WATER SECURITY State National Conference slatures Innovations in State Policy Protecting Water System Security Information By Cathy Atkins and Larry Morandi September 2003 Since the attacks of September 11, 2001, almost every state has considered amendments to its Freedom of Information Act (FOIA) to exempt security information related to drinking water systems from public disclosure under a FOIA request. At least 36 states have enacted such legislation in the last two years, bringing to 46 the number of states that appear to afford such protections to water system security information. In an effort to determine which states have statutory authority to protect such information from public disclosure, the National Conference of State Legislatures (NCSL) conducted an extensive review of state FOIA statutes for the U.S. Environmental Protection Agency's Drinking Water Academy. NCSL also contacted state drinking water agency staff in nine states where the statute was unclear to obtain clarification of the status of water system security information protection. The information in this report is presented in five parts. Part one presents an overview of NCSL's analysis of the status of exemptions from public disclosure requirements for water security system information in each state's FOIA statute. Part two is a matrix summary of each state's exemptions, part three is a narrative summary of each state's exemptions, part four summarizes relevant state FOIA legislation considered during the 2003 sessions, and part five contains the results of the survey responses from state drinking water agency staff. It must be emphasized that the information presented in this report reflects the interpretation of NCSL staff based on an exhaustive review of state FOIA statutes and, in those instances where the statutory language was unclear, responses to a written survey and follow-up telephone interviews with a select number of state agency drinking water staff. The report's findings do not represent the legal opinions of state attorneys general. Analysis of Water Security System Exemptions Based on the results of its statutory analysis and the state agency survey responses, NCSL staff determined that 46 states and the District of Columbia appear to have an exemption from public disclosure requirements for water security system information in their FOIA statutes. The states fall into one of four FOIA exemption categories: CONTENTS Analysis of Water Security System Exemptions 1 Summary of Water System Security Exemptions 3 Narrative Summary of State Water Security Exemptions 7 Summary of2003 State Water System Security Bills 11 Survey Responses from State Drinking Water Staff 14 Appendix A. Specific Statutory Language 17 Appendix B. Survey of Public Disclosure Require- ments and Protections under State Freedom of Information Acts and Open Record Laws 33 ------- 2 Water Security 1. States that have specific exemptions from public disclosure requirements for water system security information (e.g., vulnerability assessments). 2. States that have an exemption for information protected by federal or state law, whether it be statutory or judicial in origin. 3. States that do not have exemptions for water system security information. 4. States that have an uncertain exemption status. States That Have Specific Exemptions Thirty-six states and the District of Columbia have added a specific exemption from public disclosure requirements for water security system information to their FOIA law since September 11, 2001. Although the wording of the statutes varies greatly, the relevant statute usually provides that vulnerability assessments are not considered to be a public record that is required to be disclosed under the state's FOIA law. The states are shown in figure 1. Figure 1. States/Jurisdictions That Have Specific Exemptions Alaska Kansas New Mexico Arizona Louisiana North Carolina Arkansas Maine North Dakota California Maryland Ohio Colorado Massachusetts Oklahoma Connecticut Michigan Oregon Delaware Missouri Rhode Island District of Columbia Montana Tennessee Florida Nebraska Texas Georgia Nevada Virginia Idaho New Hampshire Washington Iowa New Jersey West Virginia Wyoming Source: NCSL, 2003. Although it is likely that information that is exempt under a federal law exemption (see the list of states in the following category) is safe from having to be disclosed under an open records law, a specific exemption for water system security information provides another layer of protection. When a legislature enacts a law that specifically exempts water security information, the withholding of such information is less likely to be successfully challenged on the basis of legislative intent, since the legislature presumably made its intent clear within the legislation. A state that enacts its own legislation to protect water system security information from disclosure also has a second layer of coverage if the federal law is challenged and found to be void. States That Have Exemptions for Information Protected by Federal or State Law Ten states provide for a FOIA exemption if statutory, regulatory or judicial law at the federal or state level requires the information to be protected. The Federal Bioterrorism Preparedness and Response Act of 2002 affords protection for vulnerability assessments that are required to National Conference of State Legislatures ------- Protecting Water System Security Information 3 be conducted under the act. Nebraska and Pennsylvania add the stipulation that the information may be protected if its release would result in the loss of federal funds. The states are shown in figure 2. States That Have No Specific Exemptions Three states—Alabama, Minnesota and South Dakota—that require a specific exemption before information is excluded from a FOIA request do not appear to have such an exemption in their statutes. States That Have an Uncertain Exemption Status The status of any exemption for water system security information in South Carolina and Puerto Rico is unclear. Summary of Water System Security Exemptions A summary is presented here of state exemptions from public disclosure requirements for water security system information in each state's FOIA statute. The information that is presented in the first two columns of table 1 relates directly to the states listed in the first category of part one. Table 1 includes the name of the state, the statutory citation where an exemption exists, and classification of each state in one of four categories: exemption specifically cites vulnerability assessments; pertains to the protection of public health or security generally; is contingent upon exemption under federal or other state law; or no exemption exists or the status of exemption is unclear. A narrative discussion follows the table of the degree to which a statutory exemption for water system security information also may apply to information held by a privately owned public water system and to information contained in a sanitary survey. Table 1. Summary of Water Security Exemptions State/ Jurisdiction Statutory Citation Specific Vulnerability Assessment General Public Health/ Security Federal or State Law None or Unknown Alabama • Alaska Alaska Stat. §40-25-120(a)(10) • Arizona Ariz. Rev. Stat. §39-126 Ariz. Rev. Stat. §49-205(2) • Arkansas Ark. Stat. Ann. §25-19-105(b) (15) • California Cal. Gov. Code §6254(z) • Colorado Colo. Rev. Stat. §24-72-204(3) (a) (XVI) • Connecticut Conn. Gen. Stat. §§1-14,1-210(19) • Delaware 29 Del. Code Ann. §10002(16) • District of Columbia D.C. Statute §2-534(10) • National Conference of State Legislatures Figure 2. States That Have Exemptions for Information Protected by Federal or State Law Hawaii Illinois Indiana Kentucky Mississipp New York Pennsylvania Utah Vermont Wisconsin Source: NCSL, 2003. ------- 4 Water Security Table 1. Summary of Water Security Exemptions (continued) State/ Jurisdiction Statutory Citation Specific Vulnerability Assessment General Public Health/ Security Federal or State Law None or Unknown Florida Fla. Stat. §119.071 • Georgia Ga. Code §50-18-72(15) • Hawaii Hawaii Rev. Stat. §92F-13(4) • Idaho Idaho Code §9-34OB(3) (b) • Illinois 5 ILCS 140/7(1) (a) • Indiana Ind. Code §5-14-3-4(a) (3) • Iowa Iowa Code §22.7(45) • Kansas Kan. Stat. Ann. §45-221(12) • Kentucky Ky. Rev. Stat. §61-878(1) (k) • Louisiana La. Rev. Stat. §44:3 • Maine 402 Me. Rev. Stat. Ann. §3 • Maryland Md. State Gov. Code Ann. § 10-618(j) • Massachusetts Mass. Gen. L. ch. 4, §7(n) • Michigan Mich. Comp. Laws §15.243(y) • Minnesota • Mississippi Miss. Code Ann. §25-61-11 • Missouri Mo. Rev. Stat. §610.021 • Montana Mont. Code Ann. §2-6-102(3) • Nebraska Neb. Rev. Stat. §84-712.05(8) • Nevada 2003 Nev. Stats., Chap. 402 • New Hampshire N.H. Rev. Stat. Ann. §91-A:5(VI) • New Jersey N.J. Rev. Stat. §47:1 A-1.1 • New Mexico N.M. Stat. Ann. §14-2-1(8) • New York N.Y. Pub. Off. Law §47-6-87 • North Carolina N.C. Gen. Stat. §132-1.7 • North Dakota N.D. Cent. Code §44-04-18; 2003 N.D. Sess. Laws, Chap. 385. • Ohio Ohio Rev. Code §149.433 • Oklahoma Okla. Stat. §51-24A.13 • Oregon Or. Rev. Stat. 192.501(23); 192.502(8) • Pennsylvania 65 Pen. Cons. Stat. §66.1 • Puerto Rico • Rhode Island R.I. Gen. Laws §46-15.3-7.5(a) • South Carolina • South Dakota • Tennessee Tenn. Code Ann. §10-7-503(b), §10-7-504(a)(2) • Texas 2003 Tex. Gen. Laws, Chap. 1312. • Utah Utah Code Ann. §63-2-201 (3)(b); §§63-2- 304(10) and (11) • Vermont 1 Vt. Stat. Ann. §§317(1) and (2) • Virginia Va. Code §2.2-3705(57) • Washington Wash. Rev. Code §42.17.310(ww) • West Virginia W. Va. Code §29B-l-4 • Wisconsin Wise. Stat. §19.36(1) • Wyoming Wyo. Stat. §16-4-203 • Source: NCSL, 2003. National Conference of State Legislatures ------- Protecting Water System Security Information 5 Exemption for Privately Owned Public Water Supply Systems One issue that has arisen in conducting this study of statutory protections from disclosure of water security information under state FOIA laws is whether the protection extends to information held by privately owned public water systems, not only to publicly owned public water systems. EPA and the states regulate public water systems—which may be publicly owned or privately owned—that have at least 15 service connections or serve at least 25 people for 60 days or more per year. The Bioterrorism Preparedness and Response Act of 2002 requires every community water system that serves at least 3,300 people to conduct a vulnerability assessment, submit the vulnerability assessment to EPA, and prepare an emergency response plan. As noted in part one, at least 10 states provide a FOIA exemption to public water systems if federal law requires the water security information to be protected. In some cases, determining if the disclosure exemption applies to privately owned public water systems is clear because the statute specifically states that such entities are exempt. In many states, however, the statute fails to mention privately owned systems. In those states that include federal laws as a means of determining the applicability of an exemption, it is likely that information received by a state agency from a privately owned public water system that a federal law—like the Bioterrorism Preparedness and Response Act of 2002—requires to be protected would be exempt from disclosure. Those states that have some type of specific exemption for vulnerability assessments conducted by publicly owned public water systems—but that do not mention privately owned systems— present a different matter entirely. Generally, states require the disclosure of public records and define these as records made by, maintained by, compiled by, or submitted to a public agency. The information contained in these records would likely be available only from the state, not from a privately owned public water system. If a vulnerability assessment is considered to be a public record only because it is submitted to a state agency, then a strong argument could be made that the information is exempt from disclosure under the "submitted to a public agency" portion of the "public record" definition. Such an argument would likely be compelling to a court if the state noted that the same information received from a publicly owned system is exempt from disclosure. Based on an analysis of the statutory language and the written survey responses, at least 34 states and the District of Columbia appear to extend the exemption from public disclosure requirements for water security information in their FOIA statutes to privately owned public water systems as well as to publicly owned water systems. The states are shown in figure 3. Figure 3. States/Jurisdictions That Have an Exemption for Privately Owned Public Water Systems Arizona Nevada Arkansas New Jersey Delaware New Mexico District of Columbia New York Florida Ohio Georgia Oklahoma Hawaii Oregon Idaho Pennsylvania Illinois Rhode Island Indiana Tennessee Kansas Texas Kentucky Utah Maine Vermont Massachusetts Virginia Michigan Washington Mississippi West Virginia Montana Wsconsin Nebraska Source: NCSL, 2003. National Conference of State Legislatures ------- 6 Water Security At least 11 states do not appear to extend the FOIA exemption to privately owned public water systems. The states are shown in figure 4. The status of a FOIA exemption for privately owned public water systems in five states—Alaska, Colorado, Iowa, Maryland and South Carolina—and Puerto Rico is unclear. Exemption for Sanitary Surveys The U.S. Environmental Protection Agency (EPA) requires states to have "... a systematic program for conducting sanitary surveys of public water systems in the State, with priority given to sanitary surveys of public water systems not in compliance with State primary drinking water regulations" (40 CFR 142.10(b)(2)). EPA defines a sanitary survey to be " ... an on-site review of the water source (identifying sources of contamination using results of source water assessments where available), facilities, equipment, operation, maintenance and monitoring compliance of a public water system to evaluate the adequacy of the system, its sources and operations and the distribution of safe drinking water." Its primary purpose is to " ... evaluate and document the capabilities of the water system's sources, treatment, storage, distribution network, operation and maintenance, and overall management to continually provide safe drinking water and to identify any deficiencies that may adversely impact a water system's ability to provide a safe, reliable water supply." A sanitary survey contains many elements that are related to water system security and may include items of concern that are found in a vulnerability assessment. A majority of the information contained in a sanitary survey, however, is not related to water system security. In evaluating whether a sanitary survey is exempt from public disclosure, one must be able to determine whether a state statute: • Affords protection to the entire sanitary survey; • Affords protection only to security-related information that can be severed from the survey report in order to maintain public access to essential water quality information found in the rest of the report; or • Provides no exemption for sanitary surveys. The statutory language reviewed for this report is unclear as to whether exemptions from public disclosure for water system security information also apply to security related information contained in a sanitary survey. Although the authors had hoped to be able to ascertain whether amendments to state FOIA laws protected such information from disclosure, they were unable to do so given the ways the various statutes are written. In the written responses from the nine states surveyed in part five of this report, for example, three of the four states that indicated their statutory law protected water system security information from disclosure also stated that the protection does not apply to sanitary surveys (see appendix A for the actual statutory language). The statutes in those three states represent each of the three exemption categories used in the matrix above—specific vulnerability assessment, general public health/security, Figure 4. States That Do Not Have an Exemption for Privately Owned Public Water Systems Alabama New Hampshire California North Carolina Connecticut North Dakota Louisiana South Dakota Minnesota Wyoming Missouri Source: NCSL, 2003. National Conference of State Legislatures ------- Protecting Water System Security Information 7 and federal or state law. Relying solely on the statutory language is not sufficient to reach a definitive conclusion on this issue. After reviewing each FOIA statute, the intent of the statute (to the degree that legislative intent can be determined from the statutory language), and the types of information included in a sanitary survey, it appears that a legal argument could be made in a number of states to support keeping certain sanitary survey information exempt from public disclosure. If any security information in a sanitary survey were exempt, however, it is likely that the state agencies involved would have to separate the security-related information prior to the release of the sanitary survey. Narrative Summary of State Water Security Exemptions Table 2 contains summaries of provisions contained in state FOIA statutes that exempt water security system information from public disclosure requirements. It includes the statutory citation, the type of exemption provided and a brief narrative description. The full statutory language for each state is contained in appendix A. Table 2. Descriptions of FOIA Exemptions State/Jurisdiction Statutory Citation Type Exemption Description of Exemptions Alabama No exemption Alaska Alaska Stat. §40.25.120 (a) (10) Specific exemption Specific exemption for records pertaining to facilities and infrastructure when the release of the information would reasonably be expected to interfere with the implementation or enforcement of a security plan, or could reasonably be expected to endanger the life or physical safety of an individual, or present a real and substantial risk to the pubic health and welfare. Arizona Ariz. Rev. Stat. Ann. §39-126, §49-205(2) Specific exemption Specific exemptions for water system assessments. One specifically exempts federal risk or vulnerability assessments of infrastructure, including water, from disclosure. The other exempts water system vulnerability assessments from disclosure that are submitted to EPA pursuant to Public Law 107-188. Arkansas Ark. Stat. Ann.§25-19- 10S (b)(15) Specific exemption Specific exemption for risk and vulnerability assessments. California Cal. Gov. Code §6254(z) Specific exemption Specific exemption for documents prepared by a local agency that assess its vulnerability to terrorist or other criminal acts and that is for distribution or consideration in a closed session. Colorado Colo. Rev. Stat.§24-72- 204(3) (a) (XVI) Specific exemption Specific exemption for "specialized details" of security arrangements, which are considered to be records received by the Office of Preparedness, Security, and Fire Safety in connection with the performance of its duties, and records received by any state agency or political subdivision of the state from, or on behalf of, the Office of Preparedness, Security and Fire Safety. National Conference of State Legislatures ------- 8 Water Security Table 2. Descriptions of FOLA Exemptions (continued) State/Jurisdiction Statutory Citation Type Exemption Description of Exemptions Connecticut Conn. Gen. Stat. §1-14, 1- 210(19) Specific exemption Broad exemption for records that the Commissioner of Public Works has "reasonable" grounds to believe may result in a safety risk to any person, state-owned or leased facility or any fixture, and equipment attached to that facility. Delaware 29 Del. Code Ann. §10002(16) Specific exemption Specific exemptions for records, that if disclosed, could jeopardize the security of any facility owned by the state or a political subdivision, or could facilitate the planning of a terrorist attack, or could endanger the life or physical safety of an individual, including plans designed to prevent or respond to an emergency situation that would reveal vulnerability assessments, and plans or other records of waste and water systems. District of Columbia D.C. Statute §2-534(10) Specific exemption Specific exemption for "any specific vulnerability assessment.. .intended to prevent or mitigate an act of terrorism." Florida Fla. Stat. §119.071 Specific exemption Specific exemptions for a "security system plan" for any property owned by or leased to the state or a political subdivision. A security system plan includes records and information related to threat assessments conducted by any state or local agency or private entity, and threat response plans. Georgia Ga. Code §50-18-72(15) Specific exemption Specific exemption for security plans and vulnerability assessments, the nondisclosure of which is necessary to protect life, safety or public property. Hawaii Hawaii Rev. Stat. §92F- 13(4) Exemption for information protected by federal or state law Exemption for government records that are protected from disclosure pursuant to state or federal law. Idaho Idaho Code §9-340B (3)(b) Specific exemption Specific exemption for information, including vulnerability assessments, the disclosure of which would jeopardize people's safety. Illinois 5ILCS §140/7 (l)(a) Exemption for information protected by federal or state law Exemption of information that is specifically prohibited from disclosure by federal or state law. Indiana Ind. Code §5-14-3-4 (a)(3) Exemption for information protected by federal or state law Exemption of records required by federal law to be kept confidential. Iowa Iowa Code §22.7(45) Specific exemption Specific exemption for records of a municipal utility, including vulnerability assessments, the disclosure of which could reasonably be expected to jeopardize the security or the public health and safety of those served by the municipal utility. Kansas Kan. Stat. Ann.§45-221(12) Specific exemption Specific exemption for records of emergency or security information of a public agency, or plans used for the generation of or transmission of water, the disclosure of which would jeopardize the security of the public agency or facility. National Conference of State Legislatures ------- Protecting Water System Security Information 9 Table 2. Descriptions of FOLA Exemptions (continued) State/Jurisdiction Statutory Citation Type Exemption Description of Exemptions Kentucky Ky. Rev. Stat.§61.878(l)(k) Exemption for information protected by federal or state law Exemption of public records or information, the disclosure of which is prohibited by federal or state law. Louisiana La. Rev. Stat.§44:3(3) Specific exemption Specific exemption for records held by publicly owned water districts that contain threat or vulnerability assessments. Maine 402 Me. Rev. Stat. Ann. §3 Specific exemption Specific exemption for public records, including risk assessments prepared specifically to prevent or prepare for an act of terrorism, the disclosure of which could reasonably be expected to jeopardize the physical safety of the public. Maryland Md. State Govt. Code Ann.§10-618(j) Specific exemption Specific exemptions for plans prepared to prevent or respond to emergency situations, the disclosure of which would reveal vulnerability assessments, and plans or records of waste and water systems, the disclosure of which would reveal the building's structure and security systems. The exemptions are provided only where disclosure would jeopardize the security of any relevant structure, help plan a terrorist attack, or endanger people's lives or physical safety. Massachusetts Mass. Gen. L. ch. 4, §7(n) Specific exemption Specific exemption for records, including vulnerability assessments, the disclosure of which is likely to jeopardize public safety. Michigan Mich. Comp. Laws§ 15.243 (y) Specific exemption Specific exemptions for public or private records designed to protect people's security and safety, including public water supply designs, and risk planning documents and threat assessments. Minnesota No exemption Mississippi Miss. Code Ann.§25-61-11 Exemption for information protected by federal or state law Stipulates that Mississippi's exemptions shall not conflict with or supercede any state or federal law that specifically declares a public record to be confidential. Missouri Mo. Rev. Stat. §610.021 Specific exemption Specific exemption for security systems and structural plans of real property owned by a public agency, the disclosure of which would threaten the public safety. Montana Mont. Code Ann.§2-6- 102(3) Specific exemption Exempts information that is constitutionally protected from disclosure, which is information "... where there is an individual privacy interest that clearly exceeds the merits of the public disclosure ... and matters related to individual or public safety." (See part five of this report for state agency interpretation.) Nebraska Neb. Rev. Stat. §84- 712.05(8) Specific exemption Specific exemption for information, including vulnerability assessments intended to prevent or mitigate criminal acts, the disclosure of which would likely endanger public safety or property. National Conference of State Legislatures ------- 10 Water Security Table 2. Descriptions of FOIA Exemptions (continued) State/Jurisdiction Statutory Citation Type Exemption Description of Exemptions Nevada 2003 Nev. Stats., Chap 402 Specific exemption Protects the confidentially of information conveyed to the governor, including information pertaining to water utilities, when the entity conveying the information requests that it remain confidential. New Hampshire N.H. Rev. Stat. §91-A:5(VI) Specific exemption Specific exemption for records concerning the preparation and implementation of all emergency functions developed by state and local government officials intended to stop a deliberate act that may result in significant property damage, personal injury or loss of life. New Jersey N.J. Rev. Stat. §47:1 A-1.1 Specific exemption Specific exemption for emergency or security information for facilities, that if disclosed, would jeopardize the security of the facility or create a risk for the safety of people or property. New Mexico N.M. Stat. Ann. §14-2-1(8) Specific exemption Specific exemption for records that contain plans prepared by the state or a political subdivision, the publication of which could reveal vulnerabilities or risk assessments that could aid in a terrorist attack. New York N.Y. Pub. Off. Law §47-6- 87(a) Exemption for information protected by federal or state law Exemption of records when they are specifically exempted from disclosure by state or federal law. North Carolina N.C. Gen. Stat. §132-1.7 Specific exemption Specific exemption for information containing details of public security plans or plans of public infrastructure facilities. North Dakota N.D. Cent. Code §44-04- 18; 2003 N.D. Sess. Laws, Chap. 385. Specific exemption Specific exemption for a security system plan kept by a public entity, which is defined to include information related to vulnerability and capability assessments conducted by public or private entities. Ohio Ohio Rev. Code §149.433 Specific exemption Specific exemption for security records, which include vulnerability assessments designed to prevent or mitigate an act of terrorism. Oklahoma Okla. Stat. §51-24A.13 Specific exemption Specific exemption for vulnerability assessments of water and wastewater systems. A second exemption is provided for information obtained from the federal government that may be required to be kept confidential pursuant to federal law. Oregon Or. Rev. Stat.§§192.501(23), and 192.502(8) Specific exemption Specific exemption for records or information that would reveal security efforts taken to protect publicly owned buildings or other property. A second exemption is provided for information prohibited to be disclosed by federal law. Pennsylvania 65 Pa. Cons. Stat. §§66.1- 66.4 Exemption for information protected by federal or state law Exemption of records, the access to which is prohibited by state law, or which, if disclosed, would result in the loss of federal funds by the state or local governments. Puerto Rico Uncertain exemption Rhode Island R.I. Gen. Laws §46-15.3- 7.5(a) Specific exemption Specific exemption for information contained in water supply systems' management plans. National Conference of State Legislatures ------- Protecting Water System Security Information 11 Table 2. Descriptions of FOIA Exemptions (continued) State/Jurisdiction Statutory Citation Type Exemption Description of Exemptions South Carolina Uncertain exemption South Dakota No exemption Tennessee Tenn. Code Ann. §10-7- 503(b), §10-7-504(a)(2) Specific exemption Specific exemption for utility service providers' reports identifying areas that are vulnerable to terrorism or other unlawful disruptions of service. Texas 2003 Tex. Gen. Laws, Chap. 1312 Specific exemption Specific exemption for certain information relating to risk or vulnerability assessments designed to prevent, detect or investigate an act of terrorism. Utah Utah Code Ann.§63-2- 201 (3)(b); §63-2- 304(10)(11) Exemption for information protected by federal or state law Exemption of records, access to which is restricted by state or federal law, or the disclosure of which would result in the loss of state or federal funds. Vermont 1 Vermont Stat. Ann. §§317(c)(l) and (2) Exemption for information protected by federal or state law Exemption for records "which by law are designated as confidential." Virginia Va. Code §2.2-3705(57) Specific exemption Specific exemption for plans to prevent or respond to a terrorist activity, or specific security measures that, if disclosed, would jeopardize the public safety or the security of any governmental facility. Washington Wash. Rev. Code §42.17.310(ww) Specific exemption Specific exemption for records designed to prevent or mitigate terrorist acts, which specifically includes vulnerability assessments. A second exemption is for records that are not subject to disclosure under federal law. West Virginia W.Va. Code §29B-l-4 Specific exemption Specific exemption for records designed to prevent or mitigate terrorist acts, which specifically includes vulnerability assessments. Wisconsin Wis. Stat. §19-36(1) Exemption for information protected by federal or state law Exemption of records specifically exempted from disclosure by state or federal law. Wyoming Wyo. Stat. §16-4-203 Specific exemption Specific exemption for vulnerability assessments and building plans and other information related to waste and water systems. Source: NCSL, 2003. Summary of 2003 State Water System Security Bills Table 3 contains summaries of the provisions of proposed and enacted state legislation considered during the 2003 sessions that provides an exemption from public disclosure requirements for water system security information. The bill information has been incorporated into the summaries of state FOIA statutes contained in parts two and three of this report, where relevant. The information presented in the table includes the state, bill number, bill status and a summary of the bill's provisions. National Conference of State Legislatures ------- 12 Water Security Table 3. Summaries of 2003 State Legislation State Bill Number Status Description of Exemptions Arizona S.B. 1167 Enacted Excludes from public inspection drinking water system security vulnerability assessments and energy, water or telecommunications infrastructure risk assessments. Arkansas H.B. 2245 Enacted Specifies that records, including risk and vulnerability assessments, are not deemed to be open to the public under the provisions of the state FOIA. The new law appears to exempt most public water system information related to security. Georgia S.B. 113 Enacted Amends existing law to provide an exemption from the state's open records requirements related to security plans and vulnerability assessments for any public utility, technology, infrastructure, building, facility, function or activity; any plan for protection against terrorist attacks; any document relating to the existence, nature, location or function of security devices designed to protect against terrorist attacks; and any plan or other material which, if made public, could compromise security against terrorist acts. Illinois H.B.305 Passed House; in Senate Rules Committee Would exempt from inspection and copying requirements a) a public body's records compiled for emergency and security procedures, to the extent disclosure would interfere with planning, training, and security; and b) information that could compromise the security of public or private personnel or property or emergency or disaster training, response and recovery. H.B.2443 In House Rules Committee Provides that the exemption from inspection and copying requirements for architects' plans and engineers' technical submissions includes, but is not limited to, specified utility, transportation, public and government facilities. H.B.2807 In House Rules Committee Would exempt from disclosure architectural and engineering plans for various utility, transportation and public facilities. S.B. 1034 Enacted Provides that the exemption from inspection and copying requirements for architects' plans and engineers' technical submissions includes, but is not limited to, specified utility (including water treatment), transportation, public and government facilities. Louisiana S.B. 787 In House Government Affairs Committee Expands the exemption from disclosure under current law to prohibit disclosure of certain records for utility systems that are owned and operated by political subdivisions. Massachusetts H.B.3863 In Joint Committee on Natural Resources and Agriculture This bill relates to the security of certain information obtained by, or in the possession of, the Department of Environmental Protection. (Editors note: The bill is new and additional information is not yet available; bills in Massachusetts often are not fully fleshed out until after committee deliberations.) National Conference of State Legislatures ------- Protecting Water System Security Information 13 Table 3. Summaries of 2003 State Legislation (continued) State Bill Number Status Description of Exemptions Nevada A.B. 441 Enacted Protects the confidentially of information conveyed to the governor, including information pertaining to water utilities, when the entity conveying the information requests that it remain confidential. New Mexico H.B. 254 Enacted Exempts from disclosure plans prepared by the state or a political subdivision, the publication of which could reveal vulnerabilities or risk assessments that could aid in a terrorist attack. North Dakota H.B. 1143 Enacted Exempts from disclosure security system plans for critical infrastructure that are " ... so vital to the state that the incapacity or destruction of these systems would have a debilitating impact on security, state economic security, state public health or safety, or any combination of those matters." A security system plan is defined to include a wide range of documents, including vulnerability and capability assessments con- ducted bv a oublic entity or bv anv private entity. Oklahoma H.B. 1146 Enacted Stipulates that w... any state environmental agency or public utility shall keep confidential vulnerability assessments of critical assets in both water and wastewater systems." Tennessee H.B. 2030 Enacted Clarifies that utility service providers' reports that identify areas vulnerable to terrorism or other unlawful disruptions of service are confidential. Texas H.B. 9 Enacted Provides a specific exemption for certain information relating to risk or vulnerability assessments designed to prevent, detect or investigate an act of terrorism. Virginia H.B. 2210 Enacted Exempts from disclosure information that the governor receives from either public or private entities and that relates to the protection of critical infrastructure, or that affects the health, safety and welfare of residents of the state. West Virginia H.B. 3009 Enacted Exempts from disclosure " records assembled, prepared or maintained to prevent, mitigate or respond to terrorist acts or the threat of terrorist acts, the public disclosure of which threatens the public safety or the public health, as well as those portions of records that contain specific or unique vulnerability assessments." Wisconsin S.B. 8 Passed Senate; in Assembly Energy Committee Would exempt records containing information about security measures for protecting the safety of facilities or people who operate a public water supply system. Wyoming S.F. 10 Enacted Exempts from disclosure information, including vulnerability assessments, to the extent disclosure would jeopardize the security of any facility owned, leased or operated by the state or a political subdivisions; assist the planning of a terrorist attack; or endanger the life or physical safety of an individual. Protected information also includes building plans and security measures related to waste and water systems. Source: NCSL, 2003. National Conference of State Legislatures ------- 14 Water Security Survey Responses from State Drinking Water Staff In order to confirm or amend its initial interpretation of some state laws, NCSL submitted a brief written survey to drinking water agency staff in nine states: Alabama, Minnesota, Montana, New Hampshire, North Dakota, Pennsylvania, South Dakota, Vermont and West Virginia. Each of the states responded. NCSL developed the survey instrument with assistance from the Association of State Drinking Water Administrators (ASDWA). ASDWA also identified the state drinking water agency staff to whom NCSL submitted the survey. The survey instrument containing each state's responses is included as appendix B. The survey asked the respondent whether the existing state FOIA law protected drinking water system security information from public disclosure. If the respondent indicated that it did, he or she was asked to indicate if that protection applied to vulnerability assessments, sanitary surveys, publicly owned systems and privately owned systems. If the respondent replied "no" to the initial question, he or she was asked about any proposed legislation that would change state law to provide such exemptions. Space was included for the respondent to add comments to help NCSL better understand the state's law pertaining to the protection of water system security information. Four states—New Hampshire, North Dakota, Pennsylvania and Vermont—indicated that state law protects drinking water security information from having to be made public. Four states—Alabama, Minnesota, South Dakota and West Virginia—responded that state law does not provide such protections (West Virginia's response was received before final enactment