Balancing Homeland Security and Freedom of Information

Sounds ridiculous,right?<br><br> Unfortunately,recent events have demonstrated all too vividly that worlds we once thought were distant are now colliding.The terrorists of September 11 availed themselves of the everyday freedoms that Amer- icans take for granted.Booking an airline ticket over the Internet,reserving a rental car,arranging for pilot training,and,in our environmental world,obtaining a hazardous substance transportation license are every- day activities in the U.S.which are now potential in- struments of war. Moreover,information may fall into the wrong hands without a direct request by a potential terrorist. Once information is released into the public domain,it becomes easily accessible.Commercial services that compile and organize public information into private databases for resale are commonplace.In fact,the bluntness of one recent e-mail solicitation from such a service is startling.The solicitation boasted access to cthousands of databases from around the world dand of- fered cto conduct in-depth background searches on in- A popular Government,without popular infor- mation,or the means of acquiring it,is but a prologue to a farce or a tragedy.<br><br> James Madison August 4,1822 T he hallmarks of America are our freedoms:free- dom of speech,freedom of association,freedom of movement,freedom of the press and,the sub- ject of this article,freedom of information.The terrorist attacks of September 11 have prompted a reevaluation of how each of these freedoms balances against the need for safety and security,and our approach to public access to information in the hands of the government is no different. Specifically,attention is focusing on the need for the protection of information relevant to the new war on terrorism 4a war in which domestic assets are both targets and weapons.Information and electronic access to it have become weapons in this new war.In the en- vironment,energy,and resources arena,information about power plants,pipelines,transmission systems, emergency preparedness,and hazardous and toxic ma- terials storage and transportation is directly relevant to homeland security.In a stark example,the Federal Bu- reau of Investigation (FBI) issued an alert to the oil and gas industry on November 26,2001,that terrorists may be planning an attack on natural gas infrastructure in the event that Osama bin Laden is captured or killed. But,despite the fact that ceverything has changed d in our post-September 11 world,policy decisions about our societal freedoms must be made with some histori- cal perspective.When Congress enacted the Freedom of Information Act (FOIA) in 1966,5 U.S.C.§ 552,it for- malized a principle which Americans have understood since the beginning of our republic 4that can informed citizenry is vital to the functioning of a democratic so- ciety, din words attributed to Thomas Jefferson.FOIA 9s drafters recognized that government accountability to the public was critical to a properly functioning gov- ernment and,more importantly,to a free society.<br><br> 139 NR&E Winter 2002 Balancing Homeland Security and Freedom of Information Stephen Gidiere and Jason Forrester Mr.Gidiere practices environmental and natural resources law with Balch & Bingham LLP in its Birmingham,Alaba- ma office.He may be reached at sgidiere@balch.com.Mr. Forrester is research director of the Nuclear Threat Reduc- tion Campaign.He may be reached at jason@vi.org. dividuals,companies,institutions and organizations in over 120 countries. dThe service claimed to use cintelli- gence-based software products to ferret out useful and relevant information on the targets of your inquiries d and even guaranteed that its celectronic searches are non-traceable to our clients,undetectable by the target and leave 8no footprints in the sand. 9 d(November 1, 2001 e-mail on file with the authors).<br><br> In addition to this avenue,immediate,direct, and free electronic access to information in the govern- ment 9s possession has become the norm.The Electronic FOIA Amendments of 1996 (E-FOIA),Pub.L.No.104- 231,110 Stat.3048,for example,require federal agen- cies to establish so-called electronic reading rooms. Basically,E-FOIA requires that records created by an agency after November 1,1996,be made available on the agency 9s website following a FOIA request,if cthe agency determines [the records] have become or are likely to become the subject of subsequent requests for substantially the same records. d5 U.S.C.§ 552(a)(2)(D). Importantly,electronic posting is not required for in- formation obtained by a federal agency from a private business or other entity.Rather,posting of such obtained information is within the discretion of the agency,subject to certain re- strictions like copyright laws.