
How the Department of Homeland Security Will Change Your Business

Not a day goes by that some issue of "homeland security" isn't on the front page of your local newspaper or featured on the 6 o'clock news. People want to know that their children's college dormitories are safe from a terrorist act, that the food they buy isn't tainted, and that the railcar or barge sitting next to their employer's plant isn't going to be an explosive target. Homeland security is on everyone's mind.

Yet the reality is that few business folks have any idea what homeland security will mean for them, how their employees will be affected as they comply with the various laws and agency regulations under short deadlines, and what it will cost to be in compliance. Homeland security has the potential to become a nuisance. In a recessionary climate, it may also become a major imposition and drain on a business's bottom line.

Like it or not, homeland security is here, so fasten your seatbelts. The Department of Homeland Security (DHS) is about to descend upon nearly every aspect of your business. Compliance will be time-consuming, complicated, and controversial, and turnaround will be expected in very short order.

Homeland security is really an amalgam of some 40-plus different federal laws. Many states have their own counterparts. These laws affect plant security, identification of key assets and processes, background checks on new employees, employee access to sensitive areas, cybersecurity, and transportation of products and services.

Further, as a result of complying with these many laws and regulations, a company may have to part with critical, proprietary, and sensitive information. While there are some built-in protections to make this information exchange immune from disclosure, the information may be "independently obtained" by enterprising plaintiffs' lawyers. Therefore, careful attention must be paid to how to comply with these acts without placing proprietary information into the public domain. Special care will be needed to review and revise records management programs and to protect sensitive information from third-party disclosure whenever possible.

Many of these laws will require affected companies to perform vulnerability assessments of their plants and manufacturing processes, as well as "value chain" assessments that identify and analyze component parts and the delivery of products, identifying all modes of inbound and outbound transportation. Critical assets and infrastructures will need to be identified and assessed. Threats to those assets, infrastructures, and processes will need to be addressed, and companies will need to identify weaknesses in physical security, passenger and cargo security, structural integrity, protection systems, procedural policies, communication systems, information systems, transportation infrastructure utilities, and contingency response. The following is a look at three of the new regulations.

The Marine Transportation Security Act (MTSA) creates a port security program overseen by the U.S. Coast Guard for implementation and enforcement. Under the MTSA, the Coast Guard was directed to urgently prioritize vessels and facilities based on their vulnerabilities to potential security threats and the consequences of potential incidents, using a systematic, scenario-based process known as Risk-Based Decision-Making, or RBDM. In making scenario assessments and ranking those scenarios, the Coast Guard used a number of factors such as susceptibility, threat, vulnerability, consequence, and maritime security levels. Passenger vessels and container ships that carry hazardous products top the list. Facilities that (1) are adjacent to waters that handle dangerous cargoes, liquefied natural gas, or hazardous gas; (2) transfer oil or hazardous materials in bulk; or (3) receive certain vessels and barges will each be required to perform facility security assessments and develop a facility security plan.

The Bioterrorism Act is administered and enforced by the U.S. Food and Drug Administration ("FDA"). The FDA, like the U.S. Coast Guard, will publish various directives to administer and enforce the Bioterrorism Act. This act, like many of the others, is thus a "work in progress."

The Bioterrorism Act will require the maintenance and inspection of records for two years (excluding farms and restaurants) by persons who manufacture, process, pack, transport, distribute, receive, hold, or import food. The FDA can detain an item of food if an officer or other qualified employee of the FDA has credible evidence or information indicating that the item presents a threat of serious adverse health consequences or death to humans or animals. These provisions allow for expedited enforcement actions, including hearings on perishable foods subject to the detention order. Finally, domestic or foreign food facilities that manufacture, process, pack, or hold food for human or animal consumption will have to register with the FDA.

The Critical Infrastructure Information Act ("CIIA") applies to "critical infrastructure information" that is "voluntarily" submitted to the Department of Homeland Security. "Critical infrastructure" is defined by reference to the USA Patriot Act, which does not mention any industry by name. As a threshold issue, a company must determine whether the Bush Administration meant to include a particular industry as "critical."

"Critical infrastructure information" essentially means information not customarily in the public domain regarding threats, vulnerabilities, and related problems or solutions affecting critical infrastructure or the physical or electronic resources that support it. It does not include information submitted or relied on as the basis for making licensing or permitting decisions or during regulatory proceedings.

The law creates a variety of protections, but the submitted information must be accompanied by an express statement referencing the CIIA. Once the information is submitted, it is exempt from disclosure under the Freedom of Information Act and its state law counterparts. If submitted in good faith, the information cannot be used "directly" in any federal, state, or local civil enforcement action, or in a private civil lawsuit in federal or state court. It could be used in a criminal action. It could also be used in a governmental or private civil case if the plaintiff obtained the information independently; that is, in some way besides through the DHS.

The submitter cannot be held to have waived any privileges or protections supplied by law (e.g., attorney-client privilege, work-product doctrine, or trade-secret protection). The DHS can share the information with federal, state, and local governments, but all of these entities can use it only for protecting infrastructure or prosecuting crimes.
