Congressional Record: November 19, 2002 (Senate) Page S11405-S11455 HOMELAND SECURITY ACT OF 2002 [excerpts on FOIA] Mr. LEAHY. [...] This bill has its problems. As I will discuss in more detail in the balance of my remarks, this legislation has five significant problems. It would: (1) undermine Federal and State sunshine laws permitting the American people to know what their government is doing, (2) threaten privacy rights, (3) provide sweeping liability protections for companies at the expense of consumers, (4) weaken rather than fix our immigration enforcement problems, and (5) under the guise of "management flexibility," it would authorize political cronyism rather than professionalism within the new department. These problems are unfortunate and entirely unnecessary to the overall objective of establishing a new department of homeland security. Republican leaders and the White House have forced on the Senate a process under which these problem areas cannot be substantively and meaningfully addressed, and that is highly regrettable and a needless blot on this charter. Though I will support passage of this legislation in order to get the new department up and running, the flaws in this legislation will require our attention next year, when I hope to work with the administration and my colleagues on both sides of the aisle to monitor implementation of the new law and to craft corrective legislation. First, the bill guts the FOIA at the expense of our national security and public health and safety. This bill eliminates a bipartisan Senate provision that I crafted with Senator Levin and Senator Bennett to protect the public's right to use the Freedom of Information Act, FOIA, in order to find out what our Government is doing, while simultaneously providing security to those in the private sector that records voluntarily submitted to help protect our critical infrastructures will not be publicly disclosed. Encouraging cooperation between the private sector and the government to keep our critical infrastructure systems safe from terrorist attacks is a goal we all support. But the appropriate way to meet this goal is a source of great debate--a debate that has been all but ignored by the Republicans who crafted this legislation. The administration itself has flip-flopped on how to best approach this issue. The administration's original June 18, 2002, legislative proposal establishing a new department carved out of FOIA exemption, in section 204, and required non-disclosure of any "information" "voluntarily" provided to the new Department of Homeland Security by "non-Federal entities or individuals" pertaining to "infrastructure vulnerabilities or other vulnerabilities to terrorism" in the possession of, or that passed through, the new department. Critical terms, such as "voluntarily provided," were undefined. The Judiciary Committee had an opportunity to query Governor Ridge about the administration's proposal on June 26, 2002, when the administration reversed its long-standing position and allowed him to testify in his capacity as the Director of the Transition Planning Office. Governor Ridge's testimony at that hearing is instructive. He seemed to appreciate the concerns expressed by Members about the President's June 18th proposal and to be willing to work with us in the legislative process to find common ground. On the FOIA issue, he described the Administration's goal to craft "a limited statutory exemption to the Freedom of Information Act" to help "the Department's most important missions [which] will be to protect our Nation's critical infrastructure." (June 26, 2002 Hearing, Tr., p. 24). Governor Ridge explained that to accomplish this, the Department must be able to "collect information, identifying key assets and components of that infrastructure, evaluate vulnerabilities, and match threat assessments against those vulnerabilities." (Id., at p. 23). I do not understand why some have insisted that FOIA and our national security are inconsistent. The FOIA already exempts from disclosure matters that are classified; trade secret, commercial and financial information, which is privileged and confidential; various law enforcement records and information, including confidential source and informant information; and FBI records pertaining to foreign intelligence or counterintelligence, or international terrorism. These already broad exemptions in the FOIA are designed to protect national security and public safety and to ensure that the private sector can provide needed information to the government. Current law already exempts from disclosure any financial or commercial information provided voluntarily to the government, if it is of a kind that the provider would not customarily make available to the public. Critical Mass Energy Project v. NRC, 975 F.2d 871 (D.C. Cir. 1992) (en banc). Such information enjoys even stronger nondisclosure protections than does material that the government requests. Applying this exception, Federal regulatory [[Page S11424]] agencies are today safeguarding the confidentiality of all kinds of critical infrastructure information, like nuclear power plant safety reports (Critical Mass, 975 F.2d at 874), information about product manufacturing processes land internal security measures (Bowen v. Food & Drug Admin., 925 F.2d 1225 (9th Cir. 1991), design drawings of airplane parts (United Technologies Corp. by Pratt & Whitney v. F.A.A., 102 F.3d 6878 (2d Cir. 1996)), and technical data for video conferencing software (Gilmore v. Dept. of Energy, 4 F. Supp.2d 912 (N.D. Cal. 1998)). The head of the FBI National Infrastructure Protection Center, NIPC, testified more than 5 years ago, in September, 1998, that the "FOIA excuse" used by some in the private sector for failing to share information with the government was, in essence, baseless. He explained the broad application of FOIA exemptions to protect from disclosure information received in the context of a criminal investigation or a "national security intelligence" investigation, including information submitted confidentially or even anonymously. [Sen. Judiciary Subcommittee On Technology, Terrorism, and Government