<br><br> See 5 U.S.C.§ 552(a)(2);U.S.Department of Justice, FOIA Update ,Vol.XVIII, No.1 (Winter 1997) (the complete text of all issues of DOJ 9s FOIA Up- date cited in this article can be ac- cessed at www.usdoj. gov/oip/foi-upd.htm).Because a large of amount of homeland securi- ty information,such as critical infra- structure information,is obtained from private parties,agencies can use their discretion not to post that information.However,once an agency incorporates or summarizes such information into a newly creat- ed record (as agencies are wont to do),the record be- comes subject to the mandatory posting requirement. Prior to September 11,agencies flooded their web- sites with information,not only to comply with E-FOIA, but also to regulate through disclosure and to ease their own administrative burden of responding to writ- ten requests.But since September 11,agencies have done an about-face and have rushed to remove informa- tion from their websites that they deem may be useful to would-be terrorists.<br><br> For example,the Nuclear Regulatory Commission (NRC) initially took its entire website offline and has subsequently begun cdeploying its newly redesigned public Web site in a phased approach following a thorough review of all information at the site. d See www.nrc.gov,visited Nov.9,2001.The State of New Jer- sey,a leader in regulation through disclosure of infor- mation collected under its Community Right-to-Know Survey,has pulled the plug on Internet access to its fa- cilities database,which includes information about haz- ardous materials storage. See www.state.nj.us/ NASApp/pCRTK/jsp/ecrtkview.jsp,visited Nov.28,2001 ( cThe Public Access System is temporarily unavail- able. d).The Federal Energy Regulatory Commission (FERC) announced that in light of September 11 it was removing information from its website containing spec- ifications of certain energy facilities it licenses. See 66 Fed.Reg.52,917 (2001).To obtain such materials,inter- ested persons must submit a written FOIA request.<br><br> There are numerous other examples:the Depart- ment of Energy removed its National Transportation of Materials site;the U.S.Geological Survey removed a number of water resource reports from its site and re- quested that its CD-ROM publication on large public surface water supplies be removed from circulation and destroyed;and the Department of Transportation 9s Office of Pipeline Safety removed pipeline mapping data from its site. It is not yet clear whether this quick response by federal and state agencies will result in the permanent withholding of the types of records that were once readily available or whether it is simply a temporary reaction.No doubt the reevaluation now taking place at many agencies involves an analysis of the various FOIA exemp- tions that could be used to protect homeland security information ei- ther from traditional written disclo- sure or electronic posting.This article first discusses FOIA 9s Exemp- tions 1 (classified information),2 (internal agency procedures),and 4 (confidential business information), in an attempt to determine their ef- ficacy in preventing the release of information relevant to homeland security and the need for legislative or administrative changes.This arti- cle also discusses legislation pending in Congress that would prohibit the release of critical infrastructure in- formation via FOIA 9s Exemption 3. In addition to the language of the exemptions and the relevant case law,these exemptions must now be read in light of Attorney General Ashcroft 9s October 12,2001 memorandum to all federal agencies on FOIA implementation (Ashcroft Memo).It has become the tradition since the Carter administration for Attorneys General to issue memos to the agencies describing the Department of Justice 9s (DOJ) policy for defending agencies in their decisions to withhold documents.