“Information sharing underpins any true partnership and is necessary to mitigate the threat posed by a cunning, adaptive, and determined enemy.”
We must begin to think differently about national security and who is responsible for it. Eighty-five percent of the nation’s critical infrastructure – the financial, transportation, telecommunications, energy and emergency services we depend upon – is controlled by the private sector. As the private sector and the Federal government have become increasingly interdependent, their abilities to assess and reduce vulnerabilities to terrorist attacks have become intertwined as well. Those responsible for homeland security must be able to obtain information on privately-held infrastructure and other potentially vulnerable targets in order to assess and prevent terrorist threats. The safety of our homeland depends on the ability of companies and government agencies to cooperate and share security-related information.
Despite the necessity of information sharing, companies have been understandably reluctant to provide information to the government. Since much homeland security-related information is also business-sensitive, private companies worry that this information could be released either accidentally or under compulsion through open government laws.
In an effort to strike the necessary balance between “sharing the information that needs to be shared and protecting the information that needs to be protected” the government has instituted protection regimes for sensitive but unclassified homeland security-related information. Three of the most important are Protected Critical Infrastructure Information (PCII), Sensitive Security Information (SSI) and Chemical Vulnerability Information (CVI). Each is supervised by the Department of Homeland Security (DHS). PCII, SSI and CVI are shielded from public disclosure under the Freedom of Information Act (FOIA) and other laws and are subject to strict rules regarding how that information may be shared among government entities and with the general public. The specific requirements of the regulations governing each type of information are outlined in Appendix A.
Though these protections are significant, they are neither absolute nor permanent. Protected information may be used in certain judicial and administrative proceedings. Congress is also reevaluating the disclosure protections given to each type of information. The protections for SSI were significantly weakened in 2006. In the coming months, the CVI classification may be eliminated altogether and FOIA may be strengthened in an effort to cut back on the disclosure exemptions afforded PCII, SSI and CVI.
PROTECTED CRITICAL INFRASTRUCTURE INFORMATION
The Critical Information Infrastructure Act of 2002 (the “CII Act”) created the PCII framework. It was designed to encourage the submission of Critical Infrastructure Information (CII) to DHS by implementing handling safeguards, restrictions on distribution and protections from disclosure of CII voluntarily submitted to DHS.
The Department of Homeland Security regulation regarding CII (the “CII Final Rule”) sets out specific physical and procedural safeguards against accidental disclosure of PCII and affords several protections against disclosure of information classified as PCII. Once information is classified as PCII, it does not lose these protections unless a change of status is requested by the submittor and the PCII Office determines that the information was in the public domain at the time it was submitted.10
- Marking and Handling. PCII must be clearly marked as such, stored in a secure environment and destroyed in a way that prevents retrieval.1111
- FOIA Exemption and Preemption of State and Local Open Records Laws. PCII is exempt from disclosure under FOIA and from any similar state or local laws that require disclosure of information.12
- Ex Parte Exclusion. PCII is not subject to any rules or judicial doctrine regarding ex parte communications with decision-making officials.1313 Communications with DHS officials regarding PCII do not become public record.
- Civil Liability Protection. PCII cannot be used directly in any civil action by a third party, including government entities.14 DHS interprets this to mean that PCII is neither discoverable nor admissible as evidence in civil litigation.15
- Restrictions on Sharing and Use. The CII Final Rule describes the circumstances under which DHS may share PCII with other government entities and with the general public. Disclosure of PCII must be authorized by the PCII Program Manager, the Under Secretary for Preparedness and the Assistant Secretary for Infrastructure Protection.
- Sharing with the government. PCII may be shared with Federal, state and local government entities for the purpose of protecting critical infrastructure and in furtherance of the investigation or prosecution of a criminal act.16 State and local governments may not further disclose PCII except to parties already authorized to receive PCII.17
- Sharing with government contractors. PCII may be shared with Federal, state and local government contractors only with the permission of the PCII Program Manager and only for appropriate purposes under the CII Act. Employees of government contractors who will handle PCII must sign individual nondisclosure agreements.18
- Sharing with the public. PCII may be used to prepare warnings and alerts directed to companies, targeted sectors and the general public. When issuing these warnings, DHS must take care to protect from disclosure any information that is business sensitive or might be used to identify the submitting entity.19
Exceptions to PCII Protections
The CII Final Rule provides several exceptions to the disclosure protections.
