WATER
SECURITY
State
National
Conference
slatures
Innovations in State Policy
Protecting Water System Security Information
By Cathy Atkins and Larry Morandi September 2003
Since the attacks of September 11, 2001, almost every state has considered
amendments to its Freedom of Information Act (FOIA) to exempt security
information related to drinking water systems from public disclosure under a
FOIA request. At least 36 states have enacted such legislation in the last two
years, bringing to 46 the number of states that appear to afford such protections
to water system security information. In an effort to determine which states have
statutory authority to protect such information from public disclosure, the
National Conference of State Legislatures (NCSL) conducted an extensive review
of state FOIA statutes for the U.S. Environmental Protection Agency's Drinking
Water Academy. NCSL also contacted state drinking water agency staff in nine
states where the statute was unclear to obtain clarification of the status of water
system security information protection.
The information in this report is presented in five parts. Part one presents an
overview of NCSL's analysis of the status of exemptions from public disclosure
requirements for water security system information in each state's FOIA statute.
Part two is a matrix summary of each state's exemptions, part three is a narrative
summary of each state's exemptions, part four summarizes relevant state FOIA
legislation considered during the 2003 sessions, and part five contains the results
of the survey responses from state drinking water agency staff.
It must be emphasized that the information presented in this report reflects the
interpretation of NCSL staff based on an exhaustive review of state FOIA statutes
and, in those instances where the statutory language was unclear, responses to a
written survey and follow-up telephone interviews with a select number of state
agency drinking water staff. The report's findings do not represent the legal
opinions of state attorneys general.
Analysis of Water Security System Exemptions
Based on the results of its statutory analysis and the state agency survey responses,
NCSL staff determined that 46 states and the District of Columbia appear to
have an exemption from public disclosure requirements for water security system
information in their FOIA statutes. The states fall into one of four FOIA
exemption categories:
CONTENTS
Analysis of Water Security
System Exemptions 1
Summary of Water System
Security Exemptions 3
Narrative Summary of
State Water Security
Exemptions 7
Summary of2003 State
Water System Security
Bills 11
Survey Responses from
State Drinking Water
Staff 14
Appendix A. Specific
Statutory Language 17
Appendix B. Survey of
Public Disclosure Require-
ments and Protections
under State Freedom of
Information Acts and
Open Record Laws 33
-------�
2
Water Security
1. States that have specific exemptions from public disclosure requirements for water system
security information (e.g., vulnerability assessments).
2. States that have an exemption for information protected by federal or state law, whether it
be statutory or judicial in origin.
3. States that do not have exemptions for water system security information.
4. States that have an uncertain exemption status.
States That Have Specific Exemptions
Thirty-six states and the District of Columbia have added a specific exemption from public
disclosure requirements for water security system information to their FOIA law since September
11, 2001. Although the wording of the statutes varies greatly, the relevant statute usually
provides that vulnerability assessments are not considered to be a public record that is required
to be disclosed under the state's FOIA law. The states are shown in figure 1.
Figure 1.
States/Jurisdictions That Have Specific Exemptions
Alaska
Kansas
New Mexico
Arizona
Louisiana
North Carolina
Arkansas
Maine
North Dakota
California
Maryland
Ohio
Colorado
Massachusetts
Oklahoma
Connecticut
Michigan
Oregon
Delaware
Missouri
Rhode Island
District of Columbia
Montana
Tennessee
Florida
Nebraska
Texas
Georgia
Nevada
Virginia
Idaho
New Hampshire
Washington
Iowa
New Jersey
West Virginia
Wyoming
Source: NCSL, 2003.
Although it is likely that information that is exempt under a federal law exemption (see the list
of states in the following category) is safe from having to be disclosed under an open records
law, a specific exemption for water system security information provides another layer of
protection. When a legislature enacts a law that specifically exempts water security information,
the withholding of such information is less likely to be successfully challenged on the basis of
legislative intent, since the legislature presumably made its intent clear within the legislation.
A state that enacts its own legislation to protect water system security information from disclosure
also has a second layer of coverage if the federal law is challenged and found to be void.
States That Have Exemptions for Information Protected by Federal or State
Law
Ten states provide for a FOIA exemption if statutory, regulatory or judicial law at the federal
or state level requires the information to be protected. The Federal Bioterrorism Preparedness
and Response Act of 2002 affords protection for vulnerability assessments that are required to
National Conference of State Legislatures
-------�
Protecting Water System Security Information
3
be conducted under the act. Nebraska and
Pennsylvania add the stipulation that the
information may be protected if its release would
result in the loss of federal funds. The states are
shown in figure 2.
States That Have No Specific Exemptions
Three states—Alabama, Minnesota and South
Dakota—that require a specific exemption before
information is excluded from a FOIA request do
not appear to have such an exemption in their
statutes.
States That Have an Uncertain Exemption Status
The status of any exemption for water system security information in South Carolina and
Puerto Rico is unclear.
Summary of Water System Security Exemptions
A summary is presented here of state exemptions from public disclosure requirements for
water security system information in each state's FOIA statute. The information that is presented
in the first two columns of table 1 relates directly to the states listed in the first category of part
one. Table 1 includes the name of the state, the statutory citation where an exemption exists,
and classification of each state in one of four categories: exemption specifically cites vulnerability
assessments; pertains to the protection of public health or security generally; is contingent
upon exemption under federal or other state law; or no exemption exists or the status of
exemption is unclear.
A narrative discussion follows the table of the degree to which a statutory exemption for water
system security information also may apply to information held by a privately owned public
water system and to information contained in a sanitary survey.
Table 1. Summary of Water Security Exemptions
State/
Jurisdiction
Statutory Citation
Specific
Vulnerability
Assessment
General Public
Health/
Security
Federal or
State Law
None or
Unknown
Alabama
•
Alaska
Alaska Stat. §40-25-120(a)(10)
•
Arizona
Ariz. Rev. Stat. §39-126
Ariz. Rev. Stat. §49-205(2)
•
Arkansas
Ark. Stat. Ann. §25-19-105(b) (15)
•
California
Cal. Gov. Code §6254(z)
•
Colorado
Colo. Rev. Stat. §24-72-204(3) (a) (XVI)
•
Connecticut
Conn. Gen. Stat. §§1-14,1-210(19)
•
Delaware
29 Del. Code Ann. §10002(16)
•
District of Columbia
D.C. Statute §2-534(10)
•
National Conference of State Legislatures
Figure 2.
States That Have Exemptions for
Information Protected by Federal or
State Law
Hawaii
Illinois
Indiana
Kentucky
Mississipp
New York
Pennsylvania
Utah
Vermont
Wisconsin
Source: NCSL,
2003.
-------�
4
Water Security
Table 1. Summary of Water Security Exemptions (continued)
State/
Jurisdiction
Statutory Citation
Specific
Vulnerability
Assessment
General Public
Health/
Security
Federal or
State Law
None or
Unknown
Florida
Fla. Stat. §119.071
•
Georgia
Ga. Code §50-18-72(15)
•
Hawaii
Hawaii Rev. Stat. §92F-13(4)
•
Idaho
Idaho Code §9-34OB(3) (b)
•
Illinois
5 ILCS 140/7(1) (a)
•
Indiana
Ind. Code §5-14-3-4(a) (3)
•
Iowa
Iowa Code §22.7(45)
•
Kansas
Kan. Stat. Ann. §45-221(12)
•
Kentucky
Ky. Rev. Stat. §61-878(1) (k)
•
Louisiana
La. Rev. Stat. §44:3
•
Maine
402 Me. Rev. Stat. Ann. §3
•
Maryland
Md. State Gov. Code Ann. § 10-618(j)
•
Massachusetts
Mass. Gen. L. ch. 4, §7(n)
•
Michigan
Mich. Comp. Laws §15.243(y)
•
Minnesota
•
Mississippi
Miss. Code Ann. §25-61-11
•
Missouri
Mo. Rev. Stat. §610.021
•
Montana
Mont. Code Ann. §2-6-102(3)
•
Nebraska
Neb. Rev. Stat. §84-712.05(8)
•
Nevada
2003 Nev. Stats., Chap. 402
•
New Hampshire
N.H. Rev. Stat. Ann. §91-A:5(VI)
•
New Jersey
N.J. Rev. Stat. §47:1 A-1.1
•
New Mexico
N.M. Stat. Ann. §14-2-1(8)
•
New York
N.Y. Pub. Off. Law §47-6-87
•
North Carolina
N.C. Gen. Stat. §132-1.7
•
North Dakota
N.D. Cent. Code §44-04-18; 2003 N.D. Sess.
Laws, Chap. 385.
•
Ohio
Ohio Rev. Code §149.433
•
Oklahoma
Okla. Stat. §51-24A.13
•
Oregon
Or. Rev. Stat. 192.501(23); 192.502(8)
•
Pennsylvania
65 Pen. Cons. Stat. §66.1
•
Puerto Rico
•
Rhode Island
R.I. Gen. Laws §46-15.3-7.5(a)
•
South Carolina
•
South Dakota
•
Tennessee
Tenn. Code Ann. §10-7-503(b), §10-7-504(a)(2)
•
Texas
2003 Tex. Gen. Laws, Chap. 1312.
•
Utah
Utah Code Ann. §63-2-201 (3)(b); §§63-2-
304(10) and (11)
•
Vermont
1 Vt. Stat. Ann. §§317(1) and (2)
•
Virginia
Va. Code §2.2-3705(57)
•
Washington
Wash. Rev. Code §42.17.310(ww)
•
West Virginia
W. Va. Code §29B-l-4
•
Wisconsin
Wise. Stat. §19.36(1)
•
Wyoming
Wyo. Stat. §16-4-203
•
Source: NCSL, 2003.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
5
Exemption for Privately Owned Public Water Supply Systems
One issue that has arisen in conducting this study of statutory protections from disclosure of
water security information under state FOIA laws is whether the protection extends to
information held by privately owned public water systems, not only to publicly owned public
water systems. EPA and the states regulate public water systems—which may be publicly
owned or privately owned—that have at least 15 service connections or serve at least 25 people
for 60 days or more per year. The Bioterrorism Preparedness and Response Act of 2002
requires every community water system that serves at least 3,300 people to conduct a
vulnerability assessment, submit the vulnerability assessment to EPA, and prepare an emergency
response plan. As noted in part one, at least 10 states provide a FOIA exemption to public
water systems if federal law requires the water security information to be protected.
