Volume 19, Number 6
September 2002
ENVIRONMENTAL LAW
BALANCING HOMELAND SECURITY AND FREEDOM OF INFORMATION
By Stephen Gidiere and Jason Forrester
The terrorist attacks of September 11 have prompted a
reevaluation of our approach regarding public access to
information in the hands of the government. Attention is focusing
on the need to protect information relevant to the war on
terrorism, in which domestic assets are both targets and
weapons.
The Freedom of Information Act (FOIA) requires a federal
agency to release information in its control to "any person"
following a request reasonably describing the documents sought.
The statute balances public disclosure against other important
considerations, including national security, through nine
exemptions. Of these exemptions, the first four stand out as
possible protections against the release of information critical
to homeland security. This article discusses these exemptions as
well as legislation pending in Congress that would prohibit the
release of critical infrastructure information via FOIA's
Exemption 3.
Exemption 1: Classified Information.
Exemption 1 protects information classified pursuant to an
applicable executive order. The operative executive order today
is Executive Order No. 12,958, issued by President Clinton. The
categories of information classified under the Order are broad
enough to include homeland security information. Information may
be classified if it concerns scientific, technological, or
economic matters relating to the national security; a U.S.
government program for safeguarding nuclear materials or
facilities; or vulnerabilities or capabilities of systems,
installations, projects, or plans relating to the national
security. Military, intelligence, and foreign relations
information is also eligible for classification.
Information falling within any of these categories may be
classified if its release "reasonably could be expected to result
in damage to the national security" and if that damage is
identified or described by the classifying agency. The Order
originally was an attempt to loosen control and speed the
declassification of information within the government's control.
The question today is whether the reality of terrorism warrants a
reevaluation of this premise, given the trend toward openness
reflected in the Order.
Exemption 2: Risk of Circumvention. Exemption
2 applies to information "related solely to the internal
personnel rules and practices of an agency." Courts have
recognized, however, that Exemption 2 applies not just to trivial
internal matters like sick leave and parking policies (called
"Low 2" information) but also to more substantial information,
the disclosure of which would assist lawbreakers ("High 2"
information). Typically, High 2 information includes things like
law enforcement manuals, guidelines for conducting investigations
or litigation, and information that would reveal the identity of
confidential informants or undercover agents.
The seminal case recognizing the High 2 category, Crooker
v. ATF, set out the two-part test still used today: The
requested document must be "predominantly internal" and its
disclosure must significantly risk the circumvention of agency
regulations or statutes or impede the effectiveness of law
enforcement activities.
In the wake of September 11, the DOJ's Office of Information
and Privacy (OIP) is encouraging agencies to use Exemption 2 to
protect information relating to critical domestic assets. OIP
specifically instructed federal agencies that vulnerability
assessments of "critical systems, facilities, stockpiles, and
other assets" should be protected from disclosure under the High
2 prong. But information about the vulnerability of
private assets, unlike an agency's assessment of its own
assets, is not clearly protected by Exemption 2. Exemption 2
applies only to an agency's "predominantly internal" records,
which seems to exclude records submitted by an outside private
party.
Exemption 3: The Critical Infrastructure Information
Security Act of 2001. Exemption 3 protects information
"specifically exempted from disclosure by statute…provided
that such statute (A) requires that the matters be withheld from
the public in such a manner as to leave no discretion on the
issue, or (B) establishes particular criteria for withholding or
refers to particular types of matters to be withheld." The
Critical Infrastructure Information Security Act of 2001 (CIISA)
was introduced in the Senate on September 24, 2001, in an attempt
to use Exemption 3 to protect homeland security information. Its
stated purpose is to "facilitate the security of the critical
infrastructure of the United States, to encourage the secure
disclosure and protected exchange of critical infrastructure
information, to enhance the analysis, prevention, and detection
of attacks on critical infrastructure, to enhance the recovery
from such attacks, and for other purposes." To effectuate this
"protected exchange," the CIISA exempts from disclosure under
FOIA "critical infrastructure information that is voluntarily
submitted" to one of 13 covered federal agencies (including
EPA).
(Significantly, the CIISA protects only "voluntarily"
submitted critical infrastructure information. As you will read
in the next section, this sounds very similar to "voluntarily"
submitted commercial or financial information protected by the
Critical Mass court's interpretation of Exemption 4.
Given that information is generally considered "commercial or
financial" under Exemption 4 if it simply relates to a business
or trade, the CIISA seems to address a subset of Exemption 4
business information. But the CIISA notes that critical
infrastructure information is in fact "not normally in the public
domain." Thus, the CIISA's definition of "voluntary" is a
critical facet of the bill. Under the proposed legislation,
voluntary means the "submittal of the information or records in
the absence of an agency's exercise of legal
submission.")
Exemption 4: Confidential Business
Information. Exemption 4 of FOIA exempts from disclosure
"trade secrets and commercial or financial information obtained
from a person and privileged or confidential." Most information
protected by Exemption 4 falls within the second part of this
language as "confidential business information" (CBI).
The parameters of what qualifies as CBI have been fleshed out
over the years, beginning with the seminal case of National
Parks & Conservation Association v. Morton. National
Parks recognizes that information is protected as CBI if its
release would either (1) impair the government's ability to
obtain necessary information in the future or (2) cause
substantial harm to the competitive position of the person from
whom the information was obtained. The National Parks
test was refined by Critical Mass Energy Project v. NRC.
Under Critical Mass, the first determination to be made
is whether the information was submitted to the government
"voluntarily" or whether submission was required. If the
information was supplied voluntarily, the only question is
whether it is the type of information that "for whatever reason,
would customarily not be released to the public by the person
from whom it was obtained." If the business was compelled to
provide the information, however, then the two prongs of the
National Parks test apply.
Exemption 4, then, seems to protect just the type of homeland
security information only questionably protected by Exemption
2: vulnerability and infrastructure information submitted to
agencies by private entities about private assets. First, if the
information is "voluntarily" submitted, it would seem that such
critical information is not the type of information that would be
"customarily released" by the business. Even if the information
is the type that requires submission, vulnerability and
infrastructure information is competitive in nature. Destruction
of a business's facility or equipment would undoubtedly cause it
"substantial competitive harm." In addition, Exemption 4 (unlike
Exemptions 1 and 2) provides an existing procedural mechanism for
the submitting business to explain to the agency why the
information is critical and, therefore, protected from
disclosure.
Another area for administrative action under Exemption 4 is formal acknowledgment and application of the "mosaic effect." The mosaic effect recognizes that an individual piece of information that alone would not qualify as CBI may be combined with other pieces of information to cause substantial competitive harm. This common-sense approach prevents the piecemeal accumulation of critical security information. OIP should encourage this application under Exemption 4 as well.
Stephen Gidiere practices environmental and natural
resources law with Balch & Bingham LLP in its Birmingham,
Alabama, office. Jason Forrester is research director of the
Nuclear Threat Reduction Campaign in Washington,
D.C.
This article is an abridged and edited version of one that
originally appeared on page 139 of Natural Resources &
Environment, Winter 2002 (16:3).



