National Academies Press: OpenBook
Suggested Citation:"II. FEDERAL LEGAL ISSUES." National Academies of Sciences, Engineering, and Medicine. 2010. Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements. Washington, DC: The National Academies Press. doi: 10.17226/14404.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Page 12

ent poses the danger of further unauthorized disclosures.

II. FEDERAL LEGAL ISSUES

A number of federal statutes and regulations govern requirements for disclosing information to the public, safeguarding information from disclosure, and maintaining public records. Such statutes include FOIA and a variety of laws—primarily enacted post-9/11—that cover Critical Infrastructure Information (CII) and SSI. Also covered are laws the requirements of which will require government agencies to generate security information that could be considered CII or SSI.

This section discusses these federal requirements and their importance to transit agencies in managing security information in procurement documents. The section also addresses guidance that may be relevant to such management, including FTA’s guidance concerning SSI.

A. FOIA[71]

FOIA applies only to the federal government.[72] It does not create a right of access to records held by state or local government agencies[73] or municipal entities.[74] However, if state or local agency records, such as procurement documents, come into the possession and/or control[75] of a federal agency, those records could be considered federal records for purposes of FOIA.[76] In addition, despite the lack of direct applicability, many states model their open records statutes on the federal statute.[77] Accordingly the rationales of court decisions and guidance for determining whether to disclose information under FOIA are considered persuasive by some state courts[78] and thus relevant to transit agencies’ understanding of their disclosure obligations.

1. Overview of FOIA

As the Supreme Court noted in one of its seminal FOIA cases: “The basic purpose of FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed.”[79] FOIA is intended to assist citizens in discovering “what their government is up to.”[80] Accordingly, FOIA establishes a fundamental right of access to federal government records, except to the extent that such records are

Footnotes, page 12:

[71] 5 U.S.C. § 552. See generally U.S. DEP’T OF JUSTICE, UNITED STATES DEPARTMENT OF JUSTICE GUIDE TO THE FREEDOM OF INFORMATION ACT (2009), www.justice.gov/oip/foia_guide09.htm (accessed Jan. 17, 2010). See also GIDIERE III, supra note 39. For a discussion of the statute’s legislative history, see, e.g., Michael W. Field, Rhode Island’s Access to Public Records Act: An Application Gone Awry, 8 ROGER WILLIAMS U. L. REV. 293 (2003).

[72] Jobson, supra note 35, at 2.

[73] E.g., Dunleavy v. New Jersey, 251 Fed. App'x 80, 83 (3d Cir. 2007) (unpublished disposition) (stating that FOIA does not impose obligations on state agencies); State ex rel. Warren v. Warner, 84 Ohio St. 3d 432, 704 N.E.2d 1228 (1999); State ex rel. Findlay Publishing Co. v. Schroeder, 76 Ohio St. 3d 580, 669 N.E.2d 835, 839 (1996).

[74] U.S. DEP’T OF JUSTICE, supra note 71 (2009), Entities Subject to FOIA, at 29, n.42, www.justice.gov/oip/foia_guide09/procedural-requirements.pdf, citing Nelson v. City of Plano, Case No. 06CV102, docket accessible thru 2007 U.S. LEXIS 34992 (E.D. Tex. May 14, 2007) (dismissing FOIA claims against municipal corporation); Cruz v. Superior Court Judges, Case No. 3:04CV1103(CFD), 2006 US Dist. LEXIS 8628 (D. Conn. Mar. 1, 2006) (municipal police department); Jones v. City of Indianapolis, 216 F.R.D. 440, 443 (S.D. Ind. 2003) (municipal agencies).

[75] See McCullough v. FDIC, CA No. 79CV1132, 1980 U.S. Dist. LEXIS 17685, at *6 (D.D.C. July 28, 1980) (concluding that state report transmitted to FDIC remains under control of state and is not agency record under FOIA in light of state confidentiality statute, but that other reports transmitted to agency by state regulatory authorities might be agency records because “it is questionable whether [state authorities] retained control” over them); Teich v. FDA, 751 F. Supp. 243, 248–49 (D.D.C. 1990) (holding that documents submitted to FDA in “‘legitimate conduct of its official duties’” are agency records notwithstanding FDA's presubmission review regulation allowing submitters to withdraw their documents from agency's files).

[76] See U.S. DEP’T OF JUSTICE, supra note 71 (2009), at 35, n.68, www.justice.gov/oip/foia_guide09/procedural-requirements.pdf.

[77] Daniel J. Solove, Modern Studies in Privacy Law: Notice, Autonomy and Enforcement of Data Privacy Legislation: Access and Aggregation: Public Records, Privacy and the Constitution, 86 MINN. L. REV. 1137, 1159 (2002). See, e.g., Woodstock Academy v. FOIC, 181 Conn. 544, 436 A.2d 266 (1980) (appropriate to look to federal act for guidance in interpreting Connecticut FOIA).

[78] E.g., Michaelis, 44 Cal. Rptr. 3d at 671; Fioretti v. Md. State Bd. of Dental Examiners, 351 Md. 66, 716 A. 2d 258 (1998) (FOIA interpretations persuasive in Maryland Public Information Act cases); Educ. Law Ctr. v. N.J. DOE, 966 A.2d 1054, 1060, 198 N.J. 274, 285 (2009) (because of similarity between New Jersey’s deliberative process exemption and FOIA Exemption 5, New Jersey courts “have turned to federal deliberative process jurisprudence, where such law chiefly has developed, for guidance in ascertaining the scope of OPRA’s deliberative process exemption.”); Progressive Animal Welfare Soc’y v. Univ. of Wash., 54 Wash. App. 180, 773 P.2d 114 (1989) (FOIA interpretations may be used to construe Washington Public Disclosure Act); Opinion of Hawaii’s Office of Information Practices, OIP Op. Ltr. No. 07-05 (The exceptions to disclosure found in the federal Freedom of Information Act (“FOIA”), on which the UIPA is indirectly based, generally are more specific and apply to specific types of records described in the law, but under the UIPA many of the situations covered by a specific FOIA exception fall under the general umbrella of frustration…. Thus OIP looks to the examples provided by the UIPA’s legislative history and to FOIA case law for guidance in determining how the frustration exception applies to particular types of records.), www.state.hi.us/oip/opinionletters/opinion%2007-05.pdf.

[79] Robbins Tire & Rubber Co., 437 U.S. at 242.

[80] U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 773, 109 S. Ct. 1468, 1481, 103 L. Ed. 2d 774, 795 (1989).

Page 13

protected from disclosure by statutory exceptions.[81] FOIA is intended to balance between the public’s right to know and the government’s need to protect certain information.[82] The statutory language favors disclosure, as does judicial interpretation.[83]

When Congress amended FOIA in 2007, Congress declared that FOIA should be regularly reviewed “in order to determine whether further changes and improvements are necessary to ensure that the Government remains open and accessible to the American people and is always based not upon the ‘need to know’ but upon the fundamental ‘right to know’.”[84] In an effort to ensure that the right to know is enforced, the 2007 amendment added a tracking requirement for FOIA requests.[85]

Two subsections of FOIA provide for automatic availability of certain government records,[86] while a third governs requests for information.[87] For information to be disclosable pursuant to a FOIA request, it must be contained in what is an agency record under FOIA, which includes electronic formats.[88]

Subsection (b) of FOIA contains nine exemptions. The exemptions are to be construed narrowly.[89] The exemptions are generally discretionary rather than mandatory,[90] although the Department of Justice notes that it is not appropriate for agencies to make discretionary disclosure of information that comes under Exemption 3.[91] Applicability of the exemptions does not depend on the identity of the requestor nor the purpose for which the information is requested.[92] To facilitate meaningful review of assertions of exemptions from FOIA, when an agency withholds information under one of the nine exemptions and litigation ensues, the agency must prepare an index describing the withheld documents and explaining why those documents fall under the exemptions asserted.[93] Such an index is commonly referred to as a Vaughn index,[94] in reference to Vaughn v. Rosen,[95] the case that first articulated the need for the index. The justification for withholding should be relatively detailed.[96]

Four of the nine exemptions have particular applicability to protection of security information in the context of procurement:

• Exemption 2:[97] records that relate solely to the internal personnel rules and practices of an agency.
• Exemption 3:[98] information that is specifically exempted from disclosure by another statute.
• Exemption 4:[99] trade secrets/commercial or financial information.
• Exemption 5:[100] certain inter-agency or intra-agency analyses or recommendations.

Exemption 2.—This exemption has been interpreted to cover relatively trivial internal matters (“low 2”) and matters the disclosure of which would help the recipient

Footnotes, page 13:

[81] John Doe Agency v. John Doe Corp., 493 U.S. 146, 151–52, 110 S. Ct. 471, 474, 107 L. Ed. 2d 462, 470 (1989).

[82] Id. at 152.

[83] Rose, 425 U.S. at 366 (1976) (holding that “limited exemptions do not obscure the basic policy that disclosure, not secrecy, is the dominant objective of the Act”); Alirez v. N.L.R.B., 676 F.2d 423, 425 (10th Cir. 1982); Lion Raisins v. U.S. Dep’t of Agriculture, 354 F.3d 1072, 1079 (9th Cir. 2004). See I.C.1, Disclosing Public Records, supra this digest.

[84] Section 2(6), Openness Promotes Effectiveness in Our National Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524, Dec. 31, 2007.

[85] Section 7 of Pub. L. No. 110-175 (Dec. 31, 2007), amending 5 U.S.C. § 552(a) by adding paragraph (7). See U.S. DEP’T OF JUSTICE, supra note 71, at 26.

[86] 5 U.S.C. § 552(a)(1), (a)(2) (2006), amended by OPEN Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524, Dec. 31, 2007.

[87] Id. § 552(a)(3) (2006).

[88] Id. § 552(f)(2)(A) (2006).

[89] E.g., Lion Raisins, 354 F.3d at 1079.

[90] Chrysler Corp. v. Brown, 441 U.S. 281, 293, 91 S. Ct. 1705, 1713, 60 L. Ed. 2d 208, 219 (1979). Attorney General Holder’s FOIA guidelines encourage agencies to make discretionary disclosures. Attorney General Holder’s Memorandum for Heads of Executive Departments and Agencies Concerning the Freedom of Information Act (Mar. 19, 2009), http://www.usdoj.gov/ag/foia-memo-march2009.pdf (accessed Aug. 16, 2009).

[91] U.S. DEP’T OF JUSTICE, supra note 71, at 688, www.justice.gov/oip/foia_guide09/disclosure-waiver.pdf.

[92] Id. at 40–46, www.justice.gov/oip/foia_guide09/procedural-requirements.pdf.

[93] Vaughn v. Rosen, 484 F.2d 820, 827–28, 157 U.S. App. D.C. 340 (D.C. Cir. 1973).

[94] E.g., Larson v. Dep’t of State, 565 F.3d 857, 385 U.S. App. D.C. 394 (D.C. Cir. 2009). State courts may also require preparation of a Vaughn index under state public records acts. E.g., Farley v. Worley, 215 W.Va. 412, 599 S.E.2d 835 (2004).

[95] 484 F.2d 820, 827–28, 157 U.S. App. D.C. 340 (D.C. Cir. 1973).

[96] Mead Data Central, Inc. v. U.S. Dep’t of Air Force, 566 F.2d 242, 251, 184 U.S. App. D.C. 350 (D.C. Cir. 1977).

[97] 5 U.S.C. § 552(b)(2). See U.S. DEP’T OF JUSTICE, supra note 71, Exemption 2, http://www.justice.gov/oip/foia_guide09/exemption2.pdf.

[98] 5 U.S.C. § 552(b)(3). See U.S. DEP’T OF JUSTICE, supra note 71, Exemption 3, http://www.justice.gov/oip/foia_guide09/exemption3.pdf; STEVENS & TATELMAN, supra note 34, at CRS-1. www.fas.org/sgp/crs/secrecy/RL33670.pdf, at CRS-6–CRS-9; Department of Justice, Agencies Rely on Wide Range of Exemption 3 Statutes, FOIA Post, www.usdoj.gov/oip/foiapost/2003foiapost41.htm (accessed Apr. 1, 2009).

[99] 5 U.S.C. § 552(b)(4). See U.S. DEP’T OF JUSTICE, supra note 71, Exemption 4, http://www.justice.gov/oip/foia_guide09/exemption4.pdf.

