Mr. N. Wayne Ruthven, Director Mr. Doug Elkins State Homeland Security Adviser Executive Chief Information Officer Ark. Dept. of Emergency Management Office of Information Technology Post Office Box 758 124 West Capitol, Suite 990 Conway, Arkansas 72033-0758 Little Rock, Arkansas 72201Dear Mr. Ruthven and Mr. Elkins:
I am writing in response to your joint request for an opinion on whether the State's "disaster recovery planning system database" is protected from public disclosure under Act 1366 of 2003, or any other act, law or regulation. You state the following as background information for this question:
Under the "Homeland Security Information Act" (Arkansas Act 1366 of 2003), government data disclosure which would be likely to substantially jeopardize the security of information within threat assessments, plans, operational policies or procedures for the purpose of preventing, investigating, or responding to a catastrophic event, may be withheld from public disclosure for the purpose of preventing acts of terrorism. The Arkansas Department of Emergency Management and the Office of Information Technology believe that the State's disaster recovery planning system database holds "security information" within the meaning of Act 1366 of 2003.
* * *
The information and planning contained in the plans within this database provides a roadmap to any individual or group wishing to take advantage of instances where business operations are disrupted to further harm or disable the State's ability to maintain operations. The plans document state agency strategies, required resources (including but not limited to non-public contact information on agency personnel), and incident recovery procedures. Specifically, a Continuity of Operations Plan provides an analysis of the threats and vulnerabilities the agencies face. It detail[s] the risks the agencies are mitigating (and in what way) along with the risks that remain unmitigated. This information would be useful to those planning to tamper with or improperly use agency information or cause physical injury to property or persons. The plans identify key employees and their role in the event of an incident. Access and use of such information either prior to or in response to an incident poses substantial risk to information, persons, and property of Arkansas and therefore is being classified as security information.
The use of this database for purposes other than planning by state agencies is restricted to data analysis for projects which will improve the overall preparedness of the State. The database will also be use[d] by the Office of Information Technology for analysis which will improve state government operations and services.
You therefore ask "whether . . . the information held within the State's disaster recovery planning system database is protected from public disclosure under Act 1366 of 2003, or any other act, law, or regulation."
RESPONSE
The answer to your question will obviously require a factual review of the information contained in the database you describe. I cannot, from a bare description of the information contained in the database, determine whether any or all of it is shielded from public inspection under Act 1366 of 2003 or any other law. It may well be that substantial portions of the database qualify for exemption under Act 1366 or other law. It is impossible to determine the issue without reference to the database's substance. Initial conclusions about the public nature of information in the database should be made by the affected agencies, with the advice of their appointed counsels. Ultimate conclusions, of necessity, must be made by a court conducting an in camera review. I have set out below a discussion of Act 1366 of 2003, which may be of help in addressing the points you raise.
As you note, Act 1366 of 2003 contains provisions exempting certain types of information from public disclosure. This Act may therefore operate to shield from public inspection records that would otherwise be available to the public under the Arkansas Freedom of Information Act ("FOIA") (A.C.A. §§ 25-19-101 to -109) (Supp. 2005).1 Act 1366 is uncodified, but appears as a "note" at the beginning of A.C.A. § 12-75-subchapter 1. (Supp. 2005).2 The Act exempts from public disclosure three categories of information and contains three salient definitions.
The three categories of information exempted are as follows:
. . . threat assessments, plans, operational policies or procedures, and training developed or maintained by any emergency service agency for the purpose of preventing, investigating, or responding to a catastrophe or use of weapons of mass destruction. . . .
Any document or information received by an emergency service agency from an agency of the United States government, another state, or its political subdivisions that is not subject to disclosure under the laws governing the source agency. . . .
Investigative files of emergency services agencies relating to a catastrophe or use of a weapon of mass destruction. . . .
Act 1366, § 3(a)(1), (2) and (3).
The first category of records (threat assessments, etc.), is not subject to public disclosure unless disclosure "is determined in the best public interest by the head of the emergency service agency." Id. at (a)(1). Release of the second category of information (documents received from certain other sources) depends upon the law of the sending jurisdiction.Id. at (a)(2). The third category of records (investigative records relating to a catastrophe or the use of a weapon of mass destruction), are not subject to public disclosure until after "final adjudication."Id. at (a)(3).
