                                  Cite as 2014 Ark. 139

               SUPREME COURT OF ARKANSAS
                                     No.   CV-13-733

JON HOPKINS                                     Opinion Delivered   April 3, 2014
                              APPELLANT
                                                APPEAL FROM THE MONROE
V.                                              COUNTY CIRCUIT COURT
                                                [NO. CV-12-65]

THE CITY OF BRINKLEY,                           HONORABLE L.T. SIMES, II, JUDGE
ARKANSAS; AND THE BRINKLEY
WATER & SEWER DEPARTMENT                        REVERSED AND REMANDED.
                      APPELLEES


                             JIM HANNAH, Chief Justice


       Appellant, Jon Hopkins, appeals an order of the Monroe County Circuit Court

finding that appellees, the City of Brinkley, Arkansas, and Brinkley Water & Sewer

Department (“BW&S”) were not required to disclose a municipal-utility ratepayer’s home

address under the Arkansas Freedom of Information Act (the “FOIA” or the “Act”), codified

at Arkansas Code Annotated sections 25-19-101 to -110 (Repl. 2002 & Supp. 2011). We

reverse and remand the circuit court’s order.

       A review of the record reveals that Hopkins submitted multiple requests to BW&S

for the home address, phone number, and payment history of Kathryn Harris, a municipal-

utility ratepayer and resident of Brinkley. BW&S responded by providing a redacted copy

of her account history, which did not disclose her home address. In addition, BW&S stated

that it “did not maintain the customer’s telephone number.” In denying the request for

Harris’s address, BW&S stated that it believed there was a “constitutional expectation of
                                   Cite as 2014 Ark. 139

private individuals not to have personal information disclosed publicly,” that it considered

a person’s street address “to be something a person could expect to be a private matter not

to be disclosed to third parties,” and that “[r]ecent requirements of the adoption of identity

theft protection measures by the Waterworks Department has further restricted the access of

individuals to the information you request, even within the Waterworks Department.”

Hopkins appealed the denial of his request to the circuit court. After a hearing, the circuit

court entered an order denying Hopkins’s request, finding

       that [o]n October 27, 2008, the Brinkley Water and Sewer Commission adopted an
       Identify Theft Prevention Program, as required by 16 C.F.R. § 681.1(d)(1);

       that [Hopkins’s] request for a customer’s street address was denied by [BW&S]
       pursuant to the Brinkley Municipal Waterworks Identify Theft Prevention Program;

       that [BW&S has] provided [Hopkins] with account history information indicating the
       “requested individual” is a customer of the Waterworks Department and indicating
       the usage history of the customer, however, that personally identifiable information
       of the customer, including address, social security number, or other personal
       information has been redacted;

       that [BW&S’s] providing of redacted information provides sufficient information to
       [Hopkins] to establish the conduct of a public function, as provided by the Freedom
       of Information Act of the State of Arkansas, while protecting the privacy of personal
       information as prescribed by the Identity Theft Prevention Program mandated by 16
       C.F.R. § 681.1(d)(1); and

       [that BW&S is] not required to provide the street address or telephone number to
       [Hopkins] as requested.

       Hopkins contends that the circuit court erred in finding that BW&S was not required

to provide him with Harris’s home address because a municipal-utility ratepayer’s home

address, a “public record” as defined by the FOIA, is not exempt from the Act’s disclosure

and copying requirements. This court liberally interprets the FOIA to accomplish its laudable

                                              2
                                    Cite as 2014 Ark. 139

purpose that public business be performed in an open and public manner. E.g., Thomas v.

Hall, 2012 Ark. 66, at 4, 399 S.W.3d 387, 390. Furthermore, this court broadly construes the

Act in favor of disclosure. Id., 399 S.W.3d at 390. Arkansas Code Annotated § 25-19-

105(a)(1)(A) (Supp. 2011) provides that “[e]xcept as otherwise specifically provided by this

section or by laws specifically enacted to provide otherwise, all public records shall be open

to inspection and copying by any citizen of the State of Arkansas during the regular business

hours of the custodian of the records.” Subsection (a)(2)(A) provides that “[a] citizen may

make a request to the custodian to inspect, copy, or receive copies of public records.” Ark.

