Congressional Record: November 19, 2002 (Senate)
Page S11405-S11455

                     HOMELAND SECURITY ACT OF 2002
			[excerpts on FOIA]

  Mr. LEAHY. [...]
  This bill has its problems. As I will discuss in more detail in the 
balance of my remarks, this legislation has five significant problems. 
It would: (1) undermine Federal and State sunshine laws permitting the 
American people to know what their government is doing, (2) threaten 
privacy rights, (3) provide sweeping liability protections for 
companies at the expense of consumers, (4) weaken rather than fix our 
immigration enforcement problems, and (5) under the guise of 
"management flexibility," it would authorize political cronyism 
rather than professionalism within the new department. These problems 
are unfortunate and entirely unnecessary to the overall objective of 
establishing a new department of homeland security. Republican leaders 
and the White House have forced on the Senate a process under which 
these problem areas cannot be substantively and meaningfully addressed, 
and that is highly regrettable and a needless blot on this charter. 
Though I will support passage of this legislation in order to get the 
new department up and running, the flaws in this legislation will 
require our attention next year, when I hope to work with the 
administration and my colleagues on both sides of the aisle to monitor 
implementation of the new law and to craft corrective legislation.
  First, the bill guts the FOIA at the expense of our national security 
and public health and safety. This bill eliminates a bipartisan Senate 
provision that I crafted with Senator Levin and Senator Bennett to 
protect the public's right to use the Freedom of Information Act, FOIA, 
in order to find out what our Government is doing, while simultaneously 
providing security to those in the private sector that records 
voluntarily submitted to help protect our critical infrastructures will 
not be publicly disclosed. Encouraging cooperation between the private 
sector and the government to keep our critical infrastructure systems 
safe from terrorist attacks is a goal we all support. But the 
appropriate way to meet this goal is a source of great debate--a debate 
that has been all but ignored by the Republicans who crafted this 
  The administration itself has flip-flopped on how to best approach 
this issue. The administration's original June 18, 2002, legislative 
proposal establishing a new department carved out of FOIA exemption, in 
section 204, and required non-disclosure of any 
"information" "voluntarily" provided to the new Department of 
Homeland Security by "non-Federal entities or individuals" pertaining 
to "infrastructure vulnerabilities or other vulnerabilities to 
terrorism" in the possession of, or that passed through, the new 
department. Critical terms, such as "voluntarily provided," were 

  The Judiciary Committee had an opportunity to query Governor Ridge 
about the administration's proposal on June 26, 2002, when the 
administration reversed its long-standing position and allowed him to 
testify in his capacity as the Director of the Transition Planning 
  Governor Ridge's testimony at that hearing is instructive. He seemed 
to appreciate the concerns expressed by Members about the President's 
June 18th proposal and to be willing to work with us in the legislative 
process to find common ground. On the FOIA issue, he described the 
Administration's goal to craft "a limited statutory exemption to the 
Freedom of Information Act" to help "the Department's most important 
missions [which] will be to protect our Nation's critical 
infrastructure." (June 26, 2002 Hearing, Tr., p. 24). Governor Ridge 
explained that to accomplish this, the Department must be able to 
"collect information, identifying key assets and components of that 
infrastructure, evaluate vulnerabilities, and match threat assessments 
against those vulnerabilities." (Id., at p. 23).
  I do not understand why some have insisted that FOIA and our national 
security are inconsistent. The FOIA already exempts from disclosure 
matters that are classified; trade secret, commercial and financial 
information, which is privileged and confidential; various law 
enforcement records and information, including confidential source and 
informant information; and FBI records pertaining to foreign 
intelligence or counterintelligence, or international terrorism. These 
already broad exemptions in the FOIA are designed to protect national 
security and public safety and to ensure that the private sector can 
provide needed information to the government.
  Current law already exempts from disclosure any financial or 
commercial information provided voluntarily to the government, if it is 
of a kind that the provider would not customarily make available to the 
public. Critical Mass Energy Project v. NRC, 975 F.2d 871 (D.C. Cir. 
1992) (en banc). Such information enjoys even stronger nondisclosure 
protections than does material that the government requests. Applying 
this exception, Federal regulatory

