Critical Information Policies for Water Utilities


Subject Area: Efficient and Customer-Responsive Organization


About the Awwa Research Foundation

The Awwa Research Foundation (AwwaRF) is a member-supported, international, nonprofit organization that sponsors research to enable water utilities, public health agencies, and other professionals to provide safe and affordable drinking water to consumers. The Foundation's mission is to advance the science of water to improve the quality of life. To achieve this mission, the Foundation sponsors studies on all aspects of drinking water, including supply and resources, treatment, monitoring and analysis, distribution, management, and health effects.

Funding for research is provided primarily by subscription payments from approximately 1,000 utilities, consulting firms, and manufacturers in North America and abroad. Additional funding comes from collaborative partnerships with other national and international organizations, allowing for resources to be leveraged, expertise to be shared, and broad-based knowledge to be developed and disseminated. Government funding serves as a third source of research dollars.

From its headquarters in Denver, Colorado, the Foundation's staff directs and supports the efforts of more than 800 volunteers who serve on the board of trustees and various committees. These volunteers represent many facets of the water industry, and contribute their expertise to select and monitor research studies that benefit the entire drinking water community.

The results of research are disseminated through a number of channels, including reports, the Web site, conferences, and periodicals. For subscribers, the Foundation serves as a cooperative program in which water suppliers unite to pool their resources. By applying Foundation research findings, these water suppliers can save substantial costs and stay on the leading edge of drinking water science and technology. Since its inception, AwwaRF has supplied the water community with more than $300 million in applied research.
More information about the Foundation and how to become a subscriber is available on the Web at

Prepared by:
Charles Herrick and Elizabeth Scherer
Stratus Consulting Inc
L Street NW, Suite 420, Washington, DC
and
Gregory Welter
O'Brien & Gere Engineers
8401 Corporate Drive, Suite 400, Landover, MD

Jointly sponsored by:
Awwa Research Foundation
6666 West Quincy Avenue, Denver, CO
and
U.S. Environmental Protection Agency
Washington D.C.

Published by:
Distributed by:

DISCLAIMER

This study was co-funded by the Awwa Research Foundation (AwwaRF) and the U.S. Environmental Protection Agency (USEPA) under Cooperative Agreement No. CR AwwaRF and USEPA assume no responsibility for the content of the research study reported in this publication or for the opinions or statements of fact expressed in the report. The mention of trade names for commercial products does not represent or imply the approval or endorsement of either AwwaRF or USEPA. This report is presented solely for informational purposes.

Copyright 2008 by Awwa Research Foundation
ALL RIGHTS RESERVED.
No part of this publication may be copied, reproduced or otherwise utilized without permission.
ISBN
Printed in the U.S.A.

CONTENTS

LIST OF EXHIBITS
FOREWORD
ACKNOWLEDGMENTS
EXECUTIVE SUMMARY

CHAPTER 1: PURPOSE AND APPROACH
    Background
    Purpose
    Report Organization

CHAPTER 2: RESEARCH AND ANALYTICAL APPROACH
    Step 1: Targeted Literature Reviews
    Step 2: Update of State Freedom of Information Act Exemptions
    Step 3: Formal Evaluation of Existing Information Management Approaches
    Step 4: Utility Interviews
    Step 5: Integration and Analysis

CHAPTER 3: ASSUMPTIONS AND RESEARCH ORIENTATION

CHAPTER 4: SENSITIVE INFORMATION MANAGEMENT: UNDERSTANDING THE POLICY CONTEXT
    Information and Public Access: The Current Situation
    State Freedom of Information Laws

CHAPTER 5: SENSITIVE INFORMATION IDENTIFICATION AND MANAGEMENT: THE CURRENT STATE OF AFFAIRS
    Utility Sensitive Information Management Practices
    Utility Information in the Public Domain

CHAPTER 6: DECISION LOGIC FOR INFORMATION RELEASE AND DISCLOSURE
    Assessing an Information Object's Content and Context of Anticipated Use
    Question 1: Will the Document or Information Directly Reveal a Potential Vulnerability or Weakness in Security?
    Question 2: If the Document or Information Requested Were Combined With Other Information, Could it Reveal a Vulnerability or Weakness in Security?
    Question 3: Does the Requested Material Contain Personnel Information Such as Biographical Data, Contact Information, Names, Addresses, Telephone Numbers, etc.?
    Question 4: Is the Requestor Known or the Request Expected?
    Question 5: Would the Requesting Individual or Organization Have a Legitimate Benefit From Receipt of the Information?
    Question 6: If the Utility Does not Release the Information, Would it Forego an Understood Benefit?
    Question 7: Is the Document or Information Already Widely Available or Easily Available to the Public?
    Levels of Information Protection
    Sensitive Information Management Approaches
    Process Documentation, Transparency, and Consistency in Approach
    Information Management Case Studies
    Scenario 1: Dissemination of Water Distribution System Maps to Engineers and Developers
    Scenario 2: Release of Information on Raw Water Source Such as Detailed and Specific Information Beyond What is Required for Consumer Confidence Reports and Source Water Assessments
    Scenario 3: Information Released in the Course of Procurements, Particularly Drawings Released as Part of a Construction Bidding Process
    Scenario 4: Citizen Requests for General Information About Utility Construction or Maintenance Projects

CHAPTER 7: ELEMENTS OF A WATER UTILITY INFORMATION SECURITY AND ACCESS CONTROL POLICY
    Scope and Purpose
    Staff Responsibilities for Information Management
    Information Classification and Associated Management Steps
    Supporting Procedures

CHAPTER 8: ADDRESSING THE LINKAGE BETWEEN INFORMATION SECURITY AND RECORDS MANAGEMENT

APPENDIX A: INFORMATION MANAGEMENT SURVEY
APPENDIX B: STATE FOIA EXEMPTIONS
REFERENCES
ABBREVIATIONS

EXHIBITS

4.1 USEPA's management strategy for sensitive drinking water-related information
Illustrative list of sensitive records or information objects
Illustrative list of sensitive information topics
Illustrative list of information topics that may contribute to a composite view of system vulnerabilities
Illustrative list of sensitive data and information pertaining to utility business operations or personnel
Illustrative list of types of information that might legitimately be requested by external parties
Illustrative list of records and information that can be provided to the public
Illustrative approaches to the development and implementation of a water utility sensitive information management policy
Generic tasks and provisions relevant to a water utility information security policy


FOREWORD

The Awwa Research Foundation is a nonprofit corporation that is dedicated to the implementation of a research effort to help utilities respond to regulatory requirements and traditional high-priority concerns of the industry. The research agenda is developed through a process of consultation with subscribers and drinking water professionals. Under the umbrella of a Strategic Research Plan, the Research Advisory Council prioritizes the suggested projects based upon current and future needs, applicability, and past work; the recommendations are forwarded to the Board of Trustees for final selection. The foundation also sponsors research projects through the unsolicited proposal process; the Collaborative Research, Research Applications, and Tailored Collaboration programs; and various joint research efforts with organizations such as the U.S. Environmental Protection Agency, the U.S. Bureau of Reclamation, and the Association of California Water Agencies.

