This CPLR article 78 proceeding arises from the denial of a request under the Freedom of Information Law (FOIL). Petitioner, Roth & Roth LLP, sought from respondents New York City Transit Authority and Metropolitan Transit Authority (MTA) "lists or directories containing the business phone numbers and business email addresses" for lawyers in numerous units of those [*2]respondents. (See NYSCEF No. 2 [reproducing FOIL request].)

Respondents denied petitioner's requests, citing, among other things, the cybersecurity exemption of Public Officers Law (POL) § 87 (2) (i). (See NYSCEF No. 4 at 1-2 [first-level denial]; NYSCEF No. 7 at 2-3 [administrative-appeal denial].) Section 87 (2) (i) permits an agency to deny a FOIL request for information that, "if disclosed, would jeopardize the capacity of an agency or an entity that has shared information with an agency to guarantee the security of its information technology assets, such assets encompassing both electronic information systems and infrastructures."

Petitioner now brings this article 78 proceeding to challenge respondents' denial of its FOIL requests.^[FN1] Respondents move to dismiss. The petition is denied; and respondents' motion to dismiss is granted. The proceeding is dismissed.

In moving to dismiss, respondents contend, drawing on an affidavit provided by MTA's chief information security officer (see NYSCEF No. 18), that they properly relied on POL § 87 (2) (i) in denying petitioner's FOIL request. In particular, respondents claim, the challenge to their denial is foreclosed by the decision of the Appellate Division, First Department, in Matter of Freedom Found. v New York City Dept. of Citywide Admin. Servs. (230 AD3d 999 [1st Dept 2024]). (See NYSCEF No. 17 at 6-7.) This court agrees.

In Matter of Freedom Foundation, the First Department sustained a denial on § 87 (2) (i) grounds of a FOIL request that would have entailed "the mass release of employee email addresses." (230 AD3d at 1004.) Here, as in Matter of Freedom Foundation, petitioner is seeking bulk contact information for City employees in the agencies to which the FOIL request is directed. (See NYSCEF No. 2.) And here, as in Matter of Freedom Foundation, respondents have "articulated a particularized and specific justification for denying access . . . under the cybersecurity exemption." (230 AD3d at 1005 [internal alterations and quotation marks omitted].) Respondents provided that justification both in their denial of petitioner's administrative appeal (see NYSCEF No. 7 at 2-3); and in the chief information security officer's affidavit supporting the motion to dismiss (see NYSCEF No. 18). Matter of Freedom Foundation thus controls here and warrants dismissal of petitioner's CPLR article 78 proceeding.

Petitioner argues that disclosure of the business email addresses of respondents' employees cannot constitute a cybersecurity risk because the email addresses of individual [*3]lawyers and employees are publicly disclosed on NYSCEF, on respondents' websites, and in FOIL productions; and because one can readily guess a given employee's address using the naming conventions of respondents' email addresses. (See NYSCEF No. 21 at 6-11.) Petitioner does not, however, explain why the individual, one-by-one disclosure of email information is equivalent, for cybersecurity purposes, to the bulk directory disclosure that petitioner seeks here. And the affidavit of MTA's chief information security office specifically explains why bulk directory disclosure presents a much more serious security risk. (See NYSCEF No. 18 at ¶¶ 5-6, 8, 14, 16-17.) Moreover, petitioner's argument that respondents must now provide email directories because they already disclose many staff email addresses on public websites cannot be reconciled with Matter of Freedom Foundation's holding that the City could properly withhold email directories on cybersecurity grounds.

Petitioner also attempts to distinguish Matter of Freedom Foundation on the ground that the FOIL request in that case sought a broader range of information than just email addresses, including "salary information, age, gender, and detailed employment data." (NYSCEF No. 21 at 13.) But the cybersecurity-related portion of the Court's decision in that case focused primarily on the "mass release of public employee contact information" like email addresses—not on the other demographic and employment information sought there by the requester. (See Matter of Freedom Foundation, 230 AD3d at 1004-1005.)

Finally, petitioner contends that respondents' telephone directories must be produced because "business phone numbers are unquestionably public records that must be disclosed under FOIL." (NYSCEF No. 21 at 3.) And petitioner emphasizes that disclosure of business telephone numbers should not be understood as creating an unwarranted invasion of personal privacy. (Id. at 4.) But this contention does not aid petitioner. Respondents did not deny the telephone-directory requests on the ground that those directories are not subject to FOIL in the first place, or that disclosure would invade personal privacy under POL § 87 (2) (b). Instead, the denial of the telephone-directory request, like the denial of the email-directory request, rested on § 87 (2) (i)'s cybersecurity exemption. (See NYSCEF No. 7 at 2-3.) And respondents have persuasively explained why bulk disclosure of telephone numbers, as well as email addresses, would pose excessive cybersecurity risks. (See NYSCEF No. 18 at ¶¶ 7, 14, 16-17.) Respondents were entitled to withhold internal telephone directories, as well as email lists.

Given this court's conclusion that petitioner's CPLR article 78 petition is subject to denial on the grounds set forth above, the court does not reach respondents' arguments that (i) the petition should be denied as untimely; (ii) the petition should be denied as to respondent Berenson for lack of a proper party; and (iii) petitioner's FOIL requests were properly denied under POL § 89 (3) as insufficiently specific.

Accordingly, it is

ORDERED that petitioner's CPLR article 78 petition (mot seq 001) is denied, and respondents' motion to dismiss the petition (mot seq 002) is granted; and it is further

ORDERED that this CPLR article 78 proceeding is dismissed, with costs to respondents [*4]as taxed by the Clerk upon the submission of an appropriate bill of costs; and it is further

ORDERED that respondents serve a copy of this order with notice of its entry on petitioner; and on the office of the County Clerk (using the NYSCEF document type "Notice to the County Clerk - CPLR § 8019 (c)"), which shall enter judgment accordingly.