“Homeland Security and Your Business”

Remarks By
Dick Thornburgh
Former Attorney General of the United States
Counsel, Kirkpatrick & Lockhart LLP

To The North-Central Regional Conference of the Risk and Insurance Management Society, Inc.

Tuesday, October 19, 2004
Pittsburgh, Pennsylvania

It is a pleasure to be participating in this Regional RIMS Conference, and for those of you visiting from other states, let me first welcome you to my home town of Pittsburgh. I am here today to share with you some thoughts regarding issues of homeland security in the post-9/11 world and to talk about the challenges that businesses and other private organizations around the country are facing in this era of heightened concern about terrorism.

There can be little doubt that the events of September 11, 2001 have changed the way Americans think about the world and the way we do business here and abroad. September 11th was a watershed moment. It demonstrated that America is vulnerable and susceptible to terrorist attacks within our own borders. And while earlier events of terrorism, both domestic and foreign, including the bombing of the federal building in Oklahoma City and the earlier attack on the World Trade Center, may have opened the eyes of many to our vulnerability, the sheer magnitude of the loss of life and property on that fateful September day sent a chilling wake-up call that action must be taken at all levels to try to prevent another 9/11 from happening.

In response to the events of 9/11, our government has taken action, encompassed by initiatives at the federal, state and local level. As one might expect, the effort by the federal government has been the most far-reaching.
Just six weeks after the terrorist attacks, President Bush signed into law the USA Patriot Act, officially described as an act “to deter and punish terrorist attacks in the United States and around the world [and] to enhance investigatory tools.” One year later, on November 25, 2002, President Bush signed into law the Homeland Security Act of 2002, creating a new federal agency, the Department of Homeland Security, which has over 180,000 employees and which is involved in everything from assessing the vulnerability of chemical plants to checking your bags at the airport to assuring “cyber security.”

Although the Patriot Act and the creation of the DHS are perhaps the two highest profile legislative enactments that can trace their origins to 9/11, many other less publicized pieces of legislation were also enacted; existing legislation was also strengthened and new regulations have been implemented by the federal government – all to combat the risk of another terrorist attack. This new legislative and regulatory regime has forced many industries to change business practices in order to be “compliant”.

In addition to making changes to comply with these new laws, many corporations and other organizations have taken it upon themselves to reexamine their business practices and have altered them where necessary to respond to the heightened risks of terrorist activity. And so it is against this backdrop that I would like to discuss some of the challenges that the private sector faces today in this post-9/11 world.

Many of you may have seen the article on the front Business Page of Sunday’s New York Times estimating that private sector outlays for antiterrorism measures and to guard against other forms of violence may now be as much as $40 to $50 billion a year, two to three times higher than the annual rate before 9/11. The federal government’s contribution has also passed $40 billion, double what it was prior to 9/11. But it’s more than just the dollars involved.
It’s time and effort as well. Foremost among the issues upon which corporate officers and risk managers now must spend an increasing amount of time and effort are: (1) providing physical security for the company’s employees and facilities; (2) complying with new government laws and regulations relating to homeland security; and (3) voluntarily cooperating with government in the global fight against terrorism, particularly with regard to sharing corporate information that the government believes will be helpful in that fight.

With respect to security issues, it is worth observing that, almost overnight, security issues facing corporate America went from the backroom to the boardroom as companies were forced to confront their newly-realized vulnerabilities in the wake of 9/11. Before 9/11, security was principally viewed as a “cost center” that tended to attract the most attention during budgeting time, with thoughtful and well-intentioned corporate managers questioning whether all of the costs being incurred were really necessary. For many businesses, in the pre-9/11 era, corporate security focused primarily on the protection of property and premises to deal with such localized risks as theft and vandalism.

Some more enlightened companies, particularly those with a multi-national presence, had begun to think of security operations as requiring something beyond being a simple extension of local law enforcement. Many of these companies created corporate security officers—though these people generally were not viewed within the organization as indispensable members of the company’s management team.

Of course, the events of 9/11 profoundly changed the way many businesses currently view security issues.
With the mandate now to guard against loss of life and business disruption—if not business destruction—corporate security no longer is viewed as a luxury expense or cost center, but rather it is viewed as an essential area within which the organization’s continued viability may be at stake. With this new mind-set, it is not surprising that many companies have created or enhanced their security capabilities and have designated skilled individuals to oversee this effort. In fact, many of the larger companies have elevated so-called “security officers” to higher levels within the organization and have brought them into the upper levels of corporate strategy and planning.

The role of security in facilitating corporate governance is also beginning to demonstrate its worth. As companies implement strong strategic risk management, they find they can achieve improved control of other types of risks that can adversely impact their overall value. So, by avoiding incidents of loss through good strategy and planning, corporations are delivering stronger results to their shareholders.

No doubt the specific challenges of addressing these new-world security issues will vary among those of you participating in this conference, given that you represent many different industries and sectors of our economy. In fact, even within the same industry, the locale and geographical reach, as well as the size of a company’s business operations, will cause security issues to be considered and solutions implemented in varying ways. Nevertheless, no matter what industry one comes from, in order to meet the security challenges facing us today, those who lead today’s organizations have a responsibility to analyze the risks that pose the greatest threats to their companies and to formulate plans to minimize those risks.

