Homeland Security Alert

Transcription

1 November 2007 Authors: Barry M. Hartman Sandra Y. Snyder K&L Gates comprises approximately 1,400 lawyers in 22 offices located in North America, Europe and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations and public sector entities. For more information, please visit Homeland Security Issues New Regulations Requiring Inventories, Assessments and Security Programs at Chemical Facilities On June 8, 2007, Department of Homeland Security (DHS) regulations designed to bolster security at facilities that possess certain chemicals went into effect. Compliance obligations will begin in early November, 2007, with initial reports due in early January, Under this new regime, any facility that possesses or plans to possess any one of approximately 300 chemicals such as propane in amounts over certain threshold quantities must: determine if the facility may be covered by the regulations; register with DHS; complete a Top-Screen self-evaluation; prepare a security vulnerability assessment, if DHS determines that it is a high risk chemical facility; and prepare a site security plan, if DHS determines that it is a high risk chemical facility. This new regime will likely impact entities well beyond those traditionally thought of as chemical facilities. The scope of the regulations could even reach apartment buildings, hospitals, public works operations, as well as colleges and universities, depending upon how the chemicals are used. Anyone with facilities housing chemicals should review the regulations closely, as failure to comply with the new rules could eventually result in the imposition of civil or administrative penalties or a shut down order. 1 Additionally, failure to accurately report information to DHS in an effort to escape coverage under the rule could possibly result in criminal liability. This Alert describes the new program and details the steps facilities must take to comply with the regulations. 2 Background Since September 11, 2001, the security of facilities possessing dangerous chemicals has been of particular concern to the U.S. Congress. In October 2006, after over four years of trying, 3 Congress enacted legislation authorizing DHS to create a regulatory regime to address chemical facility security. 4 The legislation s operative provision reads: 1 Chemical Facility Anti-Terrorism Standards, 72 Fed. Reg , (Apr. 9, 2007) (to be codified at 6 C.F.R (c)(1)). 2 This Alert is part of a series of Alerts detailing congressional efforts to create a regime to protect chemical facilities against terrorist activity. See Barry M. Hartman, et al., Senate Considers Competing Bills to Address Security at Chemical Manufacturing and Processing Facilities (July 2003) and Barry M. Hartman, et al., New Law Grants Homeland Security Broad Powers to Mandate Security Measures at Facilities Having Chemical Substances (Oct. 2006), available at 3 See Barry M. Hartman, et al., New Law Grants Homeland Security Broad Powers to Mandate Security Measures at Facilities Having Chemical Substances (Oct. 2006), available at 4 Department of Homeland Security Appropriations Act of 2007, Pub. L. No , 550 (2006).