[[Page S11424]]

agencies are today safeguarding the confidentiality of all kinds of 
critical infrastructure information, like nuclear power plant safety 
reports (Critical Mass, 975 F.2d at 874), information about product 
manufacturing processes land internal security measures (Bowen v. Food 
& Drug Admin., 925 F.2d 1225 (9th Cir. 1991), design drawings of 
airplane parts (United Technologies Corp. by Pratt & Whitney v. F.A.A., 
102 F.3d 6878 (2d Cir. 1996)), and technical data for video 
conferencing software (Gilmore v. Dept. of Energy, 4 F. Supp.2d 912 
(N.D. Cal. 1998)).
  The head of the FBI National Infrastructure Protection Center, NIPC, 
testified more than 5 years ago, in September, 1998, that the "FOIA 
excuse" used by some in the private sector for failing to share 
information with the government was, in essence, baseless. He explained 
the broad application of FOIA exemptions to protect from disclosure 
information received in the context of a criminal investigation or a 
"national security intelligence" investigation, including information 
submitted confidentially or even anonymously. [Sen. Judiciary 
Subcommittee On Technology, Terrorism, and Government Information, 
Hearing on Critical Infrastructure Protection: Toward a New Policy 
Directive, S. HRG. 105-763, March 17 and June 10, 1998, at p. 107]
  The FBI also used the confidential business record exemption under 
(b)(4) "to protect sensitive corporate information, and has, on 
specific occasions, entered into agreements indicating that it would do 
so prospectively with reference to information yet to be received." 
NIPC was developing policies "to grant owners of information certain 
opportunities to assist in the protection of the information (e.g., 
`sanitizing the information themselves') and to be involved in 
decisions regarding further dissemination by the NIPC." Id. In short, 
the former administration witness stated: "Sharing between the private 
sector and the government occasionally is hampered by a perception in 
the private sector that the government cannot adequately protect 
private sector information from disclosure under the Freedom of 
Information Act (FOIA). The NIPC believes that this perception is 
flawed in that both investigative and infrastructure protection 
information submitted to NIPC are protected from FOIA disclosure under 
current law." (Id.)
  Nevertheless, for more than 5 years, businesses have continued to 
seek a broad FOIA exemption that also comes with special legal 
protections to limit their civil and criminal liability, and special 
immunity from the antitrust laws. The Republicans are largely granting 
this business wish-list in the legislation for the new Department of 
Homeland Security.
  At the Senate Judiciary Committee hearing with Governor Ridge, I 
expressed my concern that an overly broad FOIA exemption would 
encourage government complicity with private firms to keep secret 
information about critical infrastructure vulnerabilities, reduce the 
incentive to fix the problems and end up hurting rather than helping 
our national security. In the end, more secrecy may undermine rather 
than foster security.
  Governor Ridge seemed to appreciate these risks, and said he was 
"anxious to work with the Chairman and other members of the committee 
to assure that the concerns that [had been] raised are properly 
addressed." Id. at p. 24. He assured us that "[t]his Administration 
is ready to work together with you in partnership to get the job done. 
This is our priority, and I believe it is yours as well." Id. at p. 
25. This turned out to be an empty promise.
  Almost before the ink was dry on the administration's earlier June 
proposal, on July 10, 2002, the administration proposed to substitute a 
much broader FOIA exemption that would (1) exempt from disclosure under 
the FOIA critical infrastructure information voluntarily submitted to 
the new department that was designated as confidential by the submitter 
unless the submitter gave prior written consent, (2) provide limited 
civil immunity for use of the information in civil actions against the 
company, with the likely result that regulatory actions would be 
preceded by litigation by companies that submitted designated 
information to the department over whether the regulatory action was 
prompted by a confidential disclosure, (3) preempt State sunshine laws 
if the designated information is shared with State or local government 
agencies, (4) impose criminal penalties of up to one year imprisonment 
on Government employees who disclosed the designated information, and 
(5) antitrust immunity for companies that joined together with agency 
components designated by the President to promote critical 
infrastructure security.
  Despite the administration's promulgation of two separate proposals 
for a new FOIA exemption in as many weeks, in July, Director Ridge's 
Office of Homeland Security released The National Strategy for Homeland 
Security, which appeared to call for more study of the issue before 
legislating. Specifically, this report called upon the Attorney General 
to "convene a panel to propose any legal changes necessary to enable 
sharing of essential homeland security information between the 
government and the private sector." (p. 33)

