procedures or emergency preparedness information developed, maintained, or held by a government body for the protection of life or property, if disclosure could reasonably be expected to jeopardize such life or property.
a. Such information and records include but are not limited to information directly related to vulnerability assessments; information contained in records relating to security measures such as security and response plans, security codes and combinations, passwords, restricted area passes, keys, and security or response procedures; emergency response protocols; and information contained in records that if disclosed would significantly increase the vulnerability of critical physical systems or infrastructures of a government body to attack.
b. For the purpose of this subsection, "cyber security information and records" include but are not limited to information and records relating to cyber security defenses, threats, attacks, or general attempts to attack cyber system operations.

Analysis
As explained by the County, the release of these records would jeopardize the security of the information maintained by the County. The release of such records could disclose critical infrastructure utilized by the County to protect personal information, medical information, and state and federal laws, rules, and regulations.

Certain parts of the original record request were framed as requests for records. Request 1(b) was provided. Any records responsive to requests 1(a) and 3 are confidential pursuant to Iowa Code § 22.7(50). The County did not violate Iowa Code chapter 22 by withholding this information.

Conclusion
Iowa Code § 23.8 requires that a complaint be within the IPIB’s jurisdiction, appear legally sufficient, and have merit before the IPIB accepts a complaint. This complaint does not meet those requirements. Mr. Merritt received all the requested information that was not confidential under Iowa Code § 22.7.

IT IS SO ORDERED: Formal complaint 22FC:0126 is dismissed as it is without merit pursuant to Iowa Code § 23.8(2) and Iowa Administrative Rule 497-2.1(2)(b).

Pursuant to Iowa Administrative Rule 497-2.1(3), the IPIB may “delegate acceptance or dismissal of a complaint to the executive director, subject to review by the board.” The IPIB will review this Order on July 20, 2023. Pursuant to IPIB rule 497-2.1(4), the parties will be notified in writing of its decision.

By the IPIB Executive Director
_________________________
Erika Eckley, J.D.

[1] Mr. Merritt’s complaint was not opened until December 22, 2022, as IPIB waited for copies of his record request and the County response. The County was notified on this date. Further, this matter has been held due to various personal issues among the parties.