Suggested Citation:"I. INTRODUCTION." National Academies of Sciences, Engineering, and Medicine. 2010. Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements. Washington, DC: The National Academies Press. doi: 10.17226/14404.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

RECONCILING SECURITY, DISCLOSURE, AND RECORD-RETENTION REQUIREMENTS IN TRANSIT PROCUREMENTS

By Jocelyn K. Waite, Esq.
Waite & Associates, Reno, Nevada

I. INTRODUCTION

A. Statement of the Problem

Public transportation has been the target of planned and actual terrorist attacks. Part of public transit agencies’ security efforts must include taking steps to ensure that information that would facilitate such attacks does not become readily available. At the same time, there is also a clear, well-established public interest in ensuring that publicly-funded projects are transparent and that information to provide oversight is publicly available. This tension plays out in the area of procurement and contract management. Material in bid solicitations, responses, and contracts that contains potentially harmful information not otherwise available must be kept secure, while safeguarding the public interest in open government. Accordingly, public transit agencies must balance the competing legal and public policy interests manifested by requirements for full disclosure of the public’s business on the one hand and security concerns on the other.

1. Purpose

In managing competitive security procurements—and in some circumstances nonsecurity procurements with security-related elements—agency personnel responsible for developing and managing procurements must be cognizant of disclosure requirements under federal and state public records laws, as well as the obligation to keep certain information with security implications confidential. These competing needs may influence the structure of procurements. Confidentiality requirements come into play not only in the context of responding to requests for information, but in maintaining adequate records management systems.

The purpose of this digest is to provide government and private attorneys who specialize in procurement and contract management, as well as other attorneys and management personnel, an overview of the legal requirements that are relevant to the process of balancing the competing needs of open government and public security. In particular the digest is intended to provide these practitioners information about federal and state requirements concerning record retention and disclosure, as well as practices transit agencies have adopted to meet their responsibilities in balancing these competing public policy interests. Particularly in terms of state requirements, the digest is intended to provide enough information to allow transit agencies to more easily research the requirements in their specific jurisdictions. The digest is also intended to provide transit agencies a basis for assessing issues they may wish to consider as they develop policies for managing security information throughout the procurement process. Information in the digest is current as of October 2009.

2. Focus

The balance of the Introduction presents the historical background of threats to public transportation and of public records requirements, including in both cases the context of actual attacks, such as the events of September 11, 2001 (9/11). The potential relationship between competitive procurement documents and disclosure requirements is also raised. The main body of the digest examines federal and state records management requirements to the extent that—in the context of competitive bidding—legislation and regulations require transit agencies to keep information from public disclosure, allow transit agencies to keep information from public disclosure, and require transit agencies to disclose information.

The digest includes citations to all state freedom of information laws (Appendix B), security exemptions (Appendix C), and state records management laws (Appendix D). As is the case throughout the digest, links to citations are provided for convenience; transit agencies should verify statutory language from official sources.

The digest also discusses several examples of how public transit agencies in fact manage security information in the procurement process in light of the agencies’ obligations regarding disclosure of public records. Due to the sensitivity of this information, not all agencies have been identified. After reviewing federal and state legal requirements, the report presents issues to consider in reviewing agency practices concerning the management of security information during the competitive procurement process.

3. Scope

The digest does not focus on requirements concerning information sharing between government agencies, except to the extent that such requirements are relevant to the public disclosure issue. However, the discussion of federal and state security exemptions should be useful for transit agencies interested in understanding the scope of their ability to share security information without incurring an obligation to disclose that information to the general public. A detailed discussion of required security measures is beyond the scope of the digest.[1] The digest does not provide a state-by-state analysis on all relevant points; rather, it highlights the issues that transit agencies should consider in devising their policies for handling security information in the procurement and records management processes. Examples of state requirements are provided so that transit agencies can “learn from the experiences and practices of others to find a balance between security requirements and the need for open government.”[2]

B. Background of Threats to Public Transit Systems

The background of threats to public transit systems, both in the United States and abroad, provides some context for the need to protect transit security information. This section discusses the general vulnerability of public transit systems to attack, including examples of recent threats, and government response to threats of attack.

A note on terminology: as discussed below, federal legislation defines a class of information as sensitive security information (SSI). (See List of Acronyms.) This is a term of art and is only used in the report to describe information that meets the federal definition. However, it is possible for information not to meet the federal definition of SSI and still be worthy of protection from disclosure because of the transportation security ramifications of disclosing it.[3] Transit agencies routinely protect such information, but the author is not aware of a standard term.
Therefore, throughout the report such sensitive but non-SSI information is referred to as “restricted security information.” The term “security information” refers to information the disclosure of which is likely to threaten transportation security, and may be used where the distinction between SSI and restricted security information is not legally significant.

