The Department of Homeland Security in April issued a notice of proposed rule making that has the potential to affect virtually every other government agency. This proposed rule contains the recipe for screening from public view all kinds of vital information about federal government actions. If it takes force, it may frustrate the missions of federal regulatory agencies and shield bad actors in the private sector, without fulfilling its intended purpose of improving the security of America’s critical infrastructure.

The ingredients for these results were put in place by part of the Homeland Security Act titled the Critical Infrastructure Information Act of 2002. This provision grants special protections to information marked as “critical infrastructure information,” to encourage the sharing of private-sector CII with the government. Affected infrastructure includes computer network and physical systems supporting energy, banking, telecommunications, transportation, and other vital services. The notice-and-comment period on the regulations implementing this provision remains open until June 16, 2003.

TOO MUCH INFORMATION

The new law essentially invites companies to dump irrelevant information on the government without any guarantee the government will be given access to key information needed to harden the defenses of critical infrastructures. The proposed rule gives no guidance to businesses on identifying needed CII or to agencies on how to deal with this information effectively once received. Information is useless when it just sits in an agency “in-box” awaiting processing.

By contrast, the benefits to businesses are fully spelled out. When the proposed rule goes into effect, information submitted, either orally or in writing, by businesses to any government agency will enjoy stringent nondisclosure protections and unprecedented limitations on the way agencies may use the information. To trigger these protections and limitations, all the businesses need to do is mark the information with the mantra: “This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.” Stamp vendors should take heed, since this “CII marking” could become ubiquitous on all submissions to the government, whether or not the information is actually helpful or even relevant to improving homeland security.

CII-marked information submitted to the government will enjoy special protections from disclosure to the public under the Freedom of Information Act, state “sunshine” laws, the Federal Advisory Committee Act, and even Congress, unless the submitter consents (or the matter is determined to fall within the congressional committee’s jurisdiction). In addition, CII-marked information may not be used directly in any civil action, even against persons other than the submitter, without the submitter’s consent. This is likely to produce additional litigation over whether the source of information used in regulatory or enforcement actions is CII-marked information or independently obtained.

Protections for CII-marked information were designed to respond to the excuses proffered by businesses to explain their reluctance to share information about vulnerabilities with the government. Congressional hearings dating back to the mid-1990s explored the reasons for the reluctance of businesses to share such information. In essence, companies were afraid that the government might actually act on the information — by issuing warnings alerting the public to problems or by prosecuting those persons responsible for the breach. The companies feared that government action might generate bad publicity and adversely affect stock values and customer confidence. In addition, companies were not convinced that the government could offer sufficient help in dealing with their problems to warrant incurring these risks.

Industry preferred the plan eventually adopted last year. But there are other options. One possible alternative is mandatory reporting. This is the method that California has adopted in a new law, effective July 1, requiring companies that hold personal information about California residents to disclose any breach in the security of that information to (among others) the resident or major statewide media. Similarly, pending legislation in the Senate would require chemical manufacturing facilities situated near large population areas to report to the government on plans to improve site security and reduce vulnerabilities to terrorist attacks.

BLAMING FOIA

Another alternative would be to protect the information under existing law — namely, FOIA. Instead, FOIA has become the scapegoat in this debate. That law contains exemptions from disclosure applicable to financial or commercial records, including those relating to critical infrastructures, voluntarily submitted to an agency. The U.S. Court of Appeals for the D.C. Circuit has held that such records are categorically exempt if the information is not “customarily” disclosed to the public by the submitter. In fact, at the prompting of Andrew Card Jr., the White House chief of staff, the Justice Department circulated guidance to all departments confirming that for sensitive but unclassified information, particularly relating to critical infrastructures, “voluntarily submitted to the Government from the private sector, such information may readily fall within the protection of Exemption 4” of FOIA.

This legal backdrop prompted one government expert, Michael Vatis, then the head of the FBI’s National Infrastructure Protection Center, to testify before a congressional committee that the “perception in the private sector that the government cannot adequately protect private sector information from disclosure under the Freedom of Information Act . . . is flawed.”