Code Ann. § 25-19-105(a)(2)(A) (Supp. 2011). Pursuant to subsection (d)(2)(A), “the

custodian shall furnish copies of public records if the custodian has the necessary duplicating

equipment,” upon request and payment of a fee as provided in subsection (d)(3). Ark. Code

Ann. § 25-19-105(d)(2)(A) (Supp. 2011).

       We have held that for a record to be subject to the FOIA and available to the public,

it must be (1) possessed by an entity covered by the Act, (2) fall within the Act’s definition

of a public record, and (3) not be exempted by the Act or other statutes. E.g., Nabholz

Constr. Corp. v. Contractors for Pub. Protection Ass’n, 371 Ark. 411, 416, 266 S.W.3d 689, 692

(2007). In this case, Hopkins and BW&S agree that BW&S is subject to the inspection and

copying provisions of the FOIA and that the account history of a municipal ratepayer is a

public record. BW&S and Hopkins part ways, however, on the issue of whether the

ratepayer’s home address is exempt from disclosure.

       Hopkins contends that no exemption permits BW&S to withhold what is in the


                                              3
                                   Cite as 2014 Ark. 139

public record. In support of his contention, Hopkins cites Arkansas Attorney General

Opinion No. 2009-060, in which the Attorney General concluded that “[t]he individual

payment records of customers of public utilities (such as water distributers under A.C.A. §

14-116-101 et seq.) are not eligible for any specific exemption under the FOA,” Arkansas

Attorney General Opinion No. 2000-129 (concluding that the FOIA “requires the disclosure

of customer-specific payment-history records of a city-owned utility company”), and

Arkansas Attorney General Opinion No. 97-244 (concluding that the FOIA requires

disclosure of customer-specific payment-history records of a municipally owned water

system). In addition, Hopkins points out that, in drafting the FOIA, the General Assembly

exempted, for example, certain personnel records, see Ark. Code Ann. § 25-19-105(b)(12)

(Supp. 2011) (stating that personnel records are not open to the extent that disclosure would

constitute a clearly unwarranted invasion of personal privacy),1 the personal contact

information of certain government employees, see Ark. Code Ann. § 25-19-105(b)(13)

(Supp. 2011) (stating that personal contact information, including home addresses of certain

government employees contained in employee records, is not open, except that the custodian


       1
        At one time, the clearly-unwarranted-invasion-of-privacy exemption was not limited
to personnel records. Rather, any information that, if disclosed, would constitute a clearly
unwarranted invasion of privacy was not considered to be a part of the public record. In
1981, the General Assembly amended the definition of “public records,” to include the
following language: “Provided, that compilations, lists, or other aggregations of information
of a personal nature where the public disclosure thereof would constitute a clearly
unwarranted invasion of personal privacy, are hereby determined to be confidential and shall
not be considered to be ‘public records’ within the terms of this Act, and shall not be
supplied to private individuals or organizations.” See Act of Mar. 23, 1981, No. 608, § 3,
1981 Ark. Acts 1345, 1346 (1981). But that language was deleted in 1985. See Act of Mar.
21, 1985, No. 468, § 3, 1985 Ark. Acts 917, 918 (1985).

                                             4
                                    Cite as 2014 Ark. 139

of the records shall verify an employee’s city or county of residence or address on record

upon request), and certain concealed handgun records, see Ark. Code Ann. § 25-19-

105(b)(19), as amended by Act 145 of 2013 (deleting (b)(19)(C), which stated that “[t]he

name and the corresponding zip code of an applicant, licensee, or past licensee may be

released upon request by a citizen of Arkansas”). Hopkins contends that because the

ratepayer’s home address is not exempt from disclosure by the Act, BW&S must disclose the

information upon request.