<br><br> See, e.g., Attorney General Reno 9s FOIA Memorandum to Heads of Departments and Agencies (Oct.1993) (Reno 140 NR&E Winter 2002 FOIA 9s drafters recognized that government accountability to the public was critical to a properly functioning government. Memo).The Ashcroft Memo states that DOJ will defend agency withholdings cunless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other impor- tant records. d This csound legal basis dstandard is much more slanted toward withholding than the standard an- nounced in 1993 by Attorney General Reno.The Reno Memo instructed agencies to use their discretion to re- lease records 4even where they qualified for an ex- emption 4unless release would cause cforeseeable harm dto the purposes for which the exemption was es- tablished.The Ashcroft Memo does not explicitly state that it was promulgated in response to September 11, but its more liberal withholding policy will certainly af- fect agencies 9implementation of the exemptions dis- cussed below. Exemption 1:Classified Information Perhaps the most obvious place to begin a discus- sion of whether FOIA is effective in protecting home- land security information is Exemption 1.Exemption 1 protects information classified pursuant to an applica- ble executive order.The operative executive order today is Executive Order No.12,958 issued by Presi- dent Clinton in 1995 (and amended in 1999 by Execu- tive Order No.13,142).<br><br> See Exec.Order No.12,958,60 Fed.Reg.19,825 (1995) (Clinton Executive Order).It is the fifth in a series of such executive orders,the first of which was issued by President Truman in 1951. The categories of information that may be classi- fied under the Clinton Executive Order are broad enough to include homeland security information.In- formation may be classified if it concerns scientific, technological,or economic matters relating to the na- tional security;a U.S.government program for safe- guarding nuclear materials or facilities;or vulnerabilities or capabilities of systems,installations,projects or plans relating to the national security. See Clinton Executive Order § 1.5.Not surprisingly,military,intelligence,and foreign relations information is also eligible for classifi- cation.<br><br> See id. Information falling within any of these categories may be classified if its release creasonably could be expected to result in damage to the national security dand that damage is identified or described by the classifying agency. Id.<br><br> § 1.2(a)(4). The Clinton Executive Order is significant as a re- action to the perceived excessive secrecy of the govern- ment during the Cold War period.The Clinton Executive Order was an attempt to loosen control and to speed the declassification of information within the government 9s control. In this vein,the executive order preamble states: Our democratic principles require that the American people be informed of the activities of their Govern- ment....Nevertheless,throughout our history,the na- tional interest has required that certain information be maintained in confidence in order to protect our citi- zens,our democratic institutions,and our participation within the community of nations....<br><br> In recent years, however,dramatic changes have altered,although not eliminated,the national security threats that we con- front.These changes provide a greater opportunity to emphasize our commitment to open Government. (Emphasis added). More than six years later,the question today is whether the reality of terrorism warrants a reevaluation of this premise and the trend toward openness reflect- ed in the Clinton Executive Order.A look at some of the details of the Clinton Executive Order can help an- swer that question.<br><br> The Clinton Executive Order differs most signifi- cantly from its predecessor (Exec.Order No.12,356 is- sued by President Reagan) with respect to the new procedures and presumptions put in place.These new procedures encourage the classification of less informa- tion and the faster declassification of more information. For example,among other things,the Clinton Executive Order:(1) places a general ten-year limit on classifica- tions (the Reagan Executive Order had no limit);(2) es- tablishes an automatic declassification mechanism (the Reagan Executive Order had no such mechanism);(3) removes certain presumptions of classified status (the Reagan Executive Order contained three presumptions of classified status);and (4) creates a mechanism for agency personnel to challenge classification decisions to an Interagency Security Classification Appeals Panel (the Reagan Executive Order had only a limited internal appeals process for certain donated records). One question that must be addressed today is whether these new procedures should be reversed in favor of reestablishing greater secrecy.The most obvi- ous argument against reversal is that the September 11 terrorists apparently did not utilize previously classified information.Moreover,the Clinton Executive Order was only one response to widespread criticism of the classi- fication process following the end of the Cold War.The government was,and still is to some,keeping too much information classified.