Congressional Record: November 19, 2002 (Senate)
Page S11405-S11455
HOMELAND SECURITY ACT OF 2002
[excerpts on FOIA]
Mr. LEAHY. [...]
This bill has its problems. As I will discuss in more detail in the
balance of my remarks, this legislation has five significant problems.
It would: (1) undermine Federal and State sunshine laws permitting the
American people to know what their government is doing, (2) threaten
privacy rights, (3) provide sweeping liability protections for
companies at the expense of consumers, (4) weaken rather than fix our
immigration enforcement problems, and (5) under the guise of
"management flexibility," it would authorize political cronyism
rather than professionalism within the new department. These problems
are unfortunate and entirely unnecessary to the overall objective of
establishing a new department of homeland security. Republican leaders
and the White House have forced on the Senate a process under which
these problem areas cannot be substantively and meaningfully addressed,
and that is highly regrettable and a needless blot on this charter.
Though I will support passage of this legislation in order to get the
new department up and running, the flaws in this legislation will
require our attention next year, when I hope to work with the
administration and my colleagues on both sides of the aisle to monitor
implementation of the new law and to craft corrective legislation.
First, the bill guts the FOIA at the expense of our national security
and public health and safety. This bill eliminates a bipartisan Senate
provision that I crafted with Senator Levin and Senator Bennett to
protect the public's right to use the Freedom of Information Act, FOIA,
in order to find out what our Government is doing, while simultaneously
providing security to those in the private sector that records
voluntarily submitted to help protect our critical infrastructures will
not be publicly disclosed. Encouraging cooperation between the private
sector and the government to keep our critical infrastructure systems
safe from terrorist attacks is a goal we all support. But the
appropriate way to meet this goal is a source of great debate--a debate
that has been all but ignored by the Republicans who crafted this
legislation.
The administration itself has flip-flopped on how to best approach
this issue. The administration's original June 18, 2002, legislative
proposal establishing a new department carved out of FOIA exemption, in
section 204, and required non-disclosure of any
"information" "voluntarily" provided to the new Department of
Homeland Security by "non-Federal entities or individuals" pertaining
to "infrastructure vulnerabilities or other vulnerabilities to
terrorism" in the possession of, or that passed through, the new
department. Critical terms, such as "voluntarily provided," were
undefined.
The Judiciary Committee had an opportunity to query Governor Ridge
about the administration's proposal on June 26, 2002, when the
administration reversed its long-standing position and allowed him to
testify in his capacity as the Director of the Transition Planning
Office.
Governor Ridge's testimony at that hearing is instructive. He seemed
to appreciate the concerns expressed by Members about the President's
June 18th proposal and to be willing to work with us in the legislative
process to find common ground. On the FOIA issue, he described the
Administration's goal to craft "a limited statutory exemption to the
Freedom of Information Act" to help "the Department's most important
missions [which] will be to protect our Nation's critical
infrastructure." (June 26, 2002 Hearing, Tr., p. 24). Governor Ridge
explained that to accomplish this, the Department must be able to
"collect information, identifying key assets and components of that
infrastructure, evaluate vulnerabilities, and match threat assessments
against those vulnerabilities." (Id., at p. 23).
I do not understand why some have insisted that FOIA and our national
security are inconsistent. The FOIA already exempts from disclosure
matters that are classified; trade secret, commercial and financial
information, which is privileged and confidential; various law
enforcement records and information, including confidential source and
informant information; and FBI records pertaining to foreign
intelligence or counterintelligence, or international terrorism. These
already broad exemptions in the FOIA are designed to protect national
security and public safety and to ensure that the private sector can
provide needed information to the government.
Current law already exempts from disclosure any financial or
commercial information provided voluntarily to the government, if it is
of a kind that the provider would not customarily make available to the
public. Critical Mass Energy Project v. NRC, 975 F.2d 871 (D.C. Cir.
1992) (en banc). Such information enjoys even stronger nondisclosure
protections than does material that the government requests. Applying
this exception, Federal regulatory
[[Page S11424]]
agencies are today safeguarding the confidentiality of all kinds of
critical infrastructure information, like nuclear power plant safety
reports (Critical Mass, 975 F.2d at 874), information about product
manufacturing processes land internal security measures (Bowen v. Food
& Drug Admin., 925 F.2d 1225 (9th Cir. 1991), design drawings of
airplane parts (United Technologies Corp. by Pratt & Whitney v. F.A.A.,
102 F.3d 6878 (2d Cir. 1996)), and technical data for video
conferencing software (Gilmore v. Dept. of Energy, 4 F. Supp.2d 912
(N.D. Cal. 1998)).