       BW&S agrees that there is no specific statutory exemption for a ratepayer’s home

address, but it contends that the Federal Trade Commission’s Red Flags Rule preempts the

FOIA’s disclosure requirements. The Red Flags Rule requires certain companies to “develop

and implement a written Identify Theft Prevention Program (Program) that is designed to

detect, prevent, and mitigate identity theft in connection with the opening of a covered

account or any existing covered account.” 16 C.F.R. § 681.1(d)(1).

       As required by federal regulations, BW&S developed an “Identity Theft Prevention

Program,” which BW&S says was “intended to identify red flags that will alert our employees

when new or existing accounts are opened using false information, protect against the

establishment of false accounts, methods to ensure existing accounts were not opened using

false information, and measures to respond to such events.” As part of the Program, BW&S

implemented “Personal Information Security Procedures” with the aim of better protecting

personal customer information. Procedures included storing files with “secure information”

in locked file cabinets and limiting access to a customer’s “personal identify [sic] information”


                                               5
                                   Cite as 2014 Ark. 139

to employees with a “need to know.”

       The Supremacy Clause of the United States Constitution provides that state laws that

“interfere with, or are contrary to the laws of Congress, made in pursuance of the

constitution” are invalid. Gibbons v. Ogden, 22 U.S. 1, 210–11 (1824); U.S. Const. art. VI,

cl. 2. State law is preempted under the Supremacy Clause in three circumstances: (1) when

Congress makes its intent to preempt state law explicit in statutory language; (2) when state

law regulates conduct in a field that Congress intends for the federal government to occupy

exclusively; or (3) when there is an actual conflict between state and federal law. English v.

Gen. Elec. Co., 496 U.S. 72, 78–79 (1990).

       BW&S contends that the third circumstance, an actual conflict, is present in the

instant case because the FOIA, on its face, mandates disclosure of the same personal

information that the Red Flags Rule and the Identity Theft Prevention Program seek to

protect. BW&S contends that the federal law, which aims to protect a customer’s personal

information as a guard against identity theft, is incompatible with the FOIA, which would

otherwise require the public disclosure of a customer’s personal information.

       The Supreme Court of the United States has explained that

       state law is pre-empted to the extent that it actually conflicts with federal law. Thus,
       the Court has found pre-emption where it is impossible for a private party to comply
       with both state and federal requirements or where state law stands as an obstacle to
       the accomplishment and execution of the full purposes and objectives of Congress.

English, 496 U.S. at 79 (internal quotations and citations omitted).

       We are not persuaded by BW&S’s contention that the FOIA is “incompatible” with

the federal regulations that require BW&S to implement policies to detect, prevent, and

                                              6
                                    Cite as 2014 Ark. 139

mitigate identity theft. Pursuant to the federal regulations, “[i]dentity theft means a fraud

committed or attempted using the identifying information of another person without

authority.” 12 C.F.R. § 1022.3(h). “Identifying information” is defined as any name or

number that may be used, alone or in conjunction with any other information, to identify

a specific person, including any:

       (1) Name, social security number, date of birth, official state or government issued
       driver’s license or identification number, alien registration number, government
       passport number, employer or taxpayer identification number;

       (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or
       other unique physical representation;

       (3) Unique electronic identification number, address, or routing code; or

       (4) Telecommunication identifying information or access device (as defined in 18
       U.S.C. 1029(e)).

12 C.F.R. § 1022.3(g).

       Absent from the definition of “identifying information” is a person’s home address.

