Are cybersecurity records accessible through the Freedom of Information Act (FOIA)?

The Freedom of Information Act (FOIA) exempts certain records from disclosure. In 2018, FOIA was amended to specifically include “cybersecurity plans, assessments, or vulnerabilities, unless disclosure would not impair a public body’s ability to protect the security or safety of persons or property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular instance.” So generally speaking, cybersecurity records would NOT be subject to a FOIA request. You may want to – but aren’t required to – add the following to cybersecurity documents as a reminder that such documents should not be disclosed: “CONFIDENTIAL – NOT SUBJECT TO FOIA PER MCL 15.243 (1)(U), (1)(Y) & (1)(Z)”

References:

FOIA – Act 442 of 1976: http://www.legislature.mi.gov/(S(bfs2hwrnqe50lithrg2mpui4))/mileg.aspx?page=GetObject&objectname=mcl-act-442-of-1976
House Bill 4973 amendment: http://www.legislature.mi.gov/(S(srxquveh0qwpjcewwhmb1moy))/mileg.aspx?page=getObject&objectName=2017-HB-4973