[100] 5 U.S.C. § 552(b)(5). See U.S. DEP’T OF JUSTICE, supra note 71, Exemption 5, http://www.justice.gov/oip/foia_guide09/exemption5.pdf.

Page 14

to circumvent a legal requirement (“high 2”).[101] The latter category is relevant to security information. The Justice Department, following the rule in the D.C. Circuit, interprets Exemption 2 as requiring the information to be predominantly internal.[102] The D.C. Circuit’s case adopting the “predominantly internal” standard[103] is widely cited[104] and has been explicitly adopted by the Ninth Circuit.[105] The “high 2” standard then requires that the disclosure of the requested information would have to significantly risk the circumvention of legal requirements.[106] The legal requirement to be circumvented need not relate to criminal matters.[107] The assertion of a “high 2” exemption requires the agency to specifically describe the potential harm from disclosure.[108] The agency bears the burden of establishing that disclosure poses a significant risk of allowing recipients to circumvent agency regulations.[109] For example, the Connecticut District Court addressed the need for specificity in asserting a “high 2” exemption:

The Court is not willing to accept the agency's word that documents are predominantly internal or that if disclosed, the document would reveal ongoing law enforcement techniques and risk circumvention of the law. Instead, on a motion for summary judgment, it is DHS’s responsibility to demonstrate that it has properly withheld documents by providing the Court and Plaintiffs with reasonably detailed descriptions of the documents and with specific, particularized explanations regarding the reasons for withholding each portion of the documents. It does not suffice to give a few examples, as DHS has done.[110]

Vulnerability assessments have been withheld under Exemption 2.[111] Although the practice of asserting Exemption 2 to protect vulnerability assessments[112] predates the enactment of more specific exemptions related to SSI, discussed infra, Exemption 2 is still considered relevant for security information.[113]

Exemption 3.—This exemption allows an agency to withhold information prohibited from disclosure under another federal statute, provided that “such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.”[114] This proviso was added to FOIA in 1976 to overrule the Supreme Court’s decision in Administrator, FAA v. Robertson,[115] which had allowed statutes providing administrative discretion to withhold information to be the basis for Exemption 3 withholdings.[116]

Official disclosure of information waives Exemption 3, but the mere fact that information is in the public domain does not. Moreover, the official disclosure must be specific to constitute a waiver of the ability to claim Exemption 3 for the documents in question.[117] Failure to adhere to the agency’s own regulations regarding circulation of internal agency documents may be sufficient to support a finding of waiver,[118] as is, under certain circumstances, agency carelessness in allowing access to documents.[119]

When an agency’s decision to withhold documents is challenged, the court must review the documents in question de novo to determine the applicability of any exemptions asserted.[120] An Exemption 3 review is a two-

Footnotes, page 14:

[101] See, e.g., Schiller v. NLRB, 964 F.2d 1205, 1207, 296 U.S. App. D.C. 84 (D.C. Cir. 1992); Judicial Watch, Inc. v. U.S. Secret Service, 579 F. Supp. 2d 182, 186 (D.D.C. 2008).

[102] U.S. DEP’T OF JUSTICE, supra note 71, at 189, n.63, citing Schreibman v. U.S. Dep't of Commerce, 785 F. Supp. 164, 166 (D.D.C. 1991) (protecting vulnerability assessment of agency's computer security plan); Dorsett v. U.S. Dep’t of the Treasury, 307 F. Supp. 2d 28, 36–37 (D.D.C. 2004) (concluding that Secret Service document used to “analyze and profile factual information concerning individuals” who may constitute threat to Secret Service protectees met “predominantly internal” standard); Schwarz v. U.S. Dep’t of Treasury, 131 F. Supp. 2d 142, 150 (D.D.C. 2000) (finding “the threat potential to individuals protected by the Secret Service” to be exempt from disclosure under both Exemptions 2 and 7(E)); Voinche v. FBI, 940 F. Supp. 323, 328–29 (D.D.C. 1996) (protecting as “predominantly internal” information relating to security of Supreme Court building and Supreme Court Justices), www.usdoj.gov/oip/foia_guide07/exemption2.pdf.

[103] Crooker v. Bureau of Alcohol, Tobacco & Firearms, 670 F.2d 1051, 1072–74, 216 U.S. App. D.C. 232 (D.C. Cir. 1981) (en banc). Crooker provides an exhaustive analysis of Exemption 2.

[104] E.g., Kaganove v. E.P.A., 856 F.2d 884 (7th Cir. 1988); El Badrawi v. Dep’t of Homeland Sec., 583 F. Supp. 2d 285, 316 (D. Conn. 2008).

[105] Milner v. U.S. Dep’t of Navy, 575 F.3d 959 (9th Cir. 2009).

[106] Stolt-Nielsen Transp. Group Ltd. v. United States, 534 F.3d 728, 732 (D.C. Cir. 2008).

[107] U.S. DEP’T OF JUSTICE, supra note 71, at 191–201, http://www.justice.gov/oip/foia_guide09/exemption2.pdf.

[108] Id. at 205, http://www.justice.gov/oip/foia_guide09/exemption2.pdf.

[109] Crooker, 670 F.2d at 1074; El Badrawi, 583 F. Supp. 2d at 316.

[110] Lowenstein v. Dep’t of Homeland Sec., 603 F. Supp. 2d 354, 360 (D. Conn. 2009).

[111] TRANSTECH MANAGEMENT, INC., supra note 1, at 7.

[112] FOIA Update, Vol. X, No. 3, at 3–4 (OIP Guidance: Protecting Vulnerability Assessments Through Application of Exemption Two), www.usdoj.gov/oip/foia_updates/Vol_X_3/page3.html.

[113] U.S. DEP’T OF JUSTICE, supra note 71, at 203–06, http://www.justice.gov/oip/foia_guide09/exemption2.pdf.

[114] 5 U.S.C. § 552(b)(3); Irons & Sears v. Dann, 606 F.2d 1215, 1220, 196 U.S. App. D.C. (D.C. Cir. 1979).

[115] 422 U.S. 255, 95 S. Ct. 2140, 45 L. Ed. 2d 164 (1975).

[116] Irons & Sears, 606 F.2d at 1219–20.

[117] American Civil Liberties Union v. Dep’t of Defense, 584 F. Supp. 2d 19, 23 (D.D.C. 2008), citing Afshar v. Dep’t of State, 702 F.2d 1125, 1130, 226 U.S. App. D.C. 388 (D.C. Cir. 1983); Pub. Citizen v. Dep’t of State, 11 F.3d 198, 201, 304 U.S. D.C. 154 (D.C. Cir. 1993).

[118] Shermco Indus. v. Secretary of the Air Force, 613 F.2d 1314, 1320 (5th Cir. 1980).

[119] Goodrich v. EPA, 593 F. Supp. 2d 184, 192 (D.D.C. 2009).

[120] 5 U.S.C. § 552(a)(4)(B).

Page 15

part process: first the court determines whether the statute relied upon falls within the ambit of Exemption 3, then it determines whether the information at issue falls within the scope of the statute relied upon.[121] Both prongs must be satisfied for Exemption 3 to form a basis for withholding requested information.

Exemption 4.—While Exemption 4 protects confidential information, FOIA does not define the term “confidential.” Courts have held that confidentiality of records may be determined by looking at the legislative purpose of FOIA. The D.C. Circuit has articulated the following standard for information involuntarily disclosed to the government:

[C]ommercial or financial matter is “confidential” for purposes of the exemption if disclosure of the information is likely to have either of the following effects: (1) to impair the Government's ability to obtain necessary information in the future; or (2) to cause substantial harm to the competitive position of the person from whom the information was obtained.[122]

National Parks is considered the leading case on Exemption 4. The D.C. Circuit subsequently adopted two modifications to National Parks that have not been universally accepted. The first was when the D.C. Circuit accepted the First Circuit’s “third prong” analysis allowing the government to withhold information under Exemption 4 if disclosure would damage the efficient execution of the government’s statutory responsibilities.[123] The other was when the D.C. Circuit modified its rule to apply the National Parks standard to information involuntarily submitted, and to find that financial or commercial information voluntarily submitted is confidential under Exemption 4 “if it is of a kind that would customarily not be released to the public by the person from whom it was obtained.”[124] The voluntary submission standard under Critical Mass requires that the agency possess the authority to require submission of the information at issue and actually exercise that authority in order for the submission not to be voluntary. The submitter’s mistaken belief that the agency has such authority does not make the submission involuntary.[125] No other court of appeal has adopted the Critical Mass distinction between voluntary and involuntarily submitted information, although some district courts have done so.[126]

Competitors may invoke Exemption 4 in filing “reverse” FOIA actions.[127] For example, ERG Transit Systems (USA), Inc. (ERG) sued the Washington Metropolitan Area Transit Authority (WMATA) to prevent WMATA from releasing ERG’s requests for change orders and for an equitable adjustment on a WMATA contract to its competitor, Cubic Transportation Systems, Inc., under WMATA’s Public Access to Records Policy. The district court rejected WMATA’s argument that because the contract required ERG to submit the documents if it wanted to pursue a change and ERG submitted them to obtain additional compensation, the submission was involuntary. Such a finding would have held the information to a standard of confidentiality that it did not meet. Instead, the court held that information submitted to get a contract adjustment was voluntarily submitted and therefore subject to the more lenient standard of what constitutes confidential information: “of a kind that would customarily not be released to the public by the person from whom it was obtained.”[128]

Exemption 5.—This exemption, which has been construed to protect information that would be privileged in the civil discovery context, has been interpreted to incorporate three privileges: deliberative process privilege, the attorney work-product privilege, and the attorney-client privilege.[129] The attorney-client privilege, which could be asserted in the contract negotiation context, will only apply if the communication is based on confidential information provided by the client. The privilege does not apply if the information has been shared with a third party, at the time of the communication or later.[130] However, generally speaking, of the available Exemption 5 privileges, the deliberative process privilege is most likely to be relevant for protection of contract documents. This privilege has clearly been held to be relevant to agency discussions of contract positions.[131] In terms of protecting the agency’s deliberative process, documents must be both deliberative and predecisional to be covered by Exemption 5. After the fact explanatory communications are not covered by Exemption 5, nor are predecisional but nondeliberative documents.[132] The deliberative process privilege will

Footnotes, page 15:

[121] Cent. Intelligence Agency v. Sims, 471 U.S. 159, 167, 105 S. Ct. 1881, 1887, 85 L. Ed. 2d 173, 182 (1985); Minier v. Central Intelligence Agency, 88 F.3d 796, 801 (9th Cir. 1996).

[122] Nat’l Parks and Conservation Ass’n v. Morton, 498 F.2d 765, 770, 162 U.S. App. D.C. 223 (D.C. Cir. 1974) (footnote omitted).

[123] GIDIERE III, supra note 39, at 240–41, citing 9 to 5 Organization for Women Office Workers v. Bd. of Governors of the Fed. Reserve Sys., 721 F.2d 1 (1st Cir. 1983) and Critical Mass Energy Project v. Nuclear Regulatory Comm., 830 F.2d 278, 286, 265 U.S. App. D.C. 130 (D.C. Cir. 1987).

[124] Critical Mass Energy Proj. v. Nuclear Regulatory Comm., 975 F.2d 879, 298 U.S. App. D.C. 8 (D.C. Cir. 1992).

[125] GIDIERE III, supra note 39, at 242.

[126] Id. at 241–42.

[127] See U.S. DEP’T OF JUSTICE, supra note 71, at 863–80, http://www.justice.gov/oip/foia_guide09/reverse-foia.pdf.

[128] ERG Transit Systems (USA), Inc. v. Wash. Metro. Area Transit Auth., 593 F. Supp. 2d 249, 253 (D.D.C. 2009).

[129] Nat’l Labor Relations Bd. v. Sears, Roebuck Co., 421 U.S. 132, 149, 95 S. Ct. 1504, 1515, 44 L. Ed. 2d 29, 46–47 (1975).

[130] Mead Data v. U.S. Air Force, 566 F.2d 242, 253–54 (1977).

[131] Id. at 257, where the court stated: “Discussions among agency personnel about the relative merits of various positions which might be adopted in contract negotiations are as much a part of the deliberative process as the actual recommendations and advice which are agreed upon. As such they are equally protected from disclosure by exemption five.”