This publication is a result of one of these sponsored studies, and it is hoped that its findings will be applied in communities throughout the world. The following report serves not only as a means of communicating the results of the water industry's centralized research program but also as a tool to enlist the further support of the nonmember utilities and individuals.

Projects are managed closely from their inception to the final report by the foundation's staff and large cadre of volunteers who willingly contribute their time and expertise. The foundation serves a planning and management function, and awards contracts to other institutions such as water utilities, universities, and engineering firms. The funding for this research effort comes primarily from the Subscription Program, through which water utilities subscribe to the research program and make an annual payment proportionate to the volume of water they deliver and consultants and manufacturers subscribe based on their annual billings. The program offers a cost-effective and fair method for funding research in the public interest.

A broad spectrum of water supply issues is addressed by the foundation's research agenda: resources, treatment and operations, distribution and storage, water quality and analysis, toxicology, economics, and management. The ultimate purpose of the coordinated effort is to assist water suppliers to provide the highest possible quality of water economically and reliably. The true benefits are realized when the results are implemented at the utility level. The foundation's trustees are pleased to offer this publication as a contribution toward that end.

David E. Rager
Chair, Board of Trustees
Awwa Research Foundation

Robert C. Renner, P.E.
Executive Director
Awwa Research Foundation


ACKNOWLEDGMENTS

This report was funded by the Awwa Research Foundation. The project was managed and administered by Frank Blaha. The researchers would like to extend their great appreciation to AwwaRF, and especially to Frank for his creative inputs, process flexibility, and encouragement at every stage of the project. We also wish to thank the project advisory committee (PAC), which provided very useful comments, guidance, and critiques at various stages of this project.

The researchers would like to thank the participating utilities for their input and feedback on all aspects of the research, analysis, and reporting of this work. Specifically, we would like to thank:

Aquarion Water Company
Santa Clara Valley Water District
Fairfax County Water Authority
Newport News Waterworks
Lincoln Water System

We would also like to thank the research team, individuals who attended the project workshop, and the utilities that participated in our survey process. Last, but not least, the researchers wish to thank the many individuals who helped execute the technical tasks and produce this report, especially Diane Callow, Erin Miles, and Christine Teter. Thank you all very much.

Charles Herrick, PhD (Principal Investigator)
Stratus Consulting Inc.
Boulder, Colo. and Washington, D.C.


EXECUTIVE SUMMARY

The safety and security of the nation's drinking water systems is a top priority. Water security is a multi-faceted concern, but protection of utility information that could be used by terrorists to disrupt service, destroy critical infrastructure, or damage public confidence in the water supply is a key aspect of a comprehensive security program. Vulnerability assessments, detailed component specifications, and security audit findings are examples of security-relevant information that must be managed appropriately. However, other less explicitly security-focused documents and data may also be sensitive, especially if considered as part of a mosaic of system information.

Following the attacks of September 11, 2001, many government agencies and nongovernmental organizations began restricting some of their information from access by the public. In some cases, these restrictions resulted in extensive denial of public access; in other cases, restrictions applied only to designated items and specific venues such as the internet. Decision-makers have begun to question how much such information would actually help a terrorist target and/or access a particular site or facility. Similarly, it has been recognized that information restriction practices sometimes make it difficult for legitimate partners to obtain information to conduct valued activities.

RESEARCH OBJECTIVES

This report is intended to serve as a primer on sensitive information management for and by water utilities. The report and an accompanying electronic decision tool provide guidance for identifying and managing potentially sensitive water utility records, data, and information.

APPROACH

This project included five basic steps: (1) an extensive literature review of information management policies, approaches, and related issues, including the field of records management; (2) statutory review and development of an inventory of state-level freedom of information act exemptions pertinent to water utility information; (3) identification and evaluation of information security approaches from other sectors; (4) in-depth interviews with water utilities and other experts, focusing on typical and exemplary information management practices; and (5) integrated analysis of the literature review and interview findings.

CONCLUSIONS

Water utilities are clearly aware of the risks associated with inappropriate acquisition and use of information concerning their facilities and operations. Nevertheless, practices employed and capabilities for addressing this issue vary significantly. Interviews indicate that information security can fall between the cracks of utility management structures. In addition, the cross-functional, cross-departmental nature of sensitive infrastructure information management underscores the need for a formal policy to assure utility-wide application of a defined set of information management procedures.

New federal policies and freedom of information exemptions at the state level provide water utilities with the legal means to restrict information provision to stakeholders and the public. However, this document advises against a presumption of aggressive information restriction, and toward an approach that explicitly balances the potential risks and benefits associated with a given request for information disclosure.

RECOMMENDATIONS

Based on security literature, practices of leading utilities, and guidance developed for analogous organizations, such as electric utilities and airport authorities, we suggest that water utilities designate three levels of information sensitivity:

Confidential Information: This category would include information that could be useful in planning or executing an attack on specified utility assets or processes, or could otherwise adversely impact the utility. This type of information requires the greatest restrictions from general release.

Restricted Information: This category would include data, information, or records that should not be broadly released to the general public, but may be disclosed to or used by utility representatives or other individuals/groups with a need to know.

Public Information: This category would include information provided to the public with few or no restrictions. Examples include water quality reports, service brochures, advertisements, press releases, and job opening announcements.

Once the utility has specified the sensitivity of a particular item of information, the next decision is to designate an appropriate management protocol. Water utility information can be managed in many different ways, from absolute withholding to full and unrestricted disclosure. The report and electronic decision tool illustrate a range of useful and pragmatic approaches between these two extremes.

The report outlines factors that water utilities should consider when developing and implementing an overall information security policy. This information security policy should provide administrative, managerial, and personnel guidelines for controlling access to and protecting a utility's sensitive information and records from unauthorized dissemination, access, utilization, and tampering. It should be flexible enough to address three basic types of information access needs: (1) access to utility information by customers and the general public; (2) access to information by utility partners; and (3) access to information by regulatory agencies and oversight bodies.

There is no single policy for sensitive information management that will work for all utilities. Given its unique needs and circumstances, each utility may select from a range of options. Whatever approach a utility chooses to adopt, it is critical that the policy be designed to mesh appropriately with existing records management protocols and regulations. In a final chapter, the report identifies common concepts and points of overlap between sensitive information control and utility records management, and provides recommendations for the value-added linkage between these related fields of activity.

