On May 14, I noted an article in Legal Times about a FOIA lawsuit filed by Philip Reitinger against the FTC. Reitinger sued the FTC after it returned no responsive documents to his FOIA request of November, 2014. Reitinger originally sought:
- Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding standards, guidelines, or criteria for what conduct or omission constitutes an unfair act or practice in or affecting commerce authorizing FTC action under 1-5 USC section 45, where that conduct or omission relates to cybersecurity or data security, including any conduct or omission relating to prevention of, detection of, response to, mitigation of, or recovery from cybersecurity attacks or incidents.
- Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding standards, guidelines, or criteria for what conduct or omission should or may lead the FTC to bring an action related to prevention of unfair acts or practices in or affecting commerce under 15 USC section 45, where that conduct or omission relates to cybersecurity or data security, including any conduct or omission relating to prevention of, detection of, response to, mitigation of, or recovery from cybersecurity attacks or incidents.
- Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding the legality or appropriateness of the material referred to in paragraphs 1 or 2.
- Any communication, including email, notes regarding conversations, or voicemail concerning the material referred to in paragraphs 1, 2 or 3.
Reitinger subsequently conferred with the FTC and agreed to narrow his request to policies and not material specific to each investigation. Despite his agreement to narrow the original request, the FTC denied in full his FOIA request, alleging that “all [responsive records] are exempt from the FOIA’s disclosure requirements” under Exemption 5 because they are “deliberative and predecisional” or “attorney work-product.”
Since May, when Reitinger filed suit in the District of Columbia, he and the FTC have conferred at the court’s order, but have not come to any resolution – in part, because after agreeing to fee waiver, the FTC turned around and rescinded their approval of his fee waiver request.
If you’re a fan of FOIA and/or want to know what the FTC’s standards are for data security enforcement, you may feel very frustrated as you read how this case is going, as the FTC seems unwilling to do what FOIA requires: search all records and produce the segregable, non-exempt portions of the records that are responsive to FOIA.
Here’s the most recent joint status report, filed July 31. See what you think.