<br><br> For example,the classification process was the focus of the bipartisan Senate Commission on Protect- ing and Reducing Government Secrecy,chaired by Sen- ator Daniel Patrick Moynihan (D-NY) and including Republican foreign relations heavyweight Senator Jesse Helms (R-NC).The commission issued a unanimous re- port in 1997.Among its key findings were:(1) that se- crecy is itself a type of government regulation,and (2) that excessive secrecy has significant consequences when policymakers are not fully informed,the govern- ment is not held accountable for its actions,and the public cannot engage fully in informed debate. See S. D OC .N O .105-2 (1997).In the words of the Commis- sion, c[t]he classification system ...is used too often to deny the public an understanding of the policymaking 141 NR&E Winter 2002 process,rather than for the necessary protection of in- telligence activities and other highly sensitive matters. d Thus,the struggle to bring more accountability to the classification process has been long and hard fought,and reversing that trend could have wider poli- cy implications than necessary to address current con- cerns.Greatly limiting public access prevents the widest array of minds and institutions from working to reduce our vulnerabilities.Additionally,agencies already have the upper hand over the public in the classifica- tion process 4they receive considerable deference on judicial review of their classification decisions.<br><br> Prior to September 11,the Bush administration ini- tiated an interagency review of Exec.Order No.12,958 as part of a general review of policies of the prior ad- ministration.The intervening events of September 11 are sure to influence that review.A complete discus- sion of all the potential issues involved in such a review is well beyond the scope of this article.Suffice it to say, however,an overhaul of the current executive order may not necessarily be the most effective way to pro- tect homeland assets against terror- ist threats 4particularly given the availability of other FOIA exemp- tions as discussed below. There are ways to work within the confines of the current execu- tive order to address current events, and President Bush has already shown an inclination to do so.On December 10,2001,President Bush acted pursuant to the Clinton Exec- utive Order to grant the Secretary of Health and Human Services (whose agency is on the front line of the bioterrorism war) the authority to classify information as secret. See 66 Fed.Reg.64,345 (2001).Perhaps another simple way to guarantee that homeland security interests are appropri- ately considered under Exemption 1 is for the President to include the new Director of the Office of Homeland Security Thomas Ridge on the Interagency Security Clas- sification Appeals Panel.The President could also re- view the membership of the Information Security Policy Advisory Council,a federal advisory committee that ad- vises the President on the classification process,to en- sure that it includes sufficient representation of industries relevant to homeland security.<br><br> Exemption 2:Risk of Circumvention On its face,Exemption 2 does not seem to support the withholding of homeland security information.The exemption applies to information crelated solely to the internal personnel rules and practices of an agency. d5 U.S.C.§ 552(b)(2).Courts have recognized,however, that Exemption 2 applies not just to trivial internal mat- ters like sick leave and parking policies (called cLow 2 d information),but also to more substantial information, the disclosure of which would assist lawbreakers (called cHigh 2 dinformation).Typically,High 2 informa- tion includes things like law enforcement manuals, guidelines for conducting investigations or conducting litigation,and information that would reveal the identi- ty of confidential informants or undercover agents. The seminal case recognizing the High 2 category, Crooker v.ATF ,670 F.2d 1051 (D.C.Cir.1981),set out the two-part test still used today:(1) the requested doc- ument must be cpredominantly internal dand (2) its dis- closure must significantly risk the circumvention of agency regulations or statutes or impede the effective- ness of law enforcement activities. In the wake of September 11,the DOJ 9s Office of In- formation and Privacy (OIP) is encouraging agencies to use Exemption 2 to protect certain information about critical domestic assets.In an epi- logue to the Ashcroft Memo,OIP di- rected that c[a]gencies should be sure to avail themselves of the full measure of Exemption 2 9s protection for their critical infrastructure infor- mation as they continue to gather more of it,and assess its heightened sensitivity,in the wake of the Sep- tember 11 terrorist attacks. d See OIP, New Attorney General FOIA Memo- randum Issued ,posted Oct.15, 2001,available at www.usdoj.gov/ oip/foiapost/2001foiapost19.htm.