CHAPTER 1
PURPOSE AND APPROACH

BACKGROUND

The safety and security of the nation's drinking water systems is a top priority throughout the country. Water utility security involves many facets, but protection of information that could be used by domestic or international terrorists to disrupt or destroy critical infrastructure or damage public confidence in the water supply is a key aspect of a comprehensive security program. Vulnerability assessments, emergency response plans, training exercise after action reports, risk assessments, detailed process and component specifications, and security audit findings are examples of security-relevant utility information that needs to be managed appropriately. For example, a vulnerability assessment in the wrong hands could provide a literal road map to a utility's most sensitive areas. However, other less explicitly security-focused documents and data streams may also reveal sensitive bits of information, especially if considered as part of a mosaic of system information (Stanley 2001, Baker 2004, USEPA 2005b).

Following the attacks of September 11, 2001, many government agencies and nongovernmental organizations began to restrict some of their data, information, and records from access by the public. In some cases, these restrictions have resulted in extensive denial of public access; in other cases, restrictions apply only to designated items and specific venues such as the internet (OMB Watch 2002, Podesta 2003, Aftergood 2005). As time has passed, decision-makers have begun to question the degree to which such information would actually help a terrorist target and/or access a particular site or facility. Similarly, it has been recognized that information restriction practices sometimes make it difficult for legitimate partners to obtain information necessary to conduct valued activities.

PURPOSE

This report is intended to serve as a general primer on the practice of protecting information in the water utility operational environment. While the subject of information protection has legal ramifications, there is no intent to provide legal advice in this report or associated materials. The report provides recommendations and guidance for the identification and management of potentially sensitive water utility records, data, and information. Also included is an electronic decision tool to help utility staff to quickly, comprehensively, and consistently review information sharing or disclosure requests. This tool, along with a worksheet utilities can use to document their decision process, is contained in the enclosed CD-ROM. Utilities are strongly advised to clear all information management decisions with in-house or other legal counsel.

REPORT ORGANIZATION

The rest of this report is organized into chapters. Chapter 2 provides a description of the overall approach and individual research activities undertaken in the course of this project. Chapter 3 discusses major assumptions that underlie and orient the project and our resulting recommendations. Chapter 4 summarizes federal and state policy regimes, procedures, and legal positions pertinent to the management of sensitive water utility information. Chapter 5 summarizes current utility practice in the area of sensitive information management. Chapter 6 lays out a step-by-step decision logic for utilities to use to assess the sensitivity of particular information items and outlines a series of management options for the release or withholding of sensitive information. Chapter 7 describes the key aspects of a water utility information management policy, and explores alternative approaches for utilities to adopt as they implement an information management policy. Finally, chapter 8 addresses the linkage between sensitive information and records management, outlining key areas of overlap.

The report includes a reference list and provides an electronic linkage to a decision tool to help utility staff assess the sensitivity of specific information items and select an appropriate management approach. Appendices include the questionnaire utilized in the utility survey described in chapter 5 and a listing of state-level Freedom of Information Act (FOIA) exemptions pertinent to water utilities.

CHAPTER 2
RESEARCH AND ANALYTICAL APPROACH

This report, its recommendations and guidance, and the sensitive information identification and management tool, were developed based on a research approach that included five basic steps, described below.

STEP 1: TARGETED LITERATURE REVIEWS

The research team conducted a series of targeted literature reviews and expert interviews addressing the following six topical areas pertinent to the management of sensitive infrastructure information:

Information Security Classification Approaches, Considerations, and Procedures: Over the past several decades, United States (U.S.) military branches, the Department of Defense, the Department of Energy, various National Laboratories, and private security companies have evolved a sophisticated body of methods and procedures to determine information classification levels and associated managerial protocols. This extensive literature base was reviewed to provide guidance regarding key issues and concepts.

Records Management: There is a close association between the field of records management and evolving concerns about sensitive information management. State and municipal records management laws often determine how water utilities can choose to address information management issues. Many larger utilities already operate well-developed records management programs and procedures, which need to be coordinated with efforts to manage information security. Moreover, the field of records management provides access to a body of time-tested approaches and tools relevant to both public and private organizations.

Right-to-Know and Civil Liberty Advocacy Literature: In recent years, proponents of open access have published critiques of governmental efforts to restrict information under the guise of enhanced security. In some cases, these authors have provided creative proposals for how agencies can better address the balance between open information access and security.

Existing Water Sector Security Guidance and Utility Policies: Water sector research institutes and associations have sponsored a wide variety of studies that address various aspects of the information management issue. In addition, some utilities have pioneered policies and procedures specifically for the administration and management of sensitive infrastructure information.

Federal Information Management Policies: Federal agencies with responsibility for homeland security and/or water sector oversight have developed internal standards and protocols for managing sensitive information. Characterization of these standards and procedures is pertinent to utilities that may be requested to submit information to these same agencies; but they are also useful in terms of model approaches.

Focused Search for Sensitive Information Already Available in the Public Domain: We developed a multi-pronged search strategy to locate potentially sensitive information about some of the project's participating utilities that is already available within the public domain. We shared this information with our partner utilities to (a) assess its potential sensitivity, and (b) review its overall status and reasons for public dissemination.

STEP 2: UPDATE OF STATE FREEDOM OF INFORMATION ACT EXEMPTIONS

Stratus Consulting engaged the National Conference of State Legislatures (NCSL) to obtain updated information on state security-related statutes pertinent to the distribution of water utility critical information. Drawing on past research, NCSL conducted a statutory analysis of state efforts to exempt drinking water systems from public disclosure in the context of Freedom of Information (FOI) requests. Knowledge of state-level FOI requirements is essential because it provides a starting point for utilities developing their own information management policies. Different exemption frameworks introduce different considerations at the utility level, in essence establishing rules of engagement for how to address FOI requests and manage potentially security-sensitive information. Appendix A contains state-by-state summaries of current applicable FOI exemptions for water utilities.

STEP 3: FORMAL EVALUATION OF EXISTING INFORMATION MANAGEMENT APPROACHES

Water utilities are by no means the first civilian organizations to deal with information access restriction from within an overall context of openness and right-to-know. Organizations such as financial institutions, healthcare organizations, and chemical manufacturing facilities have extensive experience with differential and situational access restrictions, information classification levels, and other information management controls. In an effort to draw upon the experience of other sectors, the research team conducted Web- and journal-based research to identify and describe potentially applicable models, approaches, and lessons learned.

In this vein, we felt it important to draw upon the experience of sectors and organizations that are configured and operate in a manner generally comparable to water utilities. For many reasons, public water systems (PWS) tend to be more open than organizations in other critical infrastructure sectors (e.g., nuclear power). This arises from a number of reasons fundamental to what they do and how they have been traditionally organized. For instance, water utilities are intimately connected to their customers, often with no intermediary entities or operations. Public water supplies are usually publicly owned and managed by elected officials, or at least overseen by elected governmental bodies. Many public agencies and their officials operate with the philosophy of maximizing transparency and openness. And finally, water utilities generally work through competitive proposals with contractors, or contract by means of public bidding, or work cooperatively with property owners and commercial developers, to extend, modify, and maintain their distribution systems.

