MA Public Records Search
← Back to Search

Aaron X v. Framingham, City of (SPR 20251408)

Massachusetts Public Records Appeal · Petitioner won — agency ordered to provide records · Filed 05-19-2025

ClosedAppealPetitioner Won

SPR 20251408 is a Massachusetts Public Records Law appeal filed by Aaron X concerning records held by Framingham, City of, opened 05-19-2025. Type: Appeal. Status: Closed. Supervisor of Public Records determination: Petitioner won — agency ordered to provide records.

Case Details

Case Number
20251408
Case Type
Appeal
Case Subtype
Initial
Status
Closed
Requester
Aaron X
Custodian
Framingham, City of
Date Opened
05-19-2025
Date Closed
06-02-2025
Date Request Submitted
04-22-2025
Response Provided Date
05-08-2025
Processing Fees Charged
0.00
Petitions Regarding Fees
No
Time to Comply
18 Business Days
Went to Court
No

PDF Document

Extracted Text (searchable & copyable)

The Commonwealth of Massachusetts William Francis Galvin, Secretary of the Commonwealth Public Records Division Manza Arthur Supervisor of Records June 2, 2025 SPR25/1408 Paul J. Iversen City Records Access Officer City of Framingham 150 Concord Street Framingham, MA 01702 Dear Mr. Iversen: I have received the petition of Aaron X (“requestor”) appealing the response of the City of Framingham (City) to requests for public records. See G. L. c. 66, § 10A; see also 950 C.M.R. 32.08(1). On April 22, 2025, in two separate requests, the requestor sought the following records: [Request 1] [1] . . . [C]opies of the active lease agreements for real property where the City is either the leasee [sic] or leassor [sic][;] [2] . . . [If] the City is leasing any motor vehicles; copies of any said agreements, make & model, year, VIN, and milage [sic]. [Request 2] . . . [C]opies of payments for the technology department, for the of [sic] licenses, for either Microsoft Exchange, Microsoft 365, Office 365, and or payments to 3rd party suppliers for the above products. The City responded on May 6, 2025, denying both requests, and claiming that the responsive records are exempt from disclosure under Exemption (n) of the Public Records Law. See G. L. c. 4, § 7(26)(n). Unsatisfied with the City’s response, the requestor petitioned this office and this appeal, SPR25/1408, was opened as a result. Subsequently, the City provided additional information concerning this appeal in an email to this office on May 27, 2025. The Public Records Law The Public Records Law strongly favors disclosure by creating a presumption that all governmental records are public records. G. L. c. 66, § 10A(d); 950 C.M.R. 32.03(4). “Public records” is broadly defined to include all documentary materials or data, regardless of physical form or characteristics, made or received by any officer or employee of any agency or One Ashburton Place, Room 1719, Boston, Massachusetts 02108 • (617) 727-2832 • Fax: (617) 727-5914 sec.state.ma.us/pre • pre@sec.state.ma.us

Paul J. Iversen SPR25/1408 Page 2 June 2, 2025 municipality of the Commonwealth, unless falling within a statutory exemption. G. L. c. 4, § 7(26). It is the burden of the records custodian to demonstrate the application of an exemption in order to withhold a requested record. G. L. c. 66, § 10(b)(iv); 950 C.M.R. 32.06(3); see also Dist. Attorney for the Norfolk Dist. v. Flatley, 419 Mass. 507, 511 (1995) (custodian has the burden of establishing the applicability of an exemption). To meet the specificity requirement a custodian must not only cite an exemption, but must also state why the exemption applies to the withheld or redacted portion of the responsive record. If there are any fees associated with a response, a written, good faith estimate must be provided. G. L. c. 66, § 10(b)(viii); see also 950 C.M.R. 32.07(2). Once fees are paid, a records custodian must provide the responsive records. The City’s May 6th Response In its May 6, 2025 response to both requests, the City stated, “[t]he City must withhold any record under M.G.L. c. 4, § 7(26)(n).” In an email to this office on May 27, 2025, the City provided additional information regarding its claims under Exemption (n) for withholding the records responsive to both requests. The City further contended that Request 1 “does not comply with the reasonable description requirement” and cited Jaideep Chawla v. Dep’t of Revenue, Suffolk. Sup. No. 1784CV02087 (January 23, 2019) in support of this contention. Current Appeal In the appeal petition, the requestor states, “[t]he City has, thus far, provided no explanation as to why it intends to withhold these public documents beyond citing public security.” Exemption (n) Exemption (n) applies to: records, including, but not limited to, blueprints, plans, policies, procedures and schematic drawings, which relate to internal layout and structural elements, security measures, emergency preparedness, threat or vulnerability assessments, or any other records relating to the security or safety of persons or buildings, structures, facilities, utilities, transportation, cyber security or other infrastructure located within the commonwealth, the disclosure of which, in the reasonable judgment of the record custodian, subject to review by the supervisor of public records under subsection (c) of section 10 of chapter 66, is likely to jeopardize public safety or cyber security.