Information, Hearing on Critical Infrastructure Protection: Toward a New Policy Directive, S. HRG. 105-763, March 17 and June 10, 1998, at p. 107] The FBI also used the confidential business record exemption under (b)(4) "to protect sensitive corporate information, and has, on specific occasions, entered into agreements indicating that it would do so prospectively with reference to information yet to be received." NIPC was developing policies "to grant owners of information certain opportunities to assist in the protection of the information (e.g., `sanitizing the information themselves') and to be involved in decisions regarding further dissemination by the NIPC." Id. In short, the former administration witness stated: "Sharing between the private sector and the government occasionally is hampered by a perception in the private sector that the government cannot adequately protect private sector information from disclosure under the Freedom of Information Act (FOIA). The NIPC believes that this perception is flawed in that both investigative and infrastructure protection information submitted to NIPC are protected from FOIA disclosure under current law." (Id.) Nevertheless, for more than 5 years, businesses have continued to seek a broad FOIA exemption that also comes with special legal protections to limit their civil and criminal liability, and special immunity from the antitrust laws. The Republicans are largely granting this business wish-list in the legislation for the new Department of Homeland Security. At the Senate Judiciary Committee hearing with Governor Ridge, I expressed my concern that an overly broad FOIA exemption would encourage government complicity with private firms to keep secret information about critical infrastructure vulnerabilities, reduce the incentive to fix the problems and end up hurting rather than helping our national security. In the end, more secrecy may undermine rather than foster security. Governor Ridge seemed to appreciate these risks, and said he was "anxious to work with the Chairman and other members of the committee to assure that the concerns that [had been] raised are properly addressed." Id. at p. 24. He assured us that "[t]his Administration is ready to work together with you in partnership to get the job done. This is our priority, and I believe it is yours as well." Id. at p. 25. This turned out to be an empty promise. Almost before the ink was dry on the administration's earlier June proposal, on July 10, 2002, the administration proposed to substitute a much broader FOIA exemption that would (1) exempt from disclosure under the FOIA critical infrastructure information voluntarily submitted to the new department that was designated as confidential by the submitter unless the submitter gave prior written consent, (2) provide limited civil immunity for use of the information in civil actions against the company, with the likely result that regulatory actions would be preceded by litigation by companies that submitted designated information to the department over whether the regulatory action was prompted by a confidential disclosure, (3) preempt State sunshine laws if the designated information is shared with State or local government agencies, (4) impose criminal penalties of up to one year imprisonment on Government employees who disclosed the designated information, and (5) antitrust immunity for companies that joined together with agency components designated by the President to promote critical infrastructure security. Despite the administration's promulgation of two separate proposals for a new FOIA exemption in as many weeks, in July, Director Ridge's Office of Homeland Security released The National Strategy for Homeland Security, which appeared to call for more study of the issue before legislating. Specifically, this report called upon the Attorney General to "convene a panel to propose any legal changes necessary to enable sharing of essential homeland security information between the government and the private sector." (p. 33) The need for more study of the administration's proposed new FOIA exemption was made amply clear by its possible adverse environmental, public health and safety affects. Keeping secret problems in a variety of critical infrastructures would simply remove public pressure to fix the problems. Moreover, several environmental groups pointed out that, under the administration's proposal, companies could avoid enforcement action by "voluntarily" providing information about environmental violations to the EPA, which would then be unable to use the information to hold the company accountable and also would be required to keep the information confidential. It would bar the government from disclosing information about spills or other violations without the written consent of the company that caused the pollution. I worked on a bipartisan basis with many interested stakeholders from environmental, civil liberties, human rights, business and government watchdog groups to craft a compromise FOIA exemption that did not grant the business sector's wish-list but did provide additional nondisclosure protections for certain records without jeopardizing the public health and safety. At the request of Chairman Lieberman for the Judiciary Committee's views on the new department, I shared my concerns about the administration's proposed FOIA exemption and then worked with Members of the Governmental Affairs Committee, in particular Senator Levin and Senator Bennett, to craft a more narrow and responsible exemption that accomplishes the Administration's goal of encouraging private companies to share records of critical infrastructure vulnerabilities with the new Department of Homeland Security without providing incentives to "game" the system of enforcement of environmental and other laws designed to protect our nation's public health and safety. We refined the FOIA exemption in a manner that satisfied the Administration's stated goal, while limiting the risks of abuse by private companies or government agencies. This compromise solution was supported by the administration and other members of the Committee on Governmental Affairs and was