We therefore felt it important that potentially applicable information management systems mesh with the fundamental qualities of community water systems. We assessed the relevance and applicability of approaches for the management of sensitive information in terms of a variety of factors such as public/private status, degree and nature of regulatory oversight, organizational configuration and size, customer base and types of customer interaction, and the necessity for coordination with other organizations. Only organizational models deemed applicable were abstracted or summarized for use in this project.

STEP 4: UTILITY INTERVIEWS

The Stratus Consulting research team conducted 35 structured, in-depth interviews with utility staff, managers, and executives in an effort to determine their awareness of issues associated with the release of sensitive information, and to characterize both typical and exemplary practices with respect to the management of sensitive records and information. Interview subjects were identified from attendance lists for water utility conferences and workshops dealing with topics related to security. These individuals were asked if they would agree to telephone interviews; and also asked if they could recommend other individuals who would be knowledgeable about the overall topic of water utility information management, who were in turn contacted and approached regarding a possible interview.

We first contacted potential interviewees by phone, provided them with a background on the project and the research team, encouraged them to ask questions, and asked them to (later) participate in a minute telephone interview. Subjects agreeing to participate in the telephone interview were provided with a copy of the questionnaire in advance, and encouraged to involve other colleagues as appropriate. The Principal Investigator (PI) conducted all interviews. During the telephone interview, the PI followed an interview guide and carefully noted all respondent inputs. If a respondent mentioned documentation pertinent to the research focus, the PI would request access to a copy of the document, under the condition of strict confidentiality.

STEP 5: INTEGRATION AND ANALYSIS

The descriptions, characterizations, and recommendations contained in this report are derived through integration across the various research areas described above. Outputs from the various research steps were synthesized according to the judgment of the co-PIs and other research team members. We focused most prominently on findings consistent across multiple research steps, and as applicable, noted consistencies among source categories.


CHAPTER 3
ASSUMPTIONS AND RESEARCH ORIENTATION

As will be described in chapter 4, new federal policies and FOI exemptions at the state level provide water utilities with the legal means to restrict information provision to stakeholders and the public. Individual utilities and municipalities know more than anyone else about their unique vulnerabilities; utilities should adopt an approach to information dissemination that is consistent with their overall approach to risk and business management. This report adopts an approach that attempts to balance the potential risks and benefits associated with a given request for data and/or information disclosure. There are three primary reasons for adopting such an approach:

1. Utilities Serve the Public Good: Water utilities have been historically open institutions, and are often operated under the aegis of local or municipal governments. Private- or investor-owned utilities are subject to governmental oversight. In short, water utilities in the U.S. are operated subject to the public trust. The basic principle of public accountability, whether direct or indirect, implies a reasonable degree of operational transparency. An unrestrained urge to deny public access will inevitably erode public trust in governmental credibility and integrity. Indeed, much of the information that a utility has is intended for customer or public disclosure, with information concerning rate structures providing a clear example. Other information must be disclosed as a matter of law, as is the case with Safe Drinking Water Act (SDWA) violations reported in annual Consumer Confidence Reports (CCR).

2. Information Restriction can be Expensive and Administratively Burdensome: Information management systems can be expensive, and may introduce administrative complexity and burden to an organization's operations. Information restriction means that resources must be designated throughout an information object's life cycle to protect, distribute, and limit access. Restriction also implies that those who work with the information should be investigated prior to being given access. It may also mean that resources will need to be designated to support editorial activities necessary to redact sensitive content from materials that could otherwise be widely distributed. When information has been designated as sensitive or otherwise restricted, formalized review is needed when the record in question is considered for archiving or destruction (U.S. GPO 1997).

3. Information Restriction Constrains Operations and Denies Benefits to the Utility or Municipality: Water utilities often have a coherent and compelling business logic for sharing information with external vendors, contractors, consultants, and customers. It is frequently necessary for water utilities to interact with external organizations in order to construct or repair facilities, extend or upgrade service capabilities, protect assets in public streets, or achieve other business objectives. Excessive information restriction makes it difficult for the utility to interact with valued external partners, and thus deprives the utility and its customers of specific benefits.

Utilities must devise practices that strike a balance between security enhancement and outside access to information. Granted, such a balance will differ from utility-to-utility. A large water utility in the suburban Washington, D.C. area may have a very different risk profile compared to a small, rural system in, say, Mississippi or Nebraska. The tools and recommendations in this report are framed to accommodate risk perceptions and hazard profiles that differ among utilities.

CHAPTER 4
SENSITIVE INFORMATION MANAGEMENT: UNDERSTANDING THE POLICY CONTEXT

INFORMATION AND PUBLIC ACCESS: THE CURRENT SITUATION

"A popular Government, without popular information, or the means of acquiring it, is but a prologue to a farce or a tragedy."
- James Madison

"An informed citizenry is vital to the functioning of a democratic society."
- Thomas Jefferson

Open access to public information has always been a hallmark of American political culture. However, the terrorist attacks on and before September 11, 2001 are prompting a reevaluation of how freedom of information should be balanced against the need for enhanced security. While ready access to information about the operations and outputs of governmental agencies and regulated entities gives meaning to the ideal of accountability to the public, the same information can potentially be used by terrorists to plan and execute attacks on units of critical infrastructure (Mariani 2004).

It is sometimes argued that the balance has swung strongly in favor of information control. Under the Bush Administration, the rules governing exemptions to the 1974 FOIA have been relaxed substantially, enabling federal agencies to withhold information that would previously have been released (Podesta 2003, Aftergood 2005). An October 2001 memorandum from Attorney General John Ashcroft instructed agency heads to rescind the FOIA presumption of disclosure that had been operative under previous administrations. In 1993, the U.S. Department of Justice (DOJ) announced that it would defend FOIA exemptions only in those cases where the agency reasonably foresees that disclosure would be harmful to an interest protected by that exemption (U.S. DOJ 2001). Moreover, agencies are no longer compelled to articulate a plausible scenario of harm, but merely to assure that information withholding decisions have a sound basis in legal reasoning (U.S. DOJ 2001). As a supplement to the Ashcroft memorandum, the DOJ Information Security Oversight Office (ISOO) instructed agencies to take appropriate steps to assure the security of sensitive but unclassified information related to America's homeland security (U.S. DOJ 2001).

