When dealing with a governmental entity it is important to account for the possibility that information shared with that entity may be subject to disclosure under state and/or federal open records acts (e.g
., the federal Freedom of Information Act
or state public information acts; collectively “PIAs”). In Texas, for example, the Public Information Act
(the “Texas PIA”) provides that information that is written, produced, collected, assembled, or maintained under a law or ordinance or in connection with the transaction of official business by or for a governmental entity is subject to disclosure upon request. PIAs typically provide important exceptions to public disclosure requirements for certain types of information about private entities, including, as may be applicable, competitive or bidding information, trade secrets, and commercial or financial information. Appropriately contracting and dealing with governmental entities will allow for the greatest possible protection of information shared.
Of particular concern in the PIA context is competitors’ or adverse parties’ ability to obtain information about a private entity that was shared with a public entity subject to a PIA. There are methods to protect against these abuses and certain steps may be taken to reduce the chance that information could be prematurely released.
PIA-related issues may also arise where a private entity is required to provide personal information to a governmental entity, as may the case where a governmental agency examines an entity’s books and records in connection with an engagement. As demonstrated in the Texas Attorney General’s Public Information Handbook 2014, a number of exemptions may be applied to exclude personal information from PIA requirements (including: Social Security numbers, certain e-mail addresses, information about public officials and peace officers, student information protected by federal statute, payment card information, information held by municipalities about minors, and information concerning “the most intimate aspects of human affairs”). Private entities should carefully limit information they share with public entities to that which is minimally necessary, develop a clear and documented understanding of the exclusions from PIA disclosure requirements applicable to that information, and appropriately designate those types of information when disclosed to governmental entities.
Further, as private entities increasingly implement programs to protect critical information, detailed documentation of their information security measures itself becomes more of a concern. In the wrong hands, such information may well act as a road map for hackers, and that exact type of information may be subject to regulatory examination or disclosure requirements. The sensitivity of such information has been recognized in the context of information relating to governmental entities; for example, the Court of Appeals for the District of Columbia Circuit has held that information relating to certain Department of Homeland Security practices relating to telecommunications handling issues is not subject to requests under the Freedom of Information Act, and California’s PIA excludes public entities’ “information security” records from its disclosure requirements if disclosure might reveal vulnerabilities. The law is not clear cut as to exclusions that may be available for information security materials of private entities, but there is no good reason why such information should not be protected from public disclosure. As with personal information, private entities should carefully limit disclosure of information, document agreements with respect to PIA treatment of that information, and appropriately designate materials to provide for the greatest possible protection from PIA disclosures.
In any case, private companies that wish to protect information must be prepared to act quickly. For example, upon receipt of a request under the Texas PIA, a governmental entity must promptly produce the public information or within 10 days seek an attorney general decision on whether exceptions apply to the requested information. In many instances a government employee will not know whether certain information is confidential and should be protected, unless it is appropriately and clearly marked as such when provided to the governmental entity. Governmental entities may defer to the private entity’s designation and refrain from releasing the marked documents without first seeking an attorney general decision.
A sample provision governing PIA-treatment of information is provided as follows:
|[PRIVATE ENTITY] acknowledges that all information provided to the [PUBLIC ENTITY] is subject to the [APPLICABLE PIA]. The [PUBLIC ENTITY] cannot guarantee that information received from [PRIVATE ENTITY] will remain confidential if a request for such information is made under the [APPLICABLE PIA]. However, in the event that the [PUBLIC ENTITY] receives a request for any of the information provided by [PRIVATE ENTITY] that is clearly marked confidential or proprietary (or otherwise sensitive and protected), then the [PUBLIC ENTITY] shall notify [PRIVATE ENTITY] in writing in accordance with the requirements of the [APPLICABLE PIA] and will, if requested by [PRIVATE ENTITY], ask for a decision from the Open Records Division of the Office of the Attorney General regarding whether the information may be excepted from disclosure under the [APPLICABLE PIA]. The [PRIVATE ENTITY] bears the burden of demonstrating to the satisfaction of the Attorney General’s Office that the information relates to a [TYPE OF INFORMATION EXCLUDED FROM DISCLOSURE REQUIREMENTS] that the disclosure of such would cause substantial competitive harm to the [PRIVATE ENTITY].
It is important to keep an eye on statutory deadlines surrounding a request under the PIA. Attorneys General strictly enforce the deadlines set forth in the statue. Upon notification of a PIA request, quickly securing counsel and preparing an argument asserting the relevant exceptions is critical in order to maintain the confidentiality of your sensitive and protected information.
Brian O’Reilly is an Associate in Locke Lord’s Austin office. He can be reached at firstname.lastname@example.org.