[132] Sears, Roebuck, 421 U.S. at 151–52; Tax Analysts v. IRS, 117 F.3d 607, 616, 326 U.S. App. D.C. 53 (D.C. Cir. 1997); Concepcion v. F.B.I., 606 F. Supp. 2d 14 (D.D.C. 2009); James Madison Project v. C.I.A., 607 F. Supp. 2d 109 (D.D.C. 2009).

Page 16

apply “as long as a document is generated as part of such a continuing process of agency decision-making.”[133] Key to determining whether the communication is deliberative is whether “disclosure of the information would ‘discourage candid discussion within the agency.’”[134]

Segregability.—Part of the court’s responsibility in reviewing withheld documents is to make a finding regarding the segregability of any nonexempt material:[135] that is whether the material that is not properly subject to exemption can be segregated from the properly exempt material and released, rather than withholding the entire document based on the exempt status of a portion of the document. The judicial concept of segregability[136] was codified by the 1974 amendments to FOIA.[137] The concept of segregability applies to SSI as well as to other security information.[138]

Information Publicly Available.[139]—Whether prior disclosures of information constitute a waiver of an otherwise applicable exemption is fact specific.[140] It depends on the circumstances of the prior disclosure (manner of prior disclosure and form and completeness of the information already disclosed), and on the harm to be caused by the release based on the exemption asserted.[141] The requester of the information bears the burden of demonstrating that the information is publicly available. Prior release of documents may waive the release of the same documents, but not similar unreleased documents.[142] However, the release of similar information in the past may support a finding that the exemption asserted does not in fact apply.[143] Unofficial disclosure or leaks may not be sufficient to constitute a waiver,[144] and, generally speaking, mistaken releases of otherwise exempt information do not waive the applicable FOIA exemption.[145]

Mosaic Effect.[146]—Agencies may be able to withhold information that is not valuable in and of itself but that when combined with other available information may be damaging to disclose. This effect applies to Exemption 4 and could apply in the context of security information.

Agency Implementation.—The DOT has issued regulations governing FOIA requests for DOT. Both DOT and FTA provide guidance on making FOIA requests.[147]

2. Cases Construing FOIA in Transportation Security Context

Both 49 U.S.C. § 114(s) and 49 U.S.C. § 40119(b) relate to nondisclosure of SSI.[148] At least two federal district courts have found both provisions to constitute Exemption 3 statutes.[149]

In Gordon, plaintiffs sought information about the TSA’s no-fly list. The Federal Bureau of Investigation (FBI) and TSA claimed that requested records were exempt from disclosure pursuant to §§ 114(s) and 40119(b). Citing the prohibitions in the Title 49 provisions, the court held that there was “no dispute that these statutes fall within Exemption 3,” the question being rather whether the withheld information fell within the regulations adopted under those statutes.[150] In reviewing the redacted information, the court re-

Footnotes, page 16:

[133] Nat’l Ass’n of Home Builders v. Norton, 309 F.3d 26, 39, 353 U.S. App. D.C. 374 (D.C. Cir. 2002) (holding that document is predecisional if it was prepared to assist agency in arriving at decision, rather than supporting decision already made); Elec. Privacy Info. Ctr. v. DHS, 384 F. Supp. 2d 100, 112 (D.D.C. 2005).

[134] Access Reports v. Dep’t of Justice, 926 F.2d 1192, 1195, 288 U.S. App. D.C. 319 (D.C. Cir. 1991); Elec. Privacy, 384 F. Supp. 2d at 112.

[135] Nat’l Law Ctr. on Homelessness & Poverty v. U.S. Dep’t of Veteran Affairs, 964 F.2d 1210, 296 U.S. App. D.C. 89 (D.C. Cir. 1992); ACLU v. U.S. Dep’t of Defense, 584 F. Supp. 2d 23 (D.D.C. 2008).

[136] EPA v. Mink, 410 U.S. 73, 91, 93 S. Ct. 827, 35 L. Ed. 2d 117, 134 (1973).

[137] Pub. L. No. 93-502, 88 Stat. 1561, Nov. 21, 1974. § 2(c), inserted the provision relating to availability of segregable portion of records: “Any reasonably segregable portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt under this subsection.”

[138] See U.S. GOV’T ACCOUNTABILITY OFFICE, CLEAR POLICIES AND OVERSIGHT NEEDED FOR DESIGNATION OF SENSITIVE SECURITY INFORMATION 4 (2005), www.gao.gov/new.items/d05677.pdf (accessed Mar. 1, 2009); U.S. GOV’T ACCOUNTABILITY OFFICE, TRANSPORTATION SECURITY ADMINISTRATION’S PROCESSES FOR DESIGNATING AND RELEASING SENSITIVE SECURITY INFORMATION 5 (2007), www.gao.gov/new.items/d08232r.pdf (accessed July 30, 2009).

[139] GIDIERE III, supra note 39, at 284.

[140] Mobil Oil Corp. v. Envtl. Protection Agency, 879 F.2d 698, 700 (9th Cir. 1989).

[141] GIDIERE III, supra note 39, at 284.

[142] Mobil Oil, 879 F.2d at 700–01.

[143] Army Times Pub. Co. v. Dep’t of Air Force, 998 F.2d 1067, 1071, 305 U.S. App. D.C. 432 (D.C. Cir. 1993).

[144] GIDIERE III, supra note 39, at 285.

[145] U.S. DEP’T OF JUSTICE, supra note 71, at 690–703, www.justice.gov/oip/foia_guide09/disclosure-waiver.pdf. But see GIDIERE III, supra note 39, at 285 (prior releases due to the agency’s error may constitute a waiver).

[146] See generally GIDIERE III, supra note 39, at 8.13, Mosaic Effect.

[147] 49 C.F.R. pt. 7. subpt. C—Availability of Reasonably Described Records Under the Freedom of Information Act, www.access.gpo.gov/nara/cfr/waisidx_08/49cfr7_08.html; DOT’s FOIA Reference Guide, www.dot.gov/foia/foiareferenceguide.htm#where; FTA’s instructions for FOIA requests, www.fta.dot.gov/about/about_FTA_186.html.

[148] See II.B, Critical Infrastructure Information (CII)/SSI, infra this digest.

[149] Gordon v. FBI, 390 F. Supp. 2d 897, 900 (N.D. Cal. 2004); Gordon v. FBI, 388 F. Supp. 2d 1028 (N.D. Cal. 2005) (cross-motions for summary judgment); Elec. Privacy Info., 384 F. Supp. 2d 110 n.10.

[150] Gordon, 390 F. Supp. 2d at 900.

17 jected TSA’s position that all information within a secu- rity directive is SSI, even if that information appears elsewhere. The Gordon court found that simply reciting that in- formation derived from security directives is SSI did not meet defendants’ burden of explaining why the infor- mation was exempt from disclosure. The court also found that defendants had not met the burden of ex- plaining why innocuous information such as the fact “the Watch lists include persons who pose a threat to aviation” should be withheld.151 The court held that general statements that the information is SSI do not meet the government's burden. The court ordered the federal defendants to review all of the withheld mate- rial to determine whether they believed “in good faith” that the material was in fact exempt and if so to submit a detailed affidavit that explains why particular mate- rial was exempt. The court admonished that statements that information is SSI would not meet the govern- ment’s burden. The court further ordered that any sub- sequent motion for summary judgment must be accom- panied by a certification by government counsel that “counsel has personally reviewed all of the withheld information and in counsel's good faith opinion the withheld material is exempt from disclosure.”152 Following the court’s 2004 order, the TSA submitted a declaration addressing each redaction and explaining specifically why TSA had determined the redaction to be SSI. Upon reviewing the submission, the District Court found that the redacted SSI was appropriately withheld.153 Although not discussed in the 2004 opinion, Exemption 2 was discussed in the 2005 opinion. 
The court reviewed whether the information withheld under Exemption 2 would “assist terrorists in circumventing the purpose of the watch lists.”154 The court did not ex- plain specifically why information was correctly with- held, but did find that the FBI had not adequately ex- plained how certain information—the legal basis for detaining someone whose name appears on a watch list—could be used to circumvent agency regulations, and therefore ordered that the FBI release that infor- mation. In Electronic Privacy Information Center, the plain- tiff sought documents about TSA’s attempts to get pas- senger data from airlines for the Computer Assisted Passenger Prescreening System. In reviewing the de- fendants’ assertion that certain documents were exempt from disclosure pursuant to 49 U.S.C. § 114(s) and 49 U.S.C. § 40119(b), the court noted that to come under Exemption 3, “the statute must ‘on its face, exempt matters from disclosure.”’155 There was no dispute that the statutes provided a basis for asserting Exemption 151 Id. 152 Id. at 902. 153 Gordon, 388 F. Supp. 2d at 1028. 154 Id. at 1036. 155 Elec. Privacy Info, 384 F. Supp. 2d at 109–10, citing Re- porters Comm. for Freedom of the Press v. U.S. Dep’t of Jus- tice, 816 F.2d 730, 735 (D.C. Cir. 1987). 3.156 Although the plaintiffs had agreed to exclude documents marked as SSI from the scope of the litiga- tion, the court did require more of a showing than that a document was marked as SSI. The court found that describing a document as constituting selection criteria proposed for aviation screening and marking it as SSI was adequate indication that its disclosure would be detrimental to transportation security, and therefore it was properly withheld; merely marking a document as SSI without further description was not adequate to support the failure to disclose.157 3. 
DOT Use of Exemption 3 As indicated by Parts IV and V of the USDOT FOIA reports for fiscal years 2004–2008, during that time frame agencies within USDOT did cite 49 U.S.C. § 40119 in support of denying FOIA requests. In addition, agencies cited the National Defense Authorization Act of 1997,158 which prohibits disclosing contract propos- als.159 However, FTA did not cite Exemption 3 at all dur- ing that time as the basis for withholding information under FOIA.160 4. Release of Security Information Federal employees who make unauthorized disclo- sures of SSI may be subject to disciplinary action.161 156 Id. at 110 n.10. 157 Id. at 110. 158 41 U.S.C. § 253b(m). 159 Hornbostel v. Dep’t. of Interior, 305 F. Supp. 2d 21 (D.D.C. 2003). 160 U.S. DEP’T OF TRANSP., FREEDOM OF INFORMATION ACT (FOIA) 2004 ANNUAL REPORT, www.dot.gov/foia/reports/2004annualreport.pdf; U.S. DEP’T OF TRANSP., FREEDOM OF INFORMATION ACT (FOIA) 2005 ANNUAL REPORT, www.dot.gov/foia/reports/2005annualreport.pdf; U.S. DEP’T OF TRANSP., FREEDOM OF INFORMATION ACT (FOIA) 2006 ANNUAL REPORT, www.dot.gov/foia/reports/2006annualreport.pdf; U.S. DEP’T OF TRANSP., FREEDOM OF INFORMATION ACT (FOIA) 2007 ANNUAL REPORT, www.dot.gov/foia/reports/2007annualreport.pdf; U.S. DEP’T OF TRANSP., FREEDOM OF INFORMATION ACT (FOIA) 2008 ANNUAL REPORT, www.dot.gov/foia/reports/2008annualreport.pdf. 161 49 C.F.R. § 15.17; MacLean v. Dep’t of Homeland Sec., 543 F.3d 1145 (9th Cir. 2008). Cf., Driver Privacy Protection Act penalties: 18 U.S.C. § 2723. The statute is intended to pro- tect the privacy of driver records held by state departments of transportation. State departments of motor vehicles in sub- stantial noncompliance with the statutory requirements for maintaining privacy are subject to fines of up to $5,000 per day for each day of substantial noncompliance, http://frwebgate.access.gpo.gov/cgi- bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc18.wais& start=4193565&SIZE=900&TYPE=TEXT; 18 U.S.C. 
§ 2724 authorizes a private right of action against “[a] person who knowingly obtains, discloses or uses personal information from a motor vehicle record, for a purpose not permitted…, [and makes the person who violates the DPPA] liable to the individ- ual to whom the information pertains…,” without any showing that the person to whom the personal information pertains