FOIA became the proverbial tail wagging the dog: While existing FOIA exemptions protected from disclosure business information voluntarily submitted to the government, private sector industries sought additional protections as the incentive to share information with the government. This effort finally paid off with passage of the Homeland Security Act and of the proposed CII regulations.

To be eligible for protection, several conditions must be met: The information is not customarily in the public domain. It is voluntarily submitted to “a covered Federal agency,” which is limited by definition to the Department of Homeland Security. And the submitter expressly identifies, in writing, the information, whether written or provided orally, as CII Act-protected information.

Of course, eligibility requirements are effective only if they are enforced. The Homeland Security Department’s proposed rule contains no effective policing mechanism for ensuring that only bona fide CII will be so marked. On the contrary, the proposed rule does not describe what exactly is covered by the CII Act and, instead, punts to the submitter the decision of whether information is covered.

This is not how FOIA works. There, the process gives agency officials — and ultimately the courts — the authority to review questions of whether information is voluntarily submitted or legally required. Moreover, FOIA requires that exempt information be segregated and redacted so that as much of an agency record as possible may be disclosed. But the plan for CII-marked materials contains no such segregation requirement. Consequently, agency documents relating to the safety of critical infrastructure facilities that are of enormous interest to the public but that reference or incorporate CII-marked information may be kept under wraps in their entirety.

To be sure, certain submissions are specifically barred under the Homeland Security Act from being marked as “CII” — for example, financial information submitted to the Securities and Exchange Commission or banking regulators, and information submitted or relied upon in making licensing or permitting determinations. But there are no penalties provided in the new law or the proposed rule for intentionally or negligently marking as “CII” information that is not.

THE PROGRAM MANAGER’S POWER

Savvy businesses will be able to mark every document handed over to, and every conversation they have with, government officials as “CII” to ensure their confidentiality. No matter which federal agency originally receives the information, all of these documents and CII-marked information will land on the desk of a new official called the CII program manager within the Department of Homeland Security. (Under the proposed rule, CII-marked information may be submitted to any federal agency, which is then required to forward the information to the Department of Homeland Security.)

The proposed rule does set up a review procedure for policing the accuracy of CII markings. But it is doomed to collapse into chronic delay, due to the volume of material that will inevitably be dumped on the Department of Homeland Security from all federal agencies. The only person with the authority to decide that information is improperly labeled by a business as “CII” is the CII program manager. The chronic complaints about FOIA delays and backlogs will pale by contrast.

Federal agencies may become supplicants to the CII program manager to remove the CII marking from information, so that agency officials may use the information without fear of job termination or criminal prosecution. Until the CII program manager decides that material is improperly marked as CII-protected, federal agencies are obligated to treat CII-marked material as properly marked. This presumption of protection applies even if the program manager determines that the CII marking is inaccurate. Before the CII designation is removed, the submitter is entitled to notice and an opportunity to explain the basis for the marking, and to express a preference for the material to be discarded in the event the designation is removed. The proposed rule places no time limits on when the CII program manager makes an initial determination that the CII marking is inaccurate, sends out a notice, or makes a final determination after the notice is sent to the submitter.

HURTING THE GOVERNMENT

By contrast, the law and proposed rule threaten job loss and misdemeanor criminal penalties for public servants within federal agencies who disclose or leak CII-marked information, even when the designation is patently wrong. Agency employees will be understandably chilled in using the information in any way without the express consent of the submitter. Indeed, the proposed rule directs federal agencies not to “utilize CII for regulatory purposes without the written consent of the submitter.”

Businesses gained significant new protections as an incentive to share CII with the government. Unfortunately, the incentives may work so well that the Department of Homeland Security becomes the dumping ground for large amounts of irrelevant and improperly marked business information that will make the job of effectively identifying and processing CII more difficult.

While businesses may have gotten their “wish list” of business information protections, this debate is not over. As the problems in implementation of the new law become apparent and potential abuses become a reality, the search for alternatives, including mandatory reporting, may begin anew.

Beryl A. Howell is executive vice president of Stroz Friedberg, a computer forensics and cybersecurity firm, and previously served as the general counsel for the Senate Judiciary Committee under then-Chairman Patrick Leahy (D-Vt.).


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.