  The need for more study of the administration's proposed new FOIA 
exemption was made amply clear by its possible adverse environmental, 
public health and safety affects. Keeping secret problems in a variety 
of critical infrastructures would simply remove public pressure to fix 
the problems. Moreover, several environmental groups pointed out that, 
under the administration's proposal, companies could avoid enforcement 
action by "voluntarily" providing information about environmental 
violations to the EPA, which would then be unable to use the 
information to hold the company accountable and also would be required 
to keep the information confidential. It would bar the government from 
disclosing information about spills or other violations without the 
written consent of the company that caused the pollution.
  I worked on a bipartisan basis with many interested stakeholders from 
environmental, civil liberties, human rights, business and government 
watchdog groups to craft a compromise FOIA exemption that did not grant 
the business sector's wish-list but did provide additional 
nondisclosure protections for certain records without jeopardizing the 
public health and safety. At the request of Chairman Lieberman for the 
Judiciary Committee's views on the new department, I shared my concerns 
about the administration's proposed FOIA exemption and then worked with 
Members of the Governmental Affairs Committee, in particular Senator 
Levin and Senator Bennett, to craft a more narrow and responsible 
exemption that accomplishes the Administration's goal of encouraging 
private companies to share records of critical infrastructure 
vulnerabilities with the new Department of Homeland Security without 
providing incentives to "game" the system of enforcement of 
environmental and other laws designed to protect our nation's public 
health and safety. We refined the FOIA exemption in a manner that 
satisfied the Administration's stated goal, while limiting the risks of 
abuse by private companies or government agencies.
  This compromise solution was supported by the administration and 
other members of the Committee on Governmental Affairs and was 
unanimously adopted by that Committee at the markup of the Homeland 
Security Department bill on July 24, 2002. The provision would exempt 
from the FOIA certain records pertaining to critical infrastructure 
threats and vulnerabilities that are furnished voluntarily to the new 
Department and designated by the provider as confidential and not 
customarily made available to the public. Notably, the compromise FOIA 
exemption made clear that the exemption only covered "records" from 
the private sector, not all `'information" provided by the private 
sector and thereby avoided the adverse result of government agency-
created and generated documents and databases being put off-limits to 
the FOIA simply if private sector "information" is incorporated. 
Moreover, the compromise FOIA exemption clearly defined what records 
may be considered "furnished voluntarily," which did not cover 
records used "to satisfy any legal requirement or obligation to obtain 
any grant, permit, benefit (such as agency forbearances, loans, or 
reduction or modifications of agency penalties or rulings), or other

[[Page S11425]]

