Is It Safe to Share Sensitive Data?

By Joel A. Webber

Security managers routinely have to distinguish between measures that are effective and those that merely give the illusion of protection. A similar question arises with regard to a new Department of Homeland Security (DHS) rule regarding critical infrastructure information that private industry might share with government to help in the fight against terrorism. The rule purports to protect the shared information from being publicly disclosed or used against the company. But is the protection real or illusory? Let's examine how likely it is that a company might still be exposed to litigation, regulatory action, or competitive disadvantage under the rule and what a company can do to further protect itself.

Expansive definition.
What does the government mean by critical infrastructure? The rule contains this definition: "Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters."

Specifically, critical infrastructure encompasses just about any economically important business enterprise. From the local water treatment plant, to the electricity grid, to the pharmaceutical supply chain, the phrase has vast implications. Among the business sectors that have been named as part of the nation's critical infrastructure are those involved in providing food, water, agriculture, healthcare, emergency services, telecommunications, banking, energy, and transportation. Also included would be chemical and defense industries and postal services.

Ad hoc inquiries.
How might a request to share information under the rule arise? The way that information will be requested and what will be sought remains to be seen. Under Secretary of Homeland Security Asa Hutchinson told me that the rule is a tool whose exact use is hard to anticipate, but that it will be helpful where DHS has reasons to make ad hoc inquiries of particular firms or industry sectors, such as electric power plants or chemical facilities.

Some evidence of how inquiries will be handled already exists, however. For example, DHS has already made some site visits. In addition, DHS's Information Analysis and Infrastructure Protection (IAIP) Directorate says that in summer 2004 or later, it will informally begin to contact the many industry-specific Information Sharing and Analysis Centers (ISACs) that already exist to facilitate information sharing among participating companies.

Form and function.
To what would the rule apply when business and government communicate about critical infrastructure? The rule applies to both written and verbal submissions, as long as verbal ones are followed up in writing within 15 days. It provides particulars as to the exact form in which the critical infrastructure information should be submitted.

Information that is submitted is not automatically covered. It must be judged as critical infrastructure information by the DHS to qualify for protection under the rule. For qualifying information, the rule provides:

  • A special exemption from third-party access under the Federal Freedom of Information Act (FOIA), and state or local counterparts.
  • A bar on use as evidence in civil litigation, at least when offered by the government.
  • A (possibly qualified) bar on use by non-DHS regulatory agencies.

It is important to note that the rule's protections represent a compromise among those seeking to address business concerns about disclosure and those wishing to protect the public's right to information. The compromise resulted in three exceptions to or exclusions from the rule's coverage that bear consideration. The rule expressly allows information shared with DHS to be used by the government in criminal investigations and prosecutions, and accessed and used by Congress, its committees, and investigative arm. Moreover, information submitted to DHS that DHS determines not to qualify as protected may be retained for law enforcement or security purposes.

The rule was carefully designed to avoid giving companies that have broken the law a way to cloak evidence from prosecutors or congressional inquiry. The problem is that companies innocent of wrongdoing may find themselves falsely accused and may find their voluntarily provided information used against them under these exceptions.

The greatest concern stems from the possibility that the language, depending on how it is applied and interpreted, might allow information that has been submitted under the rule to then be used against the company in a civil tort case or by regulatory agencies. For example, facts that go to asset use, employee competence, or systems might bear on regulatory compliance or civil liability in addition to terror vulnerabilities. What would prevent a tort attorney or regulator from using that information? The concern is that information voluntarily supplied to protect the homeland from terror might, for example, result in adverse actions by the Occupational Safety and Health Administration on workplace safety or the Federal Motor Carrier Safety Administration on hours-of-service compliance.

Derivative use.
Regardless of formal protections against direct use of information submitted under the rule, there is the possibility of indirect or derivative use. That potential exposure creates a tangible danger.