- Use in Criminal Proceedings. PCII may be disclosed in furtherance of a criminal investigation or prosecution, when the disclosure is coordinated by a Federal law enforcement official.20
- Communication with Submitting Entities. PCII may be disclosed in order to communicate with a person who has submitted PCII about that submittal.21
- Congress and the Comptroller General. PCII may be disclosed by an officer or employee of the United States to (i) either House of Congress and to committees thereof; or (ii) to the Comptroller General, in the course of the duties of the General Accountability Office.22
- DHS Inspector General. PCII may be disclosed to the DHS Inspector General for the purposes outlined in the CII Act.23
SENSITIVE SECURITY INFORMATION
SSI is information related to transportation security, obtained or created by the Transportation Security Administration (TSA)2424 or the Department of Transportation (DOT). The rule governing SSI2525 (the “SSI Interim Final Rule”) was implemented to protect the confidentiality of SSI and reduce the ability of terrorists to obtain information regarding transportation security practices and vulnerabilities.
The disclosure protections for SSI are significantly weaker than those for PCII. They consist primarily of a FOIA exemption and restrictions on the sharing and use of information. TSA26 may determine at any time that information no longer meets the criteria for SSI.27
- Marking and Handling. SSI must be clearly marked as such, stored in a locked container and destroyed in a way that precludes recognition or reconstruction.28
- FOFOIA Exemption. SSI is exempt from public inspection or copying under FOIA, the Privacy Act29 and other laws.30 However, if a document contains information that is SSI and information that is not SSI, TSA may disclose the document with the SSI portion redacted.3131 Section 525 of the Homeland Security Appropriations Act of 20073232 limited the SSI FOIA exemption in two ways:
- Automatic reexamination of status upon request for release. When a request is made for a document containing SSI, “the document shall be reviewed in a timely manner to determine whether any information contained in the document meets the criteria for continued SSI protection” and “all portions that no longer require SSI designation [shall] be released.”33
- Release after three years. SSI that is three years old and is not incorporated into a current transportation security directive, contingency plan and information circular and does not contain current information in particular sectors is subject to release unless the Secretary of TSA makes a written determination that there is a rational reason that the information must remain SSI.34
- Restrictions on Sharing. SSI may only be shared with persons with a “need to know.” A person has a need to know SSI when the person (i) needs access to SSI to carry out transportation security activities, is in training to carry out such activities and is supervising individuals carrying out such activities; or (ii) needs SSI to provide technical or legal advice to a covered person35 regarding transportation security requirements of Federal law and needs the information to represent a covered person in connection with any judicial or administrative proceeding regarding those requirements.36 DHS may also further restrict who has the need to know specific SSI.37
- Sharing with Federal employees. A Federal employee has a need to know SSI if the employee requires access to the information for performance of official duties.38
- Sharing with contractors. A DHS or DOT contractor has a need to know SSI if the contractor requires access to the information for performance of the contract.39
Exceptions to SSI Protections
The SSI Interim Final Rule provides exceptions for disclosure to persons otherwise without a need to know SSI.
- Civil Proceedings. SSI will be disclosed to a party (or counsel) in a Federal civil proceeding where the party demonstrates “substantial need of relevant SSI in the preparation of the party’s case and that the party is unable without undue hardship to obtain the substantial equivalent of the information by other means,” unless TSA or DHS can demonstrate that such disclosure presents a risk of harm to the nation.40
- Administrative Enforcement Proceedings. SSI may be provided to a person when access to SSI is necessary for the person to prepare a response to an allegation in a legal enforcement action document issued by TSA.41
- Congress and the Comptroller General. SSI may be disclosed to a committee of Congress authorized to have the information and to the Comptroller General.42
- Conditional Disclosure. TSA may disclose specific SSI when it determines that such disclosure would not be detrimental to transportation security.43 For example, TSA discloses the requirement that airlines ask for identification upon passenger check-in, even though the information is SSI.
CHEMICAL VULNERABILITY INFORMATION
DHS promulgated regulations relating to chemical facility antiterrorism standards in April of 2007 (the “CVI Interim Final Rule”),44 including a section on the protection of CVI. CVI is information relating to vulnerability and security that is exchanged between DHS and facilities that produce or handle potentially dangerous quantities of chemicals.45
The disclosure protections for CVI are similar to, but somewhat broader than those afforded to SSI and include a FOIA exemption, restrictions on the sharing of information and restrictions on the use of CVI in judicial proceedings.