unanimously adopted by that Committee at the markup of the Homeland Security Department bill on July 24, 2002. The provision would exempt from the FOIA certain records pertaining to critical infrastructure threats and vulnerabilities that are furnished voluntarily to the new Department and designated by the provider as confidential and not customarily made available to the public. Notably, the compromise FOIA exemption made clear that the exemption only covered "records" from the private sector, not all `'information" provided by the private sector and thereby avoided the adverse result of government agency- created and generated documents and databases being put off-limits to the FOIA simply if private sector "information" is incorporated. Moreover, the compromise FOIA exemption clearly defined what records may be considered "furnished voluntarily," which did not cover records used "to satisfy any legal requirement or obligation to obtain any grant, permit, benefit (such as agency forbearances, loans, or reduction or modifications of agency penalties or rulings), or other [[Page S11425]] approval from the Government." The FOIA compromise exemption further ensured that portions of records that are not covered by the exemption would be released pursuant to FOIA requests. This compromise did not provide any civil liability or antitrust immunity that could be used to immunize bad actors or frustrate regulatory enforcement enforcement action, nor did the compromise preempt state or local sunshine laws. Unfortunately, the new Republican version of this legislation that we are voting on today jettisoned the bipartisan compromise on the FOIA exemption, worked out in the Senate with the administration's support, and replaced it with a big-business wish-list gussied up in security garb. The Republican FOIA exemption would make off-limits to the FOIA much broader categories of "information" and grant businesses the legal immunities and liability protections they have sought so vigorously for over 5 years. This bill goes far beyond what is needed to achieve the laudable goal of encouraging private sector companies to help protect our critical infrastructure. Instead, it will tie the hands of the federal regulators and law enforcement agencies working to protect the public from imminent threats. It will give a windfall to companies who fail to follow Federal health and safety standards. Most disappointingly, it will undermine the goals of openness in government that the FOIA was designed to achieve. In short, the FOIA exemption in this bill represents the most severe weakening of the Freedom of Information Act in its 36-year history. In the end, the broad secrecy protections provided to critical infrastructure information in this bill will promote more secrecy which may undermine rather than foster national security. In addition, the immunity provisions in the bill will frustrate enforcement of the laws that protect the public's health and safety. Let me explain. The Republican FOIA exemption would allow companies to stamp or designate certain information as "Critical Infrastructure Information" or "CII" and then submit this information about their operations to the government either in writing or orally, and thereby obtain a blanket shield from FOIA's disclosure mandates as well as other protections. A Federal agency may not disclose or use voluntarily-submitted and CII-marked information, except for a limited "informational purpose," such as "analysis, warning, interdependency, study, recovery, reconstitution," without the company's consent. Even when using the information to warn the public about potential threats to critical infrastructure, the bill requires agencies to take steps to protect from disclosure the source of the CII information and other "business sensitive" information. The bill contains an unprecedented provision that threatens jail time and job loss to any Government employee who happens to disclose any critical infrastructure information that a company has submitted and wants to keep secret. These penalties for using the CII information in an unauthorized fashion or for failing to take steps to protect disclosure of the source of the information are severe and will chill any release of CII information not just when a FOIA request comes in, but in all situations, no matter the circumstance. Criminalizing disclosures--not of classified information or national security related information, but of information that a company decides it does not want public--is an effective way to quash discussion and debate over many aspects of the Government's work. In fact, under this bill, CII information would be granted more comprehensive protection under Federal criminal laws than classified information. This provision has potentially disastrous consequences. If an agency is given information from an ISP about cyberattack vulnerabilities, agency employees will have to think twice about sharing that information with other ISPs for fear that, without the consent of the ISP to use the information, even a warning might cost their jobs or risk criminal prosecution. This provision means that if a Federal regulatory agency needs to issue a regulation to protect the public from threats of harm, it cannot rely on any voluntarily submitted information--bringing the normal regulatory process to a grinding halt. Public health and law enforcement officials need the flexibility to decide how and when to warn or prepare the public in the safest, most effective manner. They should not have to get "sign off" from a Fortune 500 company to do so. While this legislation risks making it harder for the Government to protect American families, it will make it much easier for companies to escape responsibility when they violate the law by giving them unprecedented immunity from civil and regulatory enforcement actions. Once a business declares that information about its practices relates to critical infrastructure and is "voluntarily" provided, it can then prevent the Federal Government from disclosing it not just to the public, but also to a court in a civil action. This means that an agency receiving CII-marked submissions