Federal News Radio reports on the CMS denying an Associated Press reporter's FOIA request for records about the kinds of security software and computer systems behind the federally funded HealthCare.gov. The agency denied the request using a novel claim: that releasing the records could leave the site vulnerable to hackers, thus causing an unwarranted risk to consumers' private information.
Less than five years ago, this request would simply have been denied pursuant to FOIA Exemption 2. However, the Supreme Court limited the use of Exemption 2 in Milner v. Navy in 2011, and since then there has been no attempt to add legislative language that would protect information whose release would truly cause harm to internal government operations. Agencies have had to use extreme measures to protect information they are concerned about, and by doing so the argument has shifted away from the real issues. For instance, in this case the issue is whether the release of the records would really create a vulnerability to hackers. However, the argument made by the government creates a secondary issue that is just as important - if hackers get in, would it allow for the release of personal privacy information otherwise protected pursuant to Exemption 6?
By failing to provide a real legislative fix, both Congress and the Administration have made it much harder for requesters and FOIA Offices alike to have workable rules to get or deny information under the FOIA. Agencies are forced to make arguments that come out of a law school blue book exam, and requesters are then forced to push back on those arguments in much the same way.