The head of the FBI National Infrastructure Protection Center, NIPC,
testified more than 5 years ago, in September, 1998, that the "FOIA
excuse" used by some in the private sector for failing to share
information with the government was, in essence, baseless. He explained
the broad application of FOIA exemptions to protect from disclosure
information received in the context of a criminal investigation or a
"national security intelligence" investigation, including information
submitted confidentially or even anonymously. [Sen. Judiciary
Subcommittee On Technology, Terrorism, and Government Information,
Hearing on Critical Infrastructure Protection: Toward a New Policy
Directive, S. HRG. 105-763, March 17 and June 10, 1998, at p. 107]
The FBI also used the confidential business record exemption under
(b)(4) "to protect sensitive corporate information, and has, on
specific occasions, entered into agreements indicating that it would do
so prospectively with reference to information yet to be received."
NIPC was developing policies "to grant owners of information certain
opportunities to assist in the protection of the information (e.g.,
`sanitizing the information themselves') and to be involved in
decisions regarding further dissemination by the NIPC." Id. In short,
the former administration witness stated: "Sharing between the private
sector and the government occasionally is hampered by a perception in
the private sector that the government cannot adequately protect
private sector information from disclosure under the Freedom of
Information Act (FOIA). The NIPC believes that this perception is
flawed in that both investigative and infrastructure protection
information submitted to NIPC are protected from FOIA disclosure under
current law." (Id.)
Nevertheless, for more than 5 years, businesses have continued to
seek a broad FOIA exemption that also comes with special legal
protections to limit their civil and criminal liability, and special
immunity from the antitrust laws. The Republicans are largely granting
this business wish-list in the legislation for the new Department of
Homeland Security.
At the Senate Judiciary Committee hearing with Governor Ridge, I
expressed my concern that an overly broad FOIA exemption would
encourage government complicity with private firms to keep secret
information about critical infrastructure vulnerabilities, reduce the
incentive to fix the problems and end up hurting rather than helping
our national security. In the end, more secrecy may undermine rather
than foster security.
Governor Ridge seemed to appreciate these risks, and said he was
"anxious to work with the Chairman and other members of the committee
to assure that the concerns that [had been] raised are properly
addressed." Id. at p. 24. He assured us that "[t]his Administration
is ready to work together with you in partnership to get the job done.
This is our priority, and I believe it is yours as well." Id. at p.
25. This turned out to be an empty promise.
Almost before the ink was dry on the administration's earlier June
proposal, on July 10, 2002, the administration proposed to substitute a
much broader FOIA exemption that would (1) exempt from disclosure under
the FOIA critical infrastructure information voluntarily submitted to
the new department that was designated as confidential by the submitter
unless the submitter gave prior written consent, (2) provide limited
civil immunity for use of the information in civil actions against the
company, with the likely result that regulatory actions would be
preceded by litigation by companies that submitted designated
information to the department over whether the regulatory action was
prompted by a confidential disclosure, (3) preempt State sunshine laws
if the designated information is shared with State or local government
agencies, (4) impose criminal penalties of up to one year imprisonment
on Government employees who disclosed the designated information, and
(5) antitrust immunity for companies that joined together with agency
components designated by the President to promote critical
infrastructure security.
Despite the administration's promulgation of two separate proposals
for a new FOIA exemption in as many weeks, in July, Director Ridge's
Office of Homeland Security released The National Strategy for Homeland
Security, which appeared to call for more study of the issue before
legislating. Specifically, this report called upon the Attorney General
to "convene a panel to propose any legal changes necessary to enable
sharing of essential homeland security information between the
government and the private sector." (p. 33)
The need for more study of the administration's proposed new FOIA
exemption was made amply clear by its possible adverse environmental,
public health and safety affects. Keeping secret problems in a variety
of critical infrastructures would simply remove public pressure to fix
the problems. Moreover, several environmental groups pointed out that,
under the administration's proposal, companies could avoid enforcement
action by "voluntarily" providing information about environmental
violations to the EPA, which would then be unable to use the
information to hold the company accountable and also would be required
to keep the information confidential. It would bar the government from
disclosing information about spills or other violations without the
written consent of the company that caused the pollution.
I worked on a bipartisan basis with many interested stakeholders from
environmental, civil liberties, human rights, business and government
watchdog groups to craft a compromise FOIA exemption that did not grant
the business sector's wish-list but did provide additional
nondisclosure protections for certain records without jeopardizing the
public health and safety. At the request of Chairman Lieberman for the
Judiciary Committee's views on the new department, I shared my concerns
about the administration's proposed FOIA exemption and then worked with
Members of the Governmental Affairs Committee, in particular Senator
Levin and Senator Bennett, to craft a more narrow and responsible
exemption that accomplishes the Administration's goal of encouraging
private companies to share records of critical infrastructure
vulnerabilities with the new Department of Homeland Security without
providing incentives to "game" the system of enforcement of
environmental and other laws designed to protect our nation's public
health and safety. We refined the FOIA exemption in a manner that
satisfied the Administration's stated goal, while limiting the risks of
abuse by private companies or government agencies.
