Contributing Lawyers

Canada

Cyndee Todgham Cherniak

United States

Susan Kohn Ross

Australia

Andrew Hudson



Homeland Security and the Private Sector

Originally published by the Journal of Commerce

On March 3 and 4, 2010, the American Bar Association’s 5th Annual Homeland Security Conference was held in Washington, D.C. This year’s program had a number of high level speakers, many of whom had served in the Bush Administration. In fact, President’s Obama’s Deputy National Security Advisor for Homeland Security and Counter Terrorism was among them.. While it was understandable that much of the focus continues be on terrorism and other government, military and law enforcement functions, including preparedness, what was surprising is the lack of attention when it comes to the private sector and business continuity. Yes, there was acknowledgment that trade exists. In fact, one familiar speaker was Jayson P. Ahern, the now retired Acting Commissioner of Customs, who spoke about security as it relates to ocean transportation. There was even some passing acknowledgment that TSA is on course to implement 100% scanning by August 3, 2010 of all cargo being loaded on passenger aircraft. There was also recognition that about 85% of all the critical infrastructure in the U.S. is in private hands, but that’s about it, but for one very seriously disturbing topic – PS-Prep.

Public Law 110-53, Section 523 contains provisions for a "voluntary" program called Public Sector Preparedness or PS-Prep. DHS has delegated development of the program to FEMA since its focus is preparedness, but in the law, DHS is tasked with consulting with the private sector to "develop guidance or recommendations and identify best practices to assist or foster action by the private sector" regarding "(1) identifying potential hazards and assessing risks and impacts; (2) mitigating the impact of a wide variety of hazards, including weapons of mass destruction; (3) managing necessary emergency preparedness and response resources; (4) developing mutual aid agreements; (5) developing and maintaining emergency preparedness and response plans, and associated operational procedures; (6) developing and conducting training and exercises to support and evaluate emergency preparedness and response plans and operational procedures; (7) developing and conducting training programs for security guards to implement emergency preparedness and response plans and operations procedures; and (8) developing procedures to respond to requests for information from the media or the public."

Read literally, this law requires that every business in America develop a plan to deal with identifying and managing hazards and implementing preparedness plans. This might seem a desirable idea on its face. After all, every company wants to quickly get back to business after an incident. But in the case of this law, its provisions are vague in nature, leaving the final decisions for down the road, but fortunately mandating private sector input. DHS has yet to significantly increase the number of private sector advisory groups, so will this input come from notice and comment, or can we expect a meaningful dialog? From experience, we all know how the government develops standards – it is generally a very painful process that typically results in vague and not particularly practical guidelines. Perhaps more questionable is that an accreditation program is called for that demands third party certification. Oh, and by the way, even though no standards have yet been set, DHS has already designated the certifying agency – ANSI-ASQ. So, guess which entity will have a major influence over the standards-setting? For international traders, all that good work in setting up C-TPAT or any other internal security program could go out the window because this third party decides your program is not good enough to meet the standards, whenever they are articulated!

We have heard repeatedly from government officials in both the Bush and Obama Administrations that heightened security efforts by the private sector should be accomplished through voluntary programs. In fact, the lack of regulations is one of the biggest criticisms of C-TPAT. When it comes to dealing with the actions of companies regarding security, only the chemical industry has been hit with regulations, the Chemical Facility Anti-Terrorism Standards. Yes, there are regulations dealing with advance manifest reporting, the Importer Security Filing, and the like, but they arise in the context of an effort at either moving goods or getting them released under government oversight. When it comes to how companies themselves function, we have the C-TPAT and FAST standards, but nothing formally binding on either the government or companies. So, if you are in an industry for which standards are finally set and you chose to not adopt those standards or change them, when an event occurs, you will likely quickly find yourself on the nasty end of a lawsuit with a resulting sizable damage award against you. One only has to look at the judgment entered in the post-Towers destruction World Trade Center civil suit. In the end, the jury found the Port Authority significantly more liable than the terrorists (68 v 32)! Why? Because the Port Authority had done vulnerability assessments and, in the eyes of the jury, did not take adequate steps to address the short-comings identified! Will the same fate await any company which deviates from the PS-Prep standards in its industry?

For more information about PS-Prep, see

www.fema.gov/privatesector/preparedness/index.htm. Congress has enacted yet another law with the best of intentions, but having no idea how much damage could be done to companies of all sizes. Other than mandating some level of private sector input, there is no further guidance to DHS. While emergency preparedness is a prudent step for all companies to take, and the PS-Prep standards are supposedly going to be stylized to each industry and set with significant private sector input, you can bet there will be significant hurdles with clarity and implementation, and then there is the certification and auditing process. This sort of effort is not what industry had in mind when it asked the government what it was going to do regarding business continuity/recovery.

Leave a Reply

remember my information