Volume 19, Number 6
September 2002



By Stephen Gidiere and Jason Forrester

The terrorist attacks of September 11 have prompted a reevaluation of our approach regarding public access to information in the hands of the government. Attention is focusing on the need to protect information relevant to the war on terrorism, in which domestic assets are both targets and weapons.

The Freedom of Information Act (FOIA) requires a federal agency to release information in its control to "any person" following a request reasonably describing the documents sought. The statute balances public disclosure against other important considerations, including national security, through nine exemptions. Of these exemptions, the first four stand out as possible protections against the release of information critical to homeland security. This article discusses these exemptions as well as legislation pending in Congress that would prohibit the release of critical infrastructure information via FOIA's Exemption 3.

Exemption 1: Classified Infor-mation. Exemption 1 protects information classified pursuant to an applicable executive order. The operative executive order today is Executive Order No. 12,958, issued by President Clinton. The categories of information classified under the Order are broad enough to include homeland security information. Information may be classified if it concerns scientific, technological, or economic matters relating to the national security; a U.S. government program for safeguarding nuclear materials or facilities; or vulnerabilities or capabilities of systems, installations, projects, or plans relating to the national security. Military, intelligence, and foreign relations information is also eligible for classification.

Information falling within any of these categories may be classified if its release "reasonably could be expected to result in damage to the national security" and if that damage is identified or described by the classifying agency. The Order originally was an attempt to loosen control and speed the declassification of information within the government's control. The question today is whether the reality of terrorism warrants a reevaluation of this premise, given the trend toward openness reflected in the Order.

Exemption 2: Risk of Circumvention. Exemption 2 applies to information "related solely to the internal personnel rules and practices of an agency." Courts have recognized, however, that Exemption 2 applies not just to trivial internal matters like sick leave and parking policies (called "Low 2" information) but also to more substantial information, the disclosure of which would assist lawbreakers ("High 2" information). Typically, High 2 information includes things like law enforcement manuals, guidelines for conducting investigations or litigation, and information that would reveal the identity of confidential informants or under- cover agents.

The seminal case recognizing the High 2 category, Crooker v. ATF, set out the two-part test still used today: The requested document must be "predominantly internal" and its disclosure must significantly risk the circumvention of agency regulations or statutes or impede the effectiveness of law enforcement activities.

In the wake of September 11, the DOJ's Office of Information and Privacy (OIP) is encouraging agencies to use Exemption 2 to protect information relating to critical domestic assets. OIP specifically instructed federal agencies that vulnerability assessments of "critical systems, facilities, stockpiles, and other assets" should be protected from disclosure under the High 2 prong. But information about the vulnerability of private assets, unlike an agency's assessment of its own assets, is not clearly protected by Exemption 2. Exemption 2 applies only to an agency's "predominantly internal" records, which seems to exclude records submitted by an outside private party.

Exemption 3: The Critical Infra-structure Information Security Act of 2001. Exemption 3 protects information "specifically exempted from disclosure by statute…provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld." The Critical Infrastructure Information Security Act of 2001 (CIISA) was introduced in the Senate on September 24, 2001, in an attempt to use Exemption 3 to protect homeland security information. Its stated purpose is to "facilitate the security of the critical infrastructure of the United States, to encourage the secure disclosure and protected exchange of critical infrastructure information, to enhance the analysis, prevention, and detection of attacks on critical infrastructure, to enhance the recovery from such attacks, and for other purposes." To effectuate this "protected exchange," the CIISA exempts from disclosure under FOIA "critical infrastructure information that is voluntarily submitted" to one of 13 covered federal agencies (including EPA).

(Significantly, the CIISA protects only "voluntarily" submitted critical infrastructure information. As you will read in the next section, this sounds very similar to "voluntarily" submitted commercial or financial information protected by the Critical Mass court's interpretation of Exemption 4. Given that information is generally considered "commercial or financial" under Exemption 4 if it simply relates to a business or trade, the CIISA seems to address a subset of Exemption 4 business information. But the CIISA notes that critical infrastructure information is in fact "not normally in the public domain." Thus, the CIISA's definition of "voluntary" is a critical facet of the bill. Under the proposed legislation, voluntary means the "submittal of the information or records in the absence of an agency's exercise of legal submission.")

Exemption 4: Confidential Business Information. Exemption 4 of FOIA exempts from disclosure "trade secrets and commercial or financial information obtained from a person and privileged or confidential." Most information protected by Exemption 4 falls within the second part of this language as "confidential business information" (CBI).

The parameters of what qualifies as CBI have been fleshed out over the years, beginning with the seminal case of National Parks & Conservation Association v. Morton. National Parks recognizes that information is protected as CBI if its release would either (1) impair the government's ability to obtain necessary information in the future or (2) cause substantial harm to the competitive position of the person from whom the information was obtained. The National Parks test was refined by Critical Mass Energy Project v. NRC. Under Critical Mass, the first determination to be made is whether the information was submitted to the government "voluntarily" or whether submission was required. If the information was supplied voluntarily, the only question is whether it is the type of information that "for whatever reason, would customarily not be released to the public by the person from whom it was obtained." If the business was compelled to provide the information, however, then the two prongs of the National Parks test apply.

Exemption 4, then, seems to protect just the type of homeland security information only questionably protected by Exemption 2-vulnerability and infrastructure information submitted to agencies by private entities about private assets. First, if the information is "voluntarily" submitted, it would seem that such critical information is not the type of information that would be "customarily released" by the business. Even if the information is the type that requires submission, vulnerability and infrastructure information is competitive in nature. Destruction of a business's facility or equipment would undoubtedly cause it "substantial competitive harm." In addition, Exemption 4 (unlike Exemptions 1 and 2) provides an existing procedural mechanism for the submitting business to explain to the agency why the information is critical and, therefore, protected from disclosure.

Another area for administrative action under Exemption 4 is formal acknowledgment and application of the "mosaic effect." The mosaic effect recognizes that an individual piece of information that alone would not qualify as CBI may be combined with other pieces of information to cause substantial competitive harm. This common-sense approach prevents the piecemeal accumulation of critical security information. OIP should encourage this application under Exemption 4 as well.

Stephen Gidiere practices environmental and natural resources law with Balch & Bingham LLP in its Birmingham, Alabama, office. Jason Forrester is research director of the Nuclear Threat Reduction Campaign in Washington, D.C.

This article is an abridged and edited version of one that originally appeared on page 139 of Natural Resources & Environment, Winter 2002 (16:3).

Upcoming Events | Magazine | Solo Newsletter | Books | Membership | Committees | State/Local Bar | Products/Services | Feedback | ABA Network Home Page

Back to Top