[1] Numerous reports discuss recommended security measures, e.g., YUKO NAKANISHI, TRANSIT SECURITY UPDATE, A SYNTHESIS OF TRANSIT PRACTICE (Transportation Research Board, Transit Cooperative Research Program Synthesis 80, 2009), http://onlinepubs.trb.org/onlinepubs/tcrp/tcrp_syn_80.pdf; JOHN N. BALOG, ANNABELLE BOYD, & JAMES E. CATON, THE PUBLIC TRANSPORTATION SYSTEM SECURITY AND EMERGENCY PREPAREDNESS PLANNING GUIDE 2003, http://transit-safety.volpe.dot.gov/publications/security/PlanningGuide.pdf. See also TRANSTECH MANAGEMENT, INC., GUIDANCE FOR TRANSPORTATION AGENCIES ON MANAGING SENSITIVE INFORMATION (National Cooperative Highway Research Program Report 525: Surface Transportation Security, Vol. 5, Transportation Research Board, 2005), http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_525v5.pdf.
[2] Right to Know vs. Need to Know: States Are Re-examining Their Public-Records Laws in the Wake of Sept. 11, Homeland Security Brief, The Council of State Governments, 2003, www.csg.org/pubs/Documents/Brief1003RightToKnow.pdf (accessed Sept. 20, 2009).
[3] See TRANSTECH MANAGEMENT, INC., supra note 1, at 2. See II.B, infra, Protected Critical Infrastructure Information (PCII)/Sensitive Security Information (SSI).

1. Vulnerability of Public Transit Systems to Attack/Recent Threats to Public Transit Systems

The openness of transit systems, as opposed to air transport, makes them particularly vulnerable to attack and difficult to secure. For example, transit vehicles that operate above ground, often equipped with large windows and doors, are vulnerable to close-range attack.
In addition, transit systems must maintain accessibility, which eliminates some options for hardening access.[4] Rail transit systems in particular present high consequence targets because of the potential loss of life and economic disruption. The Transportation Security Administration (TSA) has identified factors that make rail transit a high-consequence target: large numbers of passengers, confined environment, stations located near or below major government buildings, significant office complexes, and iconic structures.[5]

Worldwide, 182 public transit systems have been subjects of terrorist attacks.[6] Among the most notable of these were a subway bombing in Moscow (February 2004) that killed at least 39 people and injured more than 30 others;[7] bombing of trains in Madrid by Basque separatists in March 2004; a suicide bombing outside a Moscow subway reportedly carried out by an Al Qaeda–affiliated group;[8] and attacks on the London transit system on July 7, 2005, killing about 50 people and injuring more than 700.[9] The London attacks came about a decade after a Japanese cult had dispersed sarin gas on the Tokyo subway, killing more than 10 people and injuring thousands.[10]

In addition to actual attacks on public transportation elsewhere in the world, there have been various reports of possible attacks on transit systems in the United States. These include possible terrorist plots against the New York City subway system in the fall of 2007[11] and in late 2008.[12]

2. Government Responses to Terror Threats

As might be expected, one government response to terror threats—whether based on a specific threat to an individual system or in response to threats or actual attacks elsewhere—is to increase security. For example, in the wake of the Madrid bombings, TSA issued two security directives in May 2004 to rail transit operators.[13] A portion of these directives became the basis for the Rail Transportation Security Rule issued in 2008.[14] U.S. systems nationwide increased security after the London bombings in 2005.[15]

Transit agencies can increase security by augmenting security personnel, installing video surveillance equipment, and conducting random searches.[16] In addition, they can conduct vulnerability assessments. The Federal Transit Administration (FTA), which does not have the authority to regulate transit agency security operations, has initiated various nonregulatory activities,[17] including measures aimed at increasing security activities.

In addition, FTA’s recommendations[18] include a number of actions that relate to protecting security information—either directly or because they require creating security information that must then be protected. These include: Action Item 9, establishing a risk management process to assess and manage threats, vulnerabilities, and consequences; Action Item 14, conducting background checks of employees and contractors;[19] Action Item 15, controlling access to documents of security critical systems; and Action Item 16, developing a process for handling and access to SSI.

As discussed in the following section, both the federal and state governments also reacted to terror threats by enacting limitations on disclosure of otherwise public information, based on security concerns.

C. Background of Public Records Requirements

Historically, public records requirements have been viewed as facilitating public oversight of government activity. The rationale for “sunshine” laws is that democracy requires oversight of government activity, which in turn requires that the general public have access to information about government activity.[20] Justice Black drew the connection between democracy and informed public opinion in a case predating enactment of the Federal Freedom of Information Act (FOIA).[21] When he signed the FOIA in 1966, President Johnson called out that principle: “Democracy works best when the people have all the information that the security of the Nation permits.”[22]

The same principle is at work at the state level.[23] The principle is recognized in state statutes and by state courts.[24] The Alaska Supreme Court declared:

The cornerstone of a democracy is the ability of its people to question, investigate and monitor the government. Free access to public records is a central building block of our constitutional framework enabling citizen participation in monitoring the machinations of the republic. Conversely, the hallmark of totalitarianism is secrecy and the foundation of tyranny is ignorance.[25]

Yet as important as the public’s right to know is, it must be balanced against other interests, such as personal privacy, the need for commercial confidentiality, and—increasingly—security. Balancing security and disclosure considerations requires answering a fundamental question:[26] when does the public’s right to know outweigh the potential danger of releasing the information in question? Or vice versa, as the phrasing of the question may indicate the presumption of the questioner: disclosure or nondisclosure.

