Illinois Appellate Court Clarifies When a FOIA Request Is “Received” If Quarantined by Email Security Software

Takeaway: Public bodies should treat a FOIA request as “received” the moment it enters their email system, not when it is discovered after being quarantined, filtered, or otherwise delayed internally. To avoid missing statutory deadlines or forfeiting available exemptions, public bodies must implement procedures to monitor internal systems that quarantine or filter emails.

In Balzer v. Northeast Illinois Regional Commuter Railroad Corporation, the Illinois Appellate Court addressed when a Freedom of Information Act (“FOIA”) request sent by email is deemed “received” when a public body’s security software quarantines the message.

At issue was an emailed FOIA request to the Northeast Illinois Regional Commuter Railroad Corporation, which operates as Metra, sent on July 31. The email, however, did not reach the FOIA officer on July 31 because Metra’s third‑party email security system, Mimecast, flagged it as suspicious and placed it in quarantine. The FOIA officer learned of the request the next day, on August 1, when Mimecast notified the FOIA officer that a message was being held. After retrieving the request on August 1, the FOIA officer informed the requester that his request was unduly burdensome and asked the requester to narrow his request. The requester declined. The FOIA officer formally denied the request as unduly burdensome on August 8, six business days after the email was sent (though only five business days after the FOIA officer reviewed it after its release from quarantine). The requester sued, arguing Metra’s denial was late under FOIA, that the late response precluded Metra from utilizing the unduly burdensome exemption, and that he was entitled to attorneys’ fees.

The Appellate Court held that the request was “received” on July 31, the moment the email was received through Mimecast, despite its subsequent quarantine of the message. The Court emphasized that the deadline to respond under FOIA is not extended because of internal delays caused by email filters, security programs, or receipt by a vendor selected by the public body, however important those security measures may be. Accordingly, the Court found Metra’s denial after the five-business-day deadline under FOIA untimely.

As a result of the untimely response, the Court further held that Metra forfeited the ability charge fees or rely on the “unduly burdensome” exemption under Section 3(g) of the FOIA, which explicitly states the exemption is unavailable when a response is issued late. Announcing that it felt constrained by the plain language of the FOIA and openly questioning whether the Legislature should amend the law, the Appellate Court also begrudgingly held that the requester was a “prevailing party” under the FOIA, which meant that Metra was responsible for paying the requester’s reasonable attorneys’ fees and that the requester could seek a civil penalty against Metra.

This decision serves as an important reminder that the deadline for a public body’s response under the FOIA begins to run from the moment a request enters the public body’s technical infrastructure, and that any internal email filtering processes do not toll the date of receipt or excuse late responses. There are a few practical takeaways:

1. FOIA deadlines begin when the request enters your system—not when the request is discovered or released. Public bodies are responsible for monitoring any internal systems they have chosen to utilize. Security software that quarantines emails or email spam filters will not extend the five‑business‑day response window under the FOIA.
2. Regularly check spam, quarantine, and security queues. Public bodies should implement procedures to review all email security and/or spam folders daily. Failure to do so may result in missed deadlines and waiver of exemptions under FOIA.
3. Train FOIA Officers on email‑security processes. Ensure FOIA officers understand how automated filtering works, how alerts are generated, and how to retrieve quarantined messages.
4. Respond on time or risk waiving key defenses. As this case illustrates, an untimely response can forfeit the ability to claim the “unduly burdensome” exemption under Section 3(g).

If there are any questions, please contact one of the authors of this article or any Franczek attorney.