of House Bill 3009 during the 2003 session, which provides a specific protection—see part four). Montana was not sure. Of the four states that responded affirmatively to the first question, all four indicated that the protections apply to vulnerability assessments and to publicly owned water systems. Only Vermont responded that the protections apply to sanitary surveys for future security-related information. New Hampshire, Pennsylvania and Vermont said that privately owned water systems are covered. Four states that responded negatively to the first question or that were not sure—Alabama, Minnesota, Montana and South Dakota—indicated that efforts are under way to clarify the public disclosure requirements of water system security information. Montana's efforts, related specifically to water system security information, have been the most extensive to date. The Montana Department of Environmental Quality (MDEQ) asked for an opinion from the state attorney general regarding the protection of water system security information. The state's statute provides an exemption for information that is constitutionally protected from disclosure, and also for information pertaining to the security of public facilities. In a letter to the U.S. Environmental Protection Agency, MDEQ indicated that constitutionally protected information includes "... information in which there is an individual privacy interest that clearly exceeds the merits of public disclosure ... and matters related to individual or public safety." MDEQ concluded that this allowed the state to withhold from public disclosure information included in The Baseline Threat Information for Vulnerability Assessment of Community Water Systems report. The agency stated in the letter to EPA that it also intended to withhold any information in the report "that is contained in vulnerability assessments that National Conference of State Legislatures ------- Protecting Water System Security Information are submitted by public water suppliers to MDEQ." According to MDEQ, the Montana Attorney General's Office had reviewed the information and concurred that it is exempt from public disclosure. National Conference of State Legislatures ------- ------- Protecting Water System Security Information 17 Appendix A. Specific Statutory Language State/ Jurisdiction Specific Statutory Language 1. Alabama Ala. Code §36-12-40. Rights of citizens to inspect and copy public writings; exception for public library registration and circulation records. Every citizen has a right to inspect and take a copy of any public writing of this state, except as otherwise expressly provided by statute. Provided however, registration and circulation records and information concerning the use of the public, public school or college and university libraries of this state shall be exempted from this section. Provided further, any parent of a minor child shall have the right to inspect the registration and circulation records of any school or public library that pertain to his or her child. 2. Alaska Alaska Stat. §40.25.120. Public records; exceptions; certified copies. (a) Every person has a right to inspect a public record in the state, including public records in recorders' offices, except (10) records or information pertaining to a plan, program, or procedures for establishing, maintaining, or restoring security in the state, or to a detailed description or evaluation of systems, facilities, or infrastructure in the state, but only to the extent that the production of the records or information (A) could reasonably be expected to interfere with the implementation or enforcement of the security plan, program, or procedures; (B) would disclose confidential guidelines for investigations or enforcement and the disclosure could reasonably be expected to risk circumvention of the law; or (C) could reasonably be expected to endanger the life or physical safety of an individual or to present a real and substantial risk to the public health and welfare. 3. Arizona SB 1167, enacted in the 2003 legislative session. Section 1. Title 39, chapter 1, article 2, Arizona Revised Statutes, is amended by adding section 39-126, to read: 39-126. Federal risk assessments of infrastructure; confidentiality Nothing in this chapter requires the disclosure of a risk assessment that is performed by or on behalf of a federal agency to evaluate critical energy, water or telecommunications infrastructure to determine its vulnerability to sabotage or attack. Sec. 2. Section 49-205, Arizona Revised Statutes, is amended to read: 49-205- Availability of information to the public A. Any records, reports or information obtained from any person under this chapter, including records, reports or information obtained or prepared by the director or a department employee, shall be available to the public, except that: 2. Drinking water system security vulnerability assessments that are submitted to the United States Environmental Protection Agency pursuant to Public Law 107-188, are exempt from disclosure under this chapter and Title 39, Chapter 1. 4. Arkansas Act 763 (HB 2245) of the 2003 Legislative Session amends Arkansas Code §25-19-105 to read as follows: (b) It is the specific intent of this section that the following shall not be deemed to be made open to the public under the provisions of this chapter (15)(A) Records, including analyses, investigations, studies, reports, recommendations, requests for proposals, drawings, diagrams, blueprints, and plans, containing information relating to security for any public water system. (B) The records shall include: (i) Risk and vulnerability assessments; (ii) Plans and proposals for preventing and mitigating security risks; (iii) Emergency response and recovery records; (iv) Security plans and procedures; and (v) Any other records containing information that, if disclosed, might jeopardize or compromise efforts to secure and protect the public water system. (C) Subdivision (b)( 15) of this section shall expire on July 1, 2005. National Conference of State Legislatures ------- 18 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 5. California §6254(z) of the California Government Code exempts from public disclosure: (z) Records obtained pursuant to paragraph (2) of subdivision (c) of Section 2891.1 of the Public Utilities Code. (aa) A document prepared by a local agency that assesses its vulnerability to terrorist attack or other criminal acts intended to disrupt the public agency's operations and that is for distribution or consideration in a closed session. Nothing in this section prevents any agency from opening its records concerning the administration of the agency to public inspection, unless disclosure is otherwise prohibited by law. Nothing in this section prevents any health facility from disclosing to a certified bargaining agent relevant financing information pursuant to Section 8 of the National Labor Relations Act. 6. Colorado Colo. Rev. Stat. §24-72-204(XVI) exempts: Specialized details of security arrangements or investigations. Colo. Rev. Stat. §24-72-204(XVII) further provides that: Nothing in this subparagraph (XVII) shall prohibit the custodian from transferring such records to the office of preparedness, security, and fire safety in the department of public safety, the governing body of any city, county, or city and county, or any federal, state, or local law enforcement agency; except that the custodian shall not transfer any record received from a nongovernmental entity without the prior written consent of such entity unless such information is already publicly available. For purposes of this section, records received by the office of preparedness, security, and fire safety in the department of public safety in connection with the performance of its duties and records received by any state agency or political subdivision of the state from or on behalf of the office of preparedness, security, and fire safety shall constitute specialized details of security arrangements or investigations. 7. Connecticut Conn. Gen. Stat. §1-14,1-210(19) exempts: Records, the disclosure of which the Commissioner of Public Works or, in the case of records concerning Judicial Department facilities, the Chief Court Administrator, has reasonable grounds to believe may result in a safety risk, including the risk of harm to any person, any state-owned or leased institution or facility or any fixture or appurtenance and equipment attached to, or contained in, such institution or facility. Such records shall include, but are not limited to: (A) Security manuals or reports, including emergency plans contained or referred to in such security manuals; (B) Engineering and architectural drawings of state-owned or leased institutions or facilities; (C) Operational specifications of security systems utilized at any state-owned or leased institution or facility, except that a general description of any such security system and the cost and quality of such system, may be disclosed; (D) Training manuals prepared for state-owned or leased institutions or facilities that describe, in any manner, security procedures, emergency plans or security equipment; (E) Internal security audits of state-owned or leased institutions or facilities; (F) Minutes or recordings of meetings of the Department of Public Works or the Judicial Department, or portions of such minutes or recordings, that contain or reveal information relating to security or other records otherwise exempt from disclosure under this subdivision; and (G) Logs or other documents that contain information on the movement or assignment of security personnel at state- owned or leased institutions or facilities; (20) Records of standards, procedures, processes, software and codes, not otherwise available to the public, the disclosure of which would compromise the security or integrity of an information technology system. National Conference of State Legislatures ------- Protecting Water System Security Information 19 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 8. Delaware Del. Code Ann. §100002. (16)a. The following records, which, if copied or inspected, could jeopardize the security of any structure owned by the State or any of its political subdivisions, or could facilitate the planning of a terrorist attack, or could endanger the life or physical safety of an individual: 1. Response procedures or plans prepared to prevent or respond to emergency situations, the disclosure of which would reveal vulnerability assessments, specific tactics, specific emergency procedures or specific security procedures. 2. Building plans, blueprints, schematic drawings, diagrams, operational manuals or other records of mass transit facilities, bridges, tunnels, emergency response facilities or structures, buildings where hazardous materials are used or stored, arenas, stadiums, waste and water systems, electric transmission lines and substations, high-pressure natural gas pipelines and compressor stations, and telecommunications networks facilities and switching equipment, the disclosure of which would reveal the building's or structure's internal layout, specific location, life, safety and support systems, structural elements, surveillance techniques, alarm or security systems or technologies, operational and transportation plans or protocols, or personnel deployments. Records that disclose the substances being used or stored on a given piece of property are public records; however, records which disclose the specific location on that property of the substances being used or stored may be disclosed only if the chief administrative officer of the agency from which the record is requested determines that disclosure will not jeopardize the security of any structure owned by the State or any of its political subdivisions, or will not facilitate the planning of a terrorist attack, or will not endanger the life or physical safety of an individual. 3. Records of any building or structure operated by the State or any of its political subdivisions, the disclosure of which would reveal the building's or structure's life, safety and support systems, surveillance techniques, alarm or security systems or technologies, operational and evacuation plans or protocols, or personnel deployments. 4. Records prepared to prevent or respond to emergency situations identifying or describing the name, location, pharmaceutical cache, contents, capacity, equipment, physical features or capabilities of individual medical facilities, storage facilities, or laboratories established, maintained or regulated by the State or any of its political subdivisions. 