Recent federal legislation has resulted in several provisions designed to help secure sensitive infrastructure information. The Critical Infrastructure Information Act (CIIA) was passed in November 2002 as subtitle B of Title II of the Homeland Security Act (P.L , 116 Stat. 2135, sections ). The CIIA regulates the use and disclosure of information submitted to the Department of Homeland Security (DHS) about vulnerabilities and threats to critical infrastructure (CRS 2003). Drawing on the definition established under the Patriot Act, critical infrastructure consists of systems or assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters (CRS 2003). Critical Infrastructure Information (CII) voluntarily submitted and accepted by DHS as CII is secure from FOI access, and may only be utilized in prescribed law enforcement or national security-related applications.

In 2005, DHS designated a New Jersey town's electronic mapping data as CII. The governing board of the Brick Township Municipal Utilities Authority had submitted its geographic information system (GIS)-based asset mapping system to DHS to circumvent an open records request for data that the utility had deemed sensitive (Tombs 2005, Donald 2006). Although Brick Township avoided FOI access to its data system, the full implications of this action are not yet clear. As of the publication of this report, it is not clear whether Brick Township will face restrictions in the use of its own data.

Also pertinent to water utilities, the Public Health Security and Bioterrorism Preparedness Act of 2002 stipulates that vulnerability assessment and emergency response certifications are exempt from disclosure requirements under the federal FOIA (U.S. Congress 2002). The Act required the U.S. Environmental Protection Agency (USEPA) to develop protocols for the protection of submitted vulnerability assessments. Enacted in November of 2002, the Protocol to Secure Vulnerability Assessments Submitted by Community Water Systems to EPA establishes storage, custody, transmission, and access procedures for vulnerability assessments submitted to USEPA. The protocol also includes disciplinary actions for USEPA employees who violate information security provisions (USEPA 2002).

Beyond vulnerability assessments, USEPA has taken steps to assure the security of sensitive utility data, records, and information. Since September 2001, states, utilities, and others have requested guidance from USEPA on how to deal with the competing interests between public availability of drinking water information and prudent restrictions on access in the interest of homeland security. In December 2001, the Director of USEPA's Office of Ground Water and Drinking Water issued a memorandum to its regional water managers describing how water systems may modify their CCR to remove information that may be considered sensitive, or information that the system believes will increase their vulnerability (USEPA 2001).
Similarly, systems were instructed to review SDWA source water assessments, eliminate overly detailed references or descriptions of system asset information, and ensure that [it is released] only to those governmental agencies, water suppliers, and stakeholders working to secure and protect water supplies (USEPA 2001).

In 2001 and 2002, the Office of Ground Water and Drinking Water participated in an Agency-wide workgroup, chaired by the Office of Environmental Information (OEI), to assess the sensitivity of USEPA's publicly available information holdings. This review was triggered by a March 17, 2002 memorandum from White House Chief of Staff Andrew Card, instructing all agencies to reevaluate sensitive but unclassified information to determine if a change in security classification was warranted (Card 2002). USEPA headquarters delivered an Agency-wide request in late September asking those in the agency responsible for disseminating information to identify potentially sensitive information, and particularly resources which provide information on chemicals, and/or location, and/or amounts, and/or impacts on the environment or human health (OMB Watch 2002).

To guide Agency managers in this assessment process, OEI developed four criteria for determining the sensitivity of information objects: type, specificity, connectivity, and availability of information. Information on a facility's or a pollutant's location, chemical identification, volume, acute effects, and plant processes falls within the type criterion. The specificity criterion builds on the type category and assesses the level of detail available for a specified information object. The connectivity criterion looks at the degree to which individual pieces of information can be connected to create realistic scenarios. Finally, the availability criterion assesses the level of control that USEPA has over releasing the information, focusing on whether the Agency is the sole provider of a particular item of information (Stanley 2001).

The workgroup identified drinking water well and intake locational information and detailed treatment process data as highly sensitive and worthy of additional restrictions. Other PWS facility locational data fields, such as treatment plant latitude/longitude coordinates, were not identified as highly sensitive.

Recently, utility progress on source water assessments has generated new questions from USEPA's state partners concerning access to and display of information collected for delineated source water areas (SWA) and related issues. States have raised concerns about the data handling procedures USEPA has in place for storing the source water area and related assessment information. According to USEPA, several states believe the digital source water area polygons are of a sensitive nature and merit special handling procedures. Responding to these and other concerns regarding information security, the Office of Ground Water and Drinking Water recently established a Policy to Manage Access to Sensitive Drinking Water-Related Information (USEPA 2005a) and an associated Interim Standard Operating Procedure for Drinking Water Reach Address Database (RAD) Authorization and Access (USEPA 2006a). Detailed in Exhibit 4.1, information elements included under this policy are:

• Latitude and longitude coordinates of PWS wells and intakes and GIS analyses derived from these data
• Delineated SWA and related state source water assessment program (SWAP) data available to USEPA

Exhibit 4.1
USEPA's management strategy for sensitive drinking water-related information

Data category 1: Latitude and longitude coordinates of PWS wells and intakes and GIS analyses derived from these data.

USEPA information security designation: USEPA considers this information highly sensitive and related to homeland security; USEPA will limit public access consistent with Agency-wide sensitivity criteria to preserve authorized restrictions on information access and disclosure. Information systems and applications that access, store, or use this information will need to be modified to conform to this policy. USEPA will consider withholding these data under FOIA Exemption 9 or other exemption categories as appropriate on a case-by-case basis.

Rationale/explanatory notes: This information is not widely available. Unauthorized access to USEPA's data could be misused for harmful purposes. USEPA believes that FOIA Exemption 9 is the most applicable authority for withholding this information because it specifically focuses on wells and, by inference, intakes. USEPA will continue to exchange source water well and intake location data with state co-regulators to allow updating but will follow the approved security plans and related procedures in response to all other requests for access. USEPA will share stream reach data with states to verify the specific drinking water intake location on each stream reach.

Data category 2: Source water delineated areas and related state source water assessment program data available to USEPA.

USEPA information security designation: Sensitive for data management purposes, requiring special data handling procedures under a Standard Operating Procedure (SOP) applicable to all Federal users. The SOP will require that protocols be followed before allowing public access to the data. The SOP will also specify certain situations where USEPA will treat the data as highly sensitive and consider bases for withholding information in response to specific requests under FOIA.

Rationale/explanatory notes: USEPA considers the SWA polygon data it holds as sensitive for data management purposes because of differences in state handling requirements and because the SWA polygon data are derived directly from the source facility location. Special data handling procedures under an SOP will be required to access, store, and use all the SWA polygon data held by the Agency. As a general rule, USEPA will not deny access to the public on request. However, USEPA will treat the SWA polygon data as highly sensitive and will withhold data, based on applicable FOIA exemptions, where:
• A state requests that USEPA treat the data received from the state as confidential because the state has mandatory data access restrictions more stringent than USEPA.
• USEPA determines that the SWA geospatial representation could be used to identify the precise location of the intake or well.

Source: USEPA 2005b.