18 Even a brief text message with information about air security measures can constitute SSI.162 To the extent that information must be kept confi- dential, agencies need to make sure that both hard copy and electronic systems are secure. B. Critical Infrastructure Information/Sensitive Security Information CII is a defined term under federal law. In addition, the Department of Homeland Security (DHS) imple- menting regulation coined the term “PCII” to apply to specific infrastructure information that is protected under federal law.163 The information must not only relate to critical infrastructure, but as is discussed in- fra, must meet specific statutory criteria, including be- ing voluntarily submitted to DHS. Thus, information about mass transit infrastructure that is critical to the community in which it is located or to the nation at large because of its interconnectedness with major eco- nomic networks (such as the transit system in New York City) is not necessarily protected CII for purposes of the federal statute. However, as the FTA notes, tran- sit agencies “may come in contact with PCII through interaction with the Federal government.”164 While CII, let alone PCII, is likely to be of limited applicability to most transit agencies, particularly in the context of competitive bidding, a basic understanding of CII re- quirements is relevant. Transit agencies may them- selves voluntarily submit information to DHS that, pro- viding it meets statutory requirements described infra, will be considered protected CII. Protection of such in- formation applies to DHS, not to the submitting agency, to the extent that the submitting agency uses its own copy of the information and not the validated (and thus protected) CII.165 The term SSI has evolved based on aviation security requirements dating back to 1974,166 and has been ex- “suffered any adverse effect.” Wemhoff v. District of Columbia, 887 A.2d 1004, 1013 (D.C. 2005), citing Schmidt v. 
Multimedia Holdings Corp., 361 F. Supp. 2d 1346, 1348, 1354 (M.D. Fla. 2004). 162 MacLean, 543 F.3d 1145. 163 6 C.F.R. § 29.2. 164 KEVIN CHANDLER, PAMELA SUTHERLAND, & DONALD ELDREDGE, SENSITIVE SECURITY INFORMATION (SSI): DESIGNATION, MARKINGS, AND CONTROL, RESOURCE DOCUMENT FOR TRANSIT AGENCIES 3 (2009), http://transit- safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20F TA%20SSI%20%28072009%29%20revised.pdf. 165 DEP’T OF HOMELAND SECURITY, HOW TO SUBMIT CRITICAL INFRASTRUCTURE INFORMATION (CII) FOR PCII PROTECTION, www.dhs.gov/files/programs/gc_1193091627563.shtm (accessed Sept. 2, 2009). See also PCII Program FAQ, www.dhs.gov/xlibrary/assets/pcii_faqs.pdf; PCII PROGRAM PROCEDURES MANUAL, www.dhsgov/xlibrary/assets/pcii__program_procedures_manual .pdf. 166 The Air Transportation Security Act of 1974 (Pub. L. No. 93-366 § 316, 88 Stat. 409 (1974)) authorized the Federal Avia- tion Administration (FAA) to issue regulations prohibiting tended by USDOT to apply to all modes of transporta- tion.167 The authorizing legislation for the USDOT and TSA provisions,168 discussed infra, is substantially simi- lar, as are the regulatory provisions themselves.169 TSA defines SSI as information that is obtained or developed in the conduct of security activities, including research and development, the disclosure of which TSA has determined would— (1) Constitute an unwarranted invasion of privacy (in- cluding, but not limited to, information contained in any personnel, medical, or similar file); (2) Reveal trade secrets or privileged or confidential in- formation obtained from any person; or (3) Be detrimental to the security of transportation.170 Despite the fact that the USDOT provision refers to information the disclosure of which would be “detrimen- tal to transportation safety” rather than “detrimental to transportation security” as under the DHS provision, the USDOT provision is interpreted as governing secu- rity issues as well as safety issues.171 Any security 
pro- gram or security contingency plan “issued, established, required, received, or approved by DOT or DHS” consti- tutes SSI. Vulnerability assessments that are “directed, created, held, funded, or approved by the DOT [or] DHS, or that will be provided to DOT or DHS in sup- disclosure of information developed during research and devel- opment that the FAA found would constitute unwarranted invasion of personal privacy, reveal trade secrets or privileged commercial information, or be detrimental to the safety of per- sons traveling in air transportation. See TODD B. TATELMAN, INTERSTATE TRAVEL: CONSTITUTIONAL CHALLENGES TO THE IDENTIFICATION REQUIREMENT AND OTHER TRANSPORTATION SECURITY REGULATIONS, CRS Report for Congress, RL32664 (2004), www.fas.org/sgp/crs/RL32664.pdf, for discussion of history of law governing SSI. 167 Department of Homeland Security, Transportation Secu- rity Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf; CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 2, http://transit- safety.fta.dot.gov/publications/security/FTA%20SSI/Final%20F TA%20SSI%20%28072009%29%20revised.pdf, at 2. 168 49 U.S.C. § 40119(b); 49 U.S.C. § 114(s). 169 49 C.F.R. pt. 15; 49 C.F.R. pt. 1520. 170 49 C.F.R. § 1520.5(a) Sensitive security information. The corollary DOT provision is 49 C.F.R. § 15.5(a) Sensitive security information. 171 CHANDLER, SUTHERLAND & ELDREDGE, supra note 164, at 1. See also Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008): FTA has determined that these laws and regulations [49 U.S.C. 40119(b), 49 C.F.R. 15; 49 U.S.C. 14(s), 49 C.F.R. 
1520] do apply to public transportation agencies and other FTA recipi- ents that have sensitive security information, such as informa- tion related to vulnerability assessments (including any infor- mation addressing vulnerabilities or corrective actions) conducted after September 11, 2001, and other information cov- ered by the regulations.

19 port of a Federal security program” are specifically in- cluded in that category.172 In addition, TSA has issued a Stakeholder Best Practices Quick Reference Guide in which the agency lists a wide range of information the agency deems to constitute SSI.173 Managing SSI is more likely to be of concern to tran- sit agencies than is managing CII. A number of federal requirements make it likely that transit agencies will need to comply with Federal SSI requirements, includ- ing the following: • Establishing a National Strategy for Public Trans- portation Security,174 including use of public transporta- tion security assessments. • Establishing a Transportation Security Informa- tion Sharing Plan.175 • Preparing assessments and plans that will result in security assessments being submitted to DHS for transit agencies at a high risk of attack and for repre- sentative samples of non-high-risk transit agencies.176 172 49 C.F.R. § 15.5(b)(5); 49 C.F.R. § 1520.5(b)(5). 173 TRANSP. SECURITY ADMIN., SENSITIVE STAKEHOLDER BEST PRACTICES QUICK REFERENCE GUIDE, included as App. B to Chandler, supra note 163. Information listed: security pro- grams and contingency plans; security directives; information circulars; performance specifications; vulnerability assess- ments; security inspections or investigative information; threat information; security measures; security screening informa- tion; security training materials; identifying information of certain transportation security personnel; critical infrastruc- ture asset information; systems security information; confiden- tial business information; research and development; and other information as determined in writing by the TSA Admin- istrator. 174 Section 1404, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 401, Aug. 3, 2007, codified at 6 U.S.C. § 1133. 
Section 1404 (d)(2) references already developed security and strategies: National Infrastructure Protection Plan, www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf (accessed Sept. 2, 2009) required by Homeland Security Presidential Directive–7; Executive Order No. 13416: Strengthening Surface Transpor- tation Security, Dec. 5, 2006, Fed. Reg. 71, No. 235, 71033, Dec. 7, 2009, Accessed Sept. 13, 2009, at http://edocket.access.gpo.gov/2006/pdf/06-9619.pdf; the Memo- randum of Understanding between DHS and the DOT on Roles and Responsibilities dated Sept. 28, 2004. The sector-specific plan for mass transit is included as Annex C., Mass Transit, in Transportation Systems Critical Infrastructure and Key Re- sources Sector-Specific Plan as Input to the National Infra- structure Protection Plan, May 2007, www.dhs.gov/xlibrary/assets/Transportation_Base_Plan_5_21_ 07.pdf (accessed Sept. 2, 2009). 175 Section 1203, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 383, Aug. 3, 2007, codified at 49 U.S.C. § 114(u). 176 Section 1405, Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 402, Aug. 3, 2007, codified at 6 U.S.C. § 1134 (National Transit Systems Security Act of 2007 is Title XIV of the public law.) Even where federal requirements are not directly applicable, for example, for vulnerability assessments that are funded locally and not shared with federal agencies and thus do not meet the SSI statutory crite- ria, transit agencies may have security information that should be protected. Thus, the federal requirements may nonetheless be instructive on issues for transit agencies to consider in adopting their own policies. 
Issues that arise concerning SSI designation include maintaining consistency in designating SSI, avoiding the problem of over-designating information as SSI, protecting SSI, reviewing SSI over time to determine whether its confidential status remains justified, and disposing of SSI. For example, DHS has been criticized for asserting overly broad claims for withholding sensi- tive information.177 As noted supra, in Gordon, the fed- eral district court judge rejected the government’s as- sertion that requested material was SSI or otherwise exempt from FOIA, finding rather that withheld mate- rial was innocuous and in some instances publicly available.178 This section reviews the authorizing legislation for CII and SSI provisions, as well as federal programs, requirements, and guidance related to CII and SSI by relevant agency. The purpose is to clarify the meaning and applicability of these terms and their attendant requirements. This is particularly important since to the extent that information comes within the definition of CII or SSI, that information becomes exempt from state disclosure requirements.179 1. Federal Legislation Several pieces of legislation that passed after the events of 9/11 vested the DHS, TSA, and USDOT with responsibility for administering CII and SSI require- ments. The legislation is described below and included in Appendix A. Federal transit legislation that has im- 177 E.g., Amicus Curiae Brief of Electronic Frontier Founda- tion, American Association of Law Libraries, American Library Association, Association of Research Libraries, Center for De- mocracy and Technology, National Security Archive, Project on Government Secrecy of the Federation of American Scientists, and Special Libraries Association on Petition for Writ of Cer- tiorari to the Court of Appeals for the Ninth Circuit, Gilmore v. Gonzalez, www.papersplease.org/gilmore/_dl/20061113/Gilmore%20v.%20 Gonzales%20EFF%20amicus.pdf (accessed Oct. 6, 2009). 
178 Eric Lichtblau, Judge Scolds U.S. Officials Over Barring Jet Travelers, N.Y. TIMES, June 16, 2004, www.nytimes.com/2004/06/16/politics/16flight.html (accessed Mar. 24, 2009). The government ultimately settled, agreeing to pay attorneys fees. TSA and FBI Ordered to Pay $200,000 to Settle “No Fly” Lawsuit, Jan. 24, 2006, www.aclu.org/safefree/general/23926prs20060124.html (ac- cessed Aug. 1, 2009). 179 See Charles Davis, More Daunting Tests Ahead Pitting “Right To Know” Against “Need To Know,” FOI Columns, Jan.– Feb. 2004, www.ire.org/foi/janfeb2004.html (accessed Feb. 28, 2009).