2 No later than six months after the date of enactment of this Act, the Secretary of Homeland Security shall issue interim final regulations establishing risk-based performance standards for security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities: Provided, that such regulations shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk.... This broadly worded mandate contains no definitions, even for such seemingly significant terms like chemical facility. The most significant feature of the legislation may be what it did not do: it deferred resolution of virtually every major issue that had prevented passage of previously proposed legislation 5 to the DHS rulemaking process. At the same time, Congress required DHS to promulgate interim final regulations within six months, a remarkably short period of time. In an effort to meet this timeline, DHS issued an Advanced Notice of Rulemaking on December 28, 2006; the notice contained the proposed text of the interim final regulations and requested public comment. 6 Subsequently, DHS published the interim final rule on April 9, The rule became effective on June 8, For example, the law is silent on whether more stringent state standards are preempted by the regulations. In the Advanced Notice of Rulemaking, DHS indicated that the regulations would preempt state and local law. Chemical Facility Anti-Terrorism Standards, 71 Fed. Reg , (proposed Dec. 28, 2006) (to be codified at 6 C.F.R. 27). After receiving comments on this issue, however, the interim final regulations appear to retreat from this position, requiring preemption only if the state laws directly conflict with the federal rules. Chemical Facility Anti-Terrorism Standards, 71 Fed. Reg , (Apr. 9, 2007) (to be codified at 6 C.F.R ) ( the type of preemption called for by Section 550 is not field preemption, but conflict preemption ); Department of Homeland Security, Remarks by Homeland Security Secretary Michael Chertoff... at a DHS Beat Reporter Briefing on Chemical Security Regulations (April 12,2007), available at shtm (statement by Secretary Chertoff making clear that consistent with longstanding constitutional principles applied by the courts over 200 years, state regulations of chemical security can be put into effect, so long as they do not interfere with or conflict with the federal measures ). The House and the Senate both recently passed a DHS Appropriations bill, which would amend the current law, providing expressly that States may enact chemical securities laws that are more stringent than the federal requirements, even if they conflict with the federal law. See Department of Homeland Security Appropriations Act of 2008, H.R. 2638, 110th Cong. 532(a) (as passed by the House, June 12, 2007 and by the Senate, July 26, 2007). As of the date of publication of this Alert, however, the bill has stalled at a Conference Committee where differences between the House and Senate are resolved. See Library of Congress, H.R. 2638, thomas.loc.gov (search Bill Text by Bill Number ; then follow Bill Status & Summary File for H.R.2638.PP ) (last visited Nov. 5, 2007). The Senate has insisted that an amendment to the bill is needed prior to sending the bill to the President for review. See id. 6 Chemical Facility Anti-Terrorism Standards, 71 Fed. Reg (proposed Dec. 28, 2006) (to be codified at 6 C.F.R. 27). 7 Chemical Facility Anti-Terrorism Standards, 72 Fed. Reg (April 9, 2007) (to be codified at 6 C.F.R. 27). This new program impacts any facility that possesses or plans to possess at least one of approximately 300 chemicals of interest in an amount greater than listed threshold quantities. These chemicals of interest and their threshold quantities are listed in Appendix A of the rule. A draft of Appendix A was made public at the same time the interim final rule was published in April. At that time, DHS solicited public comments on Appendix A, which were accepted until May 9, While the regulations technically became effective on June 9, the obligation to begin complying could not begin until the final list of chemicals in Appendix A was issued. DHS issued that list on November 2, 2007, but the exact compliance date is still unclear since DHS has said that Appendix A is not effective until published in the Federal Register. Publication is likely to occur in the next ten days. Facilities will have 60 days from the publication in the Federal Register of the final Appendix to comply with the regulations meaning that compliance will likely be required by sometime in January In response to the public comments, DHS substantially revised the final Appendix A list of chemicals. Some of the more notable changes include: eliminating the need to comply if in possession of any amount of a chemical of interest. The final version of Appendix A established screening threshold quantities (STQs) and minimum concentration provisions for each COI; determining STQ s based on the nature of the threat presented; clarifying that quantities of COIs used in laboratories under the supervision of a technically qualified individual are not to be counted when determining whether the STQ threshold is met; more closely tying the STQ determinations to existing regulatory programs such as the Environmental Protection Agency s (EPA) Risk Management Program (RMP) regulation under the Clean Air Act. November

3 Complying with the DHS Regulations The DHS regulations require facilities that may possess chemicals of interest to engage in a multi-step process: 1. Determine if the facility may be covered by the regulations; 2. Register the facility on the DHS website; 3. Complete a Top-Screen self-evaluation (by early January 2008); 4. Prepare a Security Vulnerability Assessment, if determined to be a high risk chemical facility; and 5. Prepare a Site Security Plan, if determined to be a high risk chemical facility. Step 1: Determine whether a facility is covered by the DHS Chemical Facility Anti-Terrorism Standards Who is covered? A chemical facility subject to the DHS regulations is: any establishment ; that possesses or plans to possess ; at any relevant point in time ; any of the chemicals of interest listed in Appendix A 8 of the rule; in amounts greater than the STQs. 9 Accordingly, if a facility possesses just one of the chemicals of interest 10 at levels above the STQ for that chemical, that site must then comply with the rule. Even if a facility does not currently possess chemicals of interest, if the site comes into possession of sufficient quantities of a chemical of interest in the future, it will have to comply with the rules within 60 days of the date of possession Appendix A was released in final form on November 2, Publication of the Appendix in the Federal Register will trigger the 60-day period to complete the Top Screen self-evaluation. 9 6 C.F.R Chemicals of interest include butane, propane, ethylene, carbon monoxide, hydrogen peroxide, and phosphorous C.F.R (a)(1)(i). DHS has also noted that additional facilities may be covered if the DHS determines that they should be covered and either notifies those facilities in writing or in a Who is exempt? The October 2006 authorizing legislation included the following exemptions: Facilities regulated pursuant to the Maritime Transportation Security Act (MTSA) ;12 Public water systems (as defined by Section 1401 of the Safe Drinking Water Act (SWDA)); 13 Water treatment works (as defined by Section 212 of the Federal Water Pollution Control Act, also known as the Clean Water Act, or CWA); 14 Facilities owned or operated by the Departments of Defense (DOD) or Department of Energy (DOE); and Facilities subject to regulation by the Nuclear Regulatory Commission (NRC). 15 The regulations incorporate these exemptions, 16 but their scope has been narrowed by DHS s implementation scheme. Specifically, if a large facility houses one or more chemical(s) of interest in a portion of its site that is not specifically regulated by one of the above laws or entities, according to DHS, the unregulated portion of the facility may not be exempt from compliance. For example, under the DHS Top-Screen questionnaire, 17 a facility is only partially exempt from compliance where only one building or one section of a facility may be regulated by the MTSA because it is considered a treatment works facility under the CWA or if it is part of a SDWA public water system. In these situations, that portion of the facility that is not regulated by the MTSA, CWA or SDWA must comply with the DHS regulations. Federal Register notice. DHS, Identifying Facilities Covered by the Chemical Security Regulation, programs/gc_ shtm (last visited Nov. 6, 2007). 12 See 33 C.F.R. Part U.S.C. 300f(4) U.S.C. 1292(2). 15 Department of Homeland Security Appropriations Act, Pub. L. No , Sec. 550(a) (2006) C.F.R (b). 17 The Top-Screen questionnaire is a web-based screening tool that DHS will use to determine which facilities present a high security risk. The Top-Screen questions and User s Guide are available on DHS s website at gc_ shtm (last visited Nov. 5, 2007). See infra for further discussion of the Top-Screen process. November