Paul J. Iversen SPR25/1408 Page 3 June 2, 2025 G. L. c. 4, § 7(26)(n). Exemption (n) allows for the withholding of certain records which if released would jeopardize public safety. The first prong of Exemption (n) examines “whether, and to what degree, the record sought resembles the records listed as examples in the statute;” specifically, the “inquiry is whether, and to what degree, the record is one a terrorist ‘would find useful to maximize damage.’” People for the Ethical Treatment of Animals (PETA) v. Dep’t of Agric. Res., 477 Mass. 280, 289-90 (2017). The second prong of Exemption (n) examines “the factual and contextual support for the proposition that disclosure of the record is ‘likely to jeopardize public safety.’” Id. at 289-90. The PETA decision further provides that “[b]ecause the records custodian must exercise ‘reasonable judgment’ in making that determination, the primary focus on review is whether the custodian has provided sufficient factual heft for the supervisor of public records or the reviewing court to conclude that a reasonable person would agree with the custodian’s determination given the context of the particular case.” Id. PETA also provides that “[t]hese two prongs of exemption (n) must be analyzed together, because there is an inverse correlation between them. That is, the more the record sought resembles the records enumerated in exemption (n), the lower the custodian’s burden in demonstrating ‘reasonable judgment’ and vice versa.” PETA, at 290. Request 1 In its May 27th email to this office, under Exemption (n), the City provided the following with respect to Request 1: [Request 1] . . . follows the same pattern as . . . [Request 2] in that it is attempting to secure knowledge of City assets on a City-wide scale. In light of both requests and [the requestor’s] attempted interview with IT staff, the City deems it reasonable to withhold any responsive records under exemption (n). . . . In light of the above, it is unclear how the records responsive to Request 1 resemble the records listed as examples in the statute as contemplated in PETA. See PETA, 477 Mass. at 289. Particularly, it is unclear how the records resemble “blueprints, plans, policies, procedures and schematic drawings” that relate to security measures. It is also uncertain how the records are the type that “a terrorist would find useful to maximize damage” as required under Exemption (n). Where the requested records bear a minimal resemblance to the categories listed in Exemption (n), the burden on the custodian to prove its “reasonable judgment” that disclosure is likely to jeopardize public safety is greatest. See id. at 290 (noting “inverse correlation” between the two prongs of Exemption (n) inquiry). Further, the City did not provide factual heft to support the withholding of the records responsive to Request 1 pursuant to Exemption (n). Specifically, the City has not sufficiently explained how disclosure of the records are likely to jeopardize public safety or cyber security. See PETA, at 289-90. The City must clarify these matters.

Paul J. Iversen SPR25/1408 Page 4 June 2, 2025 It is additionally uncertain what records the City withheld from disclosure. The City is reminded that to deny access to a record under the Public Records Law, a records access officer must identify the record, categories of records, or portions of the record it intends to withhold. G. L. c. 66, § 10(b)(iv); see also 950 C.M.R. 32.06(3)(c)(4). Further, it is unclear why the records may be withheld in their entirety. It should be noted that any non-exempt, segregable portion of a public record is subject to mandatory disclosure. G. L. c. 66, § 10(a). See Reinstein v. Police Comm’r of Boston, 378 Mass. 281, 289-90 (1979) (the statutory exemptions are narrowly construed and are not blanket in nature). The City must clarify these matters. Request 2 Under Exemption (n), the City further provided the following with respect to Request 2: In the case of . . . [Request 2], the requester wants copies of payments for “the technology department, for the licenses, for either Microsoft Exchange, Microsoft 365, Office 365, and or payments to 3rd party suppliers for the above products.” . . . Copies of technology payment records, though not overt vulnerability assessments, provide high-signal intelligence about a municipality’s security maturity, likely weaknesses, and areas of risk exposure. Without admitting, confirming, or in any way implying that any of the below security vulnerabilities apply to the City of Framingham, the City provides the following non-exhaustive contextual and factual support for the proposition that disclosure of these records is likely to jeopardize public safety: [1] Licensing levels and coverage gaps: Invoice details or license purchases show what level of security features are being paid for. This can provide insight into effective lines of attack. Additionally, license counts can be cross referenced against employee counts in an attempt to search out under coverage and subsequent security vulnerabilities. [2] Use of Microsoft Exchange On-Premises: Payments to maintain Exchange Server licenses or third-party tools related to Exchange can reveal software- specific vulnerabilities (e.g. backup software, archiving, or spam filters). Use of certain on-premises Exchange opens doors to well-known vulnerabilities. [3] Third-Party Vendor Risk: Invoices to resellers, managed service providers (MSPs), or security vendors handling Microsoft products can provide insight into the quality of configuration and ongoing monitoring. [4] Patch and Support Posture: Line items may include support contracts. This can provide insight into endpoint protection and firewall hygiene. [5] Multi-Factor Authentication (MFA) Adoption: Certain Microsoft licenses or third party tools indicate whether MFA is being used. This can signal that one of the most exploited weaknesses in local governments is available. [6] Email Protection Level: Invoices for Defender for Office 365, Proofpoint, Mimecast, or other anti-phishing/anti malware tools, or the lack thereof, can provide insight into how to attack using spoofing, malware-laden attachments, or

