Protected Critical Infrastructure Information
Reducing the risk of risk assessment

By Steven A. Adelman, Esq.

A man in New Jersey requested topographic maps from his town government. He wanted them in digital format, rather than just paper maps. In digital format, the data would’ve included not only the maps, but also detailed information on the town’s water treatment facilities, computer information systems and utility distribution lines. His request was properly filed under the state open public records law. But the town denied his request. So he sued — and he lost.1

This article explains why the man lost his legal battle, and why his loss is the gain of every public assembly facility.

The town had submitted the data to the Department of Homeland Security (DHS) for protection under the Critical Infrastructure Information Act of 2002 (the “CII Act”).2 The CII Act, like DHS itself, was part of Congress’ response to the terrorist attacks of Sept. 11, 2001.

The goal was to encourage privately owned and operated facilities to share security information with the government by giving that information broad protection from unwanted scrutiny, particularly public records disclosure laws3 and document requests and subpoenas in litigation.4

Through the CII Act, DHS extends facility managers the following offer: If you do the work to assess your building’s vulnerability to terrorism and other threats to safety, such as through IAAM’s Vulnerability Identification Self Assessment Tool (“ViSAT”), the government will make it almost impossible for either bad guys or lawyers to get it. In other words, the CII Act allows a facility to consider worst-case scenarios without giving a roadmap to people intent on doing harm.

“Critical Infrastructure Information” Defined
To be protectable as “critical infrastructure information” under the CII Act, information must satisfy the following elements: (1) The information must relate to a public facility’s security; (2) it must include an evaluation of the venue’s vulnerability to “interference, compromise, or incapacitation,” including past operational problems or solutions; and (3) the information must not already be in the public domain.5 ViSAT meets all these criteria.

Benefits of CII Designation
A facility manager doesn’t have to wait to know whether the information submitted to DHS is safe from public scrutiny. With the ViSAT program, for example, full protection under the statute attaches immediately after the submitter clicks “SUBMIT FOR REVIEW,” no matter how long it takes DHS to actually review the submission. Anything submitted pursuant to the CII Act is presumptively validated as critical infrastructure information and given full protection from disclosure, “unless and until” DHS reaches a final decision to the contrary.6

Once information is designated as CII, it can be shared only among government agencies dealing with homeland security. This can range from exotic-sounding federal agencies like the National Cyber Security Division to the most humble town council. But for all government entities, the rules are the same. They may use critical infrastructure information only to “prepare advisories, alerts, and warnings to relevant companies, targeted sectors, governmental entities, ISAOs7 or the general public regarding potential threats and vulnerabilities to critical infrastructure,”8 or to help the government prosecute a crime.9

Other than these exceptions, a government entity that wants to use material submitted to DHS for any other purpose must file a written request with the federal government.

Limits of CII Protection
In most respects, the CII Act is a win-win situation. From the facility manager’s perspective, CII designation removes the possibility that the wrong people could obtain safety information such as building evacuation plans, wiring diagrams that could disable emergency power, or vulnerable access points for drinking water or fresh air. This comprehensive veil of privacy allows you to examine and improve security outside the view of the people who would use that information to do harm.

The federal government also benefits.

Since Sept. 11, the government has taken a strong interest in encouraging emergency preparedness, and in improving its ability to coordinate disaster responses at public facilities.

By funneling critical infrastructure information into DHS, and then out to other emergency management agencies, the government’s knowledge about vulnerabilities and response planning should be better coordinated.

However, a few words of lawyerly caution are necessary.

CII protection is not absolute. In a lawsuit, a court could order disclosure of information in a ViSAT submission if it’s directly related to someone’s injury. Consider a stadium’s electrical diagrams. The electrical grid would almost certainly be protected critical infrastructure information. But if someone were electrocuted in the building, the victim’s lawyer would likely demand the wiring diagrams to locate the cause of the jolt.

A judge would then have to decide how far CII protection goes under these circumstances. An educated guess is that the more compelling the need for the otherwise protected information, the more likely the protection will be lifted for this limited purpose. Only when more courts have ruled on CII challenges will anyone know for sure.

In the far more likely situation where confidentiality is upheld, there are still risks. Again using the electrocution example, say the judge upholds the CII designation, as in the New Jersey lawsuit. It isn’t too cynical to suggest that once a jury starts deliberating, it might consider anything in which it has an interest, even if the judge has instructed it otherwise.

Conceivably, this could include whether the stadium sought CII protection to hide a wiring defect. Lawyers and risk managers have war stories about settling even seemingly defensible claims because of the possibility that a jury’s curiosity would lead it to a disastrously costly verdict.

Protecting critical infrastructure information from inappropriate disclosure helps improve the national defense by allowing government agencies to share and coordinate with each other.

As well, each venue benefits from a careful security examination without fear that the information will fall into the wrong hands. Although CII designation isn’t an absolute guaranty of confidentiality, that risk is inherent in nearly any legal protection. Without a doubt, the far greater risk from both a legal and a public safety standpoint would be for a venue to do nothing at all.

Steven A. Adelman is an attorney specializing in entertainment law and litigation with Renaud Cook Drury Mesaros, PA in Phoenix, Ariz. He can be reached at sadelman@rcdmlaw.com.

 
 

© 2002-2007 International Association of Assembly Managers  635 Fritz Dr. 
Coppell, TX 75019 USA   Phone: 972/906-7441 Fax: 972/906-7418