4 No such partial exemption exists for facilities owned or operated by the DOD or DOE or sites which are significantly regulated by the NRC. Rather, in responding to the Top-Screen question that asks if the facility is owned or operated by the DOD or DOE, a facility can answer only yes or no. If the facility answers the question yes, the Top-Screen will conclude immediately and will inform the facility that it is not regulated under the DHS rules. Similarly, the Top-Screen allows a facility to answer only yes or no to the question of whether it is subject to the regulation of the NRC. DHS has instructed facilities, however, that they can answer this question yes only if the facility is one where NRC already imposes significant security requirements and regulates the safety and security of most of the facility, not just a few radioactive sources. 18 As with the DOD/DOE exemption, if a facility answers yes to this question, the Top-Screen will conclude and alert the facility that it is not regulated under the DHS rules. Thus, those facilities that know they are owned or operated by the DOD/DOE, or are subject to significant regulation by the NRC, may be completely exempt from the rule. Notably, the regulations indicate that the Assistant Secretary can provide for additional exemptions, waivers or phase-in of these requirements for various commercial or industrial sectors. For example, although DHS states that it does not plan to add any exemptions via amendments to the regulations at this time, it presently does not plan to screen railroad facilities..., and therefore DHS will not request that railroads complete the Top-Screen risk assessment methodology. 19 Step 2: Register at the DHS website to gain access to the Chemical Security Assessment Tool Facilities that possess or plan to possess more than the threshold quantity of any chemicals of interest will have to complete what DHS calls a Top-Screen. 20 Each potentially covered facility must register on 18 See Top-Screen User s Guide at 16, available at gov/xlibrary/assets/ chemsec_csattopscreenusersmanual.pdf (last visited Nov. 5, 2007). DHS has stated that if a facility only possesses small radioactive sources for chemical process control equipment, gauges, and dials, it will not be exempt. 19 Chemical Facility Anti-Terrorism Standards, 72 Fed. Reg , (Apr. 9, 2007) (to be codified at 6 C.F.R. 27) C.F.R (b)(2). the DHS website to gain access to DHS s Chemical Security Assessment Tool (CSAT) tool, 21 which is the interface used to complete the Top-Screen. Detailed instructions for registering for CSAT are available on the DHS website. To register, facilities will need the name and address of the facility and its latitude and longitude. Also, each facility must designate individuals (or an individual) that DHS calls the Preparer(s), Submitter(s), Authorizer(s) and Reviewer(s). These individuals play the following roles, according to DHS: The Preparer may enter the required data into the CSAT on-line screening tool but may not formally submit the data on the company s behalf. The Submitter may formally submit the regulatory required data to the DHS. The Authorizer is empowered by the facility parent company to provide assurance that the user account request for the Preparer and Submitter is valid. 22 The Reviewer, an optional role, may review information entered into the CSAT but cannot enter, edit or submit information. Once facilities input the registration information online, they will need to print out their registration form, have the Preparer, Submitter and Authorizer sign it, and mail or fax it to DHS. DHS will then process the registration and send the facility usernames and passwords to access and complete the Top-Screen. Step 3: Complete the Top-Screen by January 2008 As mentioned above, the Top-Screen is the initial questionnaire on the DHS website that each potentially covered facility will have to fill out. If a facility covered by the regulations does not complete the Top- Screen within 60 days, DHS may classify the facility as presumptively high risk and order the facility to 21 DHS, Critical Infrastructure: Chemical Security, gov/xprevprot/programs/gc_ shtm (last visited Nov. 5, 2007). 22 One individual can have one or more of these roles (e.g., the Authorizer could fulfill all three roles). Alternatively, a company with multiple facilities may have different Preparers at each facility but might choose to have a single Submitter for all of its facilities. DHS, Accessing the Chemical Assessment Security Tool, (last visited Nov. 5, 2007). November