<br><br> OIP specifically instructed federal agencies that vulnerability assess- ments of ccritical systems,facilities, stockpiles,and other assets dshould be protected from disclosure under the High 2-prong of Exemption 2. An oft-cited example of such a vulnerability assess- ment is the computer security plans that the Computer Security Act of 1987,Pub.L.No.100-235,101 Stat.1724, requires federal agencies to prepare.These plans de- scribe the vulnerability of federal computer systems and the security measures taken to protect them from unau- thorized access or tampering.Since as early as 1989, DOJ has been encouraging the withholding of these plans. SeeFOIA Update ,Vol.X,No.3 (Summer 1989).<br><br> But information about the vulnerability of private assets,unlike an agency 9s assessment of its own assets, is not as clearly protected by Exemption 2.Exemption 2 applies only to an agency 9s cpredominantly internal d records,which seems to exclude records submitted by an outside private party.It could be argued,however, that this distinction is too simplistic.Courts often ad- dress the cpredominantly internal drequirement when the document in question essentially establishes a legal 142 NR&E Winter 2002 On its face, Exemption 2 does not seem to support the withholding of homeland security information. norm.In other words,if the agency documents concern standards for regulating the public (often termed cse- cret law d),then Exemption 2 will not protect them. See Cox v.DOJ ,601 F.2d 1 (D.C.Cir.1979).So,perhaps fo- cusing the cpredominantly internal dinquiry on the use to which an agency puts a particular piece of informa- tion,and not on its original source,would allow an agency to withhold information about the vulnerability of private assets.<br><br> Even DOJ 9s OIP 4which discharges DOJ 9s adminis- trative and policy responsibilities under FOIA and pro- motes governmentwide compliance with the Act 4has not clearly stated whether Exemption 2 could be used to protect vulnerability and infrastructure information submitted to an agency by a private entity regarding nonagency assets.OIP 9s 1989 guidance on vulnerability assessments mentions only one example of the success- ful withholding of such information (regarding threat levels at nuclear facilities) but that information was pro- tected under Exemption 1.DOJ 9s annual FOIA Guide , going a bit further,states that vulnerability assessments that properly fall within Exemption 2 cgenerally assess an agency 9s vulnerability (or that of another institu- tion) to some form of outside interference or harm by identifying those programs or systems deemed the most sensitive and describing specific security measures that can be used to counteract such vulnerabilities. dU.S.De- partment of Justice, Freedom of Information Act Guide & Privacy Act Overview (May 2000),at 125 (emphasis added) ( FOIA Guide ).Perhaps sensing the uncertainty on the issue,OIP 9s epilogue to the Ashcroft Memo does not directly address the issue of nongovernmental as- sets,perhaps anticipating a legal challenge down the road.The clear implication of OIP 9s epilogue is that such information is protected by Exemption 2. Given this uncertainty,agencies may be searching for additional support for their decisions to withhold vulnerability and infrastructure information submitted by private entities.Agencies may find this additional support in Exemption 4,below. Exemption 4:Confidential Business Information Exemption 4 of FOIA exempts from disclosure ctrade secrets and commercial or financial information obtained from a person and privileged or confidential. d 5 U.S.C.§ 552(b)(4).Most information protected by Ex- emption 4 falls within the second part of this language as cconfidential business information dor cCBI. d The parameters of what qualifies as CBI have been fleshed out over the years,beginning with the seminal case of National Parks & Conservation Association v.<br><br> Morton ,498 F.2d 765 (D.C.Cir.1974). National Parks recognizes that information is protected as CBI if its re- lease would either:(1) impair the government 9s ability to obtain necessary information in the future,or (2) cause substantial harm to the competitive position of the person from whom the information was obtained. See id.<br><br> at 770. The National Parks test was subsequently refined by Critical Mass Energy Project v.NRC ,975 F.2d 871 (D.C.Cir.1992).Under Critical Mass ,the first determina- tion to be made is whether the information was submit- ted to the government cvoluntarily dor whether it was required to be submitted.If the information was given over to the government voluntarily,then the only ques- tion is whether it is the type of information that cfor whatever reason,would customarily not be released to the public by the person from whom it was obtained. d Id. at 878.If the business was compelled to provide the information,then essentially the two prongs of the Na- tional Parks test apply.The Critical Mass test for CBI is the most modern interpretation of Exemption 4 4the D.C.Circuit generates more FOIA law than any other cir- cuit and is generally thought to be on the cutting edge of those issues.Despite this,not all federal circuits have adopted the Critical Mass approach to CBI.<br><br> Exemption 4,then,seems to protect just the type of homeland security information only questionably pro- tected by Exemption 2 4vulnerability and infrastructure information submitted to agencies by private entities about private assets.First,if the information is cvoluntari- ly dsubmitted,it would seem that such critical informa- tion is not the type of information that would be ccustomarily released dby the business.Moreover,even if the information is required to be submitted (or in a ju- risdiction that has not adopted Critical Mass ),vulnera- bility and infrastructure information is competitive in nature.Destruction of a business 9s facility or equipment would undoubtedly cause it csubstantial competitive harm d 4just ask the airlines,who would be out of busi- ness after September 11 without a federal bailout. In addition,Exemption 4 (unlike Exemptions 1 and 2) provides an existing procedural mechanism for the sub- mitting business to explain to the agency why the infor- mation is critical and,therefore,protected from disclosure. With homeland security information 4which often in- volves private,not public,assets 4this is particularly im- portant,as recognized by Director Ridge.In recent remarks about the security of critical information infra- structure systems,Director Ridge described the protection of such systems as ca political challenge,because the gov- ernment must act in partnership with the private sector, since most of the assets that are involved in this effort are owned by the private sector,which owns and operates the vast majority of America 9s critical infrastructure. dRe- marks of Director Ridge,October 9,2001,available at www.whitehouse.gov/news/releases/2001/10.<br><br> Exemption 4 provides just such an opportunity for partnership.EPA 9s regulations,for example,require the agency,upon receipt of a FOIA request,to make a pre- liminary determination of CBI status and then,prior to making a final determination,provide the submitting 143 NR&E Winter 2002 business with an opportunity to provide csubstantiation comments din support of the business 9s CBI claim. See generally 40 C.F.R.Part 2,Subpart B.This opportunity to share information about the nature of submitted in- formation is not unique to EPA 9s procedures.Executive Order No.12,600 requires all agencies to provide sub- mitters advance notice and opportunity to comment prior to release of information claimed as CBI. Equally important to protecting the information it- self from release is the need to protect these substantia- tion comments.Such comments are themselves essentially a vulnerability assessment of the infrastruc- ture or asset described in the originally submitted infor- mation.In recognition of the importance of receiving full and open comments from the private sector,EPA 9s regulations provide that substantiation comments sub- mitted by a business to EPA are themselves given auto- matic confidential treatment.<br><br> See 40 C.F.R.§ 2.205(c). In a pre-September 11 proposal that is still pending, EPA has proposed to eliminate this automatic confiden- tial treatment for substantiation comments,and instead to subject the comments to the process of preliminary determina- tion,comment,and final determina- tion. See 64 Fed.Reg.57,421 (1999).In light of September 11, EPA should consider withdrawing this proposal.<br><br> Another area for administrative action under Exemption 4 is formal acknowledgment and application of the so-called mosaic effect.The mosaic effect recognizes that an in- dividual piece of information, which alone may not qualify as CBI,may be combined with other pieces of information to cause sub- stantial competitive harm.This common-sense approach prevents the piecemeal accumulation of critical security informa- tion.With the ubiquitous existence of private informa- tion hawkers,finding all of the other pieces is not difficult.Courts have applied the mosaic effect to pre- vent the disclosure of CBI, see,e.g.,Tinken Co.v.U.S. Customs Service ,491 F.Supp.557 (D.D.C.1980),and Exec.Order No.12,958 uses the mosaic effect for clas- sified information protected under Exemption 1.OIP should encourage the agencies to consistently apply it under Exemption 4 as well. One high-profile situation in the environmental arena where Exemption 4 may come into play is EPA 9s recent decision to pull from its website portions of Risk Management Plans (RMPs) once thought innocu- ous.