HR 3258 Analysis – Protected Information

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 Analysis – Vulnerability Assessments HR 3258 Analysis – IST Assessments HR 3258 Analysis – VA-SSP Review One of the continuing controversies regarding security programs at chemical facilities, including water treatment plants, is allowing public access to public safety related security information. This legislation takes a fairly conventional type approach by limiting access to specific sensitive information, while requiring information sharing among affected parties. The term ‘affected parties’ includes emergency response agencies, State and local officials, and employees, but does not include the neighboring public. Section 1433(l) does not assign the protected information to any of the current categories of controlled but unclassified information, nor does it try to specifically create a new standard. It does specify SSI protections in some cases and lists protection requirements in other cases. This cut and paste information protection scheme is confusing and part of the larger problem that the government is having in trying to determine how to protect security information for private companies. Freedom of Information Act Exemption Section 1433(l)(1) specifically exempts the ‘protected information’ from public disclosure “under section 552 of title 5, United States Code” and similar State, local or tribal laws. This means that the general public, including news agencies, has no rights to access the information. Security personnel will certainly agree with this exemption while environmentalists and local activists will feel that it shuts them out of determining if the facility is taking adequate measures to protect the public. This is a continuing source of conflict between these two groups and is aggravated in this case by the fact that most of the covered facilities will be publicly owned facilities. Sharing Requirements Section 1433(l)(2)(a) specifies that the regulations developed to implement this legislation will make provisions for sharing ‘protected information’ with a wide variety of categories of personnel. Those categories include:

Federal, State, local, and tribal authorities, First responders and law enforcement officials, Designated supervisory and non-supervisory covered water system personnel with security, operational, or fiduciary responsibility for the system, and Designated facility employee representatives, if any.

Specific provisions in this section require sharing of information related to employee responsibilities for actions under facility Site Security Plan. The complete Vulnerability Assessment and Site Security Plan must be made available to “a representative of each certified or recognized bargaining agent representing such employees”. Presumably this is to allow the experts within those labor organizations to review those documents and ensure that adequate measures are being taken to protect their members from the results of ‘an intentional act’. With the wide number of personnel given access to ‘protected information’ under these provisions, the legislation attempts to limit the subsequent spread of such information by providing sanctions against the unauthorized disclosure of such information. Anyone “who purposefully publishes, divulges, discloses, or makes known protected information in any manner or to any extent not authorized by the standards set by the Administrator” {§1433(l)(2)(B)} may be imprisoned or fined for a misdemeanor violation in accordance with chapter 227 of title 18 USC. Sensitive Security Information This legislation does not make the ‘protected information’ Sensitive Security Information under §525 of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109–295; 120 Stat. 1381). Section 1433(l)(3) does, however, provide the same protections to the ‘protected information’ in ‘adjudicative proceedings’. Thus, the SSI disclosure rules do apply in administrative hearings and court cases. Definition of ‘Protected Information’ The drafters of this legislation start their discussion of what is covered as ‘protective information’ by describing what is not included in that term. First {§1433(l)(4)} they note that the ‘protective information’ protections do not apply to any information required to be submitted to other Federal, State, tribal or local government agencies under any other laws. This should prevent the information disclosure problems seen in the recent CSB investigation of the Bayer CropScience incident, but I would be more comfortable if CSB and other Federal, state and local accident investigations were specifically addressed in the language. Next {§1433(1)(5)} notes that the ‘protected information’ provisions of this legislation may not be used to prohibit sharing information with Congress. That section does not exempt members of Congress or their staffs from subsequent unauthorized disclosure sanctions of §1433(l)(2)(B). I suspect that constitutional scholars would assert that there were other provisions of the Constitution that would protect actual members from those sanctions. Finally, §1433(l)(7) provides a typical list of the types of documents that would be considered ‘protected information’. Even then only specific portions of those documents would meet that definition. Only portions that would be detrimental to the security of the facility, or other covered facilities, if disclosed could be protected. Even then, that information only becomes protected if it was developed “exclusively for the purposes of this section” {§1433(l)(7)(B)(ii)}. This would mean, for example, that the amount of a substance of concern stored on site could not be considered ‘protected information’. Exclusions The final part of the ‘protected information’ portion of this legislation is the ‘exclusions’ paragraph {§1433(l)(7)(C)}. This reiterates most of the previously described types of information that cannot be considered ‘protected information’. One sub-paragraph that appears to be a simple re-wording of previously stated exemption deserves special recognition:

‘‘(i) information that is otherwise publicly available, including information that is required to be made publicly available under any law;”

This section would appear to allow any State, tribal or local government to pass a law that would make any security information publicly available. I’m sure that this is not what was intended, but the broad wording of the section certainly allows for that interpretation. There is certainly a conflict between this section and the wording of §1433(l)(1)(B), but that conflict could be explained away by stating that the earlier wording only applies to ‘protected information’ while the latter wording allows the for the exemption of information being considered ‘protected information’.