We recognize that 12 C.F.R. § 1022.3(g) does not contain an exhaustive list of names and

numbers that qualify as “identifying information,” but we do not agree with BW&S’s

contention that, to prevent and mitigate identity theft, a person’s home address is considered

to be “within the same family” of the other items listed in the definition or that a person’s

home address is akin to a person’s social security number or date of birth.2 We conclude that


       2
        See, e.g., Office of Lieutenant Governor v. Mohn, 67 A.3d 123, 132 (Pa. Commw. Ct.
2013) (recognizing the “‘Holy Trinity’ of personal information, i.e., person’s name, social
security number and date of birth, that are reasonably likely to result in identity theft and
fraud,” and concluding that sufficient proof had not been presented to add “home address”
to the “Holy Trinity”); Governor’s Office of Admin. v. Purcell, 35 A.3d 811, 813 (Pa. Commw.

                                              7
                                   Cite as 2014 Ark. 139

the FOIA is not preempted by the Red Flags Rule because the laws do not conflict.

       BW&S next contends that the Arkansas Constitution protects a municipal-utility

customer’s individual privacy rights, including the secrecy of his or her personal information.

In support of this argument, BW&S cites McCambridge v. City of Little Rock, 298 Ark. 219,

766 S.W.2d 909 (1989), in which this court recognized “a constitutional right to

nondisclosure of personal matters.” Id. at 229, 766 S.W.2d at 914 (citing Whalen v. Roe, 429

U.S. 589 (1977)). In that case, McCambridge’s son, John Markle, committed suicide after

having murdered his wife and child, and the Little Rock Police Department recovered

several items from the crime scene, including two handwritten letters from Markle to his

attorney, a diary containing Markle’s notes, a handwritten letter from Markle to

McCambridge, and miscellaneous notes. McCambridge filed suit against the City of Little

Rock and its police department, seeking to restrain the department from releasing to the

media the items listed above and the crime-scene photographs.

       The court noted that McCambridge had a right “to avoid disclosure by the


Ct. 2011) (crediting an identity theft, privacy, and security expert’s affidavit testimony that
the “Holy Trinity . . . can be used by identity thieves to establish new financial accounts in
the name of the identity theft victim and to commit a variety of other types of identity fraud.
While one cannot hold one’s name secret, one can often protect their Social Security
number and date of birth. . . . Organizations that maintain records that contain consumer
date of births must protect that personal identifier and other personally identifiable
information that the consumer entrusted with the organization.”).

        BW&S’s Identity Theft Prevention Program contains “Personal Information Security
Procedures” that refer to “secure information,” “personally identifiable information,”
“sensitive information,” “sensitive consumer data,” “sensitive data,” and “personally identify
[sic] information.” None of those terms are defined.


                                              8
                                      Cite as 2014 Ark. 139

government of some personal matters,” id. at 230, 766 S.W.2d at 914, and concluded that

a constitutional privacy interest applies to matters “(1) that the individual wants to [keep] and

has kept private or confidential, (2) that, except for the challenged government action, can

be kept private or confidential, and (3) that to a reasonable person would be harmful or

embarrassing if disclosed.” Id. at 230, 766 S.W.2d at 914 (citing Bruce E. Falby, Comment,

A Constitutional Right to Avoid Disclosure of Personal Matter: Perfecting Privacy Analysis in J.P. v.

DeSanti, 653 F.2d 1080 (6th Cir. 1981), 71 Geo. L.J. 219, 240 (1981)). Having determined

which items involved “personal matters,” pursuant to the three-part test, the court then

considered “whether the governmental interest in disclosure under the Freedom of

Information Act outweighs the appellant’s privacy interest in the nondisclosure of the

personal matters.” Id. at 231, 766 S.W.2d at 915 (citing Nixon v. Admin. of Gen. Servs., 433

U.S. 425, 458 (1977)). Ultimately, the court concluded that the governmental interest in

disclosure under the FOIA outweighed McCambridge’s privacy interest in nondisclosure.

Id. at 231–32, 766 S.W.2d at 915.