As indicated in Exhibit 4.1, it is USEPA's intention to restrict sensitive water utility information under FOIA Exemption 9. Exemption 9 covers geological and geophysical information and data, including maps concerning wells (U.S. DOJ 2004). According to DOJ, Exemption 9 has rarely been invoked or interpreted, and its boundaries remain substantially undefined.
It is thus not clear what types of geological or geophysical information are protected from disclosure, or perhaps more importantly, whether it was intended to apply to all types of wells (U.S. DOJ 2004). Nevertheless, DOJ's Freedom of Information Act Guide asserts that it is reasonable to assume that courts may apply Exemption 9 to protect well data in compelling circumstances, such as when [it] is necessary to guard against an attack upon pooled natural resources (U.S. DOJ 2004).

The USEPA's new policy does not cover treatment plant location and treatment process information reported by states into the Safe Drinking Water Information System (SDWIS). While this information has been restricted in the past, treatment plant location data are generally available through other sources and in other forms. Although detailed treatment process information was identified as highly sensitive in USEPA's 2002 homeland security information reviews, the Agency does not believe that data reported to SDWIS are detailed enough to trigger the need for access restrictions. Moreover, information provided to SDWIS is available to the public from non-USEPA sources, including many utilities and states (USEPA 2005b).

STATE FREEDOM OF INFORMATION LAWS

All U.S. states provide access to public records by means of freedom of information laws and associated governmental programs. Generally, state FOI laws are not superseded or limited by federal FOI laws. As a result, public water utilities cannot necessarily rely on exemptions in the federal FOIA (AMWA 2002, NCSL 2003). Nor is it clear that utilities can rely upon categorical exemptions such as those instituted through the Public Health Security and Bioterrorism Preparedness Act. It is therefore critical that utility leadership and legal counsel closely inspect state and municipal FOI statutes to clearly understand the nature and scope of water utility records categories and their applicability with respect to sensitive infrastructure information.

Public entities create numerous materials that are not publicly available records under the terms of the state's FOI regime. Thus, the first step for a utility should be to understand the factors that control whether the state's provisions apply or not. Once the utility has a clear and unambiguous sense of types of information that qualify as both a record and publicly available, it is important to clarify the criteria that control exemptions from the state's FOI program. Although many state FOI statutes are built upon the federal model, it is nevertheless prudent to carefully review specific provisions for exemptions and other departures from the overall policy of open access to public records. By way of example, Oregon has implemented 88 exemptions to its overall FOI regime, whereas Arkansas has only 15 (AMWA 2002).

In research conducted for this project, the NCSL determined that 50 U.S. states and territories have enacted statutory provisions that exempt various types of CII from disclosure under FOIA. Of particular relevance to this project, 37 states and the District of Columbia have enacted specific exemptions from public disclosure requirements for vulnerability assessments of water system security. In almost all cases, state-level FOIA exemptions provide the statutory rationale under which a utility may choose to withhold information that could reasonably be used by an outside party to plan and/or conduct an action that could result in damage to utility components, operations, or personnel. However, the wording, topical specificity, and characterization of applicable exemption-triggering circumstances vary greatly from state to state. Some states such as Iowa and Indiana include a list of specific information items subject to FOI exemption. Other states provide triggering rationales that are more interpretive. For example, Alabama's exemption may be utilized when the disclosure could reasonably be expected to be detrimental to the public safety or welfare or otherwise detrimental to the best interests of the public (NCSL 2006).

Even if a utility's resident state has a FOI exemption for security-related information, it is critical to clearly understand the exemption language as well as factors that influence its applicability and interpretation. In a 2004 case before the Connecticut Supreme Court, the Town of Greenwich cited that state's FOI exemption to deny access to GIS records. The Supreme Court granted access to the GIS records because Greenwich failed to provide specific evidence to demonstrate how the release might threaten the town's security (Supreme Court, State of Connecticut 2004). In 2002, the Vermont Supreme Court rejected a similar exemption claim. That court wrote, "Assuming the security exemption applies at all, defendants bear the burden of showing that it applies through a specific factual record" (Supreme Court, State of Connecticut 2004). Based on our research, it is difficult to predict whether the Connecticut and Vermont decisions are isolated, or potentially models for other states. However, it seems imperative that utilities combine use of FOI exemptions with careful and reasonable depictions of potential risk.


More information

political Campaign Intervention and Review of 2012 Tax-Elected Applications

political Campaign Intervention and Review of 2012 Tax-Elected Applications TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Inappropriate Criteria Were Used to May 14, 2013 Reference Number: 2013-10-053 This report has cleared the Treasury Inspector General for Tax Administration

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE

TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM ON THE 9/11 COMMISSION RECOMMENDATIONS ******* August

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Classification Appeal Decision Under Section 5112 of Title 5, United States Code

Classification Appeal Decision Under Section 5112 of Title 5, United States Code U.S. Office of Personnel Management Office of Merit Systems Oversight and Effectiveness Classification Appeals and FLSA Programs Washington Oversight Division 1900 E Street, NW Washington, DC 20415 Classification

More information

Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law)

Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law) Aida S. Montano Bill Analysis Legislative Service Commission Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law) Reps. Oelslager, Flowers, Buehrer, White, Trakas BILL SUMMARY

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Case 1:07-cv-01154-RMU Document 16-2 Filed 07/01/2008 Page 1 of 9 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

Case 1:07-cv-01154-RMU Document 16-2 Filed 07/01/2008 Page 1 of 9 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA Case 1:07-cv-01154-RMU Document 16-2 Filed 07/01/2008 Page 1 of 9 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA THE JAMES MADISON PROJECT Plaintiff, v. Civil Action No. 07-01154 (RMU)

More information

AITKIN COUNTY GUIDELINES AND PROCEDURES FOR MINNESOTA GOVERNMENT DATA PRACTICES ACT. Aitkin County

AITKIN COUNTY GUIDELINES AND PROCEDURES FOR MINNESOTA GOVERNMENT DATA PRACTICES ACT. Aitkin County AITKIN COUNTY GUIDELINES AND PROCEDURES FOR MINNESOTA GOVERNMENT DATA PRACTICES ACT Aitkin County Adopted by the Aitkin County Board of Commissioners July 28, 2015 To the extent that the Minnesota Government

More information

THE MEDICARE-MEDICAID (MEDI-MEDI) DATA MATCH PROGRAM

THE MEDICARE-MEDICAID (MEDI-MEDI) DATA MATCH PROGRAM Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE MEDICARE-MEDICAID (MEDI-MEDI) DATA MATCH PROGRAM Daniel R. Levinson Inspector General April 2012 OEI-09-08-00370 EXECUTIVE SUMMARY:

More information

INFORMATION PROCEDURE

INFORMATION PROCEDURE INFORMATION PROCEDURE Information Security Awareness and Training Procedures Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY AWARENESS AND

More information

Final June 2005 Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns

Final June 2005 Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns Final June 2005 Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns What is the purpose of the guidelines? Many public, private, and non-profit organizations

More information

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

REQUEST FOR PROPOSALS FOR A PROGRAM EVALUATOR TO EVALUATE LSC S MIDWEST LEGAL DISASTER COORDINATION PROJECT OCTOBER 28, 2015

REQUEST FOR PROPOSALS FOR A PROGRAM EVALUATOR TO EVALUATE LSC S MIDWEST LEGAL DISASTER COORDINATION PROJECT OCTOBER 28, 2015 LEGAL SERVICES CORPORATION REQUEST FOR PROPOSALS FOR A PROGRAM EVALUATOR TO EVALUATE LSC S MIDWEST LEGAL DISASTER COORDINATION PROJECT OCTOBER 28, 2015 Page 1 of 8 INTRODUCTION The Legal Services Corporation

More information

What is Independent Knowledge?