5. Those portions of records assembled, prepared or maintained to prevent, mitigate or respond to criminal acts, the public disclosure of which would have a substantial likelihood of threatening public safety. The only items that are protected from disclosure by this paragraph are: A. Specific and unique vulnerability assessments or specific and unique response or deployment plans, including compiled underlying data collected in preparation of or essential to the assessments or to the response or deployment plans; and B. Records not subject to public disclosure under federal law that are shared by federal or international agencies and information prepared from national security briefings provided to state or local government officials related to domestic preparedness for criminal acts against United States citizens or targets. 6. Nothing in this subsection shall be deemed to prohibit the disclosure of information necessary to comply with the requirements of Chapter 8 of Title 26, the Underground Utility Damage Prevention and Safety Act. b. Nothing in this paragraph shall interfere with the right of any committee of the General Assembly to hear information in the committee at the request of the committee chair or, if appropriate, to hear information in an executive session of the committee, or to subpoena information pursuant to § 705 of this title. 9. District of Columbia D.C. Statute §2-534(10) exempts: Any specific response plan, including any District of Columbia response plan, as that term is defined in § 7-2301(1), and any specific vulnerability assessment, either of which is intended to prevent or to mitigate an act of terrorism, as that term is defined in § 22-3152(1). D.C. Statute §7-2301 (1A) defines response plan as " ... the plan for public emergency preparedness and prevention prepared pursuant to § 201 of the Disaster Relief Act of 1974 (42 U.S.C. § 5121) and § 7- 2302. National Conference of State Legislatures ------- 20 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 10. Florida Fla. Stat. §119.071. General exemptions from inspection or copying of public records. A security system plan or portion thereof for: (1) Any property owned by or leased to the state or any of its political subdivisions; or (2) Any privately owned or leased property which plan or portion thereof is in the possession of any agency, as defined ins. 119.Oil, is confidential and exempt from the provisions ofs. 119.07 (1) and s. 24(a), Art. I of the State Constitution. As used in this section, the term a "security system plan" includes all records, information, photographs, audio and visual presentations, schematic diagrams, surveys, recommendations, or consultations or portions thereof relating directly to the physical security of the facility or revealing security systems; threat assessments conducted by any agency as defined in s. 119.011 or any private entity; threat response plans; emergency evacuation plans; sheltering arrangements; or manuals for security personnel, emergency equipment, or security training. This exemption is remedial in nature and it is the intent of the Legislature that this exemption be applied to security system plans received by an agency before, on, or after the effective date of this section. Information made confidential and exempt by this section may be disclosed by the custodial agency to another state or federal agency to prevent, detect, guard against, respond to, investigate, or manage the consequences of any attempted or actual act of terrorism, or to prosecute those persons who are responsible for such attempts or acts, and the confidential and exempt status of such information shall be retained while in the possession of the receiving agency. This section is subject to the Open Government Sunset Review Act of 1995> in accordance with s. 119.15, and shall stand repealed on October 2, 2006, unless reviewed and saved from repeal through reenactment by the Legislature. 11. Georgia S.B. 113, enacted in the 2003 session, amends Ga. Code §50-18-72 to exempt from disclosure: (15) (A) Records, the disclosure of which would compromise security against sabotage or criminal or terrorist acts and the nondisclosure of which is necessary for the protection of life, safety, or public property, which shall be limited to the following: (i) Security plans and vulnerability assessments for any public utility, building, facility, function, or activity in effect at the time of the request for disclosure or pertaining to a plan or assessment in effect at such time; (ii) Any plan for protection against terrorist or other attacks, which plan depends for its effectiveness in whole or in part upon a lack of general public knowledge of its details; (iii) Any document relating to the existence, nature, location, or function of security devices designed to protect against terrorist or other attacks, which devices depend for their effectiveness in whole or in part upon a lack of general public knowledge; and (iv) Any plan, blueprint, or other material which if made public could compromise security against sabotage, criminal, or terroristic acts. 12. Hawaii Hawaii Rev. Stat. §92F-13. Government records; exceptions to general rule. This part shall not require disclosure of: (3) Government records that, by their nature, must be confidential in order for the government to avoid the frustration of a legitimate government function; (4) Government records which, pursuant to state or federal law including an order of any state or federal court, are protected from disclosure. 13. Idaho Idaho Code §9-340B(3) exempts: (b) Records of buildings, facilities, infrastructures and systems held by or in the custody of any public agency only when the disclosure of such information would jeopardize the safety of persons or the public safety. Such records may include emergency evacuation, escape or other emergency response plans, vulnerability assessments, operation and security manuals, plans, blueprints or security codes. For purposes of this section "system" shall mean electrical, heating, ventilation, air conditioning and telecommunication systems. National Conference of State Legislatures ------- Protecting Water System Security Information 21 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 14. Illinois S.B. 1034, enacted in the 2003 session, amends 5 ILCS 140/7 to exempt: (k) Architects' plans and engineers' technical submissions for projects not constructed or developed in whole or in part with public funds and for projects constructed or developed with public funds, to the extent that disclosure would compromise security, including but not limited to water treatment facilities, airport facilities, sport stadiums, convention centers, and all government owned, operated, or occupied buildings. 5 ILCS 140/7 also exempts: Information specifically prohibited from disclosure by federal or State law or rules and regulations adopted under federal or State law. 15. Indiana Ind. Code §5-14-3-4 exempts those records "... declared confidential by state statute; declared confidential by rule adopted by a public agency under specific authority to classify public records as confidential granted to the public agency by statute; those required to be kept confidential by federal law." 16. Iowa Iowa Code §22.7. 45. Records of a public airport, municipal corporation, municipal utility, jointly owned municipal utility, or rural water district organized under chapter 357A, where disclosure could reasonably be expected to jeopardize the security or the public health and safety of the citizens served by a public airport, municipal corporation, municipal utility, jointly owned municipal utility, or rural water district organized under chapter 357A. Such records include but are not limited to vulnerability assessments and information included within such vulnerability assessments; architectural, engineering, or construction diagrams; drawings, plans, or records pertaining to security measures such as security and response plans, security codes and combinations, passwords, passes, keys, or security or response procedures; emergency response protocols; and records disclosing the configuration of critical systems or infrastructures of a public airport, municipal corporation, municipal utility, jointly owned municipal utility, or rural water district organized under chapter 357A. This subsection is repealed effective June 30, 2007. 46. The critical asset protection plan or any part of the plan prepared pursuant to section 29C.8 and any information held by the emergency management division that was supplied to the division by a public or private agency or organization and used in the development of the critical asset protection plan to include, but not be limited to, surveys, lists, maps, or photographs. However, the administrator shall make the list of assets available for examination by any person. A person wishing to examine the list of assets shall make a written request to the administrator on a form approved by the administrator. The list of assets may be viewed at the division s offices during normal working hours. The list of assets shall not be copied in any manner. Communications and asset information not required by law, rule, or procedure that are provided to the administrator by persons outside of government and for which the administrator has signed a nondisclosure agreement are exempt from public disclosures. The emergency management division may provide all or part of the critical asset plan to federal, state, or local governmental agencies which have emergency planning or response functions if the administrator is satisfied that the need to know and intended use are reasonable. An agency receiving critical asset protection plan information from the division shall not redisseminate the information without prior approval of the administrator. 17. Kansas Kan. Stat. Ann. §45-221(12) exempts: Records of emergency or security information or procedures of a public agency, or plans, drawings, specifications or related information for any building or facility which is used for purposes requiring security measures in or around the building or facility or which is used for the generation or transmission of power, water, fuels or communications, if disclosure would jeopardize security of the public agency, building or facility. 18. Kentucky KRS 61.878(1) exempts: (k) All public records or information the disclosure of which is prohibited by federal law or regulation; and (1) Public records or information the disclosure of which is prohibited or restricted or otherwise made confidential by enactment of the General Assembly. National Conference of State Legislatures ------- 22 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 19. Louisiana La. Rev. Stat. §44:3. Records of prosecutive, investigative, and law enforcement agencies, and communications districts. A. Nothing in this Chapter shall be construed to require disclosures of records, or the information contained therein, held by the offices of the attorney general, district attorneys, sheriffs, police departments, Department of Public Safety and Corrections, marshals, investigators, public health investigators, correctional agencies, communications districts, intelligence agencies, or publicly owned water districts of the state, which records are: (3) Records containing security procedures, investigative training information or aids, investigative techniques, investigative technical equipment or instructions on the use thereof, criminal intelligence information pertaining to terrorist-related activity, or threat or vulnerability assessments collected or obtained in the prevention of terrorist- related activity, including but not limited to physical security information, proprietary information, operational plans, and the analysis of such information, or internal security information. 20. Maine MRSA §402:3 defines "public records" as " ... any written, printed or graphic matter or any mechanical or electronic data compilation from which information can be obtained, directly or after translation into a form susceptible of visual or aural comprehension, that is in the possession or custody of an agency or public official of this State or any of its political subdivisions, or is in the possession or custody of an association, the membership of which is composed exclusively of one or more of any of these entities, and has been received or prepared for use in connection with the transaction of public or governmental business or contains information relating to the transaction of public or governmental business. MRSA §402:3(L) exempts: Records describing security plans, security procedures or risk assessments prepared specifically for the purpose of preventing or preparing for acts of terrorism, but only to the extent that release of information contained in the record could reasonably be expected to jeopardize the physical safety of government personnel or the public. Information contained in records covered by this paragraph may be disclosed to the Legislature or, in the case of a political or administrative subdivision, to municipal officials or board members under conditions that protect the information from further disclosure. For purposes of this paragraph, "terrorism" means conduct that is designed to cause serious bodily injury or substantial risk of bodily injury to multiple persons, substantial damage to multiple structures whether occupied or unoccupied or substantial physical damage sufficient to disrupt the normal functioning of a critical infrastructure. National Conference of State Legislatures ------- Protecting Water System Security Information 23 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 21. Maryland Md. Code Ann. State Government §10-618. (j) (1) Subject to paragraph (2) of this subsection, a custodian may deny inspection of: (1) response procedures or plans prepared to prevent or respond to emergency situations, the disclosure of which would reveal vulnerability assessments, specific tactics, specific emergency procedures, or specific security procedures; (ii) 1. building plans, blueprints, schematic drawings, diagrams, operational manuals, or other records of airports and other mass transit facilities, bridges, tunnels, emergency response facilities or structures, buildings where hazardous materials are stored, arenas, stadiums, and waste and water systems, the disclosure of which would reveal the building's or structure's internal layout, specific location, life, safety, and support systems, structural elements, surveillance techniques, alarm or security systems or technologies, operational and transportation plans or protocols, or personnel deployments; or 2. records of any other building or structure owned or operated by the State or any of its political subdivisions, the disclosure of which would reveal the building's or structure's life, safety, and support systems, surveillance techniques, alarm or security systems or technologies, operational and evacuation plans or protocols, or personnel deployments; or (iii) records prepared to prevent or respond to emergency situations identifying or describing the name, location, pharmaceutical cache, contents, capacity, equipment, physical features, or capabilities of individual medical facilities, storage facilities, or laboratories established, maintained, or regulated by the State or any of its political subdivisions. (2) The custodian may deny inspection of a part of a public record under paragraph (1) of this subsection only to the extent that the inspection would: (i) jeopardize the security of any structure owned or operated by the State or any of its political subdivisions; (ii) facilitate the planning of a terrorist attack; or (iii) endanger the life or physical safety of an individual. 22. Massachusetts Mass. Gen. Laws Ann. ch 4, §7 exempts: (n) records, including, but not limited to, blueprints, plans, policies, procedures and schematic drawings, which relate to internal layout and structural elements, security measures, emergency preparedness, threat or vulnerability assessments, or any other records relating to the security or safety of persons or buildings, structures, facilities, utilities, transportation or other infrastructure located within the commonwealth, the disclosure of which, in the reasonable judgment of the record custodian, subject to review by the supervisor of public records under subsection (b) of section 10 of chapter 66, is likely to jeopardize public safety. 23. Michigan Mich. Comp. Laws §15.243(y) exempts: Records or information of measures designed to protect the security or safety of persons or property, whether public or private, including, but not limited to, building, public works, and public water supply designs to the extent that those designs relate to the ongoing security measures of a public body, capabilities and plans for responding to a violation of the Michigan anti-terrorism act, chapter LXXXIII-A of the Michigan penal code, 1931 PA 328, MCL 750.543a to 750.543z, emergency response plans, risk planning documents, threat assessments, and domestic preparedness strategies, unless disclosure would not impair a public body's ability to protect the security or safety of persons or property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular instance. 24. Minnesota Minn. Stat. §13.02 Subd. 9. Nonpublic data. "Nonpublic data" means data not on individuals that is made by statute or federal law applicable to the data: (a) not accessible to the public; and (b) accessible to the subject, if any, of the data. 25. Mississippi Miss. Code Ann. § 25-61-11. Records exempted or privileged by law. The provisions of this chapter shall not be construed to conflict with, amend, repeal or supersede any constitutional or statutory law or decision of a court of this state or the United States which at the time of this chapter is effective or thereafter specifically declares a public record to be confidential or privileged, or provides that a public record shall be exempt from the provisions of this chapter. National Conference of State Legislatures ------- 24 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 26. Missouri Mo. Rev. Stat. 610.021 exempts the following from disclosure: (18) A municipal utility receiving a public records request for information about existing or proposed security systems and structural plans of real property owned or leased by the municipal utility, the public disclosure of which would threaten public safety, shall within three business days act upon such public records request, pursuant to section 610.023. Records related to the procurement of or expenditures relating to security systems shall be open except to the extent provided in this section; (19) Existing or proposed security systems and structural plans of real property owned or leased by a public governmental body, the public disclosure of which would threaten public safety. Records related to the procurement of or expenditures relating to security systems shall be open except to the extent provided in this section. When seeking to close information pursuant to this exception, the public governmental body shall affirmatively state in writing that disclosure would impair the public governmental body's ability to protect the security or safety of persons or real property, and shall in the same writing state that the public interest in nondisclosure outweighs the public interest in disclosure of the records. This exception shall sunset on December 31, 2006; (20) Records that identify the configuration of components or the operation of a computer, computer system, computer network, or telecommunications network, and would allow unauthorized access to or unlawful disruption of a computer, computer system, computer network, or telecommunications network of a public governmental body. This exception shall not be used to limit or deny access to otherwise public records in a file, document, data file or database containing public records. Records related to the procurement of or expenditures relating to such computer, computer system, computer network, or telecommunications network, including the amount of moneys paid by, or on behalf of, a public governmental body for such computer, computer system, computer network, or telecommunications network shall be open except to the extent provided in this section. 27. Montana Mont. Code Ann. 2-6-102 (3) exempts: Records and materials that are constitutionally protected from disclosure are not subject to the provisions of this section. Information that is constitutionally protected from disclosure is information in which there is an individual privacy interest that clearly exceeds the merits of public disclosure, including legitimate trade secrets, as defined in 30- 14-402, and matters related to individual or public safety. 28. Nebraska Neb. Rev. Stat. §84-712.05(8) exempts: Information solely pertaining to protection of the security of public property and persons on or within public property, such as specific, unique vulnerability assessments or specific, unique response plans, either of which is intended to prevent or mitigate criminal acts the public disclosure of which would create a substantial likelihood of endangering public safety or property; computer or communications network schema, passwords, and user identification names; guard schedules; or lock combinations. Neb. Rev. Stat. §84-712.08. Records; federal government; exception. If it is determined by any federal department or agency or other federal source of funds, services, or essential information, that any provision of sections 84-712, 84-712.01, 84-712.03 to 84-712.09, and 84-1413 would cause the denial of any funds, services, or essential information from the United States Government which would otherwise definitely be available to an agency of this state, such provision shall be suspended as to such agency, but only to the extent necessary to prevent denial of such funds, services, or essential information. National Conference of State Legislatures ------- Protecting Water System Security Information 25 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 29. Nevada A.B. 441, enacted in the 2003 legislative session. Section 27. 1. Each utility shall: (a) Conduct a vulnerability assessment in accordance with the requirements of the federal and regional agencies that regulate the utility; and (b) Prepare and maintain an emergency response plan in accordance with the requirements of the federal and regional agencies that regulate the utility. 2. Each utility shall: (a) As soon as practicable but not later than December 31, 2003, submit its vulnerability assessment and emergency response plan to the Division of Emergency Management of the Department of Public Safety; and (b) At least once each year thereafter, review its vulnerability assessment and emergency response plan and, as soon as practicable after its review is completed but not later than December 31 of each year, submit the results of its review and any additions or modifications to its emergency response plan to the Division of Emergency Management of the Department of Public Safety. 3. Each vulnerability assessment and emergency response plan of a utility and any other information concerning a utility that is necessary to carry out the provisions of this section is confidential and must be securely maintained by each person or entity that has possession, custody or control of the information. 4. A person shall not disclose such information, except: (a) Upon the lawful order of a court of competent jurisdiction; (b) As is reasonably necessary to carry out the provisions of this section or the operations of the utility, as determined by the Division of Emergency Management of the Department of Public Safety; or (c) As is reasonably necessary in the case of an emergency involving public health or safety, as determined by the Division of Emergency Management of the Department of Public Safety. Section 27.5. 1. Except as otherwise provided in subsection 3, records and portions of records that are assembled, maintained, overseen or prepared by the Department to mitigate, prevent or respond to acts of terrorism, the public disclosure of which would, in the determination of the Director, create a substantial likelihood of threatening the safety of the general public are confidential and not subject to inspection by the general public to the extent that such records and portions of records consist of or include: (a) Information regarding the infrastructure and security of information systems, including, without limitation: (1) Access codes, passwords and programs used to ensure the security of an information system; (2) Access codes used to ensure the security of software applications; (3) Procedures and processes used to ensure the security of an information system; and (4) Plans used to reestablish security and service with respect to an information system after security has been breached or service has been interrupted. (b) Assessments and plans that relate specifically and uniquely to the vulnerability of an information system or to the measures which will be taken to respond to such vulnerability, including, without limitation, any compiled underlying data necessary to prepare such assessments and plans. (c) The results of tests of the security of an information system, insofar as those results reveal specific vulnerabilities relative to the information system. 30. New Hampshire N.H. Rev. Stat. §91-A:5(VI) exempts: Records pertaining to matters relating to the preparation for and the carrying out of all emergency functions, including training to carry out such functions, developed by local or state safety officials that are directly intended to thwart a deliberate act that is intended to result in widespread or severe damage to property or widespread injury or loss of life. 31. New Jersey N.J. Rev. Stat. §47:1A-1.1 exempts: Emergency or security information or procedures for any buildings or facility which, if disclosed, would jeopardize security of the building or facility or persons therein; and security measures and surveillance techniques which, if disclosed, would create a risk to the safety of persons, property, electronic data or software. National Conference of State Legislatures ------- 26 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 32. New Mexico N.M. Stat. Ann. §14-2-1 exempts: (8) records that contain tactical response plans or procedures prepared for or by the state or a political subdivision of the state, the publication of which could reveal specific vulnerabilities, risk assessments or tactical emergency security procedures that could be used to facilitate the planning or execution of a terrorist attack. 33. New York N.Y. Pub. Off. Law §47-6-87 allows records to be exempt from disclosure when they: (a) are specifically exempted from disclosure by state or federal statute; (f) if disclosed, would endanger the life or safety of any person; (i) if disclosed, would jeopardize an agency's capacity to guarantee the security of its information technology assets, such assets encompassing both electronic information systems and infrastructures. 34. North Carolina N.C. Gen. Stat. §132-1.7 states that "... public records ... shall not include information containing specific details of public security plans and arrangements or the detailed plans and drawings of public buildings and infrastructure facilities. Information relating to the general adoption of public security plans and arrangements, and budgetary information concerning the authorization or expenditure of public funds to implement public security plans and arrangements, or for the construction, renovation, or repair of public buildings and infrastructure facilities shall be public records." 35. North Dakota H.B. 1143, enacted in the 2003 legislative session. A new section to chapter 44-04 of the North Dakota Century Code is created and enacted as follows: Security system plan - Exemption. I. A security system plan kept by a public entity is exempt from the provisions of section 44-04-18 and section 6 of article XI of the Constitution of North Dakota. 2. As used in this section: a. "Critical infrastructure" means public buildings, systems, including telecommunications centers and computers, power generation plants, dams, bridges, and similar key resources, whether physical or virtual, so vital to the state that the incapacity or destruction of these systems would have a debilitating impact on security, state economic security, state public health or safety, or any combination of those matters. b. "Security system plan" includes all records, information, photographs, audio and visual presentations, schematic diagrams, surveys, recommendations, communications, or consultations or portions of any such plan relating directly to the physical or electronic security of a public facility, or any critical infrastructure, whether owned by or leased to the state or any of its political subdivisions, or any privately owned or leased critical infrastructure if the plan or a portion of the plan is in the possession of a public entity; threat assessments; vulnerability and capability assessments conducted by a public entity, or any private entity; threat response plans; and emergency evacuation plans. 3. This exemption applies to security system plans received by a public entity before, on, or after the effective date of this Act. 4. Nothing in this section may be construed to limit disclosure required for necessary construction, renovation, or remodeling work on a public building. Disclosure under this subsection does not constitute public disclosure. National Conference of State Legislatures ------- Protecting Water System Security Information 27 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 36. Ohio Ohio Rev. Code §149.011. Definitions. As used in this chapter: (A) "Public office" includes any state agency, public institution, political subdivision, or any other organized body, office, agency, institution, or entity established by the laws of this state for the exercise of any function of government. Ohio Rev. Code §149.433 Exemption of security and infrastructure records. (A) As used in this section: (1) "Act of terrorism" has the same meaning as in section 2909.21 of the Revised Code. (2) "Infrastructure record" means any record that discloses the configuration of a public office's critical systems including, but not limited to, communication, computer, electrical, mechanical, ventilation, water, and plumbing systems, security codes, or the infrastructure or structural configuration of the building in which a public office is located. "Infrastructure record" does not mean a simple floor plan that discloses only the spatial relationship of components of a public office or the building in which a public office is located. (3) "Security record" means either of the following: (a) Any record that contains information directly used for protecting or maintaining the security of a public office against attack, interference, or sabotage; (b) Any record assembled, prepared, or maintained by a public office or public body to prevent, mitigate, or respond to acts of terrorism, including any of the following: (i) Those portions of records containing specific and unique vulnerability assessments or specific and unique response plans either of which is intended to prevent or mitigate acts of terrorism, and communication codes or deployment plans of law enforcement or emergency response personnel; (ii) Specific intelligence information and specific investigative records shared by federal and international law enforcement agencies with state and local law enforcement and public safety agencies; (iii) National security records classified under federal executive order and not subject to public disclosure under federal law that are shared by federal agencies, and other records related to national security briefings to assist state and local government with domestic preparedness for acts of terrorism. (B) A record kept by a public office that is a security record or an infrastructure record is not a public record under section 149.43 of the Revised Code and is not subject to mandatory release or disclosure under that section. (C) Notwithstanding any other section of the Revised Code, a public office's or a public employee's disclosure of a security record or infrastructure record that is necessary for construction, renovation, or remodeling work on any public building or project does not constitute public disclosure for purposes of waiving division (B) of this section and does not result in that record becoming a public record for purposes of section 149.43 of the Revised Code. 37. Oklahoma Okla. Stat. §51-24A.13. Records coming into the possession of a public body from the federal government or records generated or gathered as a result of federal legislation may be kept confidential to the extent required by federal law. HB 1146, enacted in the 2003 session. Any state environmental agency or public utility shall keep confidential vulnerability assessments of critical assets in both water and wastewater systems. 38. Oregon Or. Rev. Stat. §192.501(23) exempts: Records or information that would reveal the security measures taken or recommended to be taken to protect: (a) An officer or employee of a public body; (b) Buildings or other property used or owned by a public body; (c) Information processing, communication or telecommunication systems, including the information contained therein, that are used or operated by a public body; or (d) Those operations of the Oregon State Lottery the security of which are subject to study and evaluation under ORS 461.180(6). Or. Rev. Stat. §192.502(8) exempts: Any public records or information the disclosure of which is prohibited by federal law or regulations. National Conference of State Legislatures ------- 28 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 39. Pennsylvania 65 Pa. Cons. Stat. §66.1 states that "public record" does not include "... any record, document, material, exhibit, pleading, report, memorandum or other paper, access to or the publication of which is prohibited, restricted or forbidden by statute law or order or decree of court, or which would operate to the prejudice or impairment of a person's reputation or personal security, or which would result in the loss by the Commonwealth or any of its political subdivisions or commissions or State or municipal authorities of Federal funds." 40. Rhode Island R.I. Gen. Laws §46-15.3-5.1 Water supply systems management plans. (A) All parties involved in the supply, transmission, and/or distribution of drinking water shall prepare, maintain, and carry out a water supply system management plan as described by this chapter. R.I. Gen. Laws §46-15.3-7.5. (a) Municipalities and water suppliers subject to the requirements of § 46-15.3-5.1 of this chapter shall file a copy of all plans and amendments thereto with the water resources board. The plans shall be treated as confidential documents. The water resources board shall establish procedures that permit parties that review the plans under rules adopted by the water resources board to obtain sensitive information essential to performance of their reviews, including minimum measures necessary to transmit, use, store, and maintain such sensitive information under conditions that insure its security to the maximum possible. These procedures may include designation of those persons within each reviewing agency authorized to use or inspect sensitive information, and exclusion of all others. 41. South Carolina S.C. Code Ann. §30-4-45. Information concerning safeguards and off-site consequence analyses; regulation of access; vulnerable zone defined. (A) The director of each agency that is the custodian of information subject to the provisions of 42 U.S.C. 74l2(r)(7)(H), 40 CFR 1400 "Distribution of Off-site Consequence Analysis Information", or 10 CFR 73.21 "Requirements for the protection of safeguards information", must establish procedures to ensure that the information is released only in accordance with the applicable federal provisions. (B) The director of each agency that is the custodian of information, the unrestricted release of which could increase the risk of acts of terrorism, may identify the information or compilations of information by notifying the Attorney General in writing, and shall promulgate regulations in accordance with the Administrative Procedures Act, Sections 1- 23-110 through l-23-120(a) and Section 1-23-130, to regulate access to the information in accordance with the provisions of this section. (C) Regulations to govern access to information subject to subsections (A) and (B) must at a minimum provide for: (1) disclosure of information to state, federal, and local authorities as required to carry out governmental functions; and (2) disclosure of information to persons who live or work within a vulnerable zone. For purposes of this section, "vulnerable zone" is defined as a circle, the center of which is within the boundaries of a facility possessing hazardous, toxic, flammable, radioactive, or infectious materials subject to this section, and the radius of which is that distance a hazardous, toxic, flammable, radioactive, or infectious cloud, overpressure, radiation, or radiant heat would travel before dissipating to the point it no longer threatens serious short-term harm to people or the environment. Disclosure of information pursuant to this subsection must be by means that will prevent its removal or mechanical reproduction. Disclosure of information pursuant to this subsection must be made only after the custodian has ascertained the person's identity by viewing photo identification issued by a federal, state, or local government agency to the person and after the person has signed a register kept for the purpose. National Conference of State Legislatures ------- Protecting Water System Security Information 29 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 42. South Dakota S.D. Codified Laws Ann. §1-27-1. Records open to inspection — Sale of lists. If the keeping of a record, or the preservation of a document or other instrument is required of an officer or public servant under any statute of this state, the officer or public servant shall keep the record, document, or other instrument available and open to inspection by any person during normal business hours. S.D. Codified Laws Ann. §1-27-3. Records declared confidential or secret. Section 1-27-1 shall not apply to such records as are specifically enjoined to be held confidential or secret by the laws requiring them to be so kept. 43. Tennessee Tenn. Code §10-7-503(b). The head of a governmental entity may promulgate rules in accordance with the Uniform Administrative Procedures Act, compiled in title 4, chapter 5, to maintain the confidentiality of records concerning adoption proceedings or records required to be kept confidential by federal statute or regulation as a condition for the receipt of federal funds or for participation in a federally funded program. HB 2030, enacted in the 2003 session, amends Tenn. Code §10-7-504(a)(2) to " ... [c]larif[y] that utility service providers' reports identifying areas vulnerable to terrorism or other unlawful disruptions of service are confidential." 