FOIA: Everything You Ever Wanted to Know (But Were Afraid to Ask)

For corporate America, a new exemption to the Freedom of Information Act is a comforting notion—but one that's vastly misunderstood. Here's what FOIA is and what it isn't.

1 2 Page 2
Page 2 of 2

"The concern that we see expressed is that we're trying to cover something like the accidental release of chemicals," says Bobby R. Gillham, manager of global security for ConocoPhillips and a liaison between the government and the oil and natural gas industry. "That's not what we're talking about at all. The only exemptions are just in the critical infrastructure and just in that narrow range of vulnerability, threats and incidents."

David Sobel, general counsel for the Electronic Privacy Information Center, sees it differently. He says that the FOIA exemption is a red herring, and that the real issue is the possibility that voluntarily submitted information couldn't be used in litigation. "It's all about accountability," he says. "It's about whether security flaws will ever be made public and whether the government or other interested parties would have the ability to seek corrective action against companies that are negligently ignoring security concerns."

Even if the FOIA exemption doesn't become law this year, the debate has clearly shifted from whether the FOIA exemption should become reality to exactly what form it should take. It's unlikely that President Bush would fail to approve the exemption because the Bush administration has encouraged agencies to give requesters only the bare minimum of required information. (In fact, author Foerstel believes that in some ways, the manner in which exemptions are written is less important than the administrative guidelines issued by the attorney general on how to treat FOIA requests. "With [Attorney General John] Ashcroft, his frame of mind is basically, don't give them anything," Foerstel says. "His guidelines are very strong in the direction of discouraging the release of information.")

Whatever final form the exemption takes, there's no way to know if it will actually improve information sharing or just change the reasons companies are reluctant to talk to the government about security. "We've been building relationships and procedures, so the technical ability to share information is there," says MassMutual's Bonsall, a member of the Partnership for Critical Infrastructure Security, which includes both federal agencies and critical infrastructure companies. "We have to get beyond the apprehension, and some exemptions from FOIA will help with that."

But will it open the floodgates? "Absolutely not," he says. "[Building trust] is an ongoing process. It just doesn't start and stop."

Copyright © 2002 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies