Protecting Vulnerability Assessment and Emergency Response Plans from Unauthorized Disclosure

Your Water Supply Emergency Response Plan (WSEP) consists of an Emergency Response Plan (ERP) and a Vulnerability Assessment (VA). Under the New York State Sanitary Code (10 NYCRR Part 5-1.33(d)), the WSEP must be made available for public review. State and federal law require that the VA evaluate vulnerability to terrorist attack and cyber attack. By its nature, your VA will contain information that may pose a security risk to the operation of your community water system. Additionally, certain other information normally included in your ERP may also pose such a risk.

Part 5-1.33(h) provides for exempting security sensitive information contained in your vulnerability assessment and emergency response plan from public disclosure. Information that may have been incorporated into your VA or ERP that can be of a sensitive nature and therefore exempt from public disclosure includes:

  • conclusions, recommendations and all other details from vulnerability assessments;
  • facility plans and specifications;
  • distribution system maps, plans & specifications;
  • operational details regarding critical water system functions;
  • details of emergency response capabilities and defined response actions;
  • security details - cameras, sensors, patrol schedules, response protocols, etc.;
  • names and contact information of individuals responsible for system security and emergency response activities, if personal phone numbers are included; and
  • other information as requested by the water system under Part 5-1.33(h).

To help improve the ability to protect these sensitive documents, while still providing for meaningful public review, the Department now requires that Vulnerability Assessments (VAs) be bound separately from the emergency response plan so that they can be protected from unauthorized disclosure. However, even with the VA in a separate document, most ERPs may contain sensitive information that could pose a security risk to the operation of the community water system. A water system can achieve information security and public review by structuring its ERP in one of two ways:

  • The water system can keep sensitive information within the ERP, and prepare a summary of the ERP for public release (i.e. with all security sensitive information removed). The ERP containing sensitive information should be bound in a separate volume prominently marked "CONFIDENTIAL", "DO NOT COPY" and is not to be subject to public review under Part 5-1.33(d) nor released in response to FOIL requests.
  • The water system can separate all security sensitive information into a separately bound "Confidential Appendix" to the ERP that is prominently marked "CONFIDENTIAL", "DO NOT COPY". The volume binding the Confidential Appendix is not to be subject to public review under Part 5-1.33(d) nor released in response to FOIL requests.
  • In either case, the water system is to include a separately bound Vulnerability Assessment, also marked "CONFIDENTIAL", "DO NOT COPY", that includes analysis of vulnerability to terrorist attack, cyber attack and sabotage.

The Department has implemented strict new document protection protocols to protect copies of sensitive documents that are submitted to State, County and City Health Departments as part of each water system's emergency response planning requirements. These protocols include secure storage of documents, access limited to authorized staff, destruction of drafts and duplicates, and protection from public release. The Department strongly encourages each water system, including its governing body (e.g. Village, Town, etc.), to implement similar document protection protocols.

The Department recommends that distribution of your ERP be limited to water system personnel, local law enforcement, local emergency management offices, essential governing officials, and the state and local health departments. Make sure that anyone receiving a copy of these documents knows that they are to be kept physically secured and confidential and are not to be copied or otherwise redistributed.