20 plications is referenced in II.B.2, Federal Agencies, in- fra. Aviation and Transportation Security Act of 2001 (ATSA).180—The ATSA transferred civil aviation secu- rity responsibilities from the Federal Aviation Admini- stration (FAA) to TSA, including authority to conduct research and development activities related to secu- rity.181 Section 101(e)(3) of the ATSA-modified Section 40119(b) contains a provision requiring nondisclosure of certain safety-related information, by deleting the modi- fier “air” from “air transportation.” DHS has inter- preted this change as expanding the scope of the provi- sion to cover all modes of transportation.182 Homeland Security Act of 2002 (HSA).183—The HSA adopted the USA PATRIOT Act’s definition of critical infrastructure: “systems and assets, whether physical or virtual, so vital to the United States that the inca- pacity or destruction of such systems and assets would have a debilitating impact on security, national eco- nomic security, national public health or safety, or any combination of those matters.”184 The HSA also added a provision transferring TSA’s SSI authority and vesting SSI authority in the DOT Secretary.185 Critical Infrastructure Information Act of 2002.186— The CIIA was included as Title II of the HSA. Section 211(3) defines “critical infrastructure information”; sub- section 214(a) of the CIIA protects CII voluntarily sub- mitted to DHS for use regarding “the security of critical infrastructure and protected systems, analysis, warn- ing, interdependency study, recovery, reconstitution, or 180 Pub. L. No. 107-71, 115 Stat. 597, Nov. 19, 2001. 181 49 U.S.C. § 40119, Security and research and develop- ment activities. Section 40119 authorized the FAA to conduct research and development (R&D) activities aimed at protecting passengers and property against acts of criminal violence and aircraft piracy. 
The provision prohibited disclosure of informa- tion obtained or developed in carrying out specified security or R&D activities under specified sections of Chapters 445 (Facili- ties, Personnel, and Research) and 449 (Security) of title 49, pro- vided that the FAA decides that disclosing the information would: (A) be an unwarranted invasion of personal privacy; (B) reveal a trade secret or privileged or confidential commer- cial or financial information; or (C) be detrimental to transportation safety. 182 Department of Homeland Security, Transportation Secu- rity Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28068, May 18, 2004. 183 Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002. 184 Section 2(4), Definitions, citing § 1016(e) of Pub. L. No. 107–56 (42 U.S.C.§ 5195c(e)). 185 Section 1601, Retention of Sensitive Security Information Authority at Department of Transportation, codified at 49 U.S.C. § 114(s) and 49 U.S.C. § 40119(b)(1). 186 Tit. II, subtit. B, HSA, Pub. L. No. 107-296, 116 Stat. 2135, Nov. 25, 2002, codified at 6 U.S.C. §§ 131–34. For a cri- tique of the strategy behind the CIIA, including the fact that the FOIA exemptions hamper public oversight, see Bagley, supra note 39. other informational purpose [sic],”187 provided the in- formation is accompanied by the express statement re- quired under the statute. Such protected CII is exempt from disclosure under FOIA; prohibited from being used for other official purposes except under very limited circumstances; and if shared with state and local gov- ernments and agencies, exempt from disclosure under state or local open records requirements. However, the CIIA does not affect any entity’s ability to lawfully ob- tain CII in a manner not covered by subsection (a) and to use such information in any lawful manner. 
Thus such information that is customarily in the public do- main (lawfully, properly, and regularly disclosed gener- ally or broadly to the public) is not protected.188 DHS may withdraw the protected status if it determines that at the time of submission the information was custom- arily in the public domain.189 Federal employees who knowingly disclose protected CII are subject to fine, imprisonment, and job loss.190 There is no private right of action to enforce the CIIA.191 At least one court has held that the CIIA does not apply to submitters of PCII, so that the CIIA does not preempt requests for information made to the submit- ting agency under state public records acts.192 The court noted that the CIIA prohibits disclosure of protected CII under state or local public records acts, but only if the protected CII is provided to a state or local government, and interpreted this statutory language as distinguish- ing between submission of CII and receipt of protected CII for purposes of when a state or local agency may disclose requested information: submitting CII to the federal government does not require the submitting agency to then withhold that information under the state public records law. The court also reviewed the implementing regulations, discussed infra, and found that they also support this distinction between submis- sion and receipt of protected CII for purposes of applica- 187 Section 214, Protection of voluntarily shared critical in- frastructure information, codified at 6 U.S.C. § 133; 6 C.F.R. § 29.8. See James W. Conrad, Jr., Protecting Private Security- Related Information from Disclosure by Government Agencies, 57 ADMIN. L. REV. 715, nn. 80–89 (2005); presented at ABA meeting, Protection of Facility Security Information, Dec. 10, 2004, http://meetings.abanet.org/webupload/commupload/AL316500/ newsletterpubs/Info%20protection.pdf (accessed in prepublica- tion form Mar. 4, 2009). 188 6 C.F.R. §§ 29.2, 29.5. 
Part 29 introduces the term “Pro- tected Critical Infrastructure Information, or PCII,” which is not a statutorily defined term. The regulation defines PCII as CII that has been validated by DHS as meeting the statutory criteria for protection. 189 6 C.F.R. § 29.6(g). 190 Section 214, Protection of voluntarily shared critical in- frastructure information, codified at 6 U.S.C. § 133; 6 C.F.R. § 29.9. 191 Section 215, codified at 6 U.S.C. § 134. 192 County of Santa Clara v. Superior Court of Santa Clara County, 170 Cal. App. 4th 1301, 89 Cal. Rptr. 3d 374 (Cal. Ct. App. 6th Dist. 2009).

tion of state public records requirements. The court concluded:

Taken as a whole, this consistent and pervasive regulatory language supports our construction of the relevant provision of the CII Act, 6 United States Code section 133(a)(1)(E)(i). As we interpret that provision, it draws a distinction between the submission of CII and the receipt of PCII. In the hands of the submitter, the nature of the information remains unchanged; in the hands of the governmental recipient, it is protected from disclosure. (footnote omitted)193

The court also noted that if the contrary interpretation were correct, then the Geographic Information System (GIS) Basemap at issue in the case could no longer be used by the county for any purpose other than those enumerated under the CIIA. Accordingly, the prohibition under the CIIA against disclosure under the California Public Records Act was held not to apply.

Department of Homeland Security Appropriations Act, 2006.194—This Act requires DHS to appoint at least one SSI coordinator in each DHS office that handles SSI to ensure that documents marked as SSI meet the SSI criteria. It requires the Secretary to issue guidance that “includes common but extensive examples of SSI that further define the individual categories of information cited under 49 C.F.R. 1520(b)(1) through (16) and eliminates judgment by covered persons in the application of the SSI marking.”195 The Act also required the Government Accountability Office (GAO) to report on DHS progress in implementing the law’s requirements.

Department of Homeland Security Appropriations Act, 2007.196—The Act requires DHS to revise its Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, as specified in the legislation, and it requires GAO to report on DHS’ progress in implementing the law’s requirements.197 The Act also extended the designation of “covered person” to a party in civil litigation who can demonstrate both a substantial need for relevant SSI in preparing the party’s case and an undue hardship in obtaining equivalent information by other means, provided that the judge enters an order protecting the SSI from unauthorized disclosure, the party undergoes a threat assessment including criminal background check, and access does not present a risk of harm to the nation. GAO reports that the directive has been revised.198

Implementing Recommendations of the 9/11 Commission Act of 2007.199—The Act contains several provisions that will require generating information that could be considered to be CII or SSI because of the information being shared with DHS and USDOT for security purposes. These include grant provisions that public transportation agencies implement in part through contracts with private entities. The discussion here of this Act is limited to those provisions that require information generation that might reasonably be expected to result in procurement activity.200

As noted, supra, Section 1203 requires DHS and USDOT, along with public and private stakeholders, to establish a Transportation Security Information Sharing Plan.201 Section 1305 requires DHS, in consultation with USDOT, to establish a program to share information about transportation security technology with, inter alia, public transportation agencies.202 Title XIV of the Act, the National Transit Systems Security Act of 2007 (NTSSA), requires DHS to develop and implement the National Strategy for Public Transportation Security. In meeting that requirement, DHS is required to “use established and ongoing public transportation security assessments” and “consult with all relevant stakeholders, including public transportation agencies.”203 The NTSSA also requires DHS to conduct certain public transportation security assessments. In addition, the Act mandates that DHS require public transportation agencies determined by DHS to be at high risk of terrorist attack to develop comprehensive security plans, with technical assistance provided by DHS. If DHS requires any other public transportation agencies to prepare security plans, DHS must provide technical assistance to those agencies as well. The statute specifies the contents of such security plans, including requiring them to be consistent with security assessments developed by DHS and with the National Strategy for Public Transportation Security. The requirement for developing security assessments or security plans may be recognized by DHS as being met by existing procedures, protocols, and standards of a public transportation agency.204 Finally, the statute addresses nondisclosure as follows: “Nothing in this section shall be construed as affecting any authority or obligation of a Federal agency to disclose any record or information that the Federal agency obtains from a public transportation agency under any other Federal law.”205

The security assistance program established under the NTSSA allows both capital and operating use of funding, with all funding to be awarded solely to address items included in a security assessment or to further a security plan.206 Agencies that receive such funding must develop training programs as specified under the statute.207

The NTSSA also contains a provision covering security background checks of public transportation employees and contractors.208 The provision sets parameters for DHS guidance on background checks and requires DHS regulation on background checks to provide a redress process and prohibit specified adverse actions based on the background checks. In addition, the statute and its implementing regulation prohibit public transportation agencies from knowingly making false statements to employees concerning security background checks.209

193 Id. at 1318.
194 Pub. L. No. 109–90, 119 Stat. 2064, Oct. 18, 2005.
195 Id. Tit. V, § 537, codified at 6 U.S.C. § 114. The provision also required GAO to report on DHS progress in implementing the law’s requirements.
196 Pub. L. No. 109–295, 120 Stat. 1355, Oct. 4, 2006.
197 Id. at § 525. Section 525 requires that MD 11056 be revised to provide as follows: (1) That when a lawful request is made to publicly release a document containing information designated as sensitive security information (SSI), the document shall be reviewed in a timely manner to determine whether any information contained in the document meets the criteria for continued SSI protection under applicable law and regulation and shall further provide that all portions that no longer require SSI designation be released, subject to applicable law, including sections 552 and 552a of title 5, United States Code; (2) That sensitive security information that is three years old and not incorporated in a current transportation security directive, security plan, contingency plan, or information circular; or does not contain current information in one of the following SSI categories: equipment or personnel performance specifications, vulnerability assessments, security inspection or investigative information, threat information, security measures, security screening information, security training materials, identifying information of designated transportation security personnel, critical aviation or maritime infrastructure asset information, systems security information, confidential business information, or research and development information shall be subject to release upon request unless: (A) the Secretary or his designee makes a written determination that identifies a rational reason why the information must remain SSI; or (B) such information is otherwise exempt from disclosure under applicable law.
198 U.S. GOV’T ACCOUNTABILITY OFFICE, supra note 138, at 5. Some guidance may be available to transit agencies through FTA or TSA that is not publicly available, and therefore cannot be discussed in this report.
199 Pub. L. No. 110-53, 121 Stat. 266, Aug. 3, 2007.
200 Cf., § 1410, Information sharing, codified at 6 U.S.C. § 1139 (requiring public transportation agencies at high risk of terrorist attack to participate in the Information Sharing and Analysis Center for Public Transportation), which does not appear likely to result in procurement activity. See V.B.3, Controls Within the Agency, infra this digest, for a discussion of the NTSSA’s requirements for security background checks.
201 Codified at 49 U.S.C. § 114(u).
202 Codified at 6 U.S.C. § 1114.
203 Section 1404, National Strategy for Public Transportation Security, codified at 6 U.S.C. § 1133.
204 Section 1405, Security assessments and plans, codified at 6 U.S.C. § 1134. The statute prohibits requiring security plans under § 1405 from public transportation agencies not receiving grants under § 1406 of the Act, although the exemption may be waived for high-risk agencies with appropriate notification to Congress.
205 Section 1405(h)(2), codified as 6 U.S.C. § 1134(h)(1).
206 Section 1406, Public transportation security assistance, codified at 6 U.S.C. § 1135. Subsection (b) provides that allowable uses of funds under this section are as follows: (1) Capital uses of funds, including— (A) tunnel protection systems; (B) perimeter protection systems, including access control, installation of improved lighting, fencing, and barricades; (C) redundant critical operations control systems; (D) chemical, biological, radiological, or explosive detection systems, including the acquisition of canines used for such detection; (E) surveillance equipment; (F) communications equipment, including mobile service equipment to provide access to wireless Enhanced 911 (E911) emergency services in an underground fixed guideway system; (G) emergency response equipment, including personal protective equipment; (H) fire suppression and decontamination equipment; (I) global positioning or tracking and recovery equipment, and other automated-vehicle-locator-type system equipment; (J) evacuation improvements; (K) purchase and placement of bomb-resistant trash cans throughout public transportation facilities, including subway exits, entrances, and tunnels; (L) capital costs associated with security awareness, security preparedness, and security response training, including training under section 1408 and exercises under section 1407; (M) security improvements for public transportation systems, including extensions thereto, in final design or under construction; (N) security improvements for stations and other public transportation infrastructure, including stations and other public transportation infrastructure owned by State or local governments; and (O) other capital security improvements determined appropriate by the Secretary. (2) Operating uses of funds, including— (A) security training, including training under section 1408 and training developed by institutions of higher education and by nonprofit employee labor organizations, for public transportation employees, including frontline employees; (B) live or simulated exercises under section 1407; (C) public awareness campaigns for enhanced public transportation security; (D) canine patrols for chemical, radiological, biological, or explosives detection; (E) development of security plans under section 1405; (F) overtime reimbursement including reimbursement of State, local, and tribal governments, for costs for enhanced security personnel during significant national and international public events; (G) operational costs, including reimbursement of State, local, and tribal governments for costs for personnel assigned to full-time or part-time security or counterterrorism duties related to public transportation, provided that this expense totals no more than 10 percent of the total grant funds received by a public transportation agency in any 1 year; and (H) other operational security costs determined appropriate by the Secretary, excluding routine, ongoing personnel costs, other than those set forth in this section.
207 Section 1408, Public transportation security training program, codified at 6 U.S.C. § 1137.
208 Section 1414, Security Background Checks of Covered Individuals for Public Transportation, Pub. L. No. 110-53, 121 Stat. 419, codified at 6 U.S.C. § 1143.
209 6 U.S.C. § 1143(e); 49 C.F.R. pt. 1570; Department of Homeland Security, Transportation Security Administration, Interim Final Rule, False Statements Regarding Security Background Check, Fed. Reg. 73, No. 148, 44665, July 31, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-17515.pdf.