showing invasions of employee or customer privacy, environmental pollution, or government contracting fraud will be unable to use that information in a civil action to hold that company accountable. Even if the regulatory agency obtains the information necessary to bring an enforcement action from an alternative source, the company will be able to tie the government up in protracted litigation over the source of the information. For example, if a company submits information that its factory is leaching arsenic in ground water, that information may not be turned over to local health authorities to use in any enforcement proceeding nor turned over to neighbors who were harmed by drinking the water for use in a civil tort action. Moreover, even if EPA tries to bring an action to stop the company's wrongdoing, the "use immunity" provided in the Republican bill will tie the agency up in litigation making it prove where it got the information and whether it is tainted as "fruit of the poisonous tree"--i.e., obtained from the company under the "critical infrastructure program." Similarly, if the new Department of Homeland Security receives information from a bio-medical laboratory about its security vulnerabilities, and anthrax is released from the lab three weeks later, the Department will not be able to warn the public promptly about how to protect itself without consulting with and trying to get consent of the laboratory in order to avoid the risk of job loss or criminal prosecution for a non-consensual disclosure. Moreover, if the laboratory is violating any State, local or Federal regulation in its handling of the anthrax, the Department will not be able to turn over to another Federal agency, such as the EPA or the Department of Health and Human Services, or to any State or local health officials, information or documents relating to the laboratory's mishandling of the anthrax for use in any enforcement proceedings against the laboratory, or in any wrongful death action, should the laboratory's mishandling of the anthrax result in the death of any person. The bill specifically states that such CII-marked information "shall not, without the written consent of the person or entity submitting such information, be used directly by such agency, any other Federal, State, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted in good faith." [H.R. 5710, section 214(a)(1)(C)] Most businesses are good citizens and take seriously their obligations to the government and the public, but this "disclose-and- immunize" provision is subject to abuse by those businesses that want to exploit legal techniques to avoid regulatory guidelines. This bill lays out the perfect blueprint to avoid legal liability: funnel damaging information into this voluntary disclosure system and pre-empt the Government or others harmed by the company's actions from being able to use it against the company. This is not the kind of two-way public-private cooperation that our country needs. The scope of the information that would be covered by the new Republican FOIA exemption is overly broad and would undermine the openness in government that FOIA was intended to guarantee. Under this legislation, information about virtually every important sector of our economy that today the public has a right to see can shut off from public view simply by labeling [[Page S11426]] it "critical infrastructure information." Today, for example, under current FOIA standards, courts have required Federal agencies to disclose (1) pricing information in contract bids so citizens can make sure the government is wisely spending their taxpayer dollars; (2) compliance reports that allow constituents to insist that government contractors comply with federal equal opportunity mandates; and (3) banks' financial data so the public can ensure that federal agencies properly approve bank mergers. Without access to this kind of information, it will be harder for the public to hold its Government accountable. Under this bill, all of this information may be marked CII information and kept out of public view. The Republican FOIA exemption goes so far in exempting such large amount of material from FOIA's disclosure requirements that it undermines Government openness without making any real gains in safety for families in Vermont and across America. We do not keep America safer by chilling Federal officials from warning the public about threats to their health and safety. We do not ensure our nation's security by refusing to tell the American people whether or not their federal agencies are doing their jobs or their Government is spending their hard earned tax dollars wisely. We do not encourage real two-way cooperation by giving companies protection from civil liability when they break the law. We do not respect the spirit of our democracy when we cloak in secrecy the workings of our Government from the public we are elected to serve. Notably, another part of the bill, section 892, would further undermine Government sunshine laws by authorizing the President to prescribe and implement procedures requiring Federal agencies to "identify and safeguard homeland security information that is sensitive but unclassified" The precise type of information that would be covered by this new category of "sensitive" information that is not classified but subject to carte blanche executive authority to keep secret is not defined and no guidance is provided in the Republican bill as to how far the President may go. As the Rutland Herald so aptly put it in an editorial on November 16, the Republicans "are moving to cloak the Federal Government in an unprecedented regime of secrecy." The argument over the scope of the FOIA and unilateral executive power to shield matters from public scrutiny goes to the heart of our fundamental right to be an educated electorate aware of what our government is doing. The Rutland Herald got it right in explaining. "The battle was not over the right of the government to hold sensitive, classified information secret. The government has that right. Rather, the battle was over whether the government would be required to release anything it sought to withhold." [...]