       BW&S contends that a home address qualifies as a “personal matter” under

McCambridge and is thus “constitutionally protectable” because it is the type of information

that an individual wants to keep and has kept private or confidential, except for its potentially

being released pursuant to a FOIA request; it is a class of information that an individual can

keep private and confidential; and a reasonable person would find the disclosure of such

information harmful. BW&S further contends that, because an individual’s interest in

protecting his or her personal information is substantial and because there is “little to no


                                                 9
                                     Cite as 2014 Ark. 139

relevant” public interest in a municipal-utility customer’s personal information, the personal

information should not be disclosed.

       The Tennessee Court of Appeals recently addressed a similar argument. In Patterson

v. Convention Center Authority of Metro Government of Nashville, No. M2012-00341-COA-R3-

CV, 2013 WL 209051 (Tenn. Ct. App. Jan. 17, 2013), the Convention Center Authority

(“CCA”) appealed the trial court’s determination that the residential addresses of employees

of third-party contractors contained in payroll records submitted by the contractors to the

Convention Center Authority were not exempt from disclosure under the Tennessee Public

Records Act (“TPRA”). After concluding that the TPRA did not prohibit disclosure of the

addresses, the Tennessee Court of Appeals addressed the CCA’s contention that workers had

constitutional privacy rights to prevent disclosure to their home addresses:

               The CCA additionally asserts that workers have constitutional privacy rights
       to nondisclosure of their home addresses, and that disclosure of residential addresses
       under the TPRA would violate this right. Petitioners assert that the CCA lacks
       standing to assert this issue. In Schneider v. City of Jackson, the supreme court stated that
       the City of Jackson had failed to demonstrate that it had standing to assert the privacy
       rights of individuals where the cases upon which it relied were filed by the individuals
       alleging constitutional violations. Schneider v. City of Jackson, 226 S.W.3d 332, 344 n.
       16 (Tenn. 2007). The Schneider court additionally stated:

       were we to assume that the City has standing to assert the constitutional claim, the
       City has failed to offer specific proof that disclosing the field interview cards would
       threaten the personal security and bodily integrity of certain interviewees, proof that
       is necessary to establish such a claim.

       Id.

                                               ...

       As in Schneider, Petitioners here have failed to demonstrate that they have standing to
       assert the individual workers’ constitutional privacy rights. Additionally, as in

                                                10
                                     Cite as 2014 Ark. 139

       Schneider, Petitioners here have offered no proof that disclosing the workers’ addresses
       would threaten the personal security or bodily integrity of any worker. We
       accordingly decline to address this issue.

Patterson, 2013 WL 209051, at *14.

       In the instant case, BW&S relies on McCambridge, a case in which an individual alleged

constitutional violations of privacy, to assert the privacy rights of all its customers. Even if we

were to assume that BW&S has standing to assert the constitutional claim, it has failed to

offer specific proof that any customer’s home address qualifies as a “personal matter” under

the standards set forth in McCambridge. Therefore, we decline to address BW&S’s privacy

argument. See Patterson, supra; see also Op. Ark. Att’y Gen. No. 285 (2002) (stating that any

records maintained by a water district reflecting the names, addresses, and telephone numbers

of its paying customers constitute “public records” that are not exempt from disclosure, but

recognizing that, in some cases, unlisted telephone numbers and unlisted addresses may meet

the McCambridge standards).

       BW&S also contends that Hopkins’s request for a municipal ratepayer’s home address

falls outside of the FOIA’s stated purpose and, therefore, the address should not be disclosed.

The legislative intent of the FOIA is stated in Arkansas Code Annotated section 25-19-102

(Repl. 2002):

       It is vital in a democratic society that public business be performed in an open and
       public manner so that the electors shall be advised of the performance of public
       officials and of the decisions that are reached in public activity and in making public
       policy. Toward this end, this chapter is adopted, making it possible for them, or their
       representatives to learn and to report fully the activities of their public officials.