Rather than exempting some broadly-defined concept of "security information" as your request for an opinion implies, the exemptions to public access in the act are specific and limited. The words "security information" do not appear anywhere in the text of Act 1366. These words only appear in the title of the Act ("The Homeland Security Information Act"). The title of an act is not part of the law, but may be referred to only to ascertain the intent of the General Assembly in the case of an ambiguity in the act. Routh Wrecker Service, Inc. v. Wins, 312 Ark. 123,847 S.W.2d 707 (1993); and Plugge v. McCuen, 310 Ark. 654, 841 S.W.2d 139 (1992). In my opinion, therefore, in order for information in the "State's disaster recovery planning system database" to be exempt from public disclosure, the information contained therein must fit within one of the three listed categories above or be exempted by some other law or regulation.
The Act provides some pertinent definitions of the terms used in the above three categories of exempted information, which must be referenced in determining whether information in the database fits within the exemptions.
"Catastrophe" means a man-made event that causes disastrous property damage, death, or serious physical injury to multiple people by explosion, fire, flood, avalanche, collapse of a building, distribution of poison, radioactive material, bacteria, virus, or other dangerous and difficult to confine force or substance;
"Emergency service agency" means an agency or department of the State of Arkansas3 or any county or city that has first responder or investigative responsibilities in the event of a catastrophe or use of a weapon of mass destruction; and
"Weapon of mass destruction" means an explosive, chemical, radioactive, or biological agent, or any other substance or device capable of causing extensive property damage, death, or serious physical injury to multiple persons in a single act or series of acts.
Act 1366, § 2(1), (2) and (3) (emphasis added).
As you will note, the definition of "catastrophe" is limited to "man-made" events. This becomes relevant for purposes of the first category of records exempted from public disclosure under Act 1366 (i.e., "threat assessments, plans, operational policies or procedures, and training developed or maintained by any emergency service agency forthe purpose of preventing, investigating, or responding to a catastrophe or use of weapons of mass destruction"). (Emphasis added.) Act 1366 shields such assessments, plans, policies and procedures or training to the extent they are developed or maintained for the purpose of preventing "man-made" catastrophes or use of weapons of mass destruction.
I am uncertain whether the information in the "State's disaster recovery planning system database" contains information regarding both natural and man-made disasters and if so, whether the information is in some way segregated or reasonably segregable such that portions of the database would be exempt under Act 1366 and others would not. See e.g., A.C.A. §12-75-110(a) (requiring the Arkansas Department of Emergency Management to prepare and maintain a "state disaster plan") and A.C.A. §12-75-103(3) (defining "disaster" as including those caused by "natural forces" or by "enemy attack, or any other means"). Again, your question may not be answered in the abstract without scrupulous reference to the information contained in the database. This will involve a factual inquiry that is beyond the scope of an official Attorney General's opinion. I am not empowered as a fact-finder in my issuance of official opinions. As stated earlier, initial conclusions about the public nature of specific information in the database should be made by the affected agencies, with the advice of their appointed counsels. Ultimate conclusions, of necessity, must be made by a court conducting an incamera review. See e.g., Johninson v. Stodola, 316 Ark. 423,872 S.W.2d 374 (1994) (where testimony only presented an overview of the records and the dangers that might result from disclosure, but the scope of those files and what information comprised them was left vague and undefined, it was incumbent on the trial court to determine whether an exemption applied, which could be done only by reviewing the relevant information in question).
As for whether any other "act, law, or regulation" would support the confidentiality of the information in the database, again, I cannot analyze this issue in the abstract, without specific reference to the particular information.
Deputy Attorney General Elana C. Wills prepared the foregoing opinion, which I hereby approve.
Sincerely,
MIKE BEEBE Attorney General
MB:ECW/cyh
1 The FOIA states in pertinent part that "[e]xcept as otherwise specifically provided by this section or by laws specifically enacted to provide otherwise, all public records shall be open to inspection and copying. . . ." A.C.A. § 25-19-105(a)(1)(A) (Supp. 2005).
2 The Act is presumably uncodified because at the time of its adoption, it contained a "sunset" clause, which mandated the expiration of the Act on July 1, 2005. The Arkansas Code Revision Commission typically does not codify "temporary" language. See A.C.A. §1-2-303(e)(2)(L) (Supp. 2005). The Act was extended, however, by Act 1823 of 2005, until July 1, 2007.
3 Act 1823 of 2005 added the language "the State of Arkansas or" in the sentence. Previous law defined such agencies as including only agencies or departments of "any county or city."