What is Independent Knowledge? DODD-FRANK ALERT DECEMBER 2010 SEC Proposes Dodd-Frank Whistleblower Rules New York Office 2 Park Avenue New York, New York 10016 Phone: (212) 592-1400 Fax: (212) 592-1500 Princeton Office 210 Carnegie

More information

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT INTERNATIONAL FORUM OF INDEPENDENT AUDIT REGULATORS Adopted on June 30, 2015 1 Table

More information

DOJ Guidance on Use of the False Claims Act in Health Care Matters

DOJ Guidance on Use of the False Claims Act in Health Care Matters DOJ Guidance on Use of the False Claims Act in Health Care Matters The following document is a public document published by the Department of Justice at www.usdoj.gov/dag/readingroom/chcm.htm. U.S. DEPARTMENT

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

New York State Electronic Signatures and Records Act

New York State Electronic Signatures and Records Act PIANY Doc. No. 31174 New York State Electronic Signatures and Records Act The information contained within this Resource kit was made available by the New York State Department of State Division of Administrative

More information

STT ENVIRO CORP. (the Company ) CHARTER OF THE CORPORATE GOVERNANCE AND NOMINATING COMMITTEE. As amended by the Board of Directors on May 10, 2012

STT ENVIRO CORP. (the Company ) CHARTER OF THE CORPORATE GOVERNANCE AND NOMINATING COMMITTEE. As amended by the Board of Directors on May 10, 2012 STT ENVIRO CORP. (the Company ) CHARTER OF THE CORPORATE GOVERNANCE AND NOMINATING COMMITTEE PURPOSE AND SCOPE As amended by the Board of Directors on May 10, 2012 The primary function of the Committee

More information

Illinois Freedom of Information Act Frequently Asked Questions By Public Bodies

Illinois Freedom of Information Act Frequently Asked Questions By Public Bodies Illinois Freedom of Information Act Frequently Asked Questions By Public Bodies The Illinois Freedom of Information Act (FOIA) is designed to ensure that the public has access to information about their

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

During the Clinton administration, the

During the Clinton administration, the 8 UNIVERSITIES COUNCIL ON WATER RESOURCES ISSUE 129, PAGES 8-12, OCTOBER 2004 Assessing the Vulnerabilities of U.S. Drinking Water Systems Jeffrey J. Danneels and Ray E. Finley Sandia National Laboratories

More information

MINA'BENTE SITE NA LIHESLATURAN GUAHAN 2005 (FIRST) REGULAR SESSION

MINA'BENTE SITE NA LIHESLATURAN GUAHAN 2005 (FIRST) REGULAR SESSION MINA'BENTE SITE NA LIHESLATURAN GUAHAN 2005 (FIRST) REGULAR SESSION Introduced by: Co on Calendar By r&uest of I Maga 'la hen Guhhan in accordance with the Organic Act of Guam. AN ACT TO ESTABLISH THE

More information

SENTINEL AUDIT V: STATUS OF

SENTINEL AUDIT V: STATUS OF SENTINEL AUDIT V: STATUS OF THE FEDERAL BUREAU OF INVESTIGATION S CASE MANAGEMENT SYSTEM U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 10-03 November 2009 Redacted

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

How To Protect Mental Health Information In Upb

How To Protect Mental Health Information In Upb UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE Subject: MENTAL HEALTH INFORMATION Page 1 of 6 No: Prepared by: Shoshana Milstein Original Issue Date: NEW Reviewed by: HIPAA Policy & Procedure

More information

Report of the Ad Hoc Committee on Telemedicine. Federation of State Medical Boards of the United States

Report of the Ad Hoc Committee on Telemedicine. Federation of State Medical Boards of the United States Report of the Ad Hoc Committee on Telemedicine Federation of State Medical Boards of the United States The Federation's governing body accepted the following Report of the Ad Hoc Committee on Telemedicine

More information

Improved Management Practices Needed to Increase Use of Exchange Network

Improved Management Practices Needed to Increase Use of Exchange Network OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Improved Management Practices Needed to Increase Use of Exchange Network Report No. 2007-P-00030 August 20, 2007 Report Contributors:

More information

Water Security Strategy for Systems Serving Populations Less than 100,000/15 MGD or Less

Water Security Strategy for Systems Serving Populations Less than 100,000/15 MGD or Less July 9, 2002 Water Security Strategy for Systems Serving Populations Less than 100,000/15 MGD or Less A. Background I.Introduction From its inception, the overall vision of the US Environmental Protection

More information

The Model Transactional Tax Overpayment Act

The Model Transactional Tax Overpayment Act AMERICAN BAR ASSOCIATION SECTION OF TAXATION REPORT TO THE HOUSE OF DELEGATES RESOLUTION 1 RESOLVED, That the American Bar Association adopts the Model Transactional Tax Overpayment Act, dated February

More information

Core Monitoring Guide

Core Monitoring Guide Core Monitoring Guide April 2005 eta UNITED STATES DEPARTMENT OF LABOR EMPLOYMENT AND TRAINING ADMINISTRATION Core Monitoring Guide April 2005 United States Department of Labor Employment and Training

More information

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER SECTION 46 OF THE FREEDOM OF INFORMATION ACT 2000 NOVEMBER 2002 Presented to Parliament by the Lord Chancellor Pursuant to section

More information

Montana Legislative Fiscal Division. September 15, 2000. Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst

Montana Legislative Fiscal Division. September 15, 2000. Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst Montana Legislative Fiscal Division Information Technology Management Study Final Report September 15, 2000 Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst Information

More information

INTERNAL AUDIT MANUAL

INTERNAL AUDIT MANUAL དང ལ ར ས ལ ན ཁག Internal Audit Manual INTERNAL AUDIT MANUAL Royal Government of Bhutan 2014 i i ii ii Internal Audit Manual དང ལ ར ས ལ ན ཁག ROYAL GOVERNMNET OF BHUTAN MINISTRY OF FINANCE TASHICHHO DZONG

