Guidance for Transportation Agencies on Managing Sensitive Information (2005)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

53 Controlling Access to Sensitive Information Once a decision is made that information is considered sensitive, DOTs should ensure that appropriate information management practices are in place to assure its pro- tection. Individuals or groups seeking sensitive information for inappropriate purposes may try to use official channels, such as a “sunshine” law request to obtain copies; alter- natively, they may obtain it by stealing from the desk of a careless employee or through a disgruntled worker. DOTs can guard against these and other scenarios by establish- ing a straightforward and easy-to-implement set of practices that become an ongoing part of document creation, storage, distribution, use, and destruction. FIVE STEPS FOR DEVELOPING AN INFORMATION PROTECTION POLICY Following are five practical steps that should be considered for inclusion in any DOT’s sensitive information management policies. Each step should be customized to fit the needs of individual DOTs. Step 1. Create an Oversight Committee for Setting Sensitive Information Policies As a first step, DOTs should consider creating an oversight committee that can guide overall development and implementation of sensitive information policies, such as how to identify sensitive information and how to protect it. The committee should include agencywide representation and may also have third-party participation from groups directly affected by policies it establishes (e.g., contractors, law enforcement, and fed- eral agencies). It would be responsible for establishing and documenting procedures, ensuring procedures are adhered to, monitoring their effectiveness, and modifying approaches if necessary. New Mexico DOT, for example, has established a committee that oversees its sensitive information policies. Step 2. Review and Identify DOT’s Sensitive Information DOTs should review all the information they produce and/or control to determine which sensitive information may require protection. For most agencies, this list will include vulnerability reports, emergency response plans, as well as information related to selected infrastructure or other facilities. As they identify sensitive information, agen- cies may wish to prioritize it according to its sensitivity relative to other information.

Information should be protected at a level commensurate with the risk posed by its pos- sible misuse. Step 3. Establish a Single Point of Contact for Managing Sensitive Information To avoid inadvertent dissemination of sensitive information, state DOTS should pro- mote consistent handling and ensure adequate monitoring of potentially suspicious activities. A single internal point of contact (POC) should have day-to-day responsi- bility for management of sensitive information issues, including identification of sen- sitive information, documentation of protocols, and handling of information requests. The POC typically may be located in either the office of general counsel, which is familiar with laws governing the release of DOT documents, or the office responsible for records management, which maintains the DOT’s public records. Step 4. Identify Sensitive Information Handling Protocols Clear and documented agencywide protocols should be established for handling sen- sitive information in paper and electronic formats. Protocols may address, but need not be limited to, the following: • Information access. Identification of individuals who have a legitimate need to possess sensitive information. Access to sensitive information should be on a “need to know” basis, with more sensitive information being more tightly restricted. • Information marking. Sensitive information should be conspicuously marked with clear warnings that inform holders about the degree of protection required. • Information storage and accountability. Appropriate custodial responsibilities should be established for storing information and tracking its use. The more sen- sitive the information, the more secure storage should be. Options may include lock and key storage, tamper evident seals, and removal of electronic information from shared computer networks. When electronic distribution of sensitive infor- mation to individuals with the need to know is requested, the information should be sent in a password-protected document (with a separate email or phone num- ber to provide the password). • Information requests. Procedures for evaluating requests for sensitive informa- tion should be established and be consistent with state “sunshine” and information disclosure laws. For example, Maine DOT and Kentucky Transportation Cabinet (KTC) require all requests to be submitted in a letter indicating what information is needed; why it is needed; and the name, title, and affiliation of the requestor. Florida DOT (FDOT) requires that requests for information on FDOT structures or the FDOT security system plan must be submitted on an “Exempt Documents and Security System Plan Request Form.” Requestors must provide their address and phone number, a reason for the request, and a driver’s license or photo iden- tification number. (The FDOT Exempt Documents and Security System Plan Request Form are included in Appendix A.) Agencies may wish to vary the level of protection accorded to individual documents depending on their sensitivity. Policies should, however, always be consistent in the degree of protection they afford to different types of information. 6