Paul J. Iversen SPR25/1408 Page 5 June 2, 2025 credential phishing. [7] Security Monitoring and Incident Response Readiness: Licenses for Sentinel, Defender for Endpoint, SIEM platforms, or managed detection and response services, or the lack thereof, can provide insight into the degree to which a municipality has invested in visibility and countering attackers’ ability to operate undetected. . . . Upon review, I find the City has not met its burden to withhold records responsive to Request 2 pursuant to Exemption (n). It is unclear how the requested records resemble the records listed in the statute. See id. at 289. Where the record bears little resemblance to the types listed in the statute, the burden on the custodian is correspondingly at its highest. See id. at 290- 91. Further, I find the City has not provided “sufficient factual heft” to conclude that a reasonable person would agree that disclosure of the records are “likely to jeopardize public safety or cyber security” as required by Exemption (n). Id. Additionally, it is unclear which specific records responsive to Request 2 the City intends to withhold. The City must identify the records, categories of records, or portions of records it intends to withhold under Exemption (n). See G. L. c. 66, § 10(b)(iv). It is further uncertain why the records must be withheld in their entirety. In particular, the City has not explained why the records cannot be redacted so that segregable portions can be provided. See Reinstein, 378 Mass. at 289-90. Any nonexempt, segregable portion of a public record is subject to mandatory disclosure. G. L. c. 66, § 10(a). The City must clarify these matters. Reasonable Description of Records Sought A request for records must reasonably describe the records sought. See G. L. c. 66, § 10(a)(i). In Chawla, the Superior court found that under the Public Records Law “[t]he reasonable description requirement contemplates that a requesting party will identify documents or categories of documents with sufficient particularity that government employees will be able to understand exactly what they are looking for, and then make a prompt production.” See Jaideep Chawla v. Dept of Revenue, Suffolk. Sup. No. 1784CV02087, at 2 (January 23, 2019). The court further indicated “[r]equests for documents that are articulated with very broad language that calls upon non-lawyer administrative personnel to interpret the scope of what is sought, and then make fine judgments about what documents are and are not sufficiently ‘related’ to the category of materials requested, will not satisfy this statutory standard.” (emphasis in original). Id. In its May 27th correspondence, regarding Request 1, the City states the following: . . . [T]he requester seems to be asking City staff to conduct a survey of the bundle of property rights associated with every piece of real property the City has an interest in, determine if there is an active lease, and then produce said lease if one exists. This type of blanket request resembles a research demand, not a targeted public records request. As a result, records have not been identified with sufficient particularity that would enable City employees to understand exactly what they

Paul J. Iversen SPR25/1408 Page 6 June 2, 2025 are looking for, and then make a prompt production. In this case, the requestor has provided specific descriptions for the categories of records they are seeking. While the request may result in a large volume of responsive records, they have provided sufficient particularity required to identify the records they are seeking. To the extent possible, the City must provide responsive records on a rolling basis. Conclusion Accordingly, the City is ordered to provide the requestor with a response to the requests, provided in a manner consistent with this order, the Public Records Law, and its Regulations within ten (10) business days. A copy of any such response must be provided to this office. It is preferable to send an electronic copy of the response to this office at pre@sec.state.ma.us. Sincerely, Manza Arthur Supervisor of Records cc: Aaron X