<br><br> See www.epa.gov/ceppo/review.htm,visited Dec. 10,2001 ( cRMP files that do not contain [off-site conse- quences analysis] information have been temporarily removed by EPA from its website in light of the Sep- tember 11 [attacks].EPA is reviewing the information we make available over the Internet and assessing how best to make the information publicly available.We hope to complete that effort as soon as possible. d). Under Clean Air Act § 112(r),certain private facili- ties must submit RMPs to EPA.RMPs provide informa- tion about regulated substances used at a facility, including a hazard assessment,a release prevention plan,and an emergency response plan 4types of infor- mation that seem obviously relevant to homeland secu- rity.A particularly sensitive piece of an RMP is the off-site consequences analysis (OCA) that describes worst-case accident scenarios.<br><br> Clean Air Act § 112(r) requires that RMPs be made available to the public pursuant to Section 114(c) of the Act.EPA initially proposed to carry out this disclosure provision by posting RMPs,including OCAs,on its web- site.EPA 9s electronic access proposal prompted a firestorm of protest,including from law enforcement and intelligence agencies that argued that OCA information would assist would-be terrorists in targeting U.S.facili- ties.Ultimately,Congress stepped in and added a new subsection (H) to Section 112(r) that specifically ad- dressed the public availability of OCAs. See Chemical Safety Informa- tion,Site Security and Fuels Regulato- ry Relief Act,Pub.L.No.106-40,113 Stat.207 (1999).EPA issued its imple- menting regulations on August 4, 2000. See 65 Fed.Reg.48,107 (2000).<br><br> Detailed discussions of the new subsection (H) and EPA 9s implemen- tation of it are beyond the scope of this article.In general,the new rules provide for various levels of access to certain OCA information.Under the rules,the most sensitive informa- tion is available for review in paper form in a limited number of physical reading rooms, while less sensitive information is posted on EPA 9s web site along with cnon-OCA dRMP information.But,in the wake of September 11,EPA pulled all RMP information from its website,even non-OCA information not subject to subsection (H).Many are complaining about this move,characterizing it as a backdoor way to protect in- dustry from embarrassing and indicting information.EPA is now faced with the unenviable job of having to strike the difficult balance between the need for citizens to know about the facilities in their back yards and the need to protect those facilities from a terrorist threat. Exemption 4 may play into the analysis regarding non-OCA RMP information not subject to the new sub- section (H) or EPA 9s regulations implementing it.As mentioned above,RMPs are to be released to the public cunder section 7414(c) dof the Act.That section explic- itly requires the withholding of certain competitively 144 NR&E Winter 2002 The CIISA has been severely criticized as creating a major new loophole to FOIA 9s right of public access. valuable information,namely cmethods or processes en- titled to protection as trade secrets. dOne could argue that this ctrade secret dexception is not as broad as CBI under Exemption 4,but EPA has not historically inter- preted Section 114(c) that narrowly.<br><br> EPA struggled with the meaning of this phrase when developing its initial regulations implementing Section 114(c).Ultimately,EPA concluded that Section 114(c) protects a broader class of business information than the narrow phrase cmethods or processes entitled to protection as trade secrets dmay at first suggest.The regulations,now found at 40 C.F.R.Part 2,Subpart B, were based on an understanding that Section 114(c) protects cdata which in many cases businesses regard as confidential,such as operating costs,profits and loss- es,details of transactions with others,plans for capital investment,marketing information,proposed new prod- ucts,input and output rates,and similar information. d40 Fed.Reg.21,987,21,990 (1975) (proposed rule);41 Fed.Reg.36,902 (1976) (final rule). This broad interpretation of Section 114(c) seems to be consistent with the language of Section 114(c) and the legislative history of the Clean Air Act Amend- ments of 1970.Section 114(c) specifically references the Trade Secrets Act (TSA),a statute with a sweeping disclosure prohibition.Moreover,the legislative history of the Clean Act Air Amendments of 1970 indicates that Congress intended Section 114(c) to protect from disclosure the same information that falls within the scope of the TSA. See S.R EP .N O .91-1196,at 19 (1970).