- Marking and Handling. CVI must be clearly marked as such, stored in a secure container and destroyed in a way that precludes recognition or reconstruction.46
- FOIA Exemption. CVI is exempt from public inspection or copying under FOIA, the Privacy Act and other laws.47 However, if a document contains information that is CVI and information that is not CVI, DHS may disclose the document with the CVI portion redacted.48
- Restrictions on Sharing. CVI may only be shared with persons with a “need to know.” A person has a need to know CVI when the person (i) needs access to CVI to carry out chemical facility security activities, is in training to carry out such activities and is supervising individuals carrying out such activities; (ii) needs CVI to provide technical or legal advice to a “covered person” (each person with a need to know CVI or who otherwise receives or gains access to CVI) regarding chemical facility security requirements of Federal law; or (iii) is determined to have a need to know by DHS. DHS may also further restrict who has the need to know specific CVI.49
- Sharing with Federal employees. A Federal employee has a need to know CVI if the employee requires access to the information for performance of official duties.50
- Sharing with contractors. A DHS contractor has a need to know CVI if the contractor requires access to the information for performance of the contract.51
- Restrictions on Use in Judicial Proceedings. CVI is not available in any civil or criminal litigation, unless otherwise provided for by the Secretary of DHS.52
Exceptions to CVI Protections
The CVI Interim Final Rule provides a narrow exception for disclosure to persons without a need to know CVI, for use in the context of specific administrative and judicial enforcement proceedings. This disclosure is not mandatory – it is at the discretion of the Secretary of DHS. Judicial and Administrative Enforcement Proceedings. The Secretary of DHS may, in the context of a judicial or administrative enforcement proceeding of Section 550 of the Homeland Security Appropriations Act of 2007,5353 provide access to persons involved in the proceeding.5454
INTERACTION AMONG PROTECTIONS
The interplay among the protections has not been tested and remains unclear. SSI or CVI that was voluntarily submitted to the government could also be designated as PCII. Information receiving a PCII and either SSI or CVI designation will be afforded the more stringent protections of PCII.
THE FUTURE OFOF HOMELANDND SECURITY INFONFONFORMATIONON PROTECTIONONS
Though the Homeland Security Act was initially passed without much focus on its information protection provisions,56 Congress, businesses and open government advocates have since focused considerable attention on the disclosure exemptions for sensitive information. The information protection regimes will continue to evolve. Businesses possessing sensitive homeland-security related information must monitor these changes in order to make decisions regarding information sharing and to make sure that their interests are being protected. If the private sector remains reluctant to voluntarily share important information with the government, more stringent laws requiring information sharing are likely to be enacted.
- SSI has Been Significantly Weakened. The Homeland Security Administration Appropriations Act of 2007 significantly weakened the protections afforded to SSI. A designation of information as SSI must be re-examined upon a FOIA request and any information that no longer meets the SSI criteria is released. Information also loses its presumption of protection after three years and is no longer exempt from disclosure unless DHS makes an express determination that it must be exempt.57
- CVI May be Eliminated. DHS’s authority to regulate CVI expires in 2009, but significant changes to the chemical facility antiterrorism standards are likely to arise even before then. Representative Jackson-Lee of Texas has proposed the Chemical Facility Security Improvement Act of 2007,58 which would eliminate CVI classification altogether and make chemical facility information SSI. Though the bill is currently in a subcommittee and may not survive, it is an indication that future changes to the CVI regime are likely.
- FOIA May be Strengthened. Congress has become concerned with the perceived erosion of FOIA and could possibly weaken the FOIA protections given to PCII. Recently, the Freedom of Information Act Amendments of 200759 passed in the House. The amendments impose tighter deadlines on agencies to respond to FOIA requests and requires reports from the Comptroller General on the number of people who have submitted information under the CII program, the number of requests for access to information granted or denied and an examination of whether nondisclosure of information has led to increased protection of critical infrastructure. The Senate is considering a similar bill, the Openness Promotes Effectiveness in our National Government Act,60 to which President Bush strongly objects.61
The private sector has a responsibility to help ensure our nation’s safety by providing valuable security-related information to DHS. Without the private sector’s cooperation in information sharing, the government will have incomplete information regarding the security and vulnerability of critical infrastructures, such as transportation and chemical facilities. Companies can only be expected to provide this information, however, if they are confident that it will be adequately protected from public disclosure and will not be inappropriately shared among government entities. Presently, the PCII, SSI and CVI programs provide some, but not absolute protection for confidential or business-sensitive information. These programs are likely to change in the future, however. Those companies that produce or handle information relevant to homeland security need to remain informed of the requirements and safeguards of these information protection regimes, in order to confidently provide the government with the information it needs to keep us all safe.