Judge: Some emails about a cyberattack at the state higher education department can’t be disclosed

By Jeffrey A. Roberts
CFOIC Executive Director

Certain records about a June 2023 cyberattack at the Colorado Department of Higher Education are subject to CORA’s deliberative process privilege and can’t be disclosed to a requester, a judge decided.

Denver District Court Judge Sarah Wallace reviewed the disputed documents in camera before making the determination last week in a civil action brought by the agency against Suzanne Taheri of the Public Trust Institute.

Taheri had argued that “boilerplate language” used by CDHE and its “vague descriptions of the withheld documents” did not adequately explain why disclosure of the emailed messages she requested would be harmful. The judge ordered the department to provide Taheri with a more detailed privilege log, also called a Vaughn index, but then granted the agency’s petition to restrict disclosure in a terse order.

Under the Colorado Open Records Act, government entities may keep certain records from the public “if the material is so candid or personal that public disclosure is likely to stifle honest and frank discussion within the government.” When invoking the deliberative process privilege, a records custodian must produce an affidavit “specifically describing each document withheld, explaining why each such document is privileged, and why disclosure would cause substantial injury to the public interest.”

If a requester believes the privilege has been misapplied, they can require the records custodian to ask a district court for permission to restrict disclosure. That’s what Taheri did after CDHE provided her with 166 documents in response to her CORA request but withheld another 28.

The withheld communications “are both predecisional and deliberative,” argued the state Attorney General’s office in a brief for the agency, with department staffers discussing matters such as possible courses of action, requests for assistance, talking points and recommendations for responding to the cyberattack.

In her argument for disclosure of the emails, Taheri wrote that “the public has a right to know” how the higher education department responded to the data breach.

CDHE announced Aug. 4 that it had been the victim of a “cybersecurity ransomware incident” between June 11 and June 19. Some of the impacted records “include names and social security numbers or student identification numbers, as well as other education records.”

The Denver Gazette reported in October that CDHE “kept the ransomware attack on its servers quiet” for several weeks, even though a law requires agencies to report such breaches to the attorney general within 30 days. That didn’t happen “until a staffer inadvertently mentioned it at a meeting long after the damage was done,” according to records reviewed by the newspaper.

“The notice to the Attorney General’s Office and the public didn’t happen for another week after that,” the Denver Gazette noted.

In another case involving records withheld under CORA’s deliberative process privilege, a Denver District Court judge hasn’t yet issued a ruling about contested Colorado Department of Health Care Policy and Financing documents requested by Complete Colorado.

Follow the Colorado Freedom of Information Coalition on Twitter @CoFOIC . Like CFOIC’s Facebook page. Do you appreciate the information and resources provided by CFOIC? Please consider making a tax-deductible donation.

Colorado Freedom of Information Coalition

The Voice for Open Government in Colorado

Subscribe to Our Blog

Subscribe to Our Blog

Related Articles

Letter from CFOIC volunteer attorney wins release of teacher sick-out list

Court of Appeals weighs public disclosure of Colorado’s database of law enforcement officers

‘Modest approach’ to CORA modernization wins House approval

Leadville newspaper explains why it’s suing the Lake County Commission