7Step 5. Educate DOT Staff About Sensitive Information Ultimately, physical protection of sensitive information must be the responsibility of every component and employee of the agency. Education is critical to ensuring they understand and follow established procedures. Texas DOT (TxDOT) has distributed a memo to all its employees detailing protocol on sensitive security information han- dling. Employees are instructed to contact the TxDOT Office of General Counsel whenever there is an “unusual request for information that may relate to public safety or the security of Texas infrastructure.” (A copy of the memo is included in Appen- dix B.) Washington State DOT (WSDOT) has also distributed a memo to employees that requires suspicious requests to be shared with division managers. If the manager determines it is necessary, the request is forwarded to the WSDOT’s Record Services Unit for further review. HANDLING REQUESTS FOR INFORMATION UNDER STATE “SUNSHINE” LAWS Agencies are encouraged to consult their legal counsel and review existing state leg- islation to ensure they are adequately equipped to withhold sensitive information in response to public requests. In most instances, under existing state “sunshine” or pub- lic disclosure (information act) laws, DOTs should be able to avoid disclosure of sen- sitive information. Many states model their sunshine laws after the federal Freedom of Information Act (FOIA), which allows federal agencies to protect sensitive security information from public disclosure by using the statutory exemptions contained in FOIA. Key federal exemptions to FOIA that are also likely to be applicable at the state level are as follows:
Exemption 2. This exempts from mandatory public disclosure agency records “related solely to the internal personnel rules and practices of an agency.”1 The courts have inter- preted this exemption as encompassing two different types of information: (1) routine internal administrative matters, in which the public has little interest, often called “low 2” information and (2) more substantial internal matters, the disclosure of which would risk circumvention of a statute or agency regulation, often called “high 2” information. The underlying concept is that a FOIA disclosure should not benefit persons attempting to violate (“circumvent”) the law. Application of the high 2 exemption is particularly use- ful in protecting vulnerability assessments. These are records in which an agency specif- ically evaluates its own vulnerability (or that of another entity or installation) to safe- guard against possible interference or unlawful action—in effect, “circumvention.”
Exemption 5. There may be circumstances where information can be withheld under Exemption 5, which protects “inter-agency or intra-agency memorandums or let- ters which would not be available by law to a party . . . in litigation with the agency.” This includes predecisional documents whose disclosure would inhibit open and frank discussions among government employees in formulating recommendations for agency action.2 Under Exemption 5, security analyses and recommendations, as well as related draft letters and memorandum, may be protected from release. 1 The Freedom of Information Act, U.S. Code 5§552(b)(2). 2 See, e.g., Coastal States Gas Corp. v. Dep’t of Energy, 617 F.2d 854, 866 (D.C. Cir. 1980) (importance of pro- tecting documents that reflect “the give-and-take of the consultative process”).

Departments of transportation in some states may legally be able to protect some information under broad exemptions found in their sunshine laws. In New York for example, release of information can be restricted if it “endangers the life or safety of any person,” and in Illinois information may be withheld if it endangers “the life or physical safety of law enforcement personnel or any other person.” Some DOTs have sought to change sunshine-law language to provide specific exemp- tion from public disclosure for information related to critical infrastructure designs and plans, vulnerability assessments, and emergency response plans. Florida, Maryland, Missouri, Texas, Virginia, and Washington have all added exemptions to their state laws that specifically safeguard critical infrastructure data and legally allow them to deny requests for these documents: • The State of Florida can exempt from public records “building plans, blueprints, schematic drawings, and diagrams, including draft, preliminary, and final formats, which depict the internal layout and structural elements of a building, arena, sta- dium, water treatment facility, or other structure. . . .”3 • The State of Maryland can exempt “response procedures or plans prepared to pre- vent or respond to emergency situations, the disclosure of which would reveal vul- nerability assessments, specific tactics, specific emergency procedures, or specific security procedures.”4 • The State of Missouri can exempt information about “existing or proposed secu- rity systems and structural plans of real property owned or leased by a pub- lic governmental body, the public disclosure of which would threaten public safety.”5 • The State of Texas can exempt information if “the information is collected, assem- bled, or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism or related criminal activity . . .”6 • The Commonwealth of Virginia can exempt “plans and information to prevent or respond to terrorist activity, disclosure of which would jeopardize the safety of any person, including (i) critical infrastructure sector or structural components; (ii) vulnerability assessments, operational, procedural, transportation, and tactical planning or training manuals, and staff meeting minutes or other records; and (iii) engineering or architectural records . . .”7 • The State of Washington can exempt records that have been maintained to respond to criminal terrorist acts as well as “specific and unique vulnerability assessments or emergency response plans intended to prevent or mitigate crim- inal terrorist acts . . .”8 Appendix C contains copies of the referenced legislation. Before deciding to seek modifications in state law, DOTs should carefully consider whether such efforts are truly necessary to protect information they control, or whether administrative solutions of the kind described in this guide may be satisfactory. 8 3 Florida Statutes §119.07 4 Maryland Code §10.618 5 Missouri Revised Statutes §610.021 6 Texas Statutes §418.177 7 Code of Virginia §2.2-3705.2 8 Washington Revised Code §42.17.310

9HOUSING SENSITIVE INFORMATION AT FEDERAL OR LAW ENFORCEMENT AGENCIES Agencies should use caution when considering partnering with federal or law agen- cies to house sensitive information outside the DOT as a means for protection. Such strategies do not offer any greater legal justification for limiting disclosure of DOTs’ information, and they may create time-consuming and bureaucratic hurdles to legiti- mately accessing important information.