2. Federal Agencies

The DHS, TSA, USDOT, and FTA have issued rulemakings and guidance related to CII and SSI that are applicable, either directly or by analogy, to treatment of security information in competitive bidding. This section discusses these federal activities on an agency-by-agency basis.

DHS/TSA.—DHS has issued several rulemakings related to CII and SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second related to the PCII Program. The third related to SSI procedures. Those aspects of the rulemakings most relevant to the arena of competitive bidding are summarized here. Nonregulatory activities that may prove helpful in developing policies for handling security information in the competitive bidding context are also addressed.

Transfer of aviation security authority:210 Under the rule, the then–Under Secretary (now TSA Administrator) has authority for determining what information is SSI and what persons are required to protect it, while the modal administrators are responsible for protecting the information. The rule expands the persons responsible for protecting SSI beyond the universe covered by 14 C.F.R. § 191.5 because the rule covers each person for which a vulnerability assessment has been “authorized, approved, or funded by DOT, irrespective of mode of transportation.”211

CII: DHS issued a notice of proposed rulemaking (NPRM) on establishing procedures to implement Section 214 of the HSA in April 2003. DHS issued an interim final rule (IFR) the following year. In the notice promulgating the IFR, DHS stated that in the case of information that qualified as both CII and SSI, federal employees must comply with the more stringent CII requirements. However, the department noted:

In practice, the situations in which information constitutes both SSI and Protected CII may be limited. For the most part, information that is SSI is created by TSA or is required to be submitted to TSA or to another part of the Federal government. Therefore, it ordinarily will not be voluntarily submitted, which is a required element for Protected CII designation. In addition, SSI might or might not relate to critical infrastructure assets.212

In addition, the notice made clear that while the regulation covers information that DHS did not exercise legal authority to obtain even if it was involuntarily submitted to other agencies, submission of such information to DHS does not affect the obligation of such other federal agencies to disclose the information submitted to them.213 DHS rejected comments requesting that the regulation provide for segregating submitted information so that only information absolutely necessary to protect critical infrastructure is withheld.214

The CII regulation was amended in 2006 when DHS issued a final rule amending the 2004 IFR. The final rule’s procedures apply to “all Federal, State, local, and tribal government agencies and contractors that have access to, handle, use, or store critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002.”215 DHS noted that it had added a definition of “in the public domain” to the final rule, drawing in part on the statutory language and adding “information regarding systems, facilities, or operational security, or that is proprietary, business sensitive, or which might be used to identify a submitting person or entity.”216 DHS rejected comments that called for excluding from the definition of “voluntary” information submitted to other federal agencies pursuant to their legal authority.217 Thus information that otherwise meets the definition of CII, is required to be submitted to another agency, and is voluntarily submitted to DHS must still be treated as CII by DHS and any entity to which DHS discloses the information. However, it appears that if information is submitted to another agency, that agency need not treat the information as confidential, even if the information is identical to information submitted to DHS as CII.218

DHS again rejected comments requiring what it terms “portion marking” (segregating CII and non-CII) and extended CII protection to “any information, statements or other material reasonably necessary to explain the CII, put the CII in context, or describe the importance or use of the CII.”219 DHS highlighted criminal and administrative penalties for unauthorized release of information.220 In addition, DHS eliminated two criteria for allowing a loss of protected status: The fact that the information “is publicly available through legal

210 Department of Transportation, Federal Aviation Administration, Transportation Security Administration, Civil Aviation Security Rules, Fed. Reg. 67, No. 36, 8340, Feb. 22, 2002, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2002_register&docid=02-4081-filed.pdf.
211 Id. at 8342.
212 Department of Homeland Security, Office of the Secretary, Interim Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 69, No. 34, 8074, 8076, Feb. 20, 2004, http://edocket.access.gpo.gov/2004/pdf/04-3641.pdf.
213 Id.
214 Id. at 8078–79.
215 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf. See STEVENS & TATELMAN, supra note 34, at CRS-18–19.
216 Id. at 52262–63.
217 Id.
218 Nicholas Bagley, Benchmarking, Critical Infrastructure Security, and the Regulatory War on Terror, 43 HARV. J. ON LEGISLATION 47, 68 (2006), at 57 (citing 6 C.F.R. § 29.3(a) (2005)).
219 Department of Homeland Security, Office of the Secretary, Final Rule, 6 C.F.R. pt. 29, Procedures for Handling Critical Infrastructure Information, Fed. Reg. 71, No. 170, 52262, 52264, Sept. 1, 2006, http://edocket.access.gpo.gov/2006/pdf/06-7378.pdf.
220 Id. at 52267.

means” was deleted because this was not a basis under the CIIA. The fact that DHS requires the information was rejected as a basis for allowing a loss of protected status because DHS interprets the definition of voluntary to be retrospective only.221 Finally, DHS clarified that contractors of state and local governments can receive CII under the same conditions as federal contractors, i.e., engaged in the performance of services in support of the purposes of the CIIA, with strict limitations on further disclosure of the information.222

SSI Interim Final Rule:223 In 2004 DHS issued an IFR on SSI, which promulgated identical regulatory standards for USDOT and TSA under 49 C.F.R. Parts 15 and 1520.224 The rule was intended to extend the protection of aviation SSI to maritime SSI generated pursuant to the Maritime Transportation Security Act of 2002.225 The Federal Register notice described the rules as requiring employees, contractors, grantees, and agents of both departments to follow the rules’ SSI requirements.226 The notice stated that the rule largely incorporated the substance of the existing regulation, but streamlined and consolidated some provisions and expanded others. For example, the IFR expanded the definition of vulnerability assessment.227 Under this expanded definition, if a covered person creates a vulnerability assessment at his or her own initiative, but intends to provide the vulnerability assessment to USDOT or DHS in support of a federal security program, the vulnerability assessment is SSI.228 The interim rule also:

• Introduced the concept of “covered person.”229
• Designated contract proposals and attendant negotiations for grants and contracts to the extent that the subject matter relates to specific aviation or maritime transportation security measures.230
• Clarified that the agency may determine that information is not SSI, even though it might appear to be covered by one of the regulatory categories.
• Is applicable in particular when due to changes in circumstances information is no longer sensitive.231
• Added marking requirements for SSI.232
• Clarified that if information is both CII and SSI, any covered person who is a federal employee must comply with the more restrictive CII requirements.233
• Added provisions describing when federal employees and contractors have need to know SSI.234
• Added a provision permitting TSA/Coast Guard to require security background check and imposition of safeguard requirements/procedures before providing SSI.235
• Added provisions allowing the department to authorize conditional disclosure of specific records and making clear that such disclosures are not public releases of information for FOIA purposes.236
• Added a provision governing required destruction of SSI, which allows state and local government agencies to preserve information required to be preserved under state or local law.237

Although the IFR established a broad category of covered persons, TSA noted that persons who fell within the coverage but did not have possession of SSI would not have to meet the disclosure restrictions of 49 C.F.R. § 1520.9.238 The notice made clear that records that contain SSI and non-SSI may be segregated, with the non-SSI disclosed, provided that the non-SSI is not

221 Id. at 52265.
222 Id. at 52268–69.
223 See MITCHEL A. SOLLENBERGER, SENSITIVE SECURITY INFORMATION (SSI) AND TRANSPORTATION SECURITY: BACKGROUND AND CONTROVERSIES, CRS Report to Congress (2004), www.fas.org/sgp/crs/RS21727.pdf.
224 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
225 Pub. L. No. 107-295, 116 Stat. 2064, Nov. 25, 2002. See also Department of Homeland Security, Coast Guard, Final Rule, Vessel Security, Fed. Reg. 68, No. 204, 60483, Oct. 22, 2003; Department of Homeland Security, Coast Guard, Final Rule, Facility Security, Fed. Reg. 68, No. 204, 60515, Oct. 22, 2003.
226 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
227 Id. at 28070, 28079, 28082. Before the interim final rule, vulnerability assessment was defined as “any examination of a transportation system, vehicle, or facility to determine its vulnerability to unlawful interference.” As revised under the final rule, the definition became: any review, audit, or other examination of the security of a transportation infrastructure asset; airport; maritime facility, port area, vessel, aircraft, train, commercial motor vehicle, or pipeline, or a transportation-related automated system or network, to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment may include proposed, recommended, or directed actions or countermeasures to address security concerns. 49 C.F.R. §§ 15.3, 1520.3.
228 Department of Transportation, Office of the Secretary, Department of Homeland Security, Transportation Security Administration, Interim Final Rule, Protection of Sensitive Security Information, Fed. Reg. 69, No. 96, 28066, 28071, May 18, 2004, http://edocket.access.gpo.gov/2004/pdf/04-11142.pdf.
229 Id.
230 Id. at 28072.
231 Id.
232 Id. at 28074.
233 Id.
234 Id.
235 Id.
236 Id. at 28075.
237 Id.
238 Id. at 28074.

otherwise properly exempt from disclosure.239 This assertion is somewhat undercut by the statement “if it is impractical to redact the requested information from the record, the entire record is withheld.”240 The IFR did not address the issue of establishing that specific material constitutes SSI, as the rule deems categories of information to be SSI.

A number of parties filed comments in response to the request for comments to the IFR. Although TSA did not respond to the comments, some of the comments illuminate issues of interest in handling SSI in competitive bidding situations.

Some commenters urged expanded coverage. For example, the Port Authority of New York and New Jersey241 asked that the definition of covered person be expanded to facilitate information sharing with other governmental entities and that modes such as rail and bus transportation be explicitly covered as well. The Massachusetts Port Authority (Massport)242 specifically requested that the regulations provide authority similar to that in Section 15.11(b)(2) for public agencies to share SSI with bidders and contractors, rather than requiring the agencies to rely on subparagraphs 15.11(a)(1) and (a)(4). Massport also recommended expanding specifications under Section 15.5(b)(4).

The Coalition of Journalists for Open Government (CJOG)243 commented that the rule would result in too much information being designated SSI. CJOG specifically raised the concern that local and state officials may be required to deny access to records that would otherwise be available under state and local open records requirements. Other CJOG points relevant to procurement include the following recommendations:

• The regulation require that limited numbers of trained individuals be assigned to designate SSI.
• The regulation provide criteria for SSI designation.
• Lists of infrastructure assets submitted by state and local government agencies not be automatically deemed SSI without some evaluation of whether the assets have some relation to security.
• Records that deal with contracts, public funding, and operational issues that implicate accountability issues be subject to special review.
• The regulation adopt the Department of Justice’s (DOJ) standard of withholding nonexempt information along with exempt information only if the two are “inextricably intertwined.”

CJOG cautioned that allowing the government to designate “other information” as SSI was an invitation to abuse, particularly given the potentially large number of people allowed to designate SSI. The comment also expressed concern that the requirements for marking SSI did not call for segregating non-SSI, thereby effectively sealing off entire documents regardless of security implications.

