Protecting Vulnerability Assessment and Emergency Response Plans from Unauthorized Disclosure
Under the New York State Sanitary Code (10 NYCRR Part 5-1.33(d)), Water Supply Emergency Response Plans (ERPs) must be made available for public review. State and federal law require that these emergency plans include a Vulnerability Assessment (VA) that must evaluate vulnerability to terrorist attack. By its nature, your VA will contain information that may pose a security risk to the operation of your community water system. Additionally, certain other information normally included in your emergency plan may also pose such risk.
Part 5-1.33(h) provides for exempting security sensitive information contained in your vulnerability assessment and emergency response plan from public disclosure. Information that may have been incorporated into your VA or ERP that can be of a sensitive nature and therefore exempt from public disclosure includes:
- conclusions, recommendations and all other details from vulnerability assessments;
- facility plans and specifications;
- distribution system maps, plans & specifications;
- operational details regarding critical water system functions;
- details of emergency response capabilities and defined response actions;
- security details - cameras, sensors, patrol schedules, response protocols, etc.;
- names and contact information of individuals responsible for system security and emergency response activities, if personal phone numbers are included; and
- other information as requested by the water system under Part 5-1.33(h).
To help improve the ability to protect these sensitive documents, while still providing for meaningful public review, the Department now requires that Vulnerability Assessments (VAs) be bound separately from the emergency response plan so that they can be protected from unauthorized disclosure. However, even with the VA in a separate document, most ERPs may contain sensitive information that could pose a security risk to the operation of the community water system. A water system can achieve information security and public review by structuring its ERP in one of two ways:
- The water system can keep sensitive information within the ERP, and prepare a summary of the ERP for public release (i.e. with all security sensitive information removed). The ERP containing sensitive information should be bound in a separate volume prominently marked "CONFIDENTIAL", "DO NOT COPY" and is not to be subject to public review under Part 5-1.33(d) nor released in response to FOIL requests.
- The water system can separate all security sensitive information into a separately bound "Confidential Appendix" to the ERP that is prominently marked "CONFIDENTIAL", "DO NOT COPY". The volume binding the Confidential Appendix is not to be subject to public review under Part 5-1.33(d) nor released in response to FOIL requests.
In either case, the water system is to include a separately bound Vulnerability Assessment, also marked "CONFIDENTIAL", "DO NOT COPY", that includes analysis of vulnerability to terrorist attack and sabotage.
All revisions and resubmittals of vulnerability assessments and emergency response plans from this time forward should be structured as described above. Until they are revised, existing versions of these documents should not be made available to the public unless you have first deleted or blacked out security sensitive information.
The Department is implementing strict new document protection protocols to protect copies of sensitive documents that are submitted to State, County and City Health Departments as part of each water system's emergency response planning requirements. These protocols include secure storage of documents, access limited to authorized staff, destruction of drafts and duplicates, and protection from public release. The Department strongly encourages each water system, including its governing body (e.g. Village, Town), to implement similar document protection protocols.
The Department recommends that distribution of your ERP be limited to water system personnel, local law enforcement, local emergency management offices, essential governing officials, and the state and local health departments. Make sure that anyone receiving a copy of these documents knows that they are to be kept physically secured and confidential, and are not to be copied or otherwise redistributed.