1. Disclosing Public Records

The presumption under FOIA[27] and most state public records acts, embodying the principles described above, is one of disclosure. The obligation to disclose information under public records law exists so long as the public agencies retain covered public records. Thus the obligation is affected by federal and state laws requiring that public agencies retain public records for specified periods of time. For example, the U.S. Department of Transportation (USDOT) imposes retention and access requirements for records related to awards to recipients.[28] State record retention requirements may be included as part of a comprehensive public records statute[29] or may exist as part of other statutory schemes.

In addition to being protected by state statute, in some states the right to inspect public records is protected by the state constitution. The California state constitution, for example, creates a constitutional right of access to public agency records and calls for strict construction of statutes limiting such access.[30] Other states with constitutional protection of right of access include Florida,[31] Montana,[32] and North Dakota.[33]

[4] MATTHEW RABKIN, ROBERT BRODESKY, FRANK FORD, MARSHA HAINES, JORDAN KARP, KRISTIN LOVEJOY, TERRY REGAN, LINDA SHARPE, & MARGARET ZIRKER, TRANSIT SECURITY DESIGN CONSIDERATIONS, ch. 3, Security in the Transit Environment (2004), http://transit-safety.volpe.dot.gov/security/SecurityInitiatives/DesignConsiderations/CD/ftasesc.pdf (accessed Sept. 19, 2009).
[5] Department of Homeland Security, Transportation Security Administration, Proposed Rule, Rail Transportation Security, Fed. Reg. 71, No. 245, 76852, 76854, Dec. 21, 2006, http://edocket.access.gpo.gov/2006/pdf/E6-21512.pdf.
[6] Section 1403, Findings, Pub. L. No. 110-53, 121 Stat. 401 (Tit. XIV, Public Transportation Security), codified at 6 U.S.C. § 1132.
[7] Moscow Mourns Metro Bomb Victims, CNN, Feb. 7, 2004, www.cnn.com/2004/WORLD/europe/02/07/moscow.blast/index.html (accessed July 30, 2009).
[8] Steven Lee Meyers, Suicide Bomber Kills 9 at Moscow Subway Station, N.Y. TIMES, Sept. 1, 2004, www.nytimes.com/2004/09/01/international/europe/01moscow.html (accessed July 30, 2009).
[9] Precise numbers varied, but the death tolls appeared to have been about 50, with many more injured. Cf., Don Van Natta Jr. & David Johnston, London Bombs Seen as Crude; Death Toll Rises to 49, N.Y. TIMES, July 9, 2005, www.nytimes.com/2005/07/09/international/europe/09intel.html?scp=5&sq=london%20+%20bomb%20+%202005&st=cse (accessed July 30, 2009); Glenn Frankel & Fred Barbash, Death Toll From London Blasts Rises: 50 Killed in Attacks, 22 More in Critical Condition, WASH. POST, July 8, 2005; Statement to Parliament on the London Bombings, July 11, 2005, www.number10.gov.uk/Page7903 (accessed July 30, 2009).
[10] JOCELYN WAITE, THE CASE FOR SEARCHES ON PUBLIC TRANSPORTATION 4, n.10 (Transit Cooperative Research Program Legal Research Digest No. 22, 2005), citing U.S. GENERAL ACCOUNTING OFFICE, MASS TRANSIT: CHALLENGES IN SECURING TRANSIT SYSTEMS 7 (2002) (killed 11, injured over 5,000); BRIAN MICHAEL JENKINS & LARRY N. GERSTEN, PROTECTING PUBLIC SURFACE TRANSPORTATION AGAINST TERRORISM AND SERIOUS CRIME: CONTINUING RESEARCH ON BEST SECURITY PRACTICES 49 (MTI Report 01-07, 2001) (killed 12, injured thousands). Jenkins and Gersten provide an in-depth look at the Tokyo attack, at 49–65, http://onlinepubs.trb.org/onlinepubs/tcrp/tcrp_lrd_22.pdf.
[11] Official: Threat Cited This Weekend, CNN, Oct. 7, 2005, www.cnn.com/2005/US/10/07/newyork.subways/ (accessed July 30, 2009).
[12] James Gordon Meek, Alison Gendar, & Larry McShane, FBI Warns of Possible Terror Plot Against New York City Subway System During Holiday Season, N.Y. DAILY NEWS, Nov. 26, 2008, www.nydailynews.com/news/2008/11/26/2008-11-26_fbi_warns_of_possible_terror_plot_agains.html (accessed July 30, 2009).
[13] Mass Transit and Passenger Rail Security, www.tsa.gov/what_we_do/tsnm/mass_transit/index.shtm.
[14] Rail Transportation Security, Final Rule, 73 Fed. Reg. 72130, Nov. 26, 2008, http://edocket.access.gpo.gov/2008/pdf/E8-27287.pdf (49 C.F.R. pts. 1520 and 1580).
[15] Laura Parker, Charisse Jones, & Thomas Frank, U.S. Mass-Transit Systems Step Up Vigilance, USA TODAY, July 7, 2005, www.usatoday.com/news/washington/2005-07-07-dc-londonblasts_x.htm (accessed July 30, 2009).
[16] David Randall Peterman, Bart Elias, & John Frittelli, Transportation Security: Issues for the 110th Congress, CRS Report to Congress, RL 33512, Jan. 3, 2007, http://ncseonline.org/NLE/CRSreports/06Dec/RL33512.pdf (accessed July 30, 2009).
[17] Transit security initiatives are described at http://transit-safety.volpe.dot.gov/Security/SecurityInitiatives/default.asp. BALOG, BOYD, & CATON, supra note 1.
[18] TSA/FTA Security and Emergency Management Action Items for Transit Agencies, http://transit-safety.volpe.dot.gov/Security/SecurityInitiatives/ActionItems/default.asp; www.tsa.gov/assets/pdf/mass_transit_action_items.pdf.
[19] See additional guidance, http://transit-safety.volpe.dot.gov/publications/security/AdditionalGuidance/PDF/AdditionalGuidance.pdf.
[20] See NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242, 98 S. Ct. 2311, 2327, 57 L. Ed. 2d 159, 178 (1978) (“The basic purpose of [the] FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed.”) See also Robert Tanner, States Steadily Close Public Access to Information, THE WORLD, Mar. 17, 2008, www.theworldlink.com/articles/2008/03/17/news/doc47dead5e03573785159931.txt (accessed Feb. 28, 2009).
[21] “The effective functioning of a free government like ours depends largely on the force of an informed public opinion.” Barr v. Matteo, 360 U.S. 564, 577, 79 S. Ct. 1335, 1342, 3 L. Ed. 2d 1434, 1444 (1959) (Justice Black, concurring). Throughout this report the term “FOIA” refers to the federal statute unless otherwise specified.
[22] Kristen Elizabeth Uhl, The Freedom of Information Act Post-9/11: Balancing the Public's Right to Know, Critical Infrastructure Protection, and Homeland Security, Comment, 53 AM. U. L. REV. 261, 263, n.1 (2003), www.wcl.american.edu/journal/lawrev/53/uhl.pdf?rd=1 (accessed Mar. 4, 2009).
[23] E.g., N.H. REV. STAT. ANN. 91-A:1 Preamble.—Openness in the conduct of public business is essential to a democratic society. The purpose of this chapter is to ensure both the greatest possible public access to the actions, discussions, and records of all public bodies, and their accountability to the people, www.gencourt.state.nh.us/rsa/html/VI/91-A/91-A-1.htm.
[24] E.g., Head v. Colloton, 331 N.W.2d 870, 873–74 (Iowa 1983) (purpose of Iowa open records law: “to open the doors of government to public scrutiny—to prevent government from secreting its decision-making activities from the public, on whose behalf it is its duty to act.”).
[25] Fuller v. City of Homer, 75 P.3d 1059, 1062 (Alaska 2003).
[26] Mitchel A. Sollenberger, Sensitive Security Information and Transportation Security: Issues and Congressional Options, CRS Reports to Congress, RL32425, June 9, 2004, www.fas.org/sgp/crs/RL32425.pdf.
[27] 5 U.S.C. § 552.