This compromise solution was supported by the administration and
other members of the Committee on Governmental Affairs and was
unanimously adopted by that Committee at the markup of the Homeland
Security Department bill on July 24, 2002. The provision would exempt
from the FOIA certain records pertaining to critical infrastructure
threats and vulnerabilities that are furnished voluntarily to the new
Department and designated by the provider as confidential and not
customarily made available to the public. Notably, the compromise FOIA
exemption made clear that the exemption only covered "records" from
the private sector, not all `'information" provided by the private
sector and thereby avoided the adverse result of government agency-
created and generated documents and databases being put off-limits to
the FOIA simply if private sector "information" is incorporated.
Moreover, the compromise FOIA exemption clearly defined what records
may be considered "furnished voluntarily," which did not cover
records used "to satisfy any legal requirement or obligation to obtain
any grant, permit, benefit (such as agency forbearances, loans, or
reduction or modifications of agency penalties or rulings), or other
[[Page S11425]]
approval from the Government." The FOIA compromise exemption further
ensured that portions of records that are not covered by the exemption
would be released pursuant to FOIA requests. This compromise did not
provide any civil liability or antitrust immunity that could be used to
immunize bad actors or frustrate regulatory enforcement enforcement
action, nor did the compromise preempt state or local sunshine laws.
Unfortunately, the new Republican version of this legislation that we
are voting on today jettisoned the bipartisan compromise on the FOIA
exemption, worked out in the Senate with the administration's support,
and replaced it with a big-business wish-list gussied up in security
garb. The Republican FOIA exemption would make off-limits to the FOIA
much broader categories of "information" and grant businesses the
legal immunities and liability protections they have sought so
vigorously for over 5 years. This bill goes far beyond what is needed
to achieve the laudable goal of encouraging private sector companies to
help protect our critical infrastructure. Instead, it will tie the
hands of the federal regulators and law enforcement agencies working to
protect the public from imminent threats. It will give a windfall to
companies who fail to follow Federal health and safety standards. Most
disappointingly, it will undermine the goals of openness in government
that the FOIA was designed to achieve. In short, the FOIA exemption in
this bill represents the most severe weakening of the Freedom of
Information Act in its 36-year history.
In the end, the broad secrecy protections provided to critical
infrastructure information in this bill will promote more secrecy which
may undermine rather than foster national security. In addition, the
immunity provisions in the bill will frustrate enforcement of the laws
that protect the public's health and safety.
Let me explain. The Republican FOIA exemption would allow companies
to stamp or designate certain information as "Critical Infrastructure
Information" or "CII" and then submit this information about their
operations to the government either in writing or orally, and thereby
obtain a blanket shield from FOIA's disclosure mandates as well as
other protections. A Federal agency may not disclose or use
voluntarily-submitted and CII-marked information, except for a limited
"informational purpose," such as "analysis, warning,
interdependency, study, recovery, reconstitution," without the
company's consent. Even when using the information to warn the public
about potential threats to critical infrastructure, the bill requires
agencies to take steps to protect from disclosure the source of the CII
information and other "business sensitive" information.
The bill contains an unprecedented provision that threatens jail time
and job loss to any Government employee who happens to disclose any
critical infrastructure information that a company has submitted and
wants to keep secret. These penalties for using the CII information in
an unauthorized fashion or for failing to take steps to protect
disclosure of the source of the information are severe and will chill
any release of CII information not just when a FOIA request comes in,
but in all situations, no matter the circumstance. Criminalizing
disclosures--not of classified information or national security related
information, but of information that a company decides it does not want
public--is an effective way to quash discussion and debate over many
aspects of the Government's work. In fact, under this bill, CII
information would be granted more comprehensive protection under
Federal criminal laws than classified information.
This provision has potentially disastrous consequences. If an agency
is given information from an ISP about cyberattack vulnerabilities,
agency employees will have to think twice about sharing that
information with other ISPs for fear that, without the consent of the
ISP to use the information, even a warning might cost their jobs or
risk criminal prosecution.
This provision means that if a Federal regulatory agency needs to
issue a regulation to protect the public from threats of harm, it
cannot rely on any voluntarily submitted information--bringing the
normal regulatory process to a grinding halt. Public health and law
enforcement officials need the flexibility to decide how and when to
warn or prepare the public in the safest, most effective manner. They
should not have to get "sign off" from a Fortune 500 company to do
so.
While this legislation risks making it harder for the Government to
protect American families, it will make it much easier for companies to
escape responsibility when they violate the law by giving them
unprecedented immunity from civil and regulatory enforcement actions.