More information

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM The completed form should be sent to: Box EBC Washington D.C.20231 Block 1- Requestor Status The Certificate requester should check the appropriate

More information

Using ISO 15489 as an Audit Tool

Using ISO 15489 as an Audit Tool Using ISO 15489 as an Audit Tool ISO 15489, the first international standard devoted to records management, provides a comprehensive and practical basis for auditing full and partial records management

More information

Fee Waivers INTRODUCTION CONTENTS FEES: THE RATIONALE

Fee Waivers INTRODUCTION CONTENTS FEES: THE RATIONALE Number 2 Revised March 2009 Fee Waivers CONTENTS Introduction 1 Fees: the rationale 1 How the Act and Regulation apply to fees and fee waivers Assessment of fees 2 Fees for personal information 2 Payment

More information

SM ENERGY COMPANY CODE OF BUSINESS CONDUCT AND CONFLICT OF INTEREST POLICY

SM ENERGY COMPANY CODE OF BUSINESS CONDUCT AND CONFLICT OF INTEREST POLICY SM ENERGY COMPANY CODE OF BUSINESS CONDUCT AND CONFLICT OF INTEREST POLICY We at SM Energy Company are committed to compliance with applicable laws, rules and regulations and to conducting our business

More information

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0 MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:

More information

Minimum Security Requirements for Federal Information and Information Systems

Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory

More information

DIVISION N CYBERSECURITY ACT OF 2015

DIVISION N CYBERSECURITY ACT OF 2015 H. R. 2029 694 DIVISION N CYBERSECURITY ACT OF 2015 SEC. 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE. This division may be cited as the Cybersecurity Act of 2015. (b) TABLE OF CONTENTS. The table

More information

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE FORWARD I am pleased to introduce the mission and authorities of the Office of Inspector General for the Farm Credit Administration. I hope this

More information

John Keel, CPA State Auditor. An Audit Report on The Dam Safety Program at the Commission on Environmental Quality. May 2008 Report No.

John Keel, CPA State Auditor. An Audit Report on The Dam Safety Program at the Commission on Environmental Quality. May 2008 Report No. John Keel, CPA State Auditor An Audit Report on The Dam Safety Program at the Commission on Environmental Quality Report No. 08-032 An Audit Report on The Dam Safety Program at the Commission on Environmental

More information

US EPA: Meaningful Analysis of the FY11 Service Contract Inventory. Table of Contents

US EPA: Meaningful Analysis of the FY11 Service Contract Inventory. Table of Contents Table of Contents Section Page Number Executive Summary 2 Background 3 Purpose and Scope of the Meaningful Analysis 3 Contracts Identification Process 3 Meaningful Analysis Survey 4 Existing Internal Guidance

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

September 18, 1998 FIRST QUESTION PRESENTED ANSWER GIVEN SECOND QUESTION PRESENTED ANSWER GIVEN THIRD QUESTION PRESENTED ANSWER GIVEN DISCUSSION

September 18, 1998 FIRST QUESTION PRESENTED ANSWER GIVEN SECOND QUESTION PRESENTED ANSWER GIVEN THIRD QUESTION PRESENTED ANSWER GIVEN DISCUSSION September 18, 1998 No. 8261 This opinion is issued in response to questions from Jan Curry, Manager of the Driver and Motor Vehicle Services Branch of the Oregon Department of Transportation (ODOT), about

More information

146 FERC 61,166 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

146 FERC 61,166 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 146 FERC 61,166 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Before Commissioners: Cheryl A. LaFleur, Acting Chairman; Philip D. Moeller, John R. Norris, and Tony Clark. Reliability Standards

More information

CHAPTER 9 RECORDS MANAGEMENT (Revised April 18, 2006)

CHAPTER 9 RECORDS MANAGEMENT (Revised April 18, 2006) CHAPTER 9 RECORDS MANAGEMENT (Revised April 18, 2006) WHAT IS THE PURPOSE OF RECORDS MANAGEMENT? 1. To implement a cost-effective Department-wide program that provides for adequate and proper documentation

More information

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Management of Cloud Computing Activities DOE/IG-0918 September 2014 Department

More information

How To Determine What Organizations Should Be Included In The Government-Wide Gpafr

How To Determine What Organizations Should Be Included In The Government-Wide Gpafr Statement of Federal Financial Accounting Standards 47: Reporting Entity Status Issued December 23, 2014 Effective Date For periods beginning after September 30, 2017. Earlier implementation is not permitted.

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

THE FREEDOM OF INFORMATION ACT A User s Guide

THE FREEDOM OF INFORMATION ACT A User s Guide THE FREEDOM OF INFORMATION ACT A User s Guide By The Freedom of Information Clearinghouse A Project of Ralph Nader (Revised 11/05) The Freedom of Information Act ( FOIA ) was enacted by Congress in 1966

More information

TERMS OF USE. Last Updated: October 8, 2015

TERMS OF USE. Last Updated: October 8, 2015 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org TERMS OF USE Last Updated: October 8, 2015 This Terms of Use Agreement (this "Agreement") is

More information

Program History. Prior Law and Policy

Program History. Prior Law and Policy Executive Summary Section 7623(b), providing for whistleblower awards, was enacted as part of the Tax Relief and Health Care Act of 2006 (the Act). For information provided to the Internal Revenue Service

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Statement for the Record by. Dr. Donald M. Kerr. Director, National Reconnaissance Office, Nominee for the Position of

Statement for the Record by. Dr. Donald M. Kerr. Director, National Reconnaissance Office, Nominee for the Position of Statement for the Record by Dr. Donald M. Kerr Director, National Reconnaissance Office, Nominee for the Position of Principal Deputy Director of National Intelligence, before the Senate Select Committee

More information

STATEMENT OF VALUES AND CODE OF ETHICS

STATEMENT OF VALUES AND CODE OF ETHICS STATEMENT OF VALUES AND CODE OF ETHICS INTRODUCTION The Smithsonian Institution is a public trust whose mission is the increase and diffusion of knowledge. The Smithsonian was established by the United

More information

Quality Management Plan

Quality Management Plan Quality Management Plan 6666 West Quincy Avenue Denver, Colorado 80235-3098 Telephone (303) 347-6100 September 1, 2011 CONTENTS Page APPROVALS ACRONYMS AND ABBREVIATIONS ii vi 1 INTRODUCTION 1 2 FOUNDATION

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Stronger Access Controls and Further System Enhancements Are Needed to Effectively Support the Privacy Impact Assessment Program September 1, 2015 Reference

More information

Local Public Health Governance Performance Assessment

Local Public Health Governance Performance Assessment Local Public Health Governance Performance Assessment Version 2.0 Model Standards U.S. Department of Health and Human Services Centers for Disease Control and Prevention THE NATIONAL PUBLIC HEALTH PERFORMANCE

More information