The Silha Center for the Study of Media Ethics and Law also commented on the dangers of over-designating information as SSI. Specifically the center argued that the IFR should be modified to more narrowly define SSI, reduce the scope of “covered persons” to those actually having access to SSI, and to require the review of SSI after a set time, potentially declassifying rather than destroying it. Moreover, the center took the position that to prevent over-withholding of information, information should be reviewed to determine whether its disclosure presents an actual danger to transportation security, rather than automatically conferring SSI designation on classes of information. In addition, the center argued against labeling an entire record SSI when only a portion of the record actually contains SSI. In particular, the center argued against allowing the IFR to trump state disclosure laws by requiring the withholding of information the release of which has not been shown to cause substantial harm to transportation safety.244

In 2005 DHS issued a correction to the IFR, eliminating “aviation or maritime” from 49 C.F.R. § 15.11 and 49 C.F.R. § 1520.11 to make clear that regardless of mode, vulnerability assessments and other documents properly designated as SSI may be shared with covered persons who meet the need to know requirements.245

Rail Security Rule:246 In December 2006, TSA issued an NPRM for Rail Transportation Security.247 Much of the notice related to security inspections, but the notice also proposed clarifications to SSI requirements. TSA noted that the proposed rule was consistent with the Memorandum of Understanding executed between DHS and USDOT248 to ensure collaboration as required under Homeland Security Presidential Directive 7.249 The notice made clear TSA’s position that although 49 C.F.R. Part 1520 primarily relates to aviation and maritime security information, vulnerability assessments and threat assessments for all modes of transportation are considered SSI.250 TSA proposed to extend the definition of covered persons to include rail transit systems, explicitly requiring them to restrict “distribution, disclosure, and availability of SSI to persons with a need to know, and refer all requests for SSI by other persons to TSA or the applicable component or agency within DOT or DHS.”251 In addition, TSA proposed to clarify that “any review, audit, or other examination of the security” of a rail transit system or facility “that is directed, created, held, funded, or approved by DOT or DHS, or that will be provided to DOT or DHS in support of a Federal security program, is SSI.” TSA also proposed to extend coverage to specific details of rail transportation security measures, security training materials for those carrying out rail transportation security measures required or recommended by DHS or USDOT, and lists identifying critical rail infrastructure assets. TSA also sought comment on whether it should protect as SSI “any other information that may be created under this rule.”252 TSA noted that the training materials contain descriptions of security measures that could be used by terrorists to defeat security procedures. In addition, while TSA proposed to expand the lists of critical infrastructure assets to include rail transportation, the information would only be covered if it is prepared by DHS or USDOT or prepared by a state or local government agency and submitted to DHS or USDOT.253

While most of the transit comments related to concerns about unannounced inspections and other operational requirements, a number of the comments related to SSI. The Oregon DOT commented that the expansion of the “need to know” requirement raises issues concerning the need for states to access information now required under partnership programs with the Federal Railroad Administration and FTA.254 Chicago also suggested that the rule should specify that state and local governments have access to SSI.255 New Jersey asked that rail security information be accorded “enhanced” protection status.256 The City of Cleveland suggested that the rule require employees of covered entities to undergo background investigations, using a federally-established list of disqualifying crimes in hiring.257 The Texas258 and Florida259 DOTs also raised concerns that the proposed requirements for SSI would inhibit exchange of information with state oversight agencies.

On the other hand, CJOG raised concerns that the rule would result in a vast range of information about rail and transit management and operations being shielded from public view, eliminating public oversight. In particular, CJOG questioned the fact that the proposed rule would allow the operators to determine what information is included in vulnerability assessments and automatically treated as SSI, potentially resulting in the withholding of information traditionally disclosed at the state and local level. CJOG suggested that TSA narrow the definition of SSI and review filings and identify information that does not warrant protection. Finally, CJOG advocated for sunsetting the SSI designation, subject to potentially extending the protection for specific information for which, based on subsequent review, further withholding was deemed necessary.260

In November of 2008, TSA issued the final rule.261 TSA made two changes to the NPRM provisions on SSI.262 First, TSA added rail to the categories of research and development information protected under 49 C.F.R. § 1520.5(b)(15). Second, TSA added state, local,

239 Id. at 28075.
240 Id. at 28074.
241 TSA-2003-15569-0011. Accessible from www.regulations.gov/search/Regs/home.html#docketDetail?R=TSA-2003-15569.
242 Id. at 15569-0020.
243 Id. at 15569-0010.
244 Comments of the Silha Center for the Study of Media Ethics and Law on Interim Final Rule, Protection of Sensitive Security Information, July 16, 2004, TSA-2003-15569-0013, www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480313ddb (accessed Sept. 10, 2009).
245 Protection of Sensitive Security Information; Technical Amendment, 70 Fed. Reg. 1379 (Jan. 7, 2005), http://edocket.access.gpo.gov/2005/pdf/05-366.pdf.
246 49 C.F.R. pts. 1520 and 1580.
247 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
248 Memorandum of Understanding Between the Department of Homeland Security and the Department of Transportation on Roles and Responsibilities, Sept. 2004. Accessed Sept. 13, 2009, at www.dot.gov/ost/ogc/DHS-DOT.PDF.
249 Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD–7), Dec. 17, 2003, www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1. HSPD–7 required the Secretary of DHS to coordinate protection activities for specified critical infrastructure sectors, including mass transit.
250 Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, 76862, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
251 Id.
252 Id.
253 Id. at 76867.
254 Oregon Department of Transportation, Kelly Taylor, Rail Division Administrator, Feb. 20, 2007, at 3, TSA-2006-26514-0095, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa82c.
255 Chicago Department of Transportation, Cheri Heramb, Acting Commissioner, Jan. 15, 2007, TSA-2006-26514-0038, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7e6.
256 New Jersey Office of Homeland Security & Preparedness, Richard L. Canas, Director, Feb. 20, 2007, at 2, TSA-2006-26514-0072, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa810.
257 Shirley A. Tomasello, Assistant Law Director, Department of Law, City of Cleveland, Feb. 16, 2007, at 7, TSA-2006-26514-0067, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa80a.
258 Texas Department of Transportation, Michael W. Behrens, P.E., Executive Director, Feb. 20, 2007, TSA-2006-26514-0078, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa815.
259 Florida Department of Transportation, Mike Johnson, Administrator, Transit Operations, Feb. 1, 2007, TSA-2006-26514-0012, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7c5.
260 Coalition of Journalists for Open Government, Pete Weitzel, Feb. 20, 2007, TSA-2006-26514-0053, www.regulations.gov/search/Regs/home.html#documentDetail?R=09000064802aa7fb.
261 Department of Homeland Security, Transportation Security Administration, Final Rule, Rail Transportation Security, Fed. Reg. 73, No. 229, 72130, Nov. 26, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-27287.pdf.
262 Id. at 72134.

and tribal government employees, contractors, and grantees to the list under 49 C.F.R. § 1520.11(b) of persons with a potential need to know SSI. In its response to comments, TSA reiterated: “TSA does not intend to protect information as SSI that would not be detrimental to transportation security if publicly disclosed.”263

Directives: TSA has issued a number of directives that provide guidance on managing SSI. These directives are not publicly available,264 and so are not summarized here. Transit agencies should be able to obtain them directly from TSA.

Guidance: DHS has issued guidance for public transportation agencies on conducting background checks.265 DHS suggests that transit agencies may use criminal background checks for employees and contract workers with unmonitored access to designated critical infrastructure. DHS suggests that in structuring those requirements, the agencies look to the federal security requirements for hazardous material drivers and port transportation workers.266 DHS also suggests that transit agencies consider using the Social Security Number Verification System and the Systematic Alien Verification for Entitlements database to determine a noncitizen’s immigration status, as well as periodically reinvestigating employees and contractors, “particularly those with access to sensitive information or security critical facilities.”267

Nonregulatory activity: DHS/TSA nonregulatory activity may provide models for transit authorities in controlling access to security information. Two activities may be of particular interest. First, DHS requires its employees and contractors to sign nondisclosure agreements (NDAs), prohibiting them from disclosing a wide range of sensitive but unclassified information to the public.268 The scope of those NDAs was challenged.269 Second, TSA has implemented a process for conducting SSI Access Threat Assessments.270 These threat assessments are conducted on any persons seeking access to SSI for use in a civil proceeding under Section 525(d) of the Department of Homeland Security Appropriations Act of 2007, supra. The assessments include a fingerprint-based Criminal History Records Check and a name-based check against terrorism and other databases to determine “whether the individual poses or is suspected of posing a threat to transportation or national security.”271 TSA provides a Privacy Act notice to each party seeking access to SSI for civil court proceedings to obtain informed consent before TSA conducts the threat assessment. TSA notifies covered individuals if the agency determines, based on the threat assessment, that the individuals are not eligible to access particular SSI. The individuals may then appeal the decision, including making requests to correct errors in the individuals’ records.

USDOT—USDOT has issued several rulemakings related to SSI. The first was the final rule that transferred aviation security authority from FAA to TSA. The second was the series of rulemakings related to SSI procedures.

Transfer of aviation security authority: See discussion under DHS/TSA, supra.

Protection of SSI regulation: The USDOT regulation, issued jointly with the TSA regulation, was virtually identical to the TSA regulation. See discussion under DHS/TSA, supra.

FTA—Regulations, circulations, and guidance issued by FTA cover documentation related to various transit security plans and designs. Such documentation clearly raises FOIA/SSI issues; to the extent that contractors are involved in either preparing or executing the plans and designs, procurement security is also implicated. This section discusses guidance related, directly or indirectly, to SSI and other security documentation; security-related circulars and regulations for major capital investments and fixed rail; grant requirements and recommendations related to security procurements; and third party contracting security requirements.

General Document Control Guidance: Following the events of 9/11, FTA issued general guidance concerning document control measures that transit agencies should undertake for security critical systems and facilities. These measures included maintaining an appropriate level of security around plans and designs of operating and maintenance facilities and infrastructure (e.g., tunnels, bridges, electrical substations), and maintaining an appropriate level of security around documentation for security detection systems.272

Designation, Marking, and Control of SSI:273 FTA’s SSI guidance was issued with the express purpose of helping transit agencies to prevent “the unauthorized disclosure or dissemination of SSI while preserving the public’s ‘right to know’ about transit systems and operations.”274 Under this guidance document, FTA defines transit SSI as “any information or record whose disclosure may compromise the security of the traveling public, transit employees, or transit infrastructure,” including “data, documents, engineering drawings and specifications, and other records whose disclosure could increase the agency’s risk of harm.”275 The types of records that apply to transit agencies are identified:276

• Security programs and contingency plans issued, established, required, received, or approved by USDOT or DHS.
• Vulnerability assessments that are directed, created, held, funded, or approved by USDOT or DHS, or that will be provided to either agency in support of a federal security program.
• Threat information held by the federal government concerning transportation, transportation systems, and cyber infrastructure, including sources and methods used to gather or develop the information.

Both the TSA Administrator and the Secretary of USDOT may determine that additional information constitutes SSI.

In addition to appropriately handling the SSI listed above, the transit agency is advised to review the following records for SSI:277

• Security program plans and procedures that include vulnerability records or specific tactics for security operations.
• Security contingency plans and records.
• Records that reveal system or facility vulnerabilities (e.g., maps, detailed facility drawings, detailed action items from drills and exercises).

According to the guidance, if a portion of a document is SSI, the entire document must be controlled as SSI, and can only be released if the SSI is redacted.278 If the SSI is placed in an appendix that can be separated from the rest of the document, the remainder of the document can be more widely distributed once the appendix is redacted.279 This approach clearly applies to contract documents.

The guidance suggests a two-step process under which employees who may generate SSI are knowledgeable enough to recognize potential SSI and to refer it to the employee or committee designated to make SSI determinations for the agency. Making the determination that information could be SSI requires consideration of the agency’s threat environment, the public’s need to know the information, the availability of similar information from other sources, and the utility of the information to someone intent on causing harm.280 For example, procurement personnel should be sufficiently knowledgeable about SSI requirements to understand when to refer material to the SSI employee/committee and how to structure contract documents that relate to SSI. The FTA’s examples of SSI and non-SSI are included as Appendix F, infra.

Any information that is determined to be SSI must be marked to warn that the information is controlled and may only be distributed to persons with a need to know. The guidance provides the mandatory advisory marking, including the required language to use.281 Only a covered person with a need to know may access SSI. “Need to know” includes requiring the SSI to perform official duties pursuant to a contract or grant. “Covered person” includes the following four categories applicable to transit agencies:282

• Persons who have access to SSI.
• Persons employed by, contracted to, or acting for a covered person, including a grantee of DHS or USDOT, and persons formerly in such a position.
• Persons for whom a vulnerability assessment has been directed, created, held, funded, or approved by the USDOT or DHS, or who have prepared a vulnerability assessment that will be provided to either agency in support of a federal security program.
• Persons receiving SSI.