44. Texas Tex. Government Code §552.101. (b) Information is excepted from the requirements of Section 552.021 if it is information considered to be confidential by law, either constitutional, statutory, or by judicial decision. 45- Utah Utah Code §63-2-201 (3) (b) exempts: Records to which access is restricted pursuant to court rule, another state statute, federal statute, or federal regulation, including records for which access is governed or restricted as a condition of participation in a state or federal program or for receiving state or federal funds. Utah Code §63-2-304 exempts: (10) records the disclosure of which would jeopardize the life or safety of an individual; (11) records the disclosure of which would jeopardize the security of governmental property, governmental programs, or governmental recordkeeping systems from damage, theft, or other appropriation or use contrary to law or public policy. 46. Vermont 1 Vt. Stat. Ann. §317. (c) The following public records are exempt from public inspection and copying: (1) records which by law are designated confidential or by a similar term; (2) records which by law may only be disclosed to specifically designated persons. National Conference of State Legislatures ------- 30 Water Security Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 47. Virginia Va. Code §2.2-3705. Exclusions to application of chapter. A. The following records are excluded from the provisions of this chapter but may be disclosed by the custodian in his discretion, except where such disclosure is prohibited by law: 57. Plans to prevent or respond to terrorist activity, to the extent such records set forth specific tactics, or specific security or emergency procedures, the disclosure of which would jeopardize the safety of governmental personnel or the general public, or the security of any governmental facility, building, structure, or information storage system. HB 2210, enacted in the 2003 session, amends Va. Code 44-146.22 to read: B. The Governor or agencies acting on his behalf may receive information, voluntarily submitted from both public and nonpublic entities, related to the protection of the nation's critical infrastructure sectors and components that are located in Virginia or affect the health, safety, and welfare of the citizens of Virginia. Information submitted by any public or nonpublic entity in accordance with the procedures set forth in subdivision A 57 of §2.2-3705 shall not be disclosed unless: 1. It is requested by law-enforcement authorities in furtherance of an official investigation or the prosecution of a criminal act; 2. The agency holding the record is served with a proper judicial order; or 3. The agency holding the record has obtained the written consent to release the information from the entity voluntarily submitting it. 48. Washington Wash. Rev. Code §42.17.310(ww) exempts: Those portions of records assembled, prepared, or maintained to prevent, mitigate, or respond to criminal terrorist acts, which are acts that significantly disrupt the conduct of government or of the general civilian population of the state or the United States and that manifest an extreme indifference to human life, the public disclosure of which would have a substantial likelihood of threatening public safety, consisting of: (i) Specific and unique vulnerability assessments or specific and unique response or deployment plans, including compiled underlying data collected in preparation of or essential to the assessments, or to the response or deployment plans; and (ii) Records not subject to public disclosure under federal law that are shared by federal or international agencies, and information prepared from national security briefings provided to state or local government officials related to domestic preparedness for acts of terrorism. 49. West Virginia W.Va. Code §29B-l-4. That Section four, article one, chapter twenty-nine b of the code of West Virginia, one thousand nine hundred thirty- one, as amended, be amended and reenacted to read as follows: Article 1 - Public Records. §29B-l-4. Exemptions (a) The following categories of information are specifically exempt from disclosure under the provisions of this article: (9) Records assembled, prepared or maintained to prevent, mitigate or respond to terrorist acts or the threat of terrorist acts, the public disclosure of which threaten the public safety or the public health; (10) Those portions of records containing specific or unique vulnerability assessments or specific or unique response plans, data, databases, and inventories goods or materials collected or assembled to respond to terrorist acts; and communication codes or deployment plans of law enforcement or emergency response personnel; (14) Security or disaster recovery plans, risk assessments, tests, or the results of those tests; (c) Nothing in the provisions of subdivisions (9) through (16), subsection (a) of this section, should be construed to make subject to the provisions of this chapter any evidence of an immediate threat to public health or safety unrelated to a terrorist act or the threat thereof which comes to the attention of a public entity in the course of conducting a vulnerability assessment response or similar activity. National Conference of State Legislatures ------- Protecting Water System Security Information 31 Appendix A. Specific Statutory Language (continued) State/ Jurisdiction Specific Statutory Language 50. Wisconsin Wise. Stat §19.36 Limitations upon access and withholding. (1) Application of other laws. Any record which is specifically exempted from disclosure by state or federal law or authorized to be exempted from disclosure by state law is exempt from disclosure under s. 19.35(1). except that any portion of that record which contains public information is open to public inspection as provided in sub. (6). 51. Wyoming Wyo. Stat.§16-4-203 Right of inspection; grounds for denial; access of news media; order permitting or restricting disclosure; exceptions. (b) The custodian may deny the right of inspection of the following records, unless otherwise provided by law, on the ground that disclosure to the applicant would be contrary to the public interest: (vi) To the extent that the inspection would jeopardize the security of any structure owned, leased or operated by the state or any of its political subdivisions, facilitate the planning of a terrorist attack or endanger the life or physical safety of an individual, including: (A) Vulnerability assessments, specific tactics, emergency procedures or security procedures contained in plans or procedures designed to prevent or respond to terrorist attacks or other security threats; (B) Building plans, blueprints, schematic drawings, diagrams, operational manuals or other records that reveal the building's or structure's internal layout, specific location, life and safety and support systems, structural elements, surveillance techniques, alarms, security systems or technologies, operational and transportation plans or protocols, personnel deployments for airports and other mass transit facilities, bridges, tunnels, emergency response facilities or structures, buildings where hazardous materials are stored, arenas, stadiums and waste and water systems; (C) Records of any other building or structure owned, leased or operated by the state or any of its political subdivisions that reveal the building's or structure's life and safety systems, surveillance techniques, alarm or security systems or technologies, operational and evacuation plans or protocols or personnel deployments; and (D) Records prepared to prevent or respond to terrorist attacks or other security threats identifying or describing the name, location, pharmaceutical cache, contents, capacity, equipment, physical features, or capabilities of individual medical facilities, storage facilities or laboratories established, maintained, or regulated by the state or any of its political subdivisions. National Conference of State Legislatures ------- ------- Protecting Water System Security Information 33 Appendix B. Survey of Public Disclosure Requirements and Protections under State Freedom of Information Acts and Open Record Laws 1) Are you aware of existing state law that protects drinking water security system information from having to be made public? Yes: New Hampshire, North Dakota, Pennsylvania, Vermont No: Alabama, Minnesota, South Dakota, West Virginia Not Sure: Montana 2) If yes to question 1, a) Does the protection apply to vulnerability assessments? New Hampshire: Yes North Dakota: Yes Pennsylvania: Yes Vermont: Yes Sanitary surveys? New Hampshire: No North Dakota: No Pennsylvania: No Vermont: Yes, for future security related information b) Does the protection apply to publicly owned water systems? New Hampshire: Yes North Dakota: Yes Pennsylvania: Yes Vermont: Yes Privately owned water systems? New Hampshire: Yes North Dakota: No Pennsylvania: Yes Vermont: Yes c) If you know the statutory citation for the applicable law, please provide it below. New Hampshire: N.H. Rev. Stat. §91-A North Dakota: N.D. Cent. Code §44-04 Pennsylvania: 65 Pa. Cons. Stat. §66.1 Vermont: 1 Vt. Stat. Ann. §317(c)(25) 3) If no to question 1, are you aware of proposed legislation to change your state's law to provide additional protections to water system security information? Alabama: No Minnesota: No South Dakota: No West Virginia: No Please add any other comments you feel appropriate to help NCSL better understand your state's law as it pertains to protecting water system security information. Alabama: There is a push to modify or amend existing laws to include protection to water system security information under existing laws; the status of that modification is unknown at this time. Minnesota: The Minnesota Health Department currently is working with its attorneys to determine if the state has existing legal authority to withhold locational information from public requests for information. National Conference of State Legislatures ------- 34 Water Security Montana: The Montana Department of Environmental Quality currently is seeking an opinion from the Montana attorney general to determine whether protection of this information exists in current statutes. An opinion is expected soon. (Part five of this report contains additional information regarding the Montana Department of Environmental Quality's interpretation of its legal standing to protect water system security information.) New Hampshire: A procedure is in place for public file review requests. If a particular request seems suspicious or sensitive in nature, these requests can be forwarded to the New Hampshire attorney general's office. Pennsylvania: Pennsylvania's Right-to-Know law has nothing specific relating to water system security. Section 1 of the law, however, has at least two exemption provisions that may be applicable. One exemption authorizes the Commonwealth to not provide records "... which would operate to the prejudice or impairment of a person's ... personal security." The other exemption authorizes withholding of records "the publication of which is prohibited, restricted or forbidden by statute law..." The vulnerability assessments mandated by the federal government after September 11, 2001, are covered under the second exemption. If the federal law requiring the water suppliers to perform those assessments also requires that those assessments not be made available to the public, Pennsylvania, under its Right-to-Know law, is not required to provide those vulnerability assessments to the public. Pending legislation (House Bill 1017) relates to development of security criteria that could result in keeping out of the public domain certain records, maps or other information deemed necessary for homeland security purposes. The submitting agency has no knowledge regarding future passage or amendment of the legislation. South Dakota: The attorney general has developed a task force to examine the issues of public records and records disclosure. The task group findings will likely address the issue of terrorism sensitive public records. Vermont: The statutory section does not specifically list vulnerability assessments or water system information. It provides general language for the protection of security-related information that would threaten the safety of people or the security of public property. National Conference of State Legislatures ------- This report was prepared under a subcontract (Task Order Agreement No. 069-NCSL- 1) with the Cadmus Group, Inc. (Cadmus). The U.S. Environmental Protection Agency (EPA), Drinking Water Academy, provided funding for the subcontract. The National Conference of State Legislatures (NCSL) would like to thank James Bourne with EPA and Denise Hawkins with Cadmus for their support in this effort. Any opinions, findings or conclusions in this report are those of NCSL staff and do not necessarily reflect the views of Cadmus or EPA. DRINKING WATER ACADEMY ------- ------- |