2. Effect of 9/11 Attacks

Following the 9/11 attacks, a trend developed at both the federal and state levels toward keeping more government information secret.[34] Both the executive and legislative branches of the federal government supported increased levels of secrecy.
In particular, the Bush administration moved away from the prior FOIA presumption of disclosure under the Clinton administration[35] and under Supreme Court precedent.[36] On October 12, 2001, the Attorney General issued a FOIA policy memorandum. The memorandum urged agency personnel to exercise caution in making discretionary disclosures of information protected under FOIA and stated that the Department of Justice would defend agencies’ decisions to withhold information under FOIA “unless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other important records.”[37] This was a significant change from the standard under the Clinton administration, pursuant to which the Department of Justice would only defend FOIA nondisclosures where the agency could reasonably foresee harm to a party protected by the exemption in disclosing the information.[38] Federal agencies had already removed information from Web sites in the months immediately following the 9/11 attacks.[39] Thousands more documents were removed from federal government Web sites after the White House Chief of Staff issued a March 2002 memorandum instructing federal agencies to review government information not only involving weapons of mass destruction, but also “other information that could be misused to harm the security of our nation and the safety of our people.”[40] In fact, within a year of the 9/11 attacks, 13 federal agencies and 3 state Web sites had blocked access to previously available information.[41] The Bush administration also issued a memorandum instructing federal agencies to process FOIA requests for sensitive information in accordance with the Ashcroft Memorandum, that is, looking for all applicable exemptions.[42]

