 ATTORNEY GENERAL OF TEXAS GREG ABBOTT | |
|
April 7, 2004 Ms. Carol Longoria
OR2004-2810 Dear Ms. Longoria: You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 199044. The University of Texas at Austin (the "university") received a request for "copies of invoices from Qwest Communications for the year 2003." You indicate that redacted versions of these invoices were provided to this requestor in response to a previous request for information. See Gov't Code § 552.232 (outlining procedures governmental body may follow if governmental body does not wish to release information again in response to repetitious or redundant requests). You inform us that the only information currently at issue consists of "invoice and account numbers as well as, Dedicated Internet Access ('DIA') Numbers, circuit numbers, and Internet Protocol (IP) addresses." You claim that this information is not subject to disclosure under the Public Information Act (the "Act"). In the alternative, you contend that such information is excepted from disclosure under sections 552.101, 552.136, and 552.139 of the Government Code. We have considered your arguments and reviewed the submitted information.(1) You argue that the information at issue constitutes "numerical data that, outside the University's billing process, is of no significance to the general public." In Open Records Decision No. 581 (1990), this office determined that certain computer information, such as source codes, documentation information, and other computer programming, that has no significance other than its use as a tool for the maintenance, manipulation, or protection of public property is not the kind of information made public under section 552.021 of the Government Code. Open Records Decision No. 581 (1990) (construing predecessor statute). We understand you to assert that, like the computer-related information at issue in that decision, the information at issue here functions solely as a tool to maintain, manipulate, or protect public property and has no independent relevance. Id. at 6. After considering your arguments and carefully reviewing the submitted information, we agree that the "IP Address" and "Circuit ID" numbers contained in the requested invoices are the type of information that was at issue in Open Records Decision No. 581. As such, this type of information is not public information as defined by section 552.002 of the Government Code, and, therefore, is not subject to the Act. Thus, it need not be released in response to this request. We conclude, however, that the invoice, account, and DIA numbers are not the same type of information that was at issue in Open Records Decision No. 581 and instead constitute public information subject to release under the Act unless an exception to disclosure applies. Section 552.101 of the Government Code excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision" and encompasses information made confidential by statute. You claim that the invoice, account, and DIA numbers are made confidential by section 2054.077 of the Government Code. This section provides in part: (b) The information resources manager of a state agency may prepare or have prepared a report assessing the extent to which a computer, a computer program, a computer network, a computer system, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, or erasure. (c) Except as provided by this section, a vulnerability report and any information or communication prepared or maintained for use in the preparation of a vulnerability report is confidential and is not subject to disclosure under Chapter 552. Gov't Code § 2054.077(b), (c) (emphasis added). The records at issue consist of invoices for internet service. They do not constitute a vulnerability report. Furthermore, we find that you have failed to demonstrate that the billing information or the invoice, account, or DIA numbers are or were "prepared or maintained for use in the preparation of a vulnerability report." We therefore conclude that none of the remaining information at issue may be withheld under section 552.101 on the basis of section 2054.077. You also assert that This same data is also protected from disclosure under Section 552.101, Texas Government Code, specifically under Chapter 421, Homeland Security. In Section 421.002(6) of the Homeland Security Act ("HSA"), one of the strategies contemplated by statute is the "detecting, deterring, and defending against terrorism, including cyber-terrorism . . . ." (Emphasis added[.]) The [HSA] also attempts to protect "critical infrastructure" as defined in Section 421.002(2). By definition, ""critical infrastructure" includes all public or private assets, systems and functions vital to the security, governance, public health and safety, economy, or morale of the state or the nation." (Emphasis added[.]) Given that this statute specifically protects the state's (University's) systems and allows for its protection from cyber-terrorism, we assert that release of the requested data compromises our computer security and jeopardizes critical systems. Therefore, the requested information is protected by statute and should be excepted under Section 552.101, Texas Government Code. (All emphasis in original.) Section 421.002 espouses certain general goals and guidelines with regard to homeland security and combating terrorism. It does not, however, make any information confidential. Therefore, the invoice, account, and DIA numbers may not be withheld under section 552.101 on the basis of section 421.002. See Open Records Decision Nos. 658 at 4 (1998) (statutory confidentiality must be express, and confidentiality requirement will not be implied from statutory structure), 478 at 2 (1987) (statutory confidentiality requires express language making certain information confidential or stating that information shall not be released to the public). You also contend that section 552.136 of the Government Code protects the remaining information from disclosure. Section 552.136 states that "[n]otwithstanding any other provision of this chapter, a credit card, debit card, charge card, or access device number that is collected, assembled, or maintained by or for a governmental body is confidential." Gov't Code § 552.136. You have provided a letter from the university's Vice President for Information Technology (the "vice president") who explains that the DIA numbers could be used "to order Internet service changes or service cancellations on the University's Qwest account." Based on this explanation, we find that the DIA numbers constitute account numbers for purposes of section 552.136 and must be withheld, along with the university's "Account Number," pursuant to this exception. We find, however, that the invoice numbers do not constitute account numbers, and they may not be withheld under section 552.136. Finally, you claim that the invoice numbers at issue are excepted from disclosure pursuant to section 552.139 of the Government Code. This section provides: (a) Information is excepted from the requirements of Section 552.021 if it is information that relates to computer network security or to the design, operation, or defense of a computer network. (b) The following information is confidential: (1) a computer network vulnerability report; and (2) any other assessment of the extent to which data processing operations, a computer, or a computer program, network, system, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information is vulnerable to alteration, damage, or erasure. Gov't Code § 552.139. In support of your assertion that information is protected under this exception, you point to the letter from the vice president. We note, however, that the vice president does not mention invoice numbers as information that affects network security. We find that the invoice numbers do not constitute reports or assessments of the extent to which the university's computer network systems are vulnerable to unauthorized access or harm or otherwise relate to the security of the university's computers. Consequently, the invoice number may not be withheld under section 552.139 of the Government Code. In summary, the "IP Address" and "Circuit ID" numbers contained in the requested invoices do not constitute "public information" subject to disclosure under the Act. The university must withhold the "Account Number" and DIA numbers pursuant to section 552.136. The invoice numbers must be released. This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a). If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877) 673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e). If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.-Austin 1992, no writ). Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512) 475-2497. If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling. Sincerely, Denis C. McElroy
c: Mr. Mark A. Miller
Footnotes 1. We assume that the sample of records submitted to this office is truly representative of the requested records as a whole. See Open Records Decision Nos. 499 (1988), 497 (1988). This open records letter does not reach, and therefore does not authorize the withholding of, any other requested records to the extent that those records contain substantially different types of information than that submitted to this office. |