5 complete the Top-Screen. 23 If the facility still does not complete the Top-Screen, the facility could be subject to fines, shut-down orders and other penalties. 24 The Top-Screen requires the facility to list which chemicals of interest it possesses in quantities greater than the threshold quantities listed in Appendix A of the regulations. Answering these questions likely will require that facilities take an inventory of the types and amounts of chemicals they possess. The Top- Screen also asks questions that attempt to ascertain the potential for loss of life, or the potential loss of the ability to execute a critical government function, should the facility be attacked. Depending on which chemicals of interest the facility possesses, it may have to answer questions that address security issues unique to those chemicals, such as questions concerning how the chemical at issue is stored at the facility. 25 Once submitted to DHS, the answers to the Top-Screen will be analyzed to determine if the facility should be considered a high risk. 26 If the facility is not found to be high risk, then the facility will have to do nothing more to comply with the rules, at least until further notice. If a facility is found to be high risk, however, DHS will then make a preliminary determination and place the facility into one of four risk-based tiers (tier 1 being the highest risk to the public). 27 Facilities placed in the higher risk tiers (typically tiers 1-3) will be the first facilities asked to complete a Security Vulnerability Assessment (SVA). 28 An SVA is more detailed than the Top-Screen and will be used by DHS to refine the placement of facilities into the risk-based tiers. 29 DHS will then require that each high-risk facility prepare (and eventually implement) a Site Security Plan that describes how the facility is going to meet certain security standards set out by DHS. 30 Step 4: Complete the SVA within 90 days of High-Risk Notification If a facility is deemed high risk by the Top-Screen process, it will be notified of this status and initially placed in one of four tiers. 31 Within 90 days of notification, these facilities will have to complete an SVA. 32 This assessment of the facility s security will include the following components: (1) an asset characterization (identifying the facility s potential critical assets/dangerous chemicals and its current security efforts to protect these assets); (2) a threat assessment; (3) a vulnerability analysis; (4) a risk assessment (including the likelihood of a successful attack); and (5) a countermeasures analysis. 33 Based on this assessment, DHS could possibly change the tier in which the facility is placed. Periodically, covered facilities will have to submit updated SVAs, pursuant to a submission schedule set forth in the regulation, as well as submit revised assessments and plans after any material modification to the site. 34 Step 5: Complete a Site Security Plan (SSP) within 120 days of High-Risk Notification Within 120 days of notification, a high risk facility will also have to submit an SSP. 35 The SSP must address each security vulnerability set out in the SVA, describe security measures in place to address such vulnerabilities, describe how the site s security measures meet applicable performance standards, and implement appropriate measures. 36 The regulations include a number of areas to be addressed in the SSP, including: limiting site perimeters and site access; procedures to deter, detect and delay an attack; management controls for materials storage and theft prevention; stopping cyber sabotage; and emergency response plans and monitoring systems C.F.R C.F.R (c). 25 The list of Top-Screen questions is available at gov/xlibrary/assets/chemsec_csattopscreenquestions.pdf C.F.R C.F.R C.F.R C.F.R C.F.R C.F.R and C.F.R (a)(2) C.F.R C.F.R C.F.R (a)(3) C.F.R C.F.R November

6 Conclusion Given the broad authority conferred upon DHS to promulgate these regulations, and the limited time given the DHS to create this program, it is not surprising that the regime imposed by the agency is sweeping in scope and may potentially impact any operation that possesses any one of many different commonly held chemicals. As a result, many facilities beyond those traditionally viewed as chemical facilities may have to comply with the DHS regulations. Any operation that currently possesses, or plans to possess, any of the chemicals of interest that are the focus of these new DHS rules should review the regulatory regime carefully and consider conferring with counsel regarding compliance with the rules. The authors wish to thank Erika Kane, a former K&L Gates associate and Christine E. Goepp Towberman, a summer associate in the Washington, D.C. office of K&L Gates, for their substantial contributions to this Alert. K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name Kirkpatrick & Lockhart Preston Gates Ellis LLP qualified in Delaware and maintaining offices throughout the U.S., in Berlin, and in Beijing (Kirkpatrick & Lockhart Preston Gates Ellis LLP Beijing Representative Office); a limited liability partnership (also named Kirkpatrick & Lockhart Preston Gates Ellis LLP) incorporated in England and maintaining our London office; a Taiwan general partnership (Kirkpatrick & Lockhart Preston Gates Ellis) which practices from our Taipei office; and a Hong Kong general partnership (Kirkpatrick & Lockhart Preston Gates Ellis, Solicitors) which practices from our Hong Kong office. K&L Gates maintains appropriate registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available for inspection at any K&L Gates office. This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Data Protection Act 1998 We may contact you from time to time with information on Kirkpatrick & Lockhart Preston Gates Ellis LLP seminars and with our regular newsletters, which may be of interest to you. We will not provide your details to any third parties. Please london@klgates.com if you would prefer not to receive this information Kirkpatrick & Lockhart Preston Gates Ellis LLP. All Rights Reserved. November