approval from the Government." The FOIA compromise exemption further 
ensured that portions of records that are not covered by the exemption 
would be released pursuant to FOIA requests. This compromise did not 
provide any civil liability or antitrust immunity that could be used to 
immunize bad actors or frustrate regulatory enforcement enforcement 
action, nor did the compromise preempt state or local sunshine laws.
  Unfortunately, the new Republican version of this legislation that we 
are voting on today jettisoned the bipartisan compromise on the FOIA 
exemption, worked out in the Senate with the administration's support, 
and replaced it with a big-business wish-list gussied up in security 
garb. The Republican FOIA exemption would make off-limits to the FOIA 
much broader categories of "information" and grant businesses the 
legal immunities and liability protections they have sought so 
vigorously for over 5 years. This bill goes far beyond what is needed 
to achieve the laudable goal of encouraging private sector companies to 
help protect our critical infrastructure. Instead, it will tie the 
hands of the federal regulators and law enforcement agencies working to 
protect the public from imminent threats. It will give a windfall to 
companies who fail to follow Federal health and safety standards. Most 
disappointingly, it will undermine the goals of openness in government 
that the FOIA was designed to achieve. In short, the FOIA exemption in 
this bill represents the most severe weakening of the Freedom of 
Information Act in its 36-year history.
  In the end, the broad secrecy protections provided to critical 
infrastructure information in this bill will promote more secrecy which 
may undermine rather than foster national security. In addition, the 
immunity provisions in the bill will frustrate enforcement of the laws 
that protect the public's health and safety.
  Let me explain. The Republican FOIA exemption would allow companies 
to stamp or designate certain information as "Critical Infrastructure 
Information" or "CII" and then submit this information about their 
operations to the government either in writing or orally, and thereby 
obtain a blanket shield from FOIA's disclosure mandates as well as 
other protections. A Federal agency may not disclose or use 
voluntarily-submitted and CII-marked information, except for a limited 
"informational purpose," such as "analysis, warning, 
interdependency, study, recovery, reconstitution," without the 
company's consent. Even when using the information to warn the public 
about potential threats to critical infrastructure, the bill requires 
agencies to take steps to protect from disclosure the source of the CII 
information and other "business sensitive" information.
  The bill contains an unprecedented provision that threatens jail time 
and job loss to any Government employee who happens to disclose any 
critical infrastructure information that a company has submitted and 
wants to keep secret. These penalties for using the CII information in 
an unauthorized fashion or for failing to take steps to protect 
disclosure of the source of the information are severe and will chill 
any release of CII information not just when a FOIA request comes in, 
but in all situations, no matter the circumstance. Criminalizing 
disclosures--not of classified information or national security related 
information, but of information that a company decides it does not want 
public--is an effective way to quash discussion and debate over many 
aspects of the Government's work. In fact, under this bill, CII 
information would be granted more comprehensive protection under 
Federal criminal laws than classified information.
  This provision has potentially disastrous consequences. If an agency 
is given information from an ISP about cyberattack vulnerabilities, 
agency employees will have to think twice about sharing that 
information with other ISPs for fear that, without the consent of the 
ISP to use the information, even a warning might cost their jobs or 
risk criminal prosecution.

  This provision means that if a Federal regulatory agency needs to 
issue a regulation to protect the public from threats of harm, it 
cannot rely on any voluntarily submitted information--bringing the 
normal regulatory process to a grinding halt. Public health and law 
enforcement officials need the flexibility to decide how and when to 
warn or prepare the public in the safest, most effective manner. They 
should not have to get "sign off" from a Fortune 500 company to do 
  While this legislation risks making it harder for the Government to 
protect American families, it will make it much easier for companies to 
escape responsibility when they violate the law by giving them 
unprecedented immunity from civil and regulatory enforcement actions. 
Once a business declares that information about its practices relates 
to critical infrastructure and is "voluntarily" provided, it can then 
prevent the Federal Government from disclosing it not just to the 
public, but also to a court in a civil action. This means that an 
agency receiving CII-marked submissions showing invasions of employee 
or customer privacy, environmental pollution, or government contracting 
fraud will be unable to use that information in a civil action to hold 
that company accountable. Even if the regulatory agency obtains the 
information necessary to bring an enforcement action from an 
alternative source, the company will be able to tie the government up 
in protracted litigation over the source of the information.
  For example, if a company submits information that its factory is 
leaching arsenic in ground water, that information may not be turned 
over to local health authorities to use in any enforcement proceeding 
nor turned over to neighbors who were harmed by drinking the water for 
use in a civil tort action. Moreover, even if EPA tries to bring an 
action to stop the company's wrongdoing, the "use immunity" provided 
in the Republican bill will tie the agency up in litigation making it 
prove where it got the information and whether it is tainted as "fruit 
of the poisonous tree"--i.e., obtained from the company under the 
"critical infrastructure program."
  Similarly, if the new Department of Homeland Security receives 
information from a bio-medical laboratory about its security 
vulnerabilities, and anthrax is released from the lab three weeks 
later, the Department will not be able to warn the public promptly 
about how to protect itself without consulting with and trying to get 
consent of the laboratory in order to avoid the risk of job loss or 
criminal prosecution for a non-consensual disclosure. Moreover, if the 
laboratory is violating any State, local or Federal regulation in its 
handling of the anthrax, the Department will not be able to turn over 
to another Federal agency, such as the EPA or the Department of Health 
and Human Services, or to any State or local health officials, 
information or documents relating to the laboratory's mishandling of 
the anthrax for use in any enforcement proceedings against the 
laboratory, or in any wrongful death action, should the laboratory's 
mishandling of the anthrax result in the death of any person. The bill 
specifically states that such CII-marked information "shall not, 
without the written consent of the person or entity submitting such 
information, be used directly by such agency, any other Federal, State, 
or local authority, or any third party, in any civil action arising 
under Federal or State law if such information is submitted in good 
faith." [H.R. 5710, section 214(a)(1)(C)]
  Most businesses are good citizens and take seriously their 
obligations to the government and the public, but this "disclose-and-
immunize" provision is subject to abuse by those businesses that want 
to exploit legal techniques to avoid regulatory guidelines. This bill 
lays out the perfect blueprint to avoid legal liability: funnel 
damaging information into this voluntary disclosure system and pre-empt 
the Government or others harmed by the company's actions from being 
able to use it against the company. This is not the kind of two-way 
public-private cooperation that our country needs.