<br><br> How EPA will resolve the issue of RMPs,and whether Exemption 4 will play a role,is still uncertain. Exemption 3:The Critical Infrastructure Information Security Act of 2001 An additional basis being considered for use in pro- tecting homeland security information is Exemption 3. Exemption 3 protects information cspecifically exempt- ed from disclosure by statute ...provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue,or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld. d5 U.S.C.§ 552(b)(3).The Critical Infra- structure Information Security Act of 2001 (CIISA), S.1456,was introduced in the Senate on September 24, 2001,by Senators Robert Bennett (R-UT) and Jon Kyl (R-AZ) in an attempt to use Exemption 3 to protect cer- tain homeland security information.<br><br> The stated purpose of the CIISA is to cfacilitate the security of the critical infrastructure of the United States,to encourage the secure disclosure and protect- ed exchange of critical infrastructure information,to enhance the analysis,prevention,and detection of at- tacks on critical infrastructure,to enhance the recovery from such attacks,and for other purposes. d To effectuate this cprotected exchange, dthe CIISA exempts from disclosure under FOIA ccritical infrastruc- ture information that is voluntarily submitted dto one of thirteen covered federal agencies (including EPA).The CIISA has been severely criticized as creating a major new loophole to FOIA 9s right of public access.But whether the CIISA 9s disclosure exemption is either cnew dor cmajor dis subject to debate.In fact,much,if not all,of the information that falls within the ambit of the CIISA may be protected already by Exemption 4. Significantly,the CIISA protects only cvoluntarily d submitted critical infrastructure information.This sounds very similar to cvoluntarily dsubmitted commer- cial or financial information protected by the Critical Mass interpretation of Exemption 4.Given that infor- mation is generally considered ccommercial or finan- cial dunder Exemption 4 if it simply relates to a business or trade, seeFOIA Guide at 165,the CIISA seems to address a subset of Exemption 4 business in- formation.The only difference is that,under Critical Mass , cvoluntarily dsubmitted information is considered cconfidential donly if it is not the type of information that the business would normally provide to the public. But this public availability limitation may be built into the CIISA,which notes that critical infrastructure infor- mation is in fact cnot normally in the public domain. d Thus,the CIISA 9s definition of cvoluntary dis a criti- cal facet of the bill.Under the proposed legislation,vol- untary means the csubmittal of the information or records in the absence of an agency 9s exercise of legal submission. dDOJ 9s OIP reads the term cvoluntary dto mean essentially the same thing in the Exemption 4 and Critical Mass context.OIP says that an information submission is voluntary unless the collecting agency ac- tually exercises its valid authority to collect the infor- mation.<br><br> SeeFOIA Guide at 174. So why the debate? Why does the CIISA itself find that cFederal law provides no clear assurance that criti- cal infrastructure information voluntarily submitted to the Federal Government will be protected from disclo- sure or misuse d?<br><br> One reason may be that the Critical Mass test for voluntarily submitted business informa- tion has not been adopted by all federal circuits and has not been incorporated into all federal agencies 9CBI regulations.Perhaps it should be 4or perhaps in essence it will be for infrastructure information if the CIISA is enacted. As America learned on September 11,terrorism is real and in our backyard.No less real is the current war against terrorism.On the information front of that war, government agencies are struggling to balance the im- portant functions served by the public 9s access to infor- mation with the well-recognized need for domestic security.In the end,the tug of war between disclosure and protection 4whether taking place in a court,be- fore Congress,or in an executive agency 4may be as important to our democracy as the result itself. 145 NR&E Winter 2002<br><br>

less