Once a business declares that information about its practices relates
to critical infrastructure and is "voluntarily" provided, it can then
prevent the Federal Government from disclosing it not just to the
public, but also to a court in a civil action. This means that an
agency receiving CII-marked submissions showing invasions of employee
or customer privacy, environmental pollution, or government contracting
fraud will be unable to use that information in a civil action to hold
that company accountable. Even if the regulatory agency obtains the
information necessary to bring an enforcement action from an
alternative source, the company will be able to tie the government up
in protracted litigation over the source of the information.
For example, if a company submits information that its factory is
leaching arsenic in ground water, that information may not be turned
over to local health authorities to use in any enforcement proceeding
nor turned over to neighbors who were harmed by drinking the water for
use in a civil tort action. Moreover, even if EPA tries to bring an
action to stop the company's wrongdoing, the "use immunity" provided
in the Republican bill will tie the agency up in litigation making it
prove where it got the information and whether it is tainted as "fruit
of the poisonous tree"--i.e., obtained from the company under the
"critical infrastructure program."
Similarly, if the new Department of Homeland Security receives
information from a bio-medical laboratory about its security
vulnerabilities, and anthrax is released from the lab three weeks
later, the Department will not be able to warn the public promptly
about how to protect itself without consulting with and trying to get
consent of the laboratory in order to avoid the risk of job loss or
criminal prosecution for a non-consensual disclosure. Moreover, if the
laboratory is violating any State, local or Federal regulation in its
handling of the anthrax, the Department will not be able to turn over
to another Federal agency, such as the EPA or the Department of Health
and Human Services, or to any State or local health officials,
information or documents relating to the laboratory's mishandling of
the anthrax for use in any enforcement proceedings against the
laboratory, or in any wrongful death action, should the laboratory's
mishandling of the anthrax result in the death of any person. The bill
specifically states that such CII-marked information "shall not,
without the written consent of the person or entity submitting such
information, be used directly by such agency, any other Federal, State,
or local authority, or any third party, in any civil action arising
under Federal or State law if such information is submitted in good
faith." [H.R. 5710, section 214(a)(1)(C)]
Most businesses are good citizens and take seriously their
obligations to the government and the public, but this "disclose-and-
immunize" provision is subject to abuse by those businesses that want
to exploit legal techniques to avoid regulatory guidelines. This bill
lays out the perfect blueprint to avoid legal liability: funnel
damaging information into this voluntary disclosure system and pre-empt
the Government or others harmed by the company's actions from being
able to use it against the company. This is not the kind of two-way
public-private cooperation that our country needs.
The scope of the information that would be covered by the new
Republican FOIA exemption is overly broad and would undermine the
openness in government that FOIA was intended to guarantee. Under this
legislation, information about virtually every important sector of our
economy that today the public has a right to see can shut off from
public view simply by labeling
[[Page S11426]]
it "critical infrastructure information." Today, for example, under
current FOIA standards, courts have required Federal agencies to
disclose (1) pricing information in contract bids so citizens can make
sure the government is wisely spending their taxpayer dollars; (2)
compliance reports that allow constituents to insist that government
contractors comply with federal equal opportunity mandates; and (3)
banks' financial data so the public can ensure that federal agencies
properly approve bank mergers. Without access to this kind of
information, it will be harder for the public to hold its Government
accountable. Under this bill, all of this information may be marked CII
information and kept out of public view.
The Republican FOIA exemption goes so far in exempting such large
amount of material from FOIA's disclosure requirements that it
undermines Government openness without making any real gains in safety
for families in Vermont and across America. We do not keep America
safer by chilling Federal officials from warning the public about
threats to their health and safety. We do not ensure our nation's
security by refusing to tell the American people whether or not their
federal agencies are doing their jobs or their Government is spending
their hard earned tax dollars wisely. We do not encourage real two-way
cooperation by giving companies protection from civil liability when
they break the law. We do not respect the spirit of our democracy when
we cloak in secrecy the workings of our Government from the public we
are elected to serve.
Notably, another part of the bill, section 892, would further
undermine Government sunshine laws by authorizing the President to
prescribe and implement procedures requiring Federal agencies to
"identify and safeguard homeland security information that is
sensitive but unclassified" The precise type of information that would
be covered by this new category of "sensitive" information that is
not classified but subject to carte blanche executive authority to keep
secret is not defined and no guidance is provided in the Republican
bill as to how far the President may go.
As the Rutland Herald so aptly put it in an editorial on November 16,
the Republicans "are moving to cloak the Federal Government in an
unprecedented regime of secrecy." The argument over the scope of the
FOIA and unilateral executive power to shield matters from public
scrutiny goes to the heart of our fundamental right to be an educated
electorate aware of what our government is doing. The Rutland Herald
got it right in explaining. "The battle was not over the right of the
government to hold sensitive, classified information secret. The
government has that right. Rather, the battle was over whether the
government would be required to release anything it sought to
withhold."
[...]