  The scope of the information that would be covered by the new 
Republican FOIA exemption is overly broad and would undermine the 
openness in government that FOIA was intended to guarantee. Under this 
legislation, information about virtually every important sector of our 
economy that today the public has a right to see can shut off from 
public view simply by labeling

[[Page S11426]]

it "critical infrastructure information." Today, for example, under 
current FOIA standards, courts have required Federal agencies to 
disclose (1) pricing information in contract bids so citizens can make 
sure the government is wisely spending their taxpayer dollars; (2) 
compliance reports that allow constituents to insist that government 
contractors comply with federal equal opportunity mandates; and (3) 
banks' financial data so the public can ensure that federal agencies 
properly approve bank mergers. Without access to this kind of 
information, it will be harder for the public to hold its Government 
accountable. Under this bill, all of this information may be marked CII 
information and kept out of public view.
  The Republican FOIA exemption goes so far in exempting such large 
amount of material from FOIA's disclosure requirements that it 
undermines Government openness without making any real gains in safety 
for families in Vermont and across America. We do not keep America 
safer by chilling Federal officials from warning the public about 
threats to their health and safety. We do not ensure our nation's 
security by refusing to tell the American people whether or not their 
federal agencies are doing their jobs or their Government is spending 
their hard earned tax dollars wisely. We do not encourage real two-way 
cooperation by giving companies protection from civil liability when 
they break the law. We do not respect the spirit of our democracy when 
we cloak in secrecy the workings of our Government from the public we 
are elected to serve.
  Notably, another part of the bill, section 892, would further 
undermine Government sunshine laws by authorizing the President to 
prescribe and implement procedures requiring Federal agencies to 
"identify and safeguard homeland security information that is 
sensitive but unclassified" The precise type of information that would 
be covered by this new category of "sensitive" information that is 
not classified but subject to carte blanche executive authority to keep 
secret is not defined and no guidance is provided in the Republican 
bill as to how far the President may go.
  As the Rutland Herald so aptly put it in an editorial on November 16, 
the Republicans "are moving to cloak the Federal Government in an 
unprecedented regime of secrecy." The argument over the scope of the 
FOIA and unilateral executive power to shield matters from public 
scrutiny goes to the heart of our fundamental right to be an educated 
electorate aware of what our government is doing. The Rutland Herald 
got it right in explaining. "The battle was not over the right of the 
government to hold sensitive, classified information secret. The 
government has that right. Rather, the battle was over whether the 
government would be required to release anything it sought to 


Full Statement of Sen. Leahy