Protected
Critical Infrastructure Information:
Reducing the Risk of Risk Assessment
Steven A. Adelman
A man in New Jersey requested
topographic maps from his town government. He wanted them in digital
format, rather than just paper maps. In digital format, the data would
have included not only the maps, but also detailed information on the
town's water treatment facilities, computer information systems, and
utility distribution lines. His request was properly filed under the
state open public records law. But the town denied his request. So he
sued. And he lost. (Tombs v. Brick Tp. Mun.
Utilities Authority, 2006 WL 3511459 [N.J. Super.], unpublished
opinion)
This article explains why the
man lost his legal battle, and why his loss is the gain of every public
assembly facility.
The town had submitted the data
to the Department of Homeland Security (DHS) for protection under the
Critical Infrastructure Information Act of 2002 (6
U.S.C. Sec. 131, et seq.). The CII Act, like DHS itself, was
part of Congress' response to the September 11, 2001, terrorist attacks.
The goal was to encourage privately owned and operated facilities to
share security information with the government by giving that
information broad protection from unwanted scrutiny, particularly public
records disclosure laws (6 C.F.R. Sec. 29.8 [g])
and document requests and subpoenas in litigation
(6 C.F.R. Sec. 29.8 [i]).
Through the CII Act, DHS extends
facility managers the following offer. If you do the work to assess your
building's vulnerability to terrorism and other threats to safety, such
as through IAAM's Vulnerability identification Self Assessment Tool
(ViSAT), the government will make it almost impossible for either bad
guys or lawyers to get it. In other words, the CII Act allows a facility
to consider worst case scenarios without giving a roadmap to people
intent on doing harm.
"Critical Infrastructure
Information" Defined. In order to be protectable as "critical
infrastructure information" under the CII Act, there must be all of the
following elements (6 U.S.C. Sec. 131 [3]):
- The information must relate to a public facility's security.
- It must include an evaluation of the venue's vulnerability to
  "interference, compromise, or incapacitation," including past
  operational problems or solutions.
- The information must not already be in the public domain.
ViSAT meets all these criteria.
Benefits of CII Designation.
A facility manager does not have to wait to know whether the
information submitted to DHS is safe from public scrutiny. With the
ViSAT program, for example, full protection under the statute attaches
immediately after the submitter clicks
submit for review, no
matter how long it takes DHS to actually review the submission. Anything
submitted pursuant to the CII Act is presumptively validated as critical
infrastructure information and given full protection from disclosure,
"unless and until" DHS reaches a final decision to the contrary
(6 C.F.R. Sec. 29.6[b]).
Once information is designated
as CII, it can be shared only among government agencies dealing with
homeland security. This can range from exotic-sounding Federal agencies
like the National Cyber Security Division to the most humble town
council. But for all government entities, the rules are the same. They
may use critical infrastructure information only to "prepare advisories,
alerts, and warnings to relevant companies, targeted sectors,
governmental entities, ISAOs (Information Sharing
and Analysis Organizations, defined as public or private entities that
use critical infrastructure information to address domestic security
issues) or the general public regarding potential threats and
vulnerabilities to critical infrastructure," (6
C.F.R. Sec. 29.8 [e]) or to help the government prosecute a crime
(6 C.F.R. Sec. 29.8 [f]). Other than these
exceptions, a government entity that wants to use material submitted to
DHS for any other purpose must file a written request with the Federal
government.
Limits of CII Protection.
In most respects, the CII Act is a win-win situation. From the facility
manager's perspective, CII designation removes the possibility that the
wrong people could obtain safety information such as building evacuation
plans, wiring diagrams that could disable emergency power, or vulnerable
access points for drinking water or fresh air. This comprehensive veil
of privacy allows you to examine and improve security outside the view
of the people who would use that information to do harm.
The Federal government also
benefits. Since September 11, the government has taken a strong interest
in encouraging emergency preparedness, and in improving its ability to
coordinate disaster responses at public facilities. By funneling
critical infrastructure information into DHS, and then out to other
emergency management agencies, the government's knowledge about
vulnerabilities and response planning should be better coordinated.
However, a few words of lawyerly
caution are necessary.
CII protection is not absolute.
In a lawsuit, a court could order disclosure of information in a ViSAT
submission if it is directly related to someone's injury. Consider a
stadium's electrical diagrams. The electrical grid would almost
certainly be protected critical infrastructure information. But if
someone were electrocuted in the building, the victim's lawyer would
likely demand the wiring diagrams to locate the cause of the jolt. A
judge would then have to decide how far CII protection goes under these
circumstances. An educated guess is that the more compelling the need
for the otherwise protected information, the more likely the protection
will be lifted for this limited purpose. Only when more courts have
ruled on CII challenges will anyone know for sure.
In the far more likely situation
where confidentiality is upheld, there are still risks. Again using the
electrocution example, say the judge upholds the CII designation, as in
the New Jersey lawsuit. It is not too cynical to suggest that once a
jury starts deliberating, it might consider anything in which it has an
interest, even if the judge has instructed them otherwise. Conceivably,
this could include whether the stadium sought CII protection to hide a
wiring defect. Lawyers and risk managers have war stories about settling
even seemingly defensible claims because of the possibility that a
jury's curiosity would lead them to a disastrously costly verdict.
Conclusion. Protecting
critical infrastructure information from inappropriate disclosure helps
improve the national defense by allowing government agencies to share
and coordinate with each other. As well, each venue benefits from a
careful security examination without fear that the information will fall
into the wrong hands. Although CII designation is not an absolute
guaranty of confidentiality, that is a risk inherent in nearly any
legal protection. Without a doubt, the far greater risk from both a
legal and a public safety standpoint would be for a venue to do nothing
at all.