Are cybersecurity records accessible through the Freedom of Information Act (FOIA)?

The Freedom of Information Act (FOIA) exempts certain records from disclosure. In 2018, FOIA was amended to specifically include “cybersecurity plans, assessments, or vulnerabilities, unless disclosure would not impair a public body’s ability to protect the security or safety of persons or property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular instance.” So generally speaking, cybersecurity records would NOT be subject to a FOIA request. You may want to – but aren’t required to – add the following to cybersecurity documents as a reminder that such documents should not be disclosed: “CONFIDENTIAL – NOT SUBJECT TO FOIA PER MCL 15.243 (1)(U), (1)(Y) & (1)(Z)”

There is also language in the Cyber Civilian Corp Act, Act 132 of 2017 that can protect any information given to the Michigan Cyber Command Center (MC3) that could result in cybersecurity victimization that reads:

(7) Information voluntarily given to the Michigan cyber command center or obtained under this act that
would identify or provide a means of identifying a person that may, as a result of disclosure of the
information, become a victim of a cybersecurity incident or that would disclose a person’s cybersecurity plans
or cybersecurity-related practices, procedures, methods, results, organizational information system
infrastructure, hardware, or software is exempt from disclosure under the freedom of information act, 1976
PA 442, MCL 15.231 to 15.246


FOIA – Act 442 of 1976:
House Bill 4973 amendment:
Cyber Civilian Corps Act: