HOW TO AVOID HAVING SENSITIVE DISASTER RECOVERY INFORMATION

HOW TO AVOID HAVING SENSITIVE DISASTER RECOVERY INFORMATION RELEASED UNDER PIA By Ryan Henry Law Offices of Ryan Henry, PLLC 1380 Pantheon Way, Suite 215 San Antonio, Texas 78232 Phone: 210 -257 -6357 Facsimile: 210 -569 -6494

Town of Murphy’s Law

City Manager Arthur “Art” I. Right

City Engineer Dexter “Dex” Aster

April 1, 2013 Natural Disaster

Water System Failures

Just fix it – darn it!

After long hours of work, Dex gets the system fixed 1. Evaluated what went wrong 2. Evaluated vulnerabilities to other natural disasters 3. Fixed problems but noted existing and new vulnerabilities 4. Proposed and implemented protections and backups

Then comes the PIA from Natasha “Nosey” Buttinsky- Reporter

Sensitive Information

City Attorney and AG Must release

Mr. Right promptly has a heart attack

After being revived-

Homeland Security Act • § 418. 177. Confidentiality of Certain Information Relating to Risk or Vulnerability Assessment • Information is confidential if the information: • (1) is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, or investigating an act of terrorism or related criminal activity; and • (2) relates to an assessment by or for a governmental entity, or an assessment that is maintained by a governmental entity, of the risk or vulnerability of persons or property, including critical infrastructure, to an act of terrorism or related criminal activity.

• § 418. 181. Confidentiality of Certain Information Relating to Critical Infrastructure • Those documents or portions of documents in the possession of a governmental entity are confidential if they identify the technical details of particular vulnerabilities of critical infrastructure to an act of terrorism.

• § 418. 176. Confidentiality of Certain Information Relating to Emergency Response Providers • (a) Information is confidential if the information is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism or related criminal activity and: • …. • (2) relates to a tactical plan of the provider; or • (3) consists of a list or compilation of pager or telephone numbers, including mobile and cellular telephone numbers, of the provider.

• § 418. 179. Confidentiality of Certain Encryption Codes and Security Keys for Communications System • (a) Information is confidential if the information: • (1) is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, or investigating an act of terrorism or related criminal activity; and • (2) relates to the details of the encryption codes or security keys for a public communications system. • (b) This section does not prohibit a governmental entity from making available, at cost, to bona fide local news media, for the purpose of monitoring emergency communications of public interest, the communications terminals used in the entity’s trunked communications system that have encryption codes installed.

• § 418. 182. Confidentiality of Certain Information Relating to Security Systems • a) Except as provided by Subsections (b) and (c), information, including access codes and passwords, in the possession of a governmental entity that relates to the specifications, operating procedures, or location of a security system used to protect public or private property from an act of terrorism or related criminal activity is confidential. • (b) Financial information in the possession of a governmental entity that relates to the expenditure of funds by a governmental entity for a security system is public information that is not excepted from required disclosure under Chapter 552.

AG Opinion (not a ruling) • The fact that information may relate to a governmental body’s security measures does not make the information confidential. See Open Records Decision No. 649 at 3 (1996) • The mere recitation of a statute’s key terms is not sufficient to demonstrate protection.

• A governmental body asserting one of the confidentiality provisions of the Texas Homeland Security Act must adequately explain how the responsive records fall within the scope of the claimed provision. See Gov’t Code § 552. 301(e)(1)(A) (SUBJECTIVE OPINION OF ASSISTANT AG ASSIGNED TO YOUR CASE) • Public information is not rendered confidential merely because it can be combined with other information or knowledge to reveal confidential information

Subjective AAG Review

Not adequately explained • Failed to establish how air filtration systems to dispel bio toxins from research area is a critical infrastructure (must release) • How bio toxins can be used as a weapon (must release) • Exterior elevations, the landscape plan, and the tree survey in relation to location of water utility points (must release) • Water system assessment which was not comprehensive • Three sentence overradaction

Adequately explained • Electronic backup for billions of commercial transactions. Supported by report issued by the U. S. Securities and Exchange Commission • Waste water infrastructure, with explanations of exact locations, type of equipment, and types of weaknesses which could be exploited. • Vulnerability assessment - the facility’s power sources, communication feeds, utility and drainage routes, and other critical access points. • Specifications of the security system that record DVDs

Example and Tips • Detail the problems and failures with the utility and the exact locations where the system has been identified as faulty or ineffective. (Add a few sentences of criminal element vulnerability) • Detail the location, type of equipment, power source, operating procedures, and security positions. No. OR 2004 -5654 (2004) • Note you are conducting a vulnerability assessment for your disaster purpose AND assessment to identify vulnerabilities to the criminal element.

No release if properly identified at front end

Know better for the next disaster – The End