On the legislative front, the Homeland Security Act of 2002 (HSA)[43] established two new mandatory exemptions to FOIA. First, under Title II of the HSA, the Critical Infrastructure Information Act of 2002 (CIAA)[44] exempted from FOIA disclosure certain voluntarily submitted information, provided that the disclosure is accompanied by an express written or oral disclosure that it is being made voluntarily in expectation of protection under the CIAA.[45] Second, under Title XVI, the HSA amended the authorizing legislation for the TSA[46] to create an exemption from FOIA for certain information obtained or developed in carrying out security under the Aviation and Transportation Security Act of 2001 (ATSA) or under Chapter 449 of Title 49. Unauthorized disclosures are punishable by criminal fines, imprisonment, or both, as well as by mandatory removal from office or employment.[47]

Although Congress had enacted FOIA exemptions following the 9/11 attacks, the congressional stance on the Bush Administration’s “need to know” FOIA enforcement eventually shifted. In the latter part of the second Bush term, Congress enacted the “Openness Promotes Effectiveness in Our National Government Act of 2007.”[48] The OPEN Government Act specifically found that FOIA responses should be based on right to know rather than on need to know.[49]

[28] Section 18.42, 49 C.F.R. pt. 18—Uniform administrative requirements for grants and cooperative agreements to State and local governments, http://edocket.access.gpo.gov/cfr_2008/octqtr/pdf/49cfr18.42.pdf. See II.C, Procurement and Contract Management Issues, infra this digest.
[29] E.g., Florida Public Records Statute, §§ 119.01 et seq., www.flsenate.gov/Statutes/index.cfm?App_mode=Display_Statute&URL=Ch0119/titl0119.htm&StatuteYear=2008&Title=%2D%3E2008%2D%3EChapter%20119. See III.D., Record Management Laws, infra this digest.
[30] Michaelis, Montanari & Johnson v. Superior Court, 44 Cal. Rptr. 3d 663, 667, 38 Cal. 4th 1065, 136 P.3d 194 (Cal. 2006), citing CAL. CONST. art. I, § 3, subd. (b).
[31] FLA. CONST. art. I, § 24, www.myflsunshine.com/sun.nsf/sunmanual/AB22C5DD97920270852566F30071D093.
[32] MONT. CONST. art. II, § 9 (preserving a right to examine documents “except in cases in which the demand of individual privacy clearly exceeds the merits of public disclosure.”), http://leg.mt.gov/css/Laws%20and%20Constitution/Current%20Constitution.asp.
[33] N.D. CONST., art. XI, § 6 (protects the right to protect public records unless otherwise provided by law), www.legis.nd.gov/constitution/const.pdf.
[34] GINA MARIE STEVENS & TODD B. TATELMAN, PROTECTION OF SECURITY-RELATED INFORMATION, CRS Report for Congress RL33670, CRS-1 (2006), www.fas.org/sgp/crs/secrecy/RL33670.pdf (accessed Mar. 4, 2009).
[35] Uhl, supra note 22, at 272–74; 285–87; GENEVIEVE J. KNEZO, “SENSITIVE BUT UNCLASSIFIED” AND OTHER FEDERAL SECURITY CONTROLS ON SCIENTIFIC AND TECHNICAL INFORMATION: HISTORY AND CURRENT CONTROVERSY, CRS Report for Congress, RL31845, CRS-23–CRS-24 (2004), www.fas.org/sgp/crs/RL31845.pdf (accessed Sept. 23, 2009); UNITED STATES HOUSE OF REPRESENTATIVES COMMITTEE ON GOVERNMENT—MINORITY STAFF SPECIAL INVESTIGATIONS DIVISION, SECRECY IN THE BUSH ADMINISTRATION (2004); David C. Vladeck, Symposium: Harnessing the Power of Information for the Next Generation of Environmental Law: III. Access and Dissemination of Information: Information Access—Surveying the Current Legal Landscape of Federal Right-to-Know Laws, 86 TEX. L. REV. 1787, 1790 (2008), www.utexas.edu/law/journals/tlr/assets/archive/v86/issue7/vladeck.pdf (accessed Sept. 18, 2009); Guinevere Jobson, On the Public’s Right to Proprietary Data, a Contribution to the SSRC Data Consortium for Media and Communications Policy 2 (2007), http://programs.ssrc.org/media/dataconsortium/RighttoAccessMemo0607.pdf (accessed Mar. 4, 2009).
[36] Dep’t of Air Force v. Rose, 425 U.S. 352, 96 S. Ct. 1592, 48 L. Ed. 2d 11 (1976) (disclosure, not secrecy is dominant objective of FOIA); U.S. Dep’t of State v. Ray, 502 U.S. 164, 112 S. Ct. 541, 116 L. Ed. 2d 526 (1991) (FOIA establishes a strong presumption in favor of disclosure).
[37] The Ashcroft Memo, reprinted by the Coalition of Journalists for Open Government, www.cjog.net/background_the_ashcroft_memo.html (accessed July 31, 2009). The memorandum is no longer available on the Department of Justice Web site.
[38] Uhl, supra note 22, at 271.
[39] P. STEPHEN GIDIERE III, THE FEDERAL INFORMATION MANUAL: HOW THE GOVERNMENT COLLECTS, MANAGES AND DISCLOSES INFORMATION UNDER FOIA AND OTHER STATUTES 350–51 (2006). Reportedly much of the information was reposted by other groups. Nicholas Bagley, Benchmarking, Critical Infrastructure Security, and the Regulatory War on Terror, 43 HARV. J. ON LEGIS. 47, 68 (2006).
[40] Uhl, supra note 22, at 272.
[41] One Year Later: September 11 and the Internet, Pew Internet & American Life Project, Sept. 5, 2002, at 8–9, www.pewinternet.org/~/media//Files/Reports/2002/PIP_9-11_Report.pdf.pdf (accessed July 31, 2009). See also Stephen Gidiere & Jason Forrester, Balancing Homeland Security and Freedom of Information, 16 NAT. RESOURCES & ENV’T 139, 140 (2002), discussing removal of information from agency Web sites since September 11, 2001, www.abanet.org/environ/pubs/nre/specissue/gidiereforrester.pdf (accessed March 4, 2009). In addition, these security concerns may have resulted in an apparent reluctance to post crisis communications or emergency management plans. COMMITTEE ON THE ROLE OF PUBLIC TRANSPORTATION IN EMERGENCY EVACUATION, THE ROLE OF TRANSIT IN EMERGENCY EVACUATION 82 (Transportation Research Board Special Report 294, 2008), http://onlinepubs.trb.org/Onlinepubs/sr/sr294.pdf.
[42] Uhl, supra note 22, at 274.
[43] Pub. L. No. 107-296, 16 Stat. 2135, Nov. 25, 2002. For a discussion of legislative history and competing policy arguments, see JOHN D. MOTEFF, CRITICAL INFRASTRUCTURE INFORMATION DISCLOSURE AND HOMELAND SECURITY, CRS Report to Congress, RL31547 (2003), www.fas.org/irp/crs/RL31547.pdf (accessed Oct. 9, 2009).
[44] Pub. L. No. 107-296, 16 Stat. 2135, Nov. 25, 2002, Subtitle B—Critical Infrastructure Information (6 U.S.C. § 131–134).
[45] Id. § 214(a)(2), codified as 49 U.S.C. § 133(a)(2).
[46] Section 101 of the Aviation and Transportation Security Act (ATSA), Pub. L. No. 107-71, 115 Stat. 597, Nov. 19, 2001, codified as 49 U.S.C. § 114.
[47] Critical Infrastructure Information Act, § 214(f), codified as 6 U.S.C. § 133(f); 6 C.F.R. § 29.9(d). See II.B.1, Federal Legislation, infra this digest.
[48] Pub. L. No. 110-175, 121 Stat. 2524-2531, Dec. 31, 2007.
[49] See Vladeck, supra note 35, at 1819–21.