The rule provides both criminal and dismissal penalties to discourage federal employees' unauthorized disclosures to third parties. Moreover, it establishes a new DHS directorate to manage the protected critical infrastructure information, and a series of written confidentiality agreements among government users to define such information flow within and outside of government, such as with contractors. But the potential for leaks, whether by mouth, via e-mail, or by other means poses the question of whether or not a private litigant or claimant or a regulatory party outside of the DHS could use information if it were obtained illegally. Once made aware of the information, the party might formally secure documentation of it through discovery, investigation, or other legal processes.

In criminal cases, information obtained in a way that violates defendants' rights is inadmissible (this is known as the "fruit of the poisonous tree" doctrine). By contrast, existing law and regulations contain no bar against indirect or derivative use of facts that were first informally obtained through violating a reporting party's rights under the rule, then formally obtained by other means.

Ideally, management should not disclose nonpublic critical infrastructure information without solid assurances that the information is protected against unwanted third-party use and without a clear indication that vital security interests relate directly to the specific information that government seeks.

Given the uncertainties inherent in the rule and its application by DHS, I suggest the following:

Don't go fishing. My own read of both middle-level employees' and senior officials' remarks is that DHS is still not entirely clear on what sort of information it wants about the various infrastructures. That means government officials may just go on fishing expeditions. Without specific guidance from DHS, a firm is left to guess what might be helpful. In such a situation, the natural response to any lack of specificity is broad, general disclosure, which is exactly what is most likely to expose the company to the risk of liability and regulatory trouble.

Management should be wary of this approach. A company should not volunteer detailed disclosures unless and until DHS states clearly what it wants from the company.

Agree on terminology. Even where the company receives what appears to be a specific request from DHS, management may end up giving far more information than it needs to if the terminology has not been defined by both parties. For instance, I had a conversation with an official who said he would like to see "incident reports" as a source of critical infrastructure information in a trucking context. I thought he meant accident documents, encounters with police, or casualty events, the meaning typical in a trucking setting. He actually wanted to know about drivers' sightings of suspicious activity.

While the first category would have been sensitive and problematic, the second could be provided with low risk of harm to the reporting company. In fact, the trucking industry now has a program to help DHS gather information about suspicious activity through the "eyes and ears" of its drivers and other personnel.

Company management should bear in mind that DHS personnel deal with a multitude of industries and may not know the industry-specific definitions of certain terminology. Thus, each request for information should be discussed to clarify what is sought.

Use ISACs. To the extent possible, individual companies are probably better off if they can channel information to DHS through their industry's ISAC. As noted earlier, DHS officials in the special directorate formed to administer the rule say they expect to start an outreach program within a few months to focus on the ISACs. Funneling information to DHS through ISACs will focus the agency on sector vulnerabilities rather than on an individual company's operating details.

Class I railroads already do this. Instead of individual railroad safety officers having one-on-one interactions with DHS, they report information through the Surface Transportation ISAC (Association of American Railroads liaison).

Involve legal counsel. Whether the company communicates with DHS directly or via an ISAC, management should consult in-house or outside legal counsel about information being handed over. Counsel may raise a concern that would not be obvious to managers who work directly with the information. Moreover, involvement of legal counsel from the start can ensure that the firm enjoys all attorney-client-privilege and work-product benefits that it has coming to it.

Ask for nondisclosure agreements. In the difficult case where DHS asks for the cooperative sharing of information whose use by specific third parties might harm the company--and if the government's need seems compelling from the standpoint of the public good--the company might want to request that the agency sign a nondisclosure agreement that limits the parties and circumstances under which the information disclosure may be transmitted beyond DHS (or to specified employees within DHS).

Private companies--and all of us involved in protecting corporate assets--want, like most Americans, to do what is right for the country. We want to make a contribution in the fight against terrorism. At the same time, as corporate fiduciaries, we must avoid creating for the company unintended exposures to plaintiffs, claimants, and regulators who might bring harm to our companies for purposes and motivations wholly unrelated to protecting our homeland. The good news is that if we are prudent in what we share with government and how those communications are structured, we should be able to meet our duties both as citizens and as fiduciaries.

Joel A. Webber, J.D., is an attorney with Couri & Couri law firm, Chicago. He is a member of the American Bar Association's Committee on Infrastructure Security.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.