FTA advises that transit agencies establish rules for disseminating SSI to contractors and suggests controlling access by using prequalification, including nondisclosure forms; maintaining secure locations for review of SSI; and covering SSI handling in contracts, including “use, storage, reproduction, dissemination, and return, both on and off of transit property.”283

263 Id. at 72147.
264 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 27, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
265 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
266 Disqualifying crimes applicable to hazardous material drivers and transportation workers at ports: 49 C.F.R. § 1572.103; appeal and waiver process: 49 C.F.R. pt. 1515.
267 Additional Guidance on Background Checks, Redress and Immigration Status, www.tsa.dhs.gov/assets/pdf/guidance_employee_background_checks.pdf.
268 PATRICE MCDERMOTT, WHO NEEDS TO KNOW?: THE STATE OF PUBLIC ACCESS TO FEDERAL GOVERNMENT INFORMATION 135 (2007); Spencer S. Hsu, Homeland Security Employees Required to Sign Secrecy Pledge, WASH. POST, Nov. 16, 2004, at A23, www.washingtonpost.com/wp-dyn/articles/A52977-2004Nov15.html (accessed Mar. 4, 2009); Department of Homeland Security Non-Disclosure Agreement, www.tsa.gov/assets/pdf/NDA_v2.pdf. See App. F, infra.
269 Unions Challenge Department of Homeland Security Non-Disclosure Agreement, CANADIAN DIMENSION 39.1 (Jan.–Feb. 2005), at 8(2); Hsu, supra note 268.
270 Dep’t of Homeland Security, Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation, Dec. 28, 2006, www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_ssi.pdf (accessed Sept. 23, 2009).
271 Id. at 4.
272 TSA/FTA Security and Emergency Action Items for Transit Agencies, Document Control, Items 15 and 16, http://transit-safety.volpe.dot.gov/security/SecurityInitiatives/ActionItems/actionlist.asp#Document_Control; FED. TRANSIT ADMIN., U.S. DEP’T OF TRANSP., FY 2009 TRIENNIAL REVIEW WORKSHOPS WORKBOOK 19–13, www.fta.dot.gov/documents/FY2009_TriennialReview_Workbook.pdf; TRANSTECH MANAGEMENT, INC., supra note 1, at chs. 2, 3, and Appendices.
273 CHANDLER, SUTHERLAND, & ELDREDGE, supra note 164, at 3.
274 Id. at 1.
275 Id. at 3.
276 Id. at 5.
277 Id.
278 Id. at 8.
279 Id. at 5.
280 Id. at 7–8.
281 Id. at 10.
282 Id. at 11–12.
283 Id. at 13.

The following points concerning SSI control284 will apply to bid/contract SSI:

• SSI must be stored securely. If possible, the SSI should be stored by the owner or originator.
• When SSI is in use, the custodian, if required to suspend work temporarily, must secure the records.
• Reproduction must be kept to the minimum required for agency business, with copies protected as the originals.
• Transmission must protect against unauthorized disclosure.
• Return of SSI must be assured.
• Destruction must be by a method that precludes recognition or reconstruction.
• Employees and contractors likely to handle SSI should be trained on handling requirements.

FTA Circular 5800.1: Under 49 U.S.C. § 5327(a), applicants and recipients of major capital project funding must address safety and security management as part of their project management plan. FTA has implemented this statutory mandate by issuing guidance that calls on recipients to prepare a Safety and Security Management Plan (SSMP) as part of the project management plan required by 49 U.S.C. § 5327(a).285 Chapter II of FTA Circular 5800.1 includes the following provisions:

• Establishing a program that identifies and assesses security vulnerabilities throughout the project development process.
• Establishing a process for documenting and tracking actions taken to address the vulnerability assessment.
• Establishing security requirements for the project, based on applicable safety and security codes, guidelines, and standards established by government agencies and industry associations.
• Developing documentation to convey security rules and procedures for the project to employees, contractors, and oversight agencies. Documents may include security plans, as well as operating and maintenance procedures and manuals.
• Establishing qualifications and training programs for operating and maintenance personnel, which programs must address security elements.
• Identifying any security analyses contractors must perform for the construction site.

Section 2, Chapter IV, of the circular provides that the SSMP include procedures for managing SSI. Contracting out any of the activities provided for under Chapter II or the development of procedures required under Chapter IV could have ramifications for procurement security.

Chapter II of Circular 5800.1 expressly addresses protection of SSI. Recipients with major capital projects covered by 49 C.F.R. Part 633 are directed to document or reference their procedures for managing SSI in the SSMP, which procedures are expected to extend to their project contractors. In addition, any SSI submitted to FTA and project management oversight contractors during the project management oversight process will be exempt from disclosure under FOIA.286 Finally the circular directs the recipient to have SSI handling procedures.287

Although SSMPs are required by law only for major capital investment projects, FTA encourages all transit systems to develop transit system security program plans. Such plans are also considered SSI. FTA’s Triennial Review contractors may only examine them on site at the time of the Triennial Review.288

State Safety Oversight of Rail Fixed Guideway Systems:289 The regulation requires transit agencies to develop system security plans for rail fixed guideway systems and state oversight agencies to review those plans. The plans must contain five elements,290 which may include SSI:

• Identification of policies, goals, and objectives for the security program.
• Documentation of the rail transit agency’s threat and vulnerability process.
• Identification of controls in place that address the personal security of passengers and employees.
• Documentation of the agency’s process for conducting internal security reviews to evaluate compliance and measure effectiveness of the system security plan.
• Documentation of the agency’s process for making its system security plan and accompanying procedures available to the oversight agency for review and approval.

284 Id. at 15–17.
285 Safety and Security Management for Major Capital Projects: Notice of Final Circular, 72 Fed. Reg. 34339 (June 21, 2007), http://edocket.access.gpo.gov/2007/pdf/E7-11970.pdf; FTA Circular 5800.1, Safety and Security Management Guidance for Major Capital Projects (Aug. 1, 2007), www.transportation.org/sites/scopt/docs/FTA%20C%205800%201%20-%20FINAL%20Safety%20and%20Security%20Management%20Plan-1.pdf. See also Frequently Asked Questions, http://transit-safety.volpe.dot.gov/publications/security/Safety%20%20Security%20frequent%20questions.pdf.
286 FTA Circular 5800.1, II.4, at II-5.
287 FTA Circular 5800.1, IV.2.b., at IV-2. See also FED. TRANSIT ADMIN., supra note 272, at 19-7, noting requirement to review security and emergency management plans.
288 FED. TRANSIT ADMIN., supra note 272, at 19-7.
289 49 U.S.C. § 5330; 49 C.F.R. pt. 659, Rail fixed guideway systems; State safety oversight, www.access.gpo.gov/nara/cfr/waisidx_08/49cfr659_08.html; 49 C.F.R. Part 659 Reference Guide, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.asp.
290 49 C.F.R § 659.23, System security plan: contents.

The requirements governing state oversight of the security of rail fixed guideway systems through designated oversight agencies do raise confidentiality issues concerning the state agency’s handling of security plans, for example if such plans are considered public records under state public records law. The regulation does not require public availability of the system security plan;291 does require the oversight agency to explain how it will protect the system security plan from public disclosure;292 and authorizes the oversight agency to prohibit a transit agency from publicly disclosing the system security plan.293 FTA recommends that the oversight agency only take possession of a system security plan if the agency can maintain the plan’s confidentiality under state sunshine laws.294 As FTA notes in its Part 659 guidance, the review of system security plans must comply with 49 C.F.R. Part 1520.295 According to FTA guidance, the process required under Section 659.23(e) must be documented “according to procedures established to prevent public disclosure of these materials.”296 These oversight requirements also raise procurement concerns if a state contracts out its oversight responsibilities or if a transit agency contracts out the development297 or review298 of its systems security plan.

Procurement of Security-Related Goods and Services: There are a number of grant requirements and FTA recommendations that result in transit agencies procuring security-related goods and services and having to manage information related to those procurements. For example, recipients of Urbanized Area Formula Grants must certify annually that they are spending 1 percent of Urbanized Area Formula Grant Program funds on security projects or that those projects are not necessary.299 Eligible projects under 49 U.S.C. § 5307 include increased lighting, increased camera surveillance, providing emergency telephone lines, and “any other project intended to increase the security and safety of an existing or planned public transportation system.”300 FTA guidance provides the following more specific examples of appropriate security expenditures: “facility perimeter security and access control systems (e.g., fencing, lighting, gates, card reader systems, etc.), closed circuit television camera systems (at stations, platforms, bus stops and on-board vehicles), security and emergency management planning, training and drills.”301 Agencies may also expend funds to purchase explosive detection equipment. For example, the New York Police Department, which conducts random passenger searches on the New York City subway system, has purchased hand-held devices that can be used “to detect and identify explosives, chemical warfare agents, and toxic industrial chemicals.”302

Third Party Contracting Security Requirements: Grant recipients are generally responsible for extending federal requirements to third party contractors.303 While this alone might be sufficient to require grant recipients to require SSI protection from their contractors, SSI requirements are specifically referenced in FTA’s third party contracting circular: third party contractors must protect SSI to ensure compliance with the DHS/USDOT statutes and implementing regulations discussed earlier. This requirement includes taking measures to ensure that subcontractors at each tier protect SSI in accordance with applicable law and regulation.304

Both the common grant rule and FTA’s authorizing legislation305 require third party procurement procedures that require full and open competition. This requirement covers prequalification,306 a method that may

291 49 U.S.C. § 659.11, Confidentiality of investigation reports and security plans.
292 49 C.F.R. § 659.15(b)(9).
293 49 C.F.R. § 659.21(b).
294 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 13, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
295 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 26–27, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009). Compliance with 49 C.F.R. pts. 15 and 1520, to the extent applicable, are grants requirements. FTA Master Agreement MA(16), 10-1-2009, at 59, Section 37: Protection of Sensitive Security Information, www.fta.dot.gov/documents/16-Master.pdf.
296 49 C.F.R. Part 659 Reference Guide, June 22, 2005, at 28, http://transit-safety.volpe.dot.gov/publications/sso/49CFRPart659_FinalRule/49CFR659_Reference_Guide.pdf (accessed Sept. 15, 2009).
297 49 C.F.R. §§ 659.21 System security plan: general requirements, 659.23 System security plan: contents.
298 49 C.F.R. § 659.25(b)(9).
299 FTA Master Agreement MA(16), Oct. 1, 2009, at 61, § 39: Special Provisions for the Urbanized Area Formula Program, e. Public Transportation Security, http://www.fta.dot.gov/documents/16-Master.pdf.
300 49 U.S.C. § 5307(d)(1)(J).
301 FED. TRANSIT ADMIN., supra note 272, at 19-4.
302 New York City Police Deploy Trace Detectors From Smiths Detection, THE POLICE CHIEF, vol. 73, no. 9, Sept. 2006, http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1005&issue_id=92006 (Sept. 23, 2009).
303 FTA Master Agreement MA(16), Oct. 1, 2009, at 15, § 2: Project Implementation, e. Recipient’s Responsibility to Extend Federal Requirements to Other Entities, http://www.fta.dot.gov/documents/16-Master.pdf.
304 FTA Circular 4220.1F, ch. IV, The Recipient’s Property and Services Needs and Federal Requirements Affecting Those Needs § 2.a(7), at IV-7; Third Party Contracting Guidance: Notice of Final Circular, 73 Fed. Reg. 56896, 56906 (Sept. 30, 2008), http://edocket.access.gpo.gov/2008/pdf/E8-22914.pdf.
305 49 U.S.C. § 5325(a).
306 FTA Circular 4220.1F, ch. VI, Procedural Guidance for Open Market Procurements, § 1.(c), at VI-2. For a discussion of prequalification procedures in general, see Daniel D. McMillan


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest 32: Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements highlights the legal requirements that are relevant to the transit procurement process of balancing the competing needs of open government and public security. The report explores federal and state requirements concerning record retention and disclosure, as well as practices transit agencies have adopted to meet their responsibilities in balancing these competing public policy interests.