Critics of the trend to increasing secrecy have argued that unnecessary restrictions on public access to information violate fundamental public policy principles of open government. In particular, application of the SSI designation has been seen as limiting citizen access to public safety information.[50]

The Obama administration appears to be moving back toward disclosure, with the President issuing an executive order on FOIA on January 21, 2009, stating that the presumption is toward disclosure,[51] and the Attorney General following up with a memorandum to all department and agency heads reminding them that the presumption is to openness, even where the law allows nondisclosure.[52] The Attorney General’s March 19, 2009, memorandum specifically rescinded the Attorney General’s Memorandum of October 21, 2001, which had in effect encouraged a presumption of nondisclosure. It remains to be seen whether the Obama administration’s formal position on FOIA will have any effect on its interpretation of SSI requirements.

Mirroring the trend at the federal level, in the wake of the 9/11 attacks, many states have added security exemptions to their public disclosure laws,[53] although apparently more on the theory that secrecy will increase security than in response to suspicious requests for information.[54] According to an Associated Press analysis of state laws nationwide, of the more than 1,000 laws that have been passed by state legislatures to change access to information, more than twice as many of the measures further restrict access to information than make more information available.[55] While other concerns such as identity theft and privacy of medical records are also at play, the concerns for security have clearly been a driving force. The scope of some of the exemptions has been criticized as overly broad.[56]

[50] E.g., Feb. 20, 2007, Comments of the Coalition of Journalists for Open Government to TSA NPRM on Rail Transportation Security, Docket No. TSA-2006-26514, www.cjog.net/documents/TSA_Regulations_Comments.pdf (accessed Feb. 28, 2009); Looking for Sunshine: Protecting Your Right to Know, League of Women Voters, Jan. 2006, www.lwv.org/Content/ContentGroups/Projects/OpennessinGovernment/40404_LWV_LoRes.pdf (accessed Sept. 29, 2009).
[51] Memorandum of Jan. 21, 2009—Freedom of Information Act, 74 Fed. Reg. 4683, Jan. 26, 2009, http://edocket.access.gpo.gov/2009/pdf/E9-1773.pdf.
[52] Office of the Attorney General, Memorandum for Heads of Executive Departments and Agencies, Mar. 19, 2009, www.usdoj.gov/ag/foia-memo-march2009.pdf.
[53] DOUGLAS F. GANSLER, REPORT OF THE OFFICE OF ATTORNEY GENERAL ON THE PUBLIC SECURITY EXCEPTION OF THE PUBLIC INFORMATION ACT, App. B (2007), http://www.oag.state.md.us/Opengov/PIA_public_security_exemption_report.pdf. See App. C: Exemptions to State Public Records/Freedom of Information Laws, infra this digest.
[54] Beth Wade, Security Through Secrecy, GOVERNMENT SECURITY MAGAZINE, Nov. 1, 2003, http://govtsecurity.com/mag/security_secrecy/index.html (accessed Feb. 26, 2009).
[55] Tanner, supra note 20.
[56] Wade, supra note 54.