       BW&S asserts that the home address of a public-utility customer should not be


                                                11
                                    Cite as 2014 Ark. 139

disclosed because the disclosure will not aid anyone in evaluating the operation and

performance of the public utility and the job performance of the public officials responsible

for running the public utility. But BW&S points to no law that requires a citizen to give a

reason for his or her request to inspect public records. The FOIA does not direct itself to the

motivation of the person who seeks public records. See John J. Watkins & Richard J. Peltz,

The Arkansas Freedom of Information Act 410 (Ark. Law Press, 5th ed. 2009) (noting that under

the Act, “any public record that is not specifically exempt from disclosure is available for

inspection and copying by any citizen of the State of Arkansas, irrespective of his purpose or

motive in seeking access”) (internal quotations and footnote omitted).

       Finally, BW&S makes a policy argument, stating that

       the personal contact information, including home address and personal email address,
       of a public employee is specifically exempted from disclosure under FOIA. Ark. Code
       Ann. § 25-19-105(b)(13). In other words, a BW&S employee’s home address would
       be exempt from disclosure pursuant to a FOIA request. It defies logic that a private
       customer of a public utility, who has no connection to the operation of the public
       utility, should receive less protection than an employee of a public utility, who is
       supported by the taxpayers, when it comes to the protection of his or her personal
       information.

       Whether certain records should be exempt from the FOIA is a public-policy decision

that must be made by the General Assembly and not the courts. E.g., Harris v. City of Fort

Smith, 359 Ark. 355, 365, 197 S.W.3d 461, 467 (2004). As we noted in City of Fayetteville v.

Edmark, 304 Ark. 179, 194–95, 801 S.W.2d 275, 283 (1990), it is the job of the General

Assembly to establish exemptions under the FOIA, and arguments for additional exemptions

must be addressed to the General Assembly because this court “can only interpret the

exemption as it is written.” Id. (citing McCambridge, 298 Ark. at 233, 766 S.W.2d at 916).

                                              12
                                     Cite as 2014 Ark. 139

       Reversed and remanded.

       HOOFMAN, J., dissents.

       CLIFF HOOFMAN, Justice, dissenting. I must respectfully dissent. The majority’s

decision has the effect of requiring the disclosure of the home address of every resident of

every community of this state who subscribes to the services of any public utility (water,

sewer, cable television, electricity, solid waste, and recycling services, etc.). I do not believe

that the legislature intended such a result. Personal information such as a ratepayer’s home

address or phone number has no relation to the stated purpose of the Freedom of Information

Act (FOIA), which is to make it possible for electors “to learn and to report fully the activities

of their public officials.” Ark. Code Ann. § 25-19-102 (Repl. 2002). While I recognize that

the FOIA is broadly construed in favor of disclosure and that exceptions to the Act are

narrowly construed, we have also stated that “we will balance the laudable interest in favor

of disclosure with the intent of the General Assembly and do so with a common sense

approach.” Byrne v. Eagle, 319 Ark. 587, 590, 892 S.W.2d 487, 488 (1995); see also Sebastian

Cnty. Chapter of the Am. Red Cross v. Weatherford, 311 Ark. 656, 846 S.W.2d 641 (1993);

Bryant v. Mars, 309 Ark. 480, 830 S.W.2d 869 (1992). Given that the General Assembly

exempted from disclosure the personal contact information of employees of these public

utilities, pursuant to Ark. Code Ann. § 25-19-105(b)(13) (Supp. 2013), it defies logic and

common sense to conclude that this same information concerning a public utility’s private

customers was intended to be disclosed under the Act. These customers often are required

to subscribe to the services of such utilities in order to be a resident of that community and


                                               13
                                    Cite as 2014 Ark. 139

thus would have no choice but to have their private contact information disclosed. The

legislature surely did not foresee such an absurd result and therefore saw no need to enact a

specific exception for the utilities’ customers, as it did for the utilities’ employees. Thus, I

would affirm the circuit court’s order.

       Joseph Hamilton Kemp, PLLC, by: Joseph Hamilton Kemp, for appellant.

       Raymond R. Abramson and John W. Martin, for appellees.




                                              14
