DHS Fails to Protect Critical Infrastructure

On Sept. 1, the Department of Homeland Security (DHS) issued a final rule for procedures for handling information about critical infrastructure. The rule amends the interim rule issued in February 2004, for which OMB Watch submitted comments. Unfortunately, DHS ignored OMB Watch's suggested modifications, and the final rule opens the door to misuse by the private sector, allowing companies to restrict public access to information that is vital to protecting public health and safety.

"Critical infrastructure information does need certain disclosure restrictions," explains Sean Moulton, OMB Watch's director of federal information policy, "but DHS has implemented a series of procedures which will lead to unnecessary secrecy and greater agency confusion."

The Critical Infrastructure Information Act (CIIA) of 2002 (passed as a subtitle in the Homeland Security Act of 2002) requires DHS to create and implement procedures for the collection and protection of critical infrastructure information. Critical infrastructure information includes data on vulnerabilities and other vital information relating to our nation's communications, transportation, manufacturing, energy and other critical industries. According to government figures, the private sector owns more than 70 percent of the country's critical infrastructure. The act attempts to protect this information by encouraging the private sector to voluntarily submit such information and by preventing its public disclosure and use.

There are a number of problems with CIIA which DHS could have minimized in the final rule. For instance, the Act stipulates that once declared to be critical infrastructure information, company information cannot be used in civil court proceedings, even if the information clearly demonstrates that a company or individual is in violation of state or federal law or is liable for an accident or disaster. Moreover, once designated as critical infrastructure information, documents are immune from disclosure under the Freedom of Information Act (FOIA) and cannot be used by agencies for regulatory enforcement purposes. Hence, companies voluntarily submitting critical infrastructure information to DHS that might be incriminating are shielded from public scrutiny, government oversight, and court actions. The final rule by DHS compounds the original act's overly broad provisions with poor rulemaking language that provides coverage for bad actors who endanger our nation's security, instead of strengthening that security by protecting sensitive information.

DHS's final rule contains a number of additional shortcomings which may lead to increased secrecy on vital public right-to-know issues and greater bureaucracy and agency confusion:

Increased Secrecy and Coverage

The final rule allows for the Program Manager of the Protected Critical Infrastructure Information (PCII) program "to designate certain types of infrastructure information as presumptively valid PCII in order to accelerate the validation process." In order to speed up the certification process, the agency will not review each individual piece of information in these categories and will instead automatically grant protection. Additionally, companies will be permitted to submit large documents that contain some PCII without having to selectively remove such information from the document and otherwise allow its public release and use.

The final rule also states that information once designated as PCII "will not thereafter lose its protected status except under a very narrow set of circumstances." The final rule removed the requirement that information lose its protected status if the information can be publicly accessed through legal means. It also removed the requirement that information lose its protected status if DHS establishes requirements for submission of the information.

There is also no requirement for reevaluation of PCII status. Once information is given protected status, even if someone makes a FOIA request of such information 10 or 20 years later, there is no requirement that the information's status be reviewed. This could lead to the over-protection of important, non-threatening information. Essentially, under this rule, once information is accepted as PCII, it is highly unlikely that the information's protected status will ever be changed.

Agency Interference and Poor Information Management

The final rule fails to establish proper information handling requirements to avoid agency confusion and regulatory interference. For instance, the rule allows for indirect submissions of PCII through agencies other than DHS. Additionally, the original act included a clause that prevented any information required under other federal laws or regulations from being submitted and protected as PCII. The final rule, though, limits this provision to only DHS requirements for information. The poor drafting of these two provisions alone means that, even if the Environmental Protection Agency, for instance, requires companies to submit information on toxic pollution, a company could claim the information is PCII and could prevent the EPA from sharing or using the information, should DHS accept the claim. This could have severe implications for the operations of other government agencies.

The final rule also does not establish a deadline for reviewing PCII submissions. Establishing such deadlines is a basic principle of information management and its omission could have detrimental implications. After information is submitted as PCII but before DHS has a chance to review it, the information is automatically treated as PCII until the program manager determines differently. If DHS encounters a backlog of submissions, years could pass before information is reviewed, and massive amounts of information may be unjustifiably restricted from public access.