3. Disclosure of Bid/Contract Information

Competitive bidding of publicly-funded contracts for large purchases is generally required under both federal and state law[57] and may be advised even where not required.[58] The competitive bidding process is generally intended to provide reasonable competition, thereby protecting the public against discrimination, cronyism, or waste of public funds, and to ensure optimum public benefits from the contracting process.[59] As a California court noted, because of the purposes of competitive bidding, “the public may have a legitimate and substantial interest in scrutinizing the process leading to the selection of the winning proposal.”[60]

Nonetheless, information may be kept confidential for competitive purposes of the public agency until the bid/contract is awarded.
Federal law prohibits disclos- ing bid or proposal information before the actual award,61 and state or local law may contain similar pro- visions. Certain contract information must also be withheld after award. For example, under the Los An- geles Administrative Code, the contents of proposals must be secured during the negotiations process so that proposers do not obtain pricing and other information about the competing bids during the negotiations proc- ess. Such information is not disclosed until an award recommendation is made.62 It can be argued that by postponing disclosure until after the award recommen- dation but before the final award, the public can scruti- nize the award decision in full and in time to provide input to the decision-makers, thereby balancing the need to know with the need to keep information confidential.63 Of course, even once the contract is awarded, some proposal information may be protected from disclosure. Traditionally, competitive information has been the primary concern in this context, but now confidentiality concerns extend to security issues. 57 E.g., OR. REV. STAT. 279C.335, Competitive bidding; ex- ceptions; exemptions, www.leg.state.or.us/ors/279c.html. See generally KEVIN M. SHEYS & ROBERT L. GUNTER, REQUIREMENTS THAT IMPACT THE ACQUISITION OF CAPITAL- INTENSIVE LONG-LEAD ITEMS, RIGHTS OF WAY, AND LAND FOR TRANSIT (Transit Cooperative Research Program Legal Re- search Digest No. 6, 1996). 58 E.g., [Pennsylvania] Governor’s Center for Local Govern- ment Services, Purchasing Handbook, downloading available at http://www.newpa.com/get-local-gov-support/ publications/index.aspx . 59 Jennifer Jo Snider Smith, Competition and Transparency: What Works for Public Procurement Reform. 38 PUB. CONT. L.J. 114 (2008), noting the importance of FOIA in providing oversight of government contracting. 60 Michaelis v. Sup. Ct. of Los Angeles County, 38 Cal. 4th 1065, 136 P.3d 194, 44 Cal. Rptr. 3d 663, 668 (2006) (citation omitted). 
61 41 U.S.C. §§ 253b(f)(4), 253b(m), 423(a). 62 Michaelis, 44 Cal. Rptr. 3d at 666, citing § 10.15(f)(6) of the Los Angeles Administrative Code. 63 See Michaelis, 44 Cal. Rptr. 3d 663, 38 Cal. 4th 1065, 136 P.3d 194 (Cal. 2006).

11

A variety of contracts may cover security information. These include contracts to prepare employee manuals and training materials that cover security responses, conduct vulnerability assessments,64 and prepare or evaluate emergency response plans.65 In addition, some contracts that do not directly cover security projects may require contractors to access system design documents that constitute SSI/restricted security information:

Visual and textual architectural and engineering data are vital to understanding the core operations and structural components of transportation infrastructure. This information may include information such as building or structure plans, schematic drawings and diagrams, security system plans, and threat analyses related to the design or security of critical infrastructure—all of which may be of interest to terrorists and could be dangerously misused by someone intending to cause harm to the system or its users, employees, or the general public…. [D]esign documents are often copied and distributed for use by architects, contractors, subcontractors, inspectors, third-party reviewers, and others—all of whom need access to blueprints, engineering schematics, and other technical documents to be able to safely and effectively fulfill their responsibilities.66

The FTA Security and Emergency Preparedness Planning Guide defines sensitive information as “any information that would allow a malicious actor to select, or gain information about, a target without the need to physically access it.”67

It is important that agencies correctly characterize information: As discussed in this report, significant efforts are required to adequately protect designated security information, particularly SSI. Therefore, attempting to withhold nonsensitive information may impair efforts to withhold truly sensitive information.68

The range of persons who may request information about requests for proposals or awarded contracts includes contractors, subcontractors, reporters, competitors, citizens/activists, and persons with no legitimate need for the requested information.69 For security purposes, the final category presents the greatest immediate danger, although any recipient of information could make further disclosure that could have security implications. In any case, state law may not allow the record custodian to inquire as to the identity of the requestor and/or the purpose for which the information is requested.70

There are several sources that can make unauthorized disclosures of security information. Agency employees may inadvertently or purposely make unauthorized disclosures. Contractors who have received security information, whether authorized or unauthorized, may make unauthorized disclosures, whether intentionally or from ignorance about their nondisclosure responsibilities. Subcontractors pose the same danger. And once an unauthorized disclosure has been made, each recipi-

64 E.g., Use of contractors in conducting rail security assessments: U.S. GOV’T ACCOUNTABILITY OFFICE, ENHANCED FEDERAL LEADERSHIP NEEDED TO PRIORITIZE AND GUIDE SECURITY EFFORTS 45 (2005), www.gao.gov/new.items/d05851.pdf (accessed Mar. 31, 2009).
65 See Use of Funds, § 1406(b), Pub. L. No. 110-53, 121 Stat. 405–407, 6 U.S.C. § 1135(b). E.g., Connecticut Commuter Rail Security and Emergency Preparedness Planning Study: Legal Notice—Request for Letters of Interest—CSO Solicitation No. 2059, www.das.state.ct.us/rfpdoc/DOT08/bids/2059.pdf (accessed Oct. 1, 2009). There has been some controversy over keeping emergency response plans confidential because of the public right to know and ability to respond to threats. See Comments of the Silha Center for the Study of Media Ethics and Law on TSA Interim Final Rule on Protection of Sensitive Security Information, July 16, 2004, http://www.silha.umn.edu/assets/pdf/silhacenterssicomments.pdf; Uhl, supra note 22, at 304–5. TRB’s Committee on the Role of Public Transportation in Emergency Evacuation recommends making sanitized versions of emergency evacuation plans public: The committee believes that the public should be informed about area emergency evacuation plans and how transit will be deployed in an emergency. An informed public, particularly special-needs populations, is critical to preparedness in an emergency incident. However, sensitive operational details should be excluded from emergency planning documents and only “sanitized” versions made publicly available. FEMA could provide a template for suitable presentation formats as part of its guidance to state, local, and tribal governments. COMMITTEE ON THE ROLE OF PUBLIC TRANSPORTATION IN EMERGENCY EVACUATION, THE ROLE OF TRANSIT IN EMERGENCY EVACUATION 82, Transportation Research Board Special Report 294 (2008), http://onlinepubs.trb.org/Onlinepubs/sr/sr294.pdf.
66 TRANSTECH MANAGEMENT, INC., supra note 1, at 3–4.
67 BALOG, BOYD, & CATON, supra note 1, at 93.
68 TRANSTECH MANAGEMENT, INC., supra note 1, at 3.
69 Coalition of Journalists for Open Government, An Opportunity Lost: Part I, An In-Depth Analysis of FOIA Performance From 1998 to 2007 (July 3, 2008), accessed Feb. 28, 2009, at www.cjog.net/documents/Part_1_2007_FOIA_Report.pdf; Society of Professional Journalists, Frequent Filers: Businesses Make FOIA Their Business, July 3, 2006, www.spj.org/rrr.asp?ref=31&t=foia (accessed Feb. 26, 2009). See II.A.1, Overview of FOIA, infra this digest.
70 E.g., Hawaii requires that requested information not subject to disclosure exceptions be made available to any person requesting it. HAW. REV. STAT. § 92F-11(b). In most circumstances anonymity is allowed. Water Service Consumption Data, OIP Op. Ltr. No. 90-29 (Oct. 5, 1990), http://state.hi.us/oip/opinionletters/opinion%2090-29.pdf. Maryland: Superintendent v. Henschen, 279 Md. 468, 473, 369 A.2d 588, 561 (1977) (Maryland statute affords general right of access to any person, without need to show grievance or interest); New Mexico: § 14-2-8(C), N.M. STAT. ANN. 1978 (requesters shall not be required to state their reasons for requesting the records, although they must provide identifying information), www.conwaygreene.com/nmsu/lpext.dll?f=templates&fn=main-h.htm&2.0; North Carolina: § 132[ ]6(b) (individual requesting information not required to disclose reason for inquiry), www.ncleg.net/EnactedLegislation/Statutes/HTML/ByChapter/Chapter_132.html; Texas: A & T Consultants Inc. v. Sharp, 904 S.W.2d 668, 676 (Tex. 1995) (government cannot look at the motives of requester of information); Washington: Livingston v. Cedeno, 164 Wash. 2d 46, 186 P.3d 1055, 1058 (Wash. 2008) (en banc) (state agency must respond to all public disclosure requests without regard to requester’s status or motivation).


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest 32: Reconciling Security, Disclosure, and Record-Retention Requirements in Transit Procurements highlights the legal requirements that are relevant to the transit procurement process of balancing the competing needs of open government and public security. The report explores federal and state requirements concerning record retention and disclosure, as well as practices transit agencies have adopted to meet their responsibilities in balancing these competing public policy interests.
