On Board Online • April 6, 2026

By Shubh N. McTague
Staff Counsel

The state's highest court has ruled that Town of Mount Pleasant properly denied a request under the state Freedom of Information Law (FOIL) to disclose the names and email addresses of subscribers to the town's email alert system as it would constitute an unwarranted invasion of personal privacy.

In Russell v. Town of Mount Pleasant, the Court of Appeals reversed a decision by the Appellate Division of the state Supreme Court, Second Department, that favored disclosure.

FOIL, which is part of the state Public Officers Law, requires government bodies and agencies, including school districts, to allow the public access to official documents and records. However, FOIL contains exceptions, including one that prevents disclosure of records that would constitute an "unwarranted invasion of personal privacy."

The text of the law provides a non-exhaustive list of what could constitute an unwarranted invasion of personal privacy. The Russell decision clarifies a gray area involving whether information about voluntary subscribers to a governmental email list must be disclosed.

In this case, the Town of Mount Pleasant used a notification system to send email alerts of news, updates and announcements. When signing up for the alerts, subscribers would sign a form indicating whether they consented to disclosure of their email address to others (218 of the 220 subscribers did not consent).

A member of the public named James Russell filed a FOIL request seeking the names and email addresses of all the subscribers. Initially, the town claimed it did not possess the records. Petitioner appealed to the Records Access Appeals Officer, who expressed discomfort in releasing the information and stated he would wait for a legal opinion. After no decision was ultimately made, Russell filed an action in state court.

At the state Supreme Court level, the town noted that most subscribers had not consented to release of their email addresses. It also stated that the town's cybersecurity manager asserted that disclosure would expose the subscribers to "unnecessary cybersecurity risks." Specifically, this could include spoofing, in which someone could identify themselves as the town and expose the subscriber to "potential identity theft, account hacking, or a computer virus."

The town manager noted that the town had added security to protect the subscribers but someone obtaining the names and email addresses via a FOIL request may not take appropriate safety measures. Notwithstanding these arguments, the Supreme Court ordered disclosure of records.

On appeal, the Second Department affirmed the lower court, finding that the town could not show that the privacy interests at stake outweighed the public interest in disclosure. In so finding, the court deemed the town's concerns about cybersecurity risks to be "speculative."

However, the Court of Appeals disagreed and reversed the decision of the Second Department. The court reiterated that governmental records are presumptively available to the public unless an exception applies, such as unwarranted invasion of personal privacy. However, nothing in the text of the law specifically exempted "names and email addresses submitted to obtain governmental correspondence" with the exception of a specific instance under the Real Property Tax Law.

Therefore, the Court of Appeals stated that it had to "balance[e] the privacy interests at stake against the public interest in disclosure of the information." The court found:

• There was no public interest served by disclosure of this information.
• The subscribers had a strong privacy interest in keeping their names and email addresses confidential to minimize cybersecurity threats from disclosing their information.

Regarding the subscribers' privacy interest, the court said that generally people assume that email addresses will be kept confidential by governmental entities unless people consent to disclosure or it is legally mandated. Furthermore, privacy is essential because email accounts usually house a large amount of individual personal data, and many use their email addresses as a username or ID to log in to websites.

Regarding the cybersecurity, the court found that the potential risks of disclosure were not speculative. The court noted that when an email address is made public, individuals can be taken advantage of by people posing as others to obtain their private information and that governmental entities use higher level security measures to protect emails.

On the topic of whether the release would be in the public interest, the court stated that if the information were disclosed, people would hesitate to sign up for municipal email alerts, reducing public engagement. The court noted that such would actually "undermine animating purpose of FOIL to make the workings of government transparent and accessible to the public."

The Court of Appeals further stated that when the Second Department found that the town could not establish that privacy interests outweighed public interest, it did not correctly apply the balancing test. The court found that the Second Department: (1) failed to discuss the privacy interests at stake or how those interests were balanced against public interest in disclosure; and (2) used the wrong standard when it found that the cybersecurity threats were "speculative." The court said that the town only "needed to establish that the subscribers' interest in maintaining their information private outweighed any public interest in its disclosure."

This case is important for school district records access officers and records access appeals officers as school districts house names and email addresses of many, including parents. Questions arising on dealing with this type of FOIL request can be discussed with their school attorneys.