In some cases, determining if the disclosure exemption applies to privately owned public water
systems is clear because the statute specifically states that such entities are exempt. In many
states, however, the statute fails to mention privately owned systems. In those states that
include federal laws as a means of determining the applicability of an exemption, it is likely
that information received by a state agency from a privately owned public water system that a
federal law—like the Bioterrorism Preparedness and Response Act of 2002—requires to be
protected would be exempt from disclosure.
Those states that have some type of specific exemption for vulnerability assessments conducted
by publicly owned public water systems—but that do not mention privately owned systems—
present a different matter entirely. Generally, states require the disclosure of public records
and define these as records made by, maintained by, compiled by, or submitted to a public
agency. The information contained in these records would likely be available only from the
state, not from a privately owned public water
system. If a vulnerability assessment is considered
to be a public record only because it is submitted
to a state agency, then a strong argument could
be made that the information is exempt from
disclosure under the "submitted to a public
agency" portion of the "public record" definition.
Such an argument would likely be compelling to
a court if the state noted that the same information
received from a publicly owned system is exempt
from disclosure.
Based on an analysis of the statutory language and
the written survey responses, at least 34 states and
the District of Columbia appear to extend the
exemption from public disclosure requirements
for water security information in their FOIA
statutes to privately owned public water systems
as well as to publicly owned water systems. The
states are shown in figure 3.
Figure 3. States/Jurisdictions That Have an
Exemption for Privately Owned Public Water
Systems
Arizona
Nevada
Arkansas
New Jersey
Delaware
New Mexico
District of Columbia
New York
Florida
Ohio
Georgia
Oklahoma
Hawaii
Oregon
Idaho
Pennsylvania
Illinois
Rhode Island
Indiana
Tennessee
Kansas
Texas
Kentucky
Utah
Maine
Vermont
Massachusetts
Virginia
Michigan
Washington
Mississippi
West Virginia
Montana
Wsconsin
Nebraska
Source: NCSL, 2003.
National Conference of State Legislatures
-------�
6
Water Security
At least 11 states do not appear to extend the FOIA exemption to privately owned public water
systems. The states are shown in figure 4.
The status of a FOIA exemption for privately owned public
water systems in five states—Alaska, Colorado, Iowa, Maryland
and South Carolina—and Puerto Rico is unclear.
Exemption for Sanitary Surveys
The U.S. Environmental Protection Agency (EPA) requires
states to have "... a systematic program for conducting sanitary
surveys of public water systems in the State, with priority given
to sanitary surveys of public water systems not in compliance
with State primary drinking water regulations" (40 CFR
142.10(b)(2)). EPA defines a sanitary survey to be " ... an on-site review of the water source
(identifying sources of contamination using results of source water assessments where available),
facilities, equipment, operation, maintenance and monitoring compliance of a public water
system to evaluate the adequacy of the system, its sources and operations and the distribution
of safe drinking water." Its primary purpose is to " ... evaluate and document the capabilities
of the water system's sources, treatment, storage, distribution network, operation and
maintenance, and overall management to continually provide safe drinking water and to identify
any deficiencies that may adversely impact a water system's ability to provide a safe, reliable
water supply."
A sanitary survey contains many elements that are related to water system security and may
include items of concern that are found in a vulnerability assessment. A majority of the
information contained in a sanitary survey, however, is not related to water system security. In
evaluating whether a sanitary survey is exempt from public disclosure, one must be able to
determine whether a state statute:
• Affords protection to the entire sanitary survey;
• Affords protection only to security-related information that can be severed from the survey
report in order to maintain public access to essential water quality information found in
the rest of the report; or
• Provides no exemption for sanitary surveys.
The statutory language reviewed for this report is unclear as to whether exemptions from
public disclosure for water system security information also apply to security related information
contained in a sanitary survey. Although the authors had hoped to be able to ascertain whether
amendments to state FOIA laws protected such information from disclosure, they were unable
to do so given the ways the various statutes are written. In the written responses from the nine
states surveyed in part five of this report, for example, three of the four states that indicated
their statutory law protected water system security information from disclosure also stated
that the protection does not apply to sanitary surveys (see appendix A for the actual statutory
language). The statutes in those three states represent each of the three exemption categories
used in the matrix above—specific vulnerability assessment, general public health/security,
Figure 4. States That Do Not Have an
Exemption
for Privately
Owned Public Water Systems
Alabama
New Hampshire
California
North Carolina
Connecticut
North Dakota
Louisiana
South Dakota
Minnesota
Wyoming
Missouri
Source: NCSL, 2003.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
7
and federal or state law. Relying solely on the statutory language is not sufficient to reach a
definitive conclusion on this issue.
After reviewing each FOIA statute, the intent of the statute (to the degree that legislative intent
can be determined from the statutory language), and the types of information included in a
sanitary survey, it appears that a legal argument could be made in a number of states to support
keeping certain sanitary survey information exempt from public disclosure. If any security
information in a sanitary survey were exempt, however, it is likely that the state agencies involved
would have to separate the security-related information prior to the release of the sanitary
survey.
Narrative Summary of State Water Security Exemptions
Table 2 contains summaries of provisions contained in state FOIA statutes that exempt water
security system information from public disclosure requirements. It includes the statutory
citation, the type of exemption provided and a brief narrative description. The full statutory
language for each state is contained in appendix A.
Table 2. Descriptions of FOIA Exemptions
State/Jurisdiction
Statutory Citation
Type Exemption
Description of Exemptions
Alabama
No exemption
Alaska
Alaska Stat. §40.25.120
(a) (10)
Specific exemption
Specific exemption for records pertaining to facilities
and infrastructure when the release of the
information would reasonably be expected to
interfere with the implementation or enforcement of
a security plan, or could reasonably be expected to
endanger the life or physical safety of an individual,
or present a real and substantial risk to the pubic
health and welfare.
Arizona
Ariz. Rev. Stat. Ann.
§39-126, §49-205(2)
Specific exemption
Specific exemptions for water system assessments.
One specifically exempts federal risk or vulnerability
assessments of infrastructure, including water, from
disclosure. The other exempts water system
vulnerability assessments from disclosure that are
submitted to EPA pursuant to Public Law 107-188.
Arkansas
Ark. Stat. Ann.§25-19-
10S (b)(15)
Specific exemption
Specific exemption for risk and vulnerability
assessments.
California
Cal. Gov. Code
§6254(z)
Specific exemption
Specific exemption for documents prepared by a local
agency that assess its vulnerability to terrorist or other
criminal acts and that is for distribution or
consideration in a closed session.
Colorado
Colo. Rev. Stat.§24-72-
204(3) (a) (XVI)
Specific exemption
Specific exemption for "specialized details" of security
arrangements, which are considered to be records
received by the Office of Preparedness, Security, and
Fire Safety in connection with the performance of its
duties, and records received by any state agency or
political subdivision of the state from, or on behalf
of, the Office of Preparedness, Security and Fire
Safety.
National Conference of State Legislatures
-------�
8
Water Security
Table 2. Descriptions of FOLA Exemptions (continued)
State/Jurisdiction
Statutory Citation
Type Exemption
Description of Exemptions
Connecticut
Conn. Gen. Stat. §1-14, 1-
210(19)
Specific exemption
Broad exemption for records that the Commissioner
of Public Works has "reasonable" grounds to believe
may result in a safety risk to any person, state-owned
or leased facility or any fixture, and equipment
attached to that facility.
Delaware
29 Del. Code Ann.
§10002(16)
Specific exemption
Specific exemptions for records, that if disclosed,
could jeopardize the security of any facility owned by
the state or a political subdivision, or could facilitate
the planning of a terrorist attack, or could endanger
the life or physical safety of an individual, including
plans designed to prevent or respond to an
emergency situation that would reveal vulnerability
assessments, and plans or other records of waste and
water systems.
District of
Columbia
D.C. Statute §2-534(10)
Specific exemption
Specific exemption for "any specific vulnerability
assessment.. .intended to prevent or mitigate an act
of terrorism."
Florida
Fla. Stat. §119.071
Specific exemption
Specific exemptions for a "security system plan" for
any property owned by or leased to the state or a
political subdivision. A security system plan includes
records and information related to threat assessments
conducted by any state or local agency or private
entity, and threat response plans.
Georgia
Ga. Code §50-18-72(15)
Specific exemption
Specific exemption for security plans and
vulnerability assessments, the nondisclosure of which
is necessary to protect life, safety or public property.
Hawaii
Hawaii Rev. Stat. §92F-
13(4)
Exemption for
information protected
by federal or state law
Exemption for government records that are protected
from disclosure pursuant to state or federal law.
Idaho
Idaho Code §9-340B (3)(b)
Specific exemption
Specific exemption for information, including
vulnerability assessments, the disclosure of which
would jeopardize people's safety.
Illinois
5ILCS §140/7 (l)(a)
Exemption for
information protected
by federal or state law
Exemption of information that is specifically
prohibited from disclosure by federal or state law.
Indiana
Ind. Code §5-14-3-4 (a)(3)
Exemption for
information protected
by federal or state law
Exemption of records required by federal law to be
kept confidential.
Iowa
Iowa Code §22.7(45)
Specific exemption
Specific exemption for records of a municipal utility,
including vulnerability assessments, the disclosure of
which could reasonably be expected to jeopardize the
security or the public health and safety of those
served by the municipal utility.
Kansas
Kan. Stat. Ann.§45-221(12)
Specific exemption
Specific exemption for records of emergency or
security information of a public agency, or plans
used for the generation of or transmission of water,
the disclosure of which would jeopardize the security
of the public agency or facility.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
9
Table 2. Descriptions of FOLA Exemptions (continued)
State/Jurisdiction
Statutory Citation
Type Exemption
Description of Exemptions
Kentucky
Ky. Rev. Stat.§61.878(l)(k)
Exemption for
information protected
by federal or state law
Exemption of public records or information, the
disclosure of which is prohibited by federal or state
law.
Louisiana
La. Rev. Stat.§44:3(3)
Specific exemption
Specific exemption for records held by publicly
owned water districts that contain threat or
vulnerability assessments.
Maine
402 Me. Rev. Stat. Ann. §3
Specific exemption
Specific exemption for public records, including risk
assessments prepared specifically to prevent or
prepare for an act of terrorism, the disclosure of
which could reasonably be expected to jeopardize
the physical safety of the public.
Maryland
Md. State Govt. Code
Ann.§10-618(j)
Specific exemption
Specific exemptions for plans prepared to prevent or
respond to emergency situations, the disclosure of
which would reveal vulnerability assessments, and
plans or records of waste and water systems, the
disclosure of which would reveal the building's
structure and security systems. The exemptions are
provided only where disclosure would jeopardize the
security of any relevant structure, help plan a
terrorist attack, or endanger people's lives or physical
safety.
Massachusetts
Mass. Gen. L. ch. 4, §7(n)
Specific exemption
Specific exemption for records, including
vulnerability assessments, the disclosure of which is
likely to jeopardize public safety.
Michigan
Mich. Comp. Laws§ 15.243
(y)
Specific exemption
Specific exemptions for public or private records
designed to protect people's security and safety,
including public water supply designs, and risk
planning documents and threat assessments.
Minnesota
No exemption
Mississippi
Miss. Code Ann.§25-61-11
Exemption for
information protected
by federal or state law
Stipulates that Mississippi's exemptions shall not
conflict with or supercede any state or federal law
that specifically declares a public record to be
confidential.
Missouri
Mo. Rev. Stat. §610.021
Specific exemption
Specific exemption for security systems and
structural plans of real property owned by a public
agency, the disclosure of which would threaten the
public safety.
Montana
Mont. Code Ann.§2-6-
102(3)
Specific exemption
Exempts information that is constitutionally
protected from disclosure, which is information "...
where there is an individual privacy interest that
clearly exceeds the merits of the public disclosure ...
and matters related to individual or public safety."
(See part five of this report for state agency
interpretation.)
Nebraska
Neb. Rev. Stat. §84-
712.05(8)
Specific exemption
Specific exemption for information, including
vulnerability assessments intended to prevent or
mitigate criminal acts, the disclosure of which would
likely endanger public safety or property.
National Conference of State Legislatures
-------�
10
Water Security
Table 2. Descriptions of FOIA Exemptions (continued)
State/Jurisdiction
Statutory Citation
Type Exemption
Description of Exemptions
Nevada
2003 Nev. Stats., Chap 402
Specific exemption
Protects the confidentially of information conveyed
to the governor, including information pertaining to
water utilities, when the entity conveying the
information requests that it remain confidential.
New Hampshire
N.H. Rev. Stat. §91-A:5(VI)
Specific exemption
Specific exemption for records concerning the
preparation and implementation of all emergency
functions developed by state and local government
officials intended to stop a deliberate act that may
result in significant property damage, personal injury
or loss of life.
New Jersey
N.J. Rev. Stat. §47:1 A-1.1
Specific exemption
Specific exemption for emergency or security
information for facilities, that if disclosed, would
jeopardize the security of the facility or create a risk
for the safety of people or property.
New Mexico
N.M. Stat. Ann. §14-2-1(8)
Specific exemption
Specific exemption for records that contain plans
prepared by the state or a political subdivision, the
publication of which could reveal vulnerabilities or
risk assessments that could aid in a terrorist attack.
New York
N.Y. Pub. Off. Law §47-6-
87(a)
Exemption for
information protected
by federal or state law
Exemption of records when they are specifically
exempted from disclosure by state or federal law.
North Carolina
N.C. Gen. Stat. §132-1.7
Specific exemption
Specific exemption for information containing details
of public security plans or plans of public
infrastructure facilities.
North Dakota
N.D. Cent. Code §44-04-
18; 2003 N.D. Sess. Laws,
Chap. 385.
Specific exemption
Specific exemption for a security system plan kept by
a public entity, which is defined to include
information related to vulnerability and capability
assessments conducted by public or private entities.
Ohio
Ohio Rev. Code §149.433
Specific exemption
Specific exemption for security records, which
include vulnerability assessments designed to prevent
or mitigate an act of terrorism.
Oklahoma
Okla. Stat. §51-24A.13
Specific exemption
Specific exemption for vulnerability assessments of
water and wastewater systems. A second exemption
is provided for information obtained from the federal
government that may be required to be kept
confidential pursuant to federal law.
Oregon
Or. Rev.
Stat.§§192.501(23), and
192.502(8)
Specific exemption
Specific exemption for records or information that
would reveal security efforts taken to protect publicly
owned buildings or other property. A second
exemption is provided for information prohibited to
be disclosed by federal law.
Pennsylvania
65 Pa. Cons. Stat. §§66.1-
66.4
Exemption for
information protected
by federal or state law
Exemption of records, the access to which is
prohibited by state law, or which, if disclosed, would
result in the loss of federal funds by the state or local
governments.
Puerto Rico
Uncertain exemption
Rhode Island
R.I. Gen. Laws §46-15.3-
7.5(a)
Specific exemption
Specific exemption for information contained in
water supply systems' management plans.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
11
Table 2. Descriptions of FOIA Exemptions (continued)
State/Jurisdiction
Statutory Citation
Type Exemption
Description of Exemptions
South Carolina
Uncertain exemption
South Dakota
No exemption
Tennessee
Tenn. Code Ann. §10-7-
503(b), §10-7-504(a)(2)
Specific exemption
Specific exemption for utility service providers'
reports identifying areas that are vulnerable to
terrorism or other unlawful disruptions of service.
Texas
2003 Tex. Gen. Laws, Chap.
1312
Specific exemption
Specific exemption for certain information relating to
risk or vulnerability assessments designed to prevent,
detect or investigate an act of terrorism.
Utah
Utah Code Ann.§63-2-
201 (3)(b); §63-2-
304(10)(11)
Exemption for
information protected
by federal or state law
Exemption of records, access to which is restricted by
state or federal law, or the disclosure of which would
result in the loss of state or federal funds.
Vermont
1 Vermont Stat. Ann.
§§317(c)(l) and (2)
Exemption for
information protected
by federal or state law
Exemption for records "which by law are designated
as confidential."
Virginia
Va. Code §2.2-3705(57)
Specific exemption
Specific exemption for plans to prevent or respond to
a terrorist activity, or specific security measures that,
if disclosed, would jeopardize the public safety or the
security of any governmental facility.
Washington
Wash. Rev. Code
§42.17.310(ww)
Specific exemption
Specific exemption for records designed to prevent or
mitigate terrorist acts, which specifically includes
vulnerability assessments. A second exemption is for
records that are not subject to disclosure under
federal law.
West Virginia
W.Va. Code §29B-l-4
Specific exemption
Specific exemption for records designed to prevent or
mitigate terrorist acts, which specifically includes
vulnerability assessments.
Wisconsin
Wis. Stat. §19-36(1)
Exemption for
information protected
by federal or state law
Exemption of records specifically exempted from
disclosure by state or federal law.
Wyoming
Wyo. Stat. §16-4-203
Specific exemption
Specific exemption for vulnerability assessments and
building plans and other information related to waste
and water systems.
Source: NCSL, 2003.
Summary of 2003 State Water System Security Bills
Table 3 contains summaries of the provisions of proposed and enacted state legislation considered
during the 2003 sessions that provides an exemption from public disclosure requirements for
water system security information. The bill information has been incorporated into the
summaries of state FOIA statutes contained in parts two and three of this report, where relevant.
The information presented in the table includes the state, bill number, bill status and a summary
of the bill's provisions.
National Conference of State Legislatures
-------�
12
Water Security
Table 3. Summaries of 2003 State Legislation
State
Bill Number
Status
Description of Exemptions
Arizona
S.B. 1167
Enacted
Excludes from public inspection drinking water
system security vulnerability assessments and
energy, water or telecommunications
infrastructure risk assessments.
Arkansas
H.B. 2245
Enacted
Specifies that records, including risk and
vulnerability assessments, are not deemed to be
open to the public under the provisions of the
state FOIA. The new law appears to exempt
most public water system information related to
security.
Georgia
S.B. 113
Enacted
Amends existing law to provide an exemption
from the state's open records requirements related
to security plans and vulnerability assessments for
any public utility, technology, infrastructure,
building, facility, function or activity; any plan
for protection against terrorist attacks; any
document relating to the existence, nature,
location or function of security devices designed
to protect against terrorist attacks; and any plan
or other material which, if made public, could
compromise security against terrorist acts.
Illinois
H.B.305
Passed House; in
Senate Rules
Committee
Would exempt from inspection and copying
requirements a) a public body's records compiled
for emergency and security procedures, to the
extent disclosure would interfere with planning,
training, and security; and b) information that
could compromise the security of public or
private personnel or property or emergency or
disaster training, response and recovery.
H.B.2443
In House Rules
Committee
Provides that the exemption from inspection and
copying requirements for architects' plans and
engineers' technical submissions includes, but is
not limited to, specified utility, transportation,
public and government facilities.
H.B.2807
In House Rules
Committee
Would exempt from disclosure architectural and
engineering plans for various utility,
transportation and public facilities.
S.B. 1034
Enacted
Provides that the exemption from inspection and
copying requirements for architects' plans and
engineers' technical submissions includes, but is
not limited to, specified utility (including water
treatment), transportation, public and
government facilities.
Louisiana
S.B. 787
In House
Government
Affairs
Committee
Expands the exemption from disclosure under
current law to prohibit disclosure of certain
records for utility systems that are owned and
operated by political subdivisions.
Massachusetts
H.B.3863
In Joint
Committee on
Natural
Resources and
Agriculture
This bill relates to the security of certain
information obtained by, or in the possession of,
the Department of Environmental Protection.
(Editors note: The bill is new and additional
information is not yet available; bills in
Massachusetts often are not fully fleshed out until
after committee deliberations.)
National Conference of State Legislatures
-------�
Protecting Water System Security Information
13
Table 3. Summaries of 2003 State Legislation (continued)
State
Bill Number
Status
Description of Exemptions
Nevada
A.B. 441
Enacted
Protects the confidentially of information
conveyed to the governor, including information
pertaining to water utilities, when the entity
conveying the information requests that it remain
confidential.
New Mexico
H.B. 254
Enacted
Exempts from disclosure plans prepared by the
state or a political subdivision, the publication of
which could reveal vulnerabilities or risk
assessments that could aid in a terrorist attack.
North Dakota
H.B. 1143
Enacted
Exempts from disclosure security system plans for
critical infrastructure that are " ... so vital to the
state that the incapacity or destruction of these
systems would have a debilitating impact on
security, state economic security, state public
health or safety, or any combination of those
matters." A security system plan is defined to
include a wide range of documents, including
vulnerability and capability assessments con-
ducted bv a oublic entity or bv anv private entity.
Oklahoma
H.B. 1146
Enacted
Stipulates that w... any state environmental
agency or public utility shall keep confidential
vulnerability assessments of critical assets in both
water and wastewater systems."
Tennessee
H.B. 2030
Enacted
Clarifies that utility service providers' reports that
identify areas vulnerable to terrorism or other
unlawful disruptions of service are confidential.
Texas
H.B. 9
Enacted
Provides a specific exemption for certain
information relating to risk or vulnerability
assessments designed to prevent, detect or
investigate an act of terrorism.
Virginia
H.B. 2210
Enacted
Exempts from disclosure information that the
governor receives from either public or private
entities and that relates to the protection of
critical infrastructure, or that affects the health,
safety and welfare of residents of the state.
West Virginia
H.B. 3009
Enacted
Exempts from disclosure " records assembled,
prepared or maintained to prevent, mitigate or
respond to terrorist acts or the threat of terrorist
acts, the public disclosure of which threatens the
public safety or the public health, as well as those
portions of records that contain specific or unique
vulnerability assessments."
Wisconsin
S.B. 8
Passed Senate; in
Assembly
Energy
Committee
Would exempt records containing information
about security measures for protecting the safety
of facilities or people who operate a public water
supply system.
Wyoming
S.F. 10
Enacted
Exempts from disclosure information, including
vulnerability assessments, to the extent disclosure
would jeopardize the security of any facility
owned, leased or operated by the state or a
political subdivisions; assist the planning of a
terrorist attack; or endanger the life or physical
safety of an individual. Protected information
also includes building plans and security measures
related to waste and water systems.
Source: NCSL, 2003.
National Conference of State Legislatures
-------�
14
Water Security
Survey Responses from State Drinking Water Staff
In order to confirm or amend its initial interpretation of some state laws, NCSL submitted a
brief written survey to drinking water agency staff in nine states: Alabama, Minnesota, Montana,
New Hampshire, North Dakota, Pennsylvania, South Dakota, Vermont and West Virginia.
Each of the states responded. NCSL developed the survey instrument with assistance from the
Association of State Drinking Water Administrators (ASDWA). ASDWA also identified the
state drinking water agency staff to whom NCSL submitted the survey. The survey instrument
containing each state's responses is included as appendix B.
The survey asked the respondent whether the existing state FOIA law protected drinking
water system security information from public disclosure. If the respondent indicated that it
did, he or she was asked to indicate if that protection applied to vulnerability assessments,
sanitary surveys, publicly owned systems and privately owned systems. If the respondent
replied "no" to the initial question, he or she was asked about any proposed legislation that
would change state law to provide such exemptions. Space was included for the respondent to
add comments to help NCSL better understand the state's law pertaining to the protection of
water system security information.
Four states—New Hampshire, North Dakota, Pennsylvania and Vermont—indicated that
state law protects drinking water security information from having to be made public. Four
states—Alabama, Minnesota, South Dakota and West Virginia—responded that state law does
not provide such protections (West Virginia's response was received before final enactment of
House Bill 3009 during the 2003 session, which provides a specific protection—see part four).
Montana was not sure.
Of the four states that responded affirmatively to the first question, all four indicated that the
protections apply to vulnerability assessments and to publicly owned water systems. Only
Vermont responded that the protections apply to sanitary surveys for future security-related
information. New Hampshire, Pennsylvania and Vermont said that privately owned water
systems are covered.
Four states that responded negatively to the first question or that were not sure—Alabama,
Minnesota, Montana and South Dakota—indicated that efforts are under way to clarify the
public disclosure requirements of water system security information. Montana's efforts, related
specifically to water system security information, have been the most extensive to date.
The Montana Department of Environmental Quality (MDEQ) asked for an opinion from the
state attorney general regarding the protection of water system security information. The
state's statute provides an exemption for information that is constitutionally protected from
disclosure, and also for information pertaining to the security of public facilities. In a letter to
the U.S. Environmental Protection Agency, MDEQ indicated that constitutionally protected
information includes "... information in which there is an individual privacy interest that
clearly exceeds the merits of public disclosure ... and matters related to individual or public
safety." MDEQ concluded that this allowed the state to withhold from public disclosure
information included in The Baseline Threat Information for Vulnerability Assessment of
Community Water Systems report. The agency stated in the letter to EPA that it also intended
to withhold any information in the report "that is contained in vulnerability assessments that
National Conference of State Legislatures
-------�
Protecting Water System Security Information
are submitted by public water suppliers to MDEQ." According to MDEQ, the Montana
Attorney General's Office had reviewed the information and concurred that it is exempt from
public disclosure.
National Conference of State Legislatures
-------�
-------�
Protecting Water System Security Information
17
Appendix A. Specific Statutory Language
State/
Jurisdiction
Specific Statutory Language
1. Alabama
Ala. Code §36-12-40. Rights of citizens to inspect and copy public writings; exception for public library registration
and circulation records.
Every citizen has a right to inspect and take a copy of any public writing of this state, except as otherwise expressly
provided by statute. Provided however, registration and circulation records and information concerning the use of the
public, public school or college and university libraries of this state shall be exempted from this section. Provided
further, any parent of a minor child shall have the right to inspect the registration and circulation records of any school
or public library that pertain to his or her child.
2. Alaska
Alaska Stat. §40.25.120. Public records; exceptions; certified copies.
(a) Every person has a right to inspect a public record in the state, including public records in recorders' offices, except
(10) records or information pertaining to a plan, program, or procedures for establishing, maintaining, or restoring
security in the state, or to a detailed description or evaluation of systems, facilities, or infrastructure in the state, but
only to the extent that the production of the records or information
(A) could reasonably be expected to interfere with the implementation or enforcement of the security plan, program, or
procedures;
(B) would disclose confidential guidelines for investigations or enforcement and the disclosure could reasonably be
expected to risk circumvention of the law; or
(C) could reasonably be expected to endanger the life or physical safety of an individual or to present a real and
substantial risk to the public health and welfare.
3. Arizona
SB 1167, enacted in the 2003 legislative session.
Section 1. Title 39, chapter 1, article 2, Arizona Revised Statutes, is amended by adding section 39-126, to read:
39-126. Federal risk assessments of infrastructure; confidentiality
Nothing in this chapter requires the disclosure of a risk assessment that is performed by or on behalf of a federal agency
to evaluate critical energy, water or telecommunications infrastructure to determine its vulnerability to sabotage or
attack.
Sec. 2. Section 49-205, Arizona Revised Statutes, is amended to read:
49-205- Availability of information to the public
A. Any records, reports or information obtained from any person under this chapter, including records, reports or
information obtained or prepared by the director or a department employee, shall be available to the public, except
that:
2. Drinking water system security vulnerability assessments that are submitted to the United States Environmental
Protection Agency pursuant to Public Law 107-188, are exempt from disclosure under this chapter and Title 39,
Chapter 1.
4. Arkansas
Act 763 (HB 2245) of the 2003 Legislative Session amends Arkansas Code §25-19-105 to read as follows:
(b) It is the specific intent of this section that the following shall not be deemed to be made open to the public under
the provisions of this chapter
(15)(A) Records, including analyses, investigations, studies, reports, recommendations, requests for proposals,
drawings, diagrams, blueprints, and plans, containing information relating to security for any public water system.
(B) The records shall include:
(i) Risk and vulnerability assessments;
(ii) Plans and proposals for preventing and mitigating security risks;
(iii) Emergency response and recovery records;
(iv) Security plans and procedures; and
(v) Any other records containing information that, if disclosed, might jeopardize or compromise efforts to secure and
protect the public water system.
(C) Subdivision (b)( 15) of this section shall expire on July 1, 2005.
National Conference of State Legislatures
-------�
18
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
5. California
§6254(z) of the California Government Code exempts from public disclosure:
(z) Records obtained pursuant to paragraph (2) of subdivision (c) of Section 2891.1 of the Public Utilities Code.
(aa) A document prepared by a local agency that assesses its vulnerability to terrorist attack or other criminal acts
intended to disrupt the public agency's operations and that is for distribution or consideration in a closed session.
Nothing in this section prevents any agency from opening its records concerning the administration of the agency to
public inspection, unless disclosure is otherwise prohibited by law. Nothing in this section prevents any health facility
from disclosing to a certified bargaining agent relevant financing information pursuant to Section 8 of the National
Labor Relations Act.
6. Colorado
Colo. Rev. Stat. §24-72-204(XVI) exempts:
Specialized details of security arrangements or investigations.
Colo. Rev. Stat. §24-72-204(XVII) further provides that:
Nothing in this subparagraph (XVII) shall prohibit the custodian from transferring such records to the office of
preparedness, security, and fire safety in the department of public safety, the governing body of any city, county, or city
and county, or any federal, state, or local law enforcement agency; except that the custodian shall not transfer any
record received from a nongovernmental entity without the prior written consent of such entity unless such
information is already publicly available. For purposes of this section, records received by the office of preparedness,
security, and fire safety in the department of public safety in connection with the performance of its duties and records
received by any state agency or political subdivision of the state from or on behalf of the office of preparedness,
security, and fire safety shall constitute specialized details of security arrangements or investigations.
7. Connecticut
Conn. Gen. Stat. §1-14,1-210(19) exempts:
Records, the disclosure of which the Commissioner of Public Works or, in the case of records concerning Judicial
Department facilities, the Chief Court Administrator, has reasonable grounds to believe may result in a safety risk,
including the risk of harm to any person, any state-owned or leased institution or facility or any fixture or appurtenance
and equipment attached to, or contained in, such institution or facility. Such records shall include, but are not limited
to:
(A) Security manuals or reports, including emergency plans contained or referred to in such security manuals;
(B) Engineering and architectural drawings of state-owned or leased institutions or facilities;
(C) Operational specifications of security systems utilized at any state-owned or leased institution or facility, except that
a general description of any such security system and the cost and quality of such system, may be disclosed;
(D) Training manuals prepared for state-owned or leased institutions or facilities that describe, in any manner, security
procedures, emergency plans or security equipment;
(E) Internal security audits of state-owned or leased institutions or facilities;
(F) Minutes or recordings of meetings of the Department of Public Works or the Judicial Department, or portions of
such minutes or recordings, that contain or reveal information relating to security or other records otherwise exempt
from disclosure under this subdivision; and
(G) Logs or other documents that contain information on the movement or assignment of security personnel at state-
owned or leased institutions or facilities;
(20) Records of standards, procedures, processes, software and codes, not otherwise available to the public, the
disclosure of which would compromise the security or integrity of an information technology system.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
19
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
8. Delaware
Del. Code Ann. §100002.
(16)a. The following records, which, if copied or inspected, could jeopardize the security of any structure owned by the
State or any of its political subdivisions, or could facilitate the planning of a terrorist attack, or could endanger the life
or physical safety of an individual:
1. Response procedures or plans prepared to prevent or respond to emergency situations, the disclosure of which would
reveal vulnerability assessments, specific tactics, specific emergency procedures or specific security procedures.
2. Building plans, blueprints, schematic drawings, diagrams, operational manuals or other records of mass transit
facilities, bridges, tunnels, emergency response facilities or structures, buildings where hazardous materials are used or
stored, arenas, stadiums, waste and water systems, electric transmission lines and substations, high-pressure natural gas
pipelines and compressor stations, and telecommunications networks facilities and switching equipment, the disclosure
of which would reveal the building's or structure's internal layout, specific location, life, safety and support systems,
structural elements, surveillance techniques, alarm or security systems or technologies, operational and transportation
plans or protocols, or personnel deployments. Records that disclose the substances being used or stored on a given piece
of property are public records; however, records which disclose the specific location on that property of the substances
being used or stored may be disclosed only if the chief administrative officer of the agency from which the record is
requested determines that disclosure will not jeopardize the security of any structure owned by the State or any of its
political subdivisions, or will not facilitate the planning of a terrorist attack, or will not endanger the life or physical
safety of an individual.
3. Records of any building or structure operated by the State or any of its political subdivisions, the disclosure of which
would reveal the building's or structure's life, safety and support systems, surveillance techniques, alarm or security
systems or technologies, operational and evacuation plans or protocols, or personnel deployments.
4. Records prepared to prevent or respond to emergency situations identifying or describing the name, location,
pharmaceutical cache, contents, capacity, equipment, physical features or capabilities of individual medical facilities,
storage facilities, or laboratories established, maintained or regulated by the State or any of its political subdivisions.
5. Those portions of records assembled, prepared or maintained to prevent, mitigate or respond to criminal acts, the
public disclosure of which would have a substantial likelihood of threatening public safety. The only items that are
protected from disclosure by this paragraph are:
A. Specific and unique vulnerability assessments or specific and unique response or deployment plans, including
compiled underlying data collected in preparation of or essential to the assessments or to the response or deployment
plans; and
B. Records not subject to public disclosure under federal law that are shared by federal or international agencies and
information prepared from national security briefings provided to state or local government officials related to domestic
preparedness for criminal acts against United States citizens or targets.
6. Nothing in this subsection shall be deemed to prohibit the disclosure of information necessary to comply with the
requirements of Chapter 8 of Title 26, the Underground Utility Damage Prevention and Safety Act.
b. Nothing in this paragraph shall interfere with the right of any committee of the General Assembly to hear
information in the committee at the request of the committee chair or, if appropriate, to hear information in an
executive session of the committee, or to subpoena information pursuant to § 705 of this title.
9. District of
Columbia
D.C. Statute §2-534(10) exempts:
Any specific response plan, including any District of Columbia response plan, as that term is defined in § 7-2301(1),
and any specific vulnerability assessment, either of which is intended to prevent or to mitigate an act of terrorism, as
that term is defined in § 22-3152(1).
D.C. Statute §7-2301 (1A) defines response plan as " ... the plan for public emergency preparedness and prevention
prepared pursuant to § 201 of the Disaster Relief Act of 1974 (42 U.S.C. § 5121) and § 7- 2302.
National Conference of State Legislatures
-------�
20
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
10. Florida
Fla. Stat. §119.071. General exemptions from inspection or copying of public records.
A security system plan or portion thereof for:
(1) Any property owned by or leased to the state or any of its political subdivisions; or
(2) Any privately owned or leased property which plan or portion thereof is in the possession of any agency, as defined
ins. 119.Oil, is confidential and exempt from the provisions ofs. 119.07 (1) and s. 24(a), Art. I of the State
Constitution. As used in this section, the term a "security system plan" includes all records, information, photographs,
audio and visual presentations, schematic diagrams, surveys, recommendations, or consultations or portions thereof
relating directly to the physical security of the facility or revealing security systems; threat assessments conducted by any
agency as defined in s. 119.011 or any private entity; threat response plans; emergency evacuation plans; sheltering
arrangements; or manuals for security personnel, emergency equipment, or security training. This exemption is
remedial in nature and it is the intent of the Legislature that this exemption be applied to security system plans received
by an agency before, on, or after the effective date of this section. Information made confidential and exempt by this
section may be disclosed by the custodial agency to another state or federal agency to prevent, detect, guard against,
respond to, investigate, or manage the consequences of any attempted or actual act of terrorism, or to prosecute those
persons who are responsible for such attempts or acts, and the confidential and exempt status of such information shall
be retained while in the possession of the receiving agency. This section is subject to the Open Government Sunset
Review Act of 1995> in accordance with s. 119.15, and shall stand repealed on October 2, 2006, unless reviewed and
saved from repeal through reenactment by the Legislature.
11. Georgia
S.B. 113, enacted in the 2003 session, amends Ga. Code §50-18-72 to exempt from disclosure:
(15) (A) Records, the disclosure of which would compromise security against sabotage or criminal or terrorist acts and
the nondisclosure of which is necessary for the protection of life, safety, or public property, which shall be limited to
the following:
(i) Security plans and vulnerability assessments for any public utility, building, facility, function, or activity in effect at
the time of the request for disclosure or pertaining to a plan or assessment in effect at such time;
(ii) Any plan for protection against terrorist or other attacks, which plan depends for its effectiveness in whole or in part
upon a lack of general public knowledge of its details;
(iii) Any document relating to the existence, nature, location, or function of security devices designed to protect against
terrorist or other attacks, which devices depend for their effectiveness in whole or in part upon a lack of general public
knowledge; and
(iv) Any plan, blueprint, or other material which if made public could compromise security against sabotage, criminal,
or terroristic acts.
12. Hawaii
Hawaii Rev. Stat. §92F-13. Government records; exceptions to general rule.
This part shall not require disclosure of:
(3) Government records that, by their nature, must be confidential in order for the government to avoid the frustration
of a legitimate government function;
(4) Government records which, pursuant to state or federal law including an order of any state or federal court, are
protected from disclosure.
13. Idaho
Idaho Code §9-340B(3) exempts:
(b) Records of buildings, facilities, infrastructures and systems held by or in the custody of any public agency only
when the disclosure of such information would jeopardize the safety of persons or the public safety. Such records may
include emergency evacuation, escape or other emergency response plans, vulnerability assessments, operation and
security manuals, plans, blueprints or security codes. For purposes of this section "system" shall mean electrical,
heating, ventilation, air conditioning and telecommunication systems.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
21
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
14. Illinois
S.B. 1034, enacted in the 2003 session, amends 5 ILCS 140/7 to exempt:
(k) Architects' plans and engineers' technical submissions for projects not constructed or developed in whole or in part
with public funds and for projects constructed or developed with public funds, to the extent that disclosure would
compromise security, including but not limited to water treatment facilities, airport facilities, sport stadiums,
convention centers, and all government owned, operated, or occupied buildings.
5 ILCS 140/7 also exempts:
Information specifically prohibited from disclosure by federal or State law or rules and regulations adopted under
federal or State law.
15. Indiana
Ind. Code §5-14-3-4 exempts those records "... declared confidential by state statute; declared confidential by rule
adopted by a public agency under specific authority to classify public records as confidential granted to the public
agency by statute; those required to be kept confidential by federal law."
16. Iowa
Iowa Code §22.7.
45. Records of a public airport, municipal corporation, municipal utility, jointly owned municipal utility, or rural
water district organized under chapter 357A, where disclosure could reasonably be expected to jeopardize the security
or the public health and safety of the citizens served by a public airport, municipal corporation, municipal utility,
jointly owned municipal utility, or rural water district organized under chapter 357A. Such records include but are not
limited to vulnerability assessments and information included within such vulnerability assessments; architectural,
engineering, or construction diagrams; drawings, plans, or records pertaining to security measures such as security and
response plans, security codes and combinations, passwords, passes, keys, or security or response procedures; emergency
response protocols; and records disclosing the configuration of critical systems or infrastructures of a public airport,
municipal corporation, municipal utility, jointly owned municipal utility, or rural water district organized under
chapter 357A. This subsection is repealed effective June 30, 2007.
46. The critical asset protection plan or any part of the plan prepared pursuant to section 29C.8 and any information
held by the emergency management division that was supplied to the division by a public or private agency or
organization and used in the development of the critical asset protection plan to include, but not be limited to, surveys,
lists, maps, or photographs. However, the administrator shall make the list of assets available for examination by any
person. A person wishing to examine the list of assets shall make a written request to the administrator on a form
approved by the administrator. The list of assets may be viewed at the division s offices during normal working hours.
The list of assets shall not be copied in any manner. Communications and asset information not required by law, rule,
or procedure that are provided to the administrator by persons outside of government and for which the administrator
has signed a nondisclosure agreement are exempt from public disclosures. The emergency management division may
provide all or part of the critical asset plan to federal, state, or local governmental agencies which have emergency
planning or response functions if the administrator is satisfied that the need to know and intended use are reasonable.
An agency receiving critical asset protection plan information from the division shall not redisseminate the information
without prior approval of the administrator.
17. Kansas
Kan. Stat. Ann. §45-221(12) exempts:
Records of emergency or security information or procedures of a public agency, or plans, drawings, specifications or
related information for any building or facility which is used for purposes requiring security measures in or around the
building or facility or which is used for the generation or transmission of power, water, fuels or communications, if
disclosure would jeopardize security of the public agency, building or facility.
18. Kentucky
KRS 61.878(1) exempts:
(k) All public records or information the disclosure of which is prohibited by federal law or regulation; and
(1) Public records or information the disclosure of which is prohibited or restricted or otherwise made confidential by
enactment of the General Assembly.
National Conference of State Legislatures
-------�
22
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
19. Louisiana
La. Rev. Stat. §44:3. Records of prosecutive, investigative, and law enforcement agencies, and communications
districts.
A. Nothing in this Chapter shall be construed to require disclosures of records, or the information contained therein,
held by the offices of the attorney general, district attorneys, sheriffs, police departments, Department of Public Safety
and Corrections, marshals, investigators, public health investigators, correctional agencies, communications districts,
intelligence agencies, or publicly owned water districts of the state, which records are:
(3) Records containing security procedures, investigative training information or aids, investigative techniques,
investigative technical equipment or instructions on the use thereof, criminal intelligence information pertaining to
terrorist-related activity, or threat or vulnerability assessments collected or obtained in the prevention of terrorist-
related activity, including but not limited to physical security information, proprietary information, operational plans,
and the analysis of such information, or internal security information.
20. Maine
MRSA §402:3 defines "public records" as " ... any written, printed or graphic matter or any mechanical or electronic
data compilation from which information can be obtained, directly or after translation into a form susceptible of visual
or aural comprehension, that is in the possession or custody of an agency or public official of this State or any of its
political subdivisions, or is in the possession or custody of an association, the membership of which is composed
exclusively of one or more of any of these entities, and has been received or prepared for use in connection with the
transaction of public or governmental business or contains information relating to the transaction of public or
governmental business.
MRSA §402:3(L) exempts:
Records describing security plans, security procedures or risk assessments prepared specifically for the purpose of
preventing or preparing for acts of terrorism, but only to the extent that release of information contained in the record
could reasonably be expected to jeopardize the physical safety of government personnel or the public. Information
contained in records covered by this paragraph may be disclosed to the Legislature or, in the case of a political or
administrative subdivision, to municipal officials or board members under conditions that protect the information
from further disclosure. For purposes of this paragraph, "terrorism" means conduct that is designed to cause serious
bodily injury or substantial risk of bodily injury to multiple persons, substantial damage to multiple structures whether
occupied or unoccupied or substantial physical damage sufficient to disrupt the normal functioning of a critical
infrastructure.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
23
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
21. Maryland
Md. Code Ann. State Government §10-618.
(j) (1) Subject to paragraph (2) of this subsection, a custodian may deny inspection of:
(1) response procedures or plans prepared to prevent or respond to emergency situations, the disclosure of which would
reveal vulnerability assessments, specific tactics, specific emergency procedures, or specific security procedures;
(ii) 1. building plans, blueprints, schematic drawings, diagrams, operational manuals, or other records of airports and
other mass transit facilities, bridges, tunnels, emergency response facilities or structures, buildings where hazardous
materials are stored, arenas, stadiums, and waste and water systems, the disclosure of which would reveal the building's
or structure's internal layout, specific location, life, safety, and support systems, structural elements, surveillance
techniques, alarm or security systems or technologies, operational and transportation plans or protocols, or personnel
deployments; or
2. records of any other building or structure owned or operated by the State or any of its political subdivisions, the
disclosure of which would reveal the building's or structure's life, safety, and support systems, surveillance techniques,
alarm or security systems or technologies, operational and evacuation plans or protocols, or personnel deployments; or
(iii) records prepared to prevent or respond to emergency situations identifying or describing the name, location,
pharmaceutical cache, contents, capacity, equipment, physical features, or capabilities of individual medical facilities,
storage facilities, or laboratories established, maintained, or regulated by the State or any of its political subdivisions.
(2) The custodian may deny inspection of a part of a public record under paragraph (1) of this subsection only to the
extent that the inspection would:
(i) jeopardize the security of any structure owned or operated by the State or any of its political subdivisions;
(ii) facilitate the planning of a terrorist attack; or
(iii) endanger the life or physical safety of an individual.
22. Massachusetts
Mass. Gen. Laws Ann. ch 4, §7 exempts:
(n) records, including, but not limited to, blueprints, plans, policies, procedures and schematic drawings, which relate
to internal layout and structural elements, security measures, emergency preparedness, threat or vulnerability
assessments, or any other records relating to the security or safety of persons or buildings, structures, facilities, utilities,
transportation or other infrastructure located within the commonwealth, the disclosure of which, in the reasonable
judgment of the record custodian, subject to review by the supervisor of public records under subsection (b) of section
10 of chapter 66, is likely to jeopardize public safety.
23. Michigan
Mich. Comp. Laws §15.243(y) exempts:
Records or information of measures designed to protect the security or safety of persons or property, whether public or
private, including, but not limited to, building, public works, and public water supply designs to the extent that those
designs relate to the ongoing security measures of a public body, capabilities and plans for responding to a violation of
the Michigan anti-terrorism act, chapter LXXXIII-A of the Michigan penal code, 1931 PA 328, MCL 750.543a to
750.543z, emergency response plans, risk planning documents, threat assessments, and domestic preparedness
strategies, unless disclosure would not impair a public body's ability to protect the security or safety of persons or
property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular
instance.
24. Minnesota
Minn. Stat. §13.02 Subd. 9. Nonpublic data.
"Nonpublic data" means data not on individuals that is made by statute or federal law applicable to the data: (a) not
accessible to the public; and (b) accessible to the subject, if any, of the data.
25. Mississippi
Miss. Code Ann. § 25-61-11. Records exempted or privileged by law.
The provisions of this chapter shall not be construed to conflict with, amend, repeal or supersede any constitutional or
statutory law or decision of a court of this state or the United States which at the time of this chapter is effective or
thereafter specifically declares a public record to be confidential or privileged, or provides that a public record shall be
exempt from the provisions of this chapter.
National Conference of State Legislatures
-------�
24
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
26. Missouri
Mo. Rev. Stat. 610.021 exempts the following from disclosure:
(18) A municipal utility receiving a public records request for information about existing or proposed security systems
and structural plans of real property owned or leased by the municipal utility, the public disclosure of which would
threaten public safety, shall within three business days act upon such public records request, pursuant to section
610.023. Records related to the procurement of or expenditures relating to security systems shall be open except to the
extent provided in this section;
(19) Existing or proposed security systems and structural plans of real property owned or leased by a public
governmental body, the public disclosure of which would threaten public safety. Records related to the procurement of
or expenditures relating to security systems shall be open except to the extent provided in this section. When seeking to
close information pursuant to this exception, the public governmental body shall affirmatively state in writing that
disclosure would impair the public governmental body's ability to protect the security or safety of persons or real
property, and shall in the same writing state that the public interest in nondisclosure outweighs the public interest in
disclosure of the records. This exception shall sunset on December 31, 2006;
(20) Records that identify the configuration of components or the operation of a computer, computer system,
computer network, or telecommunications network, and would allow unauthorized access to or unlawful disruption of
a computer, computer system, computer network, or telecommunications network of a public governmental body.
This exception shall not be used to limit or deny access to otherwise public records in a file, document, data file or
database containing public records. Records related to the procurement of or expenditures relating to such computer,
computer system, computer network, or telecommunications network, including the amount of moneys paid by, or on
behalf of, a public governmental body for such computer, computer system, computer network, or telecommunications
network shall be open except to the extent provided in this section.
27. Montana
Mont. Code Ann. 2-6-102 (3) exempts:
Records and materials that are constitutionally protected from disclosure are not subject to the provisions of this
section. Information that is constitutionally protected from disclosure is information in which there is an individual
privacy interest that clearly exceeds the merits of public disclosure, including legitimate trade secrets, as defined in 30-
14-402, and matters related to individual or public safety.
28. Nebraska
Neb. Rev. Stat. §84-712.05(8) exempts:
Information solely pertaining to protection of the security of public property and persons on or within public property,
such as specific, unique vulnerability assessments or specific, unique response plans, either of which is intended to
prevent or mitigate criminal acts the public disclosure of which would create a substantial likelihood of endangering
public safety or property; computer or communications network schema, passwords, and user identification names;
guard schedules; or lock combinations.
Neb. Rev. Stat. §84-712.08. Records; federal government; exception.
If it is determined by any federal department or agency or other federal source of funds, services, or essential
information, that any provision of sections 84-712, 84-712.01, 84-712.03 to 84-712.09, and 84-1413 would cause the
denial of any funds, services, or essential information from the United States Government which would otherwise
definitely be available to an agency of this state, such provision shall be suspended as to such agency, but only to the
extent necessary to prevent denial of such funds, services, or essential information.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
25
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
29. Nevada
A.B. 441, enacted in the 2003 legislative session.
Section 27.
1. Each utility shall:
(a) Conduct a vulnerability assessment in accordance with the requirements of the federal and regional agencies that
regulate the utility; and
(b) Prepare and maintain an emergency response plan in accordance with the requirements of the federal and regional
agencies that regulate the utility.
2. Each utility shall:
(a) As soon as practicable but not later than December 31, 2003, submit its vulnerability assessment and emergency
response plan to the Division of Emergency Management of the Department of Public Safety; and
(b) At least once each year thereafter, review its vulnerability assessment and emergency response plan and, as soon as
practicable after its review is completed but not later than December 31 of each year, submit the results of its review
and any additions or modifications to its emergency response plan to the Division of Emergency Management of the
Department of Public Safety.
3. Each vulnerability assessment and emergency response plan of a utility and any other information concerning a
utility that is necessary to carry out the provisions of this section is confidential and must be securely maintained by
each person or entity that has possession, custody or control of the information.
4. A person shall not disclose such information, except:
(a) Upon the lawful order of a court of competent jurisdiction;
(b) As is reasonably necessary to carry out the provisions of this section or the operations of the utility, as determined
by the Division of Emergency Management of the Department of Public Safety; or
(c) As is reasonably necessary in the case of an emergency involving public health or safety, as determined by the
Division of Emergency Management of the Department of Public Safety.
Section 27.5.
1. Except as otherwise provided in subsection 3, records and portions of records that are assembled, maintained,
overseen or prepared by the Department to mitigate, prevent or respond to acts of terrorism, the public disclosure of
which would, in the determination of the Director, create a substantial likelihood of threatening the safety of the
general public are confidential and not subject to inspection by the general public to the extent that such records and
portions of records consist of or include:
(a) Information regarding the infrastructure and security of information systems, including, without limitation:
(1) Access codes, passwords and programs used to ensure the security of an information system;
(2) Access codes used to ensure the security of software applications;
(3) Procedures and processes used to ensure the security of an information system; and
(4) Plans used to reestablish security and service with respect to an information system after security has been breached
or service has been interrupted.
(b) Assessments and plans that relate specifically and uniquely to the vulnerability of an information system or to the
measures which will be taken to respond to such vulnerability, including, without limitation, any compiled underlying
data necessary to prepare such assessments and plans.
(c) The results of tests of the security of an information system, insofar as those results reveal specific vulnerabilities
relative to the information system.
30. New Hampshire
N.H. Rev. Stat. §91-A:5(VI) exempts:
Records pertaining to matters relating to the preparation for and the carrying out of all emergency functions, including
training to carry out such functions, developed by local or state safety officials that are directly intended to thwart a
deliberate act that is intended to result in widespread or severe damage to property or widespread injury or loss of life.
31. New Jersey
N.J. Rev. Stat. §47:1A-1.1 exempts:
Emergency or security information or procedures for any buildings or facility which, if disclosed, would jeopardize
security of the building or facility or persons therein; and security measures and surveillance techniques which, if
disclosed, would create a risk to the safety of persons, property, electronic data or software.
National Conference of State Legislatures
-------�
26
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
32. New Mexico
N.M. Stat. Ann. §14-2-1 exempts:
(8) records that contain tactical response plans or procedures prepared for or by the state or a political subdivision of
the state, the publication of which could reveal specific vulnerabilities, risk assessments or tactical emergency security
procedures that could be used to facilitate the planning or execution of a terrorist attack.
33. New York
N.Y. Pub. Off. Law §47-6-87 allows records to be exempt from disclosure when they:
(a) are specifically exempted from disclosure by state or federal statute;
(f) if disclosed, would endanger the life or safety of any person;
(i) if disclosed, would jeopardize an agency's capacity to guarantee the security of its information technology assets,
such assets encompassing both electronic information systems and infrastructures.
34. North Carolina
N.C. Gen. Stat. §132-1.7 states that "... public records ... shall not include information containing specific details of
public security plans and arrangements or the detailed plans and drawings of public buildings and infrastructure
facilities. Information relating to the general adoption of public security plans and arrangements, and budgetary
information concerning the authorization or expenditure of public funds to implement public security plans and
arrangements, or for the construction, renovation, or repair of public buildings and infrastructure facilities shall be
public records."
35. North Dakota
H.B. 1143, enacted in the 2003 legislative session.
A new section to chapter 44-04 of the North Dakota Century Code is created and enacted as follows:
Security system plan - Exemption.
I. A security system plan kept by a public entity is exempt from the provisions of section 44-04-18 and section 6 of
article XI of the Constitution of North Dakota.
2. As used in this section:
a. "Critical infrastructure" means public buildings, systems, including telecommunications centers and computers,
power generation plants, dams, bridges, and similar key resources, whether physical or virtual, so vital to the state that
the incapacity or destruction of these systems would have a debilitating impact on security, state economic security,
state public health or safety, or any combination of those matters.
b. "Security system plan" includes all records, information, photographs, audio and visual presentations, schematic
diagrams, surveys, recommendations, communications, or consultations or portions of any such plan relating directly
to the physical or electronic security of a public facility, or any critical infrastructure, whether owned by or leased to the
state or any of its political subdivisions, or any privately owned or leased critical infrastructure if the plan or a portion
of the plan is in the possession of a public entity; threat assessments; vulnerability and capability assessments conducted
by a public entity, or any private entity; threat response plans; and emergency evacuation plans.
3. This exemption applies to security system plans received by a public entity before, on, or after the effective date of
this Act.
4. Nothing in this section may be construed to limit disclosure required for necessary construction, renovation, or
remodeling work on a public building. Disclosure under this subsection does not constitute public disclosure.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
27
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
36. Ohio
Ohio Rev. Code §149.011. Definitions.
As used in this chapter:
(A) "Public office" includes any state agency, public institution, political subdivision, or any other organized body,
office, agency, institution, or entity established by the laws of this state for the exercise of any function of government.
Ohio Rev. Code §149.433 Exemption of security and infrastructure records.
(A) As used in this section:
(1) "Act of terrorism" has the same meaning as in section 2909.21 of the Revised Code.
(2) "Infrastructure record" means any record that discloses the configuration of a public office's critical systems
including, but not limited to, communication, computer, electrical, mechanical, ventilation, water, and plumbing
systems, security codes, or the infrastructure or structural configuration of the building in which a public office is
located. "Infrastructure record" does not mean a simple floor plan that discloses only the spatial relationship of
components of a public office or the building in which a public office is located.
(3) "Security record" means either of the following:
(a) Any record that contains information directly used for protecting or maintaining the security of a public office
against attack, interference, or sabotage;
(b) Any record assembled, prepared, or maintained by a public office or public body to prevent, mitigate, or respond to
acts of terrorism, including any of the following:
(i) Those portions of records containing specific and unique vulnerability assessments or specific and unique response
plans either of which is intended to prevent or mitigate acts of terrorism, and communication codes or deployment
plans of law enforcement or emergency response personnel;
(ii) Specific intelligence information and specific investigative records shared by federal and international law
enforcement agencies with state and local law enforcement and public safety agencies;
(iii) National security records classified under federal executive order and not subject to public disclosure under federal
law that are shared by federal agencies, and other records related to national security briefings to assist state and local
government with domestic preparedness for acts of terrorism.
(B) A record kept by a public office that is a security record or an infrastructure record is not a public record under
section 149.43 of the Revised Code and is not subject to mandatory release or disclosure under that section.
(C) Notwithstanding any other section of the Revised Code, a public office's or a public employee's disclosure of a
security record or infrastructure record that is necessary for construction, renovation, or remodeling work on any public
building or project does not constitute public disclosure for purposes of waiving division (B) of this section and does
not result in that record becoming a public record for purposes of section 149.43 of the Revised Code.
37. Oklahoma
Okla. Stat. §51-24A.13.
Records coming into the possession of a public body from the federal government or records generated or gathered as a
result of federal legislation may be kept confidential to the extent required by federal law.
HB 1146, enacted in the 2003 session.
Any state environmental agency or public utility shall keep confidential vulnerability assessments of critical assets in
both water and wastewater systems.
38. Oregon
Or. Rev. Stat. §192.501(23) exempts:
Records or information that would reveal the security measures taken or recommended to be taken to protect:
(a) An officer or employee of a public body;
(b) Buildings or other property used or owned by a public body;
(c) Information processing, communication or telecommunication systems, including the information contained
therein, that are used or operated by a public body; or
(d) Those operations of the Oregon State Lottery the security of which are subject to study and evaluation under ORS
461.180(6).
Or. Rev. Stat. §192.502(8) exempts:
Any public records or information the disclosure of which is prohibited by federal law or regulations.
National Conference of State Legislatures
-------�
28
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
39. Pennsylvania
65 Pa. Cons. Stat. §66.1 states that "public record" does not include "... any record, document, material, exhibit,
pleading, report, memorandum or other paper, access to or the publication of which is prohibited, restricted or
forbidden by statute law or order or decree of court, or which would operate to the prejudice or impairment of a
person's reputation or personal security, or which would result in the loss by the Commonwealth or any of its political
subdivisions or commissions or State or municipal authorities of Federal funds."
40. Rhode Island
R.I. Gen. Laws §46-15.3-5.1 Water supply systems management plans.
(A) All parties involved in the supply, transmission, and/or distribution of drinking water shall prepare, maintain, and
carry out a water supply system management plan as described by this chapter.
R.I. Gen. Laws §46-15.3-7.5.
(a) Municipalities and water suppliers subject to the requirements of § 46-15.3-5.1 of this chapter shall file a copy of all
plans and amendments thereto with the water resources board.
The plans shall be treated as confidential documents. The water resources board shall establish procedures that permit
parties that review the plans under rules adopted by the water resources board to obtain sensitive information essential
to performance of their reviews, including minimum measures necessary to transmit, use, store, and maintain such
sensitive information under conditions that insure its security to the maximum possible. These procedures may include
designation of those persons within each reviewing agency authorized to use or inspect sensitive information, and
exclusion of all others.
41. South Carolina
S.C. Code Ann. §30-4-45. Information concerning safeguards and off-site consequence analyses; regulation of access;
vulnerable zone defined.
(A) The director of each agency that is the custodian of information subject to the provisions of 42 U.S.C.
74l2(r)(7)(H), 40 CFR 1400 "Distribution of Off-site Consequence Analysis Information", or 10 CFR 73.21
"Requirements for the protection of safeguards information", must establish procedures to ensure that the information
is released only in accordance with the applicable federal provisions.
(B) The director of each agency that is the custodian of information, the unrestricted release of which could increase
the risk of acts of terrorism, may identify the information or compilations of information by notifying the Attorney
General in writing, and shall promulgate regulations in accordance with the Administrative Procedures Act, Sections 1-
23-110 through l-23-120(a) and Section 1-23-130, to regulate access to the information in accordance with the
provisions of this section.
(C) Regulations to govern access to information subject to subsections (A) and (B) must at a minimum provide for:
(1) disclosure of information to state, federal, and local authorities as required to carry out governmental functions; and
(2) disclosure of information to persons who live or work within a vulnerable zone.
For purposes of this section, "vulnerable zone" is defined as a circle, the center of which is within the boundaries of a
facility possessing hazardous, toxic, flammable, radioactive, or infectious materials subject to this section, and the radius
of which is that distance a hazardous, toxic, flammable, radioactive, or infectious cloud, overpressure, radiation, or
radiant heat would travel before dissipating to the point it no longer threatens serious short-term harm to people or the
environment.
Disclosure of information pursuant to this subsection must be by means that will prevent its removal or mechanical
reproduction. Disclosure of information pursuant to this subsection must be made only after the custodian has
ascertained the person's identity by viewing photo identification issued by a federal, state, or local government agency
to the person and after the person has signed a register kept for the purpose.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
29
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
42. South Dakota
S.D. Codified Laws Ann. §1-27-1. Records open to inspection — Sale of lists.
If the keeping of a record, or the preservation of a document or other instrument is required of an officer or public
servant under any statute of this state, the officer or public servant shall keep the record, document, or other
instrument available and open to inspection by any person during normal business hours.
S.D. Codified Laws Ann. §1-27-3. Records declared confidential or secret.
Section 1-27-1 shall not apply to such records as are specifically enjoined to be held confidential or secret by the laws
requiring them to be so kept.
43. Tennessee
Tenn. Code §10-7-503(b).
The head of a governmental entity may promulgate rules in accordance with the Uniform Administrative Procedures
Act, compiled in title 4, chapter 5, to maintain the confidentiality of records concerning adoption proceedings or
records required to be kept confidential by federal statute or regulation as a condition for the receipt of federal funds or
for participation in a federally funded program.
HB 2030, enacted in the 2003 session, amends Tenn. Code §10-7-504(a)(2) to " ... [c]larif[y] that utility service
providers' reports identifying areas vulnerable to terrorism or other unlawful disruptions of service are confidential."
44. Texas
Tex. Government Code §552.101.
(b) Information is excepted from the requirements of Section 552.021 if it is information considered to be confidential
by law, either constitutional, statutory, or by judicial decision.
45- Utah
Utah Code §63-2-201 (3) (b) exempts:
Records to which access is restricted pursuant to court rule, another state statute, federal statute, or federal regulation,
including records for which access is governed or restricted as a condition of participation in a state or federal program
or for receiving state or federal funds.
Utah Code §63-2-304 exempts:
(10) records the disclosure of which would jeopardize the life or safety of an individual;
(11) records the disclosure of which would jeopardize the security of governmental property, governmental programs,
or governmental recordkeeping systems from damage, theft, or other appropriation or use contrary to law or public
policy.
46. Vermont
1 Vt. Stat. Ann. §317.
(c) The following public records are exempt from public inspection and copying:
(1) records which by law are designated confidential or by a similar term;
(2) records which by law may only be disclosed to specifically designated persons.
National Conference of State Legislatures
-------�
30
Water Security
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
47. Virginia
Va. Code §2.2-3705. Exclusions to application of chapter.
A. The following records are excluded from the provisions of this chapter but may be disclosed by the custodian in his
discretion, except where such disclosure is prohibited by law:
57. Plans to prevent or respond to terrorist activity, to the extent such records set forth specific tactics, or specific
security or emergency procedures, the disclosure of which would jeopardize the safety of governmental personnel or the
general public, or the security of any governmental facility, building, structure, or information storage system.
HB 2210, enacted in the 2003 session, amends Va. Code 44-146.22 to read:
B. The Governor or agencies acting on his behalf may receive information, voluntarily submitted from both public and
nonpublic entities, related to the protection of the nation's critical infrastructure sectors and components that are
located in Virginia or affect the health, safety, and welfare of the citizens of Virginia. Information submitted by any
public or nonpublic entity in accordance with the procedures set forth in subdivision A 57 of §2.2-3705 shall not be
disclosed unless:
1. It is requested by law-enforcement authorities in furtherance of an official investigation or the prosecution of a
criminal act;
2. The agency holding the record is served with a proper judicial order; or
3. The agency holding the record has obtained the written consent to release the information from the entity
voluntarily submitting it.
48. Washington
Wash. Rev. Code §42.17.310(ww) exempts:
Those portions of records assembled, prepared, or maintained to prevent, mitigate, or respond to criminal terrorist acts,
which are acts that significantly disrupt the conduct of government or of the general civilian population of the state or
the United States and that manifest an extreme indifference to human life, the public disclosure of which would have a
substantial likelihood of threatening public safety, consisting of:
(i) Specific and unique vulnerability assessments or specific and unique response or deployment plans, including
compiled underlying data collected in preparation of or essential to the assessments, or to the response or deployment
plans; and
(ii) Records not subject to public disclosure under federal law that are shared by federal or international agencies, and
information prepared from national security briefings provided to state or local government officials related to domestic
preparedness for acts of terrorism.
49. West Virginia
W.Va. Code §29B-l-4.
That Section four, article one, chapter twenty-nine b of the code of West Virginia, one thousand nine hundred thirty-
one, as amended, be amended and reenacted to read as follows:
Article 1 - Public Records.
§29B-l-4. Exemptions
(a) The following categories of information are specifically exempt from disclosure under the provisions of this article:
(9) Records assembled, prepared or maintained to prevent, mitigate or respond to terrorist acts or the threat of terrorist
acts, the public disclosure of which threaten the public safety or the public health;
(10) Those portions of records containing specific or unique vulnerability assessments or specific or unique response
plans, data, databases, and inventories goods or materials collected or assembled to respond to terrorist acts; and
communication codes or deployment plans of law enforcement or emergency response personnel;
(14) Security or disaster recovery plans, risk assessments, tests, or the results of those tests;
(c) Nothing in the provisions of subdivisions (9) through (16), subsection (a) of this section, should be construed to
make subject to the provisions of this chapter any evidence of an immediate threat to public health or safety unrelated
to a terrorist act or the threat thereof which comes to the attention of a public entity in the course of conducting a
vulnerability assessment response or similar activity.
National Conference of State Legislatures
-------�
Protecting Water System Security Information
31
Appendix A. Specific Statutory Language (continued)
State/
Jurisdiction
Specific Statutory Language
50. Wisconsin
Wise. Stat §19.36 Limitations upon access and withholding.
(1) Application of other laws. Any record which is specifically exempted from disclosure by state or federal law or
authorized to be exempted from disclosure by state law is exempt from disclosure under s. 19.35(1). except that any
portion of that record which contains public information is open to public inspection as provided in sub. (6).
51. Wyoming
Wyo. Stat.§16-4-203 Right of inspection; grounds for denial; access of news media; order permitting or restricting
disclosure; exceptions.
(b) The custodian may deny the right of inspection of the following records, unless otherwise provided by law, on the
ground that disclosure to the applicant would be contrary to the public interest:
(vi) To the extent that the inspection would jeopardize the security of any structure owned, leased or operated by the
state or any of its political subdivisions, facilitate the planning of a terrorist attack or endanger the life or physical safety
of an individual, including:
(A) Vulnerability assessments, specific tactics, emergency procedures or security procedures contained in plans or
procedures designed to prevent or respond to terrorist attacks or other security threats;
(B) Building plans, blueprints, schematic drawings, diagrams, operational manuals or other records that reveal the
building's or structure's internal layout, specific location, life and safety and support systems, structural elements,
surveillance techniques, alarms, security systems or technologies, operational and transportation plans or protocols,
personnel deployments for airports and other mass transit facilities, bridges, tunnels, emergency response facilities or
structures, buildings where hazardous materials are stored, arenas, stadiums and waste and water systems;
(C) Records of any other building or structure owned, leased or operated by the state or any of its political subdivisions
that reveal the building's or structure's life and safety systems, surveillance techniques, alarm or security systems or
technologies, operational and evacuation plans or protocols or personnel deployments; and
(D) Records prepared to prevent or respond to terrorist attacks or other security threats identifying or describing the
name, location, pharmaceutical cache, contents, capacity, equipment, physical features, or capabilities of individual
medical facilities, storage facilities or laboratories established, maintained, or regulated by the state or any of its political
subdivisions.
National Conference of State Legislatures
-------�
-------�
Protecting Water System Security Information
33
Appendix B. Survey of Public Disclosure Requirements and
Protections under State Freedom of Information Acts and Open Record
Laws
1) Are you aware of existing state law that protects drinking water security system information from
having to be made public?
Yes: New Hampshire, North Dakota, Pennsylvania, Vermont
No: Alabama, Minnesota, South Dakota, West Virginia
Not Sure: Montana
2) If yes to question 1,
a) Does the protection apply to vulnerability assessments?
New Hampshire: Yes
North Dakota: Yes
Pennsylvania: Yes
Vermont: Yes
Sanitary surveys?
New Hampshire: No
North Dakota: No
Pennsylvania: No
Vermont: Yes, for future security related information
b) Does the protection apply to publicly owned water systems?
New Hampshire: Yes
North Dakota: Yes
Pennsylvania: Yes
Vermont: Yes
Privately owned water systems?
New Hampshire: Yes
North Dakota: No
Pennsylvania: Yes
Vermont: Yes
c) If you know the statutory citation for the applicable law, please provide it below.
New Hampshire: N.H. Rev. Stat. §91-A
North Dakota: N.D. Cent. Code §44-04
Pennsylvania: 65 Pa. Cons. Stat. §66.1
Vermont: 1 Vt. Stat. Ann. §317(c)(25)
3) If no to question 1, are you aware of proposed legislation to change your state's law to provide
additional protections to water system security information?
Alabama: No
Minnesota: No
South Dakota: No
West Virginia: No
Please add any other comments you feel appropriate to help NCSL better understand your state's law
as it pertains to protecting water system security information.
Alabama: There is a push to modify or amend existing laws to include protection to water system
security information under existing laws; the status of that modification is unknown at this time.
Minnesota: The Minnesota Health Department currently is working with its attorneys to determine
if the state has existing legal authority to withhold locational information from public requests for
information.
National Conference of State Legislatures
-------�
34
Water Security
Montana: The Montana Department of Environmental Quality currently is seeking an opinion from
the Montana attorney general to determine whether protection of this information exists in current
statutes. An opinion is expected soon. (Part five of this report contains additional information
regarding the Montana Department of Environmental Quality's interpretation of its legal standing to
protect water system security information.)
New Hampshire: A procedure is in place for public file review requests. If a particular request seems
suspicious or sensitive in nature, these requests can be forwarded to the New Hampshire attorney
general's office.
Pennsylvania: Pennsylvania's Right-to-Know law has nothing specific relating to water system
security. Section 1 of the law, however, has at least two exemption provisions that may be applicable.
One exemption authorizes the Commonwealth to not provide records "... which would operate to
the prejudice or impairment of a person's ... personal security." The other exemption authorizes
withholding of records "the publication of which is prohibited, restricted or forbidden by statute
law..." The vulnerability assessments mandated by the federal government after September 11,
2001, are covered under the second exemption. If the federal law requiring the water suppliers to
perform those assessments also requires that those assessments not be made available to the public,
Pennsylvania, under its Right-to-Know law, is not required to provide those vulnerability assessments
to the public. Pending legislation (House Bill 1017) relates to development of security criteria that
could result in keeping out of the public domain certain records, maps or other information deemed
necessary for homeland security purposes. The submitting agency has no knowledge regarding future
passage or amendment of the legislation.
South Dakota: The attorney general has developed a task force to examine the issues of public
records and records disclosure. The task group findings will likely address the issue of terrorism
sensitive public records.
Vermont: The statutory section does not specifically list vulnerability assessments or water system
information. It provides general language for the protection of security-related information that
would threaten the safety of people or the security of public property.
National Conference of State Legislatures
-------�
This report was prepared under a subcontract (Task Order Agreement No. 069-NCSL-
1) with the Cadmus Group, Inc. (Cadmus). The U.S. Environmental Protection Agency
(EPA), Drinking Water Academy, provided funding for the subcontract. The National
Conference of State Legislatures (NCSL) would like to thank James Bourne with EPA
and Denise Hawkins with Cadmus for their support in this effort. Any opinions, findings
or conclusions in this report are those of NCSL staff and do not necessarily reflect the
views of Cadmus or EPA.
DRINKING
WATER
ACADEMY
-------�
-------� |