In undertaking such an analysis, many businesses have focused on trying to identify what “risk events” they are trying to guard against.
For example, a nuclear power company may be concerned about the potential for the release of hazardous radioactive material into the environment as a result of a terrorist event taking place at one of its facilities. A financial services or internet provider company, on the other hand, may be concerned about the potential consequences of a terrorist attack that may cripple its computer networking and data storage facilities. Whatever those unique “risk events” are, once they are identified, corporate managers must undertake to determine what are the probabilities of such an event occurring, and if so, what are the likely consequences of such an occurrence.

In tandem with this analysis, each company will have to ask itself some fundamental questions including: (1) What assets does the company most want to protect? (2) What can the company do about protecting those assets from foreseeable risks? (3) How much will it cost to protect those assets? (4) How does the company go about implementing its protection plan? and (5) Who will lead that effort? The answers to these questions must then be viewed through the prism of risk tolerance, i.e., what is the organization’s appetite for risk.

At the end of the day, those organizations that will be best suited to withstand another terrorist attack are those which have conducted a systematic analysis of their own vulnerabilities; which have implemented and tested preventive and detective controls to manage the new security risks; and which have established a disaster response and crisis management team (for their employees, customers and suppliers) that is ready to act in the event of an emergency.

By anticipating and planning for the risks of terrorism, companies should be able to take account of and plan against other types of risks that, while not likely the results of terrorism, nevertheless place the assets and operations of a company in jeopardy.
For example, helping protect against outside terrorist intrusions also helps make a company more secure against the possibility of internal thefts or improper conduct by disgruntled employees. The overall impact of these results can add additional value to a company’s homeland security effort.

In analyzing security issues, corporate managers should be mindful of legal issues that will crop up along the way. Let me give you some examples:

1. If your company is conducting a vulnerability assessment of its physical plant and facilities—and particularly if that assessment is reduced to writing—can that assessment be used against you in a legal proceeding if the company fails to implement security recommendations called for by the assessment and later such failure results in injury to persons or property?

2. If your company is instituting tighter background checks and investigations of current or potential new employees, or current or potential new customers, are you properly respecting the privacy rights of those individuals?

3. If your company is imposing new requirements on foreign vendors and suppliers to help ensure the safety of their materials and the uninterrupted flow of those materials in the event of a terrorist incident, do those new requirements infringe on any third-party contract rights? Alternatively, does the failure to impose such requirements expose a corporation and its officers to potential liability to customers, employees or shareholders?

These are but a few examples of the tricky questions whose answers may differ after 9/11, as compared to before. You may deem it prudent to seek legal advice when addressing these issues. Many law firms, including my own, have created interdisciplinary Homeland Security practice groups to help corporate clients grapple with these complex issues.
In addition to the internal security challenges that private organizations are now dealing with, a second set of issues that I would like to touch upon are the ever-increasing challenges of complying with new government laws and regulations relating to Homeland Security. Frankly, the scope of this new legislative and regulatory regime is truly remarkable. As a starting point one need only consider for a moment that the federal government created an entirely new cabinet-level department, the Department of Homeland Security, whose primary mission includes the pursuit of the following broad-based objectives:

• preventing terrorist attacks within the United States;
• reducing the vulnerability of the United States to terrorism;
• minimizing the damages, and assisting in the recovery, from domestic terrorist attacks;
• carrying out all of the functions of various entities transferred to DHS; and
• ensuring that the overall economic security of the United States is not diminished by homeland security efforts, activities and programs.

In addition to this very broad mandate given to DHS, numerous other federal agencies are also empowered to address America’s vulnerability to terrorist attack, including, but not limited to: the Environmental Protection Agency, the Department of Transportation, the Department of Health and Human Services, the Department of Justice and the Department of Agriculture, to name a few. And each of these agencies has promulgated many new regulations designed to police various industries as a direct consequence of 9/11.

By way of a few brief examples, some of the private sector industries affected by the 9/11 legislation and regulations include:

• The Financial Services Industry is affected by the Patriot Act that requires that designated financial institutions (and other related entities) develop anti-money-laundering programs to prevent their facilities from being used inadvertently for terrorist money-laundering or financing activities.
These programs must include customer-identification programs and procedures to monitor accounts for suspicious behavior, for which reports must be filed with the government.

• Food Manufacturing and Processing Companies are subjected to new regulations under the auspices of the Food and Drug Administration pursuant to the Public Health Security and Bioterrorism Preparedness Response Act in order to protect the US from threats to its food supply and other health-related emergencies. Under this Act, domestic and foreign food facilities must register with the government, and the government must be given advance notice of imported food shipments. The FDA estimates that over 420,000 food facilities worldwide will have to register and that it expects to receive about 25,000 import notices per day.

• In a move that cuts across different industry groups, in 2002 President Bush signed the Maritime Transportation Security Act of 2002, whose purpose is to deter and minimize damage associated with marine transportation incidents, including terrorist attacks. The Act subjects owners and operators of certain facilities located “near” land to additional regulations, inspections and possible penalties and also requires certain facilities to perform security assessments, implement or amend security plans and conduct regular training and drills at the facility. According to DHS estimates, these facility security requirements will impact the manner in which over 5,000 facilities conduct business in the United States.

• In addition to the enactment of new laws and regulations, the government is placing new emphasis on the enforcement of existing laws (including the environmental acts known as RCRA and CERCLA, to name just two) to ensure enhanced security pertaining to the manufacture, use, transportation and disposal of hazardous substances and materials.

The volume and, in turn, the sheer complexity of the post-9/11 legislation and regulations are staggering.
They pose formidable challenges to the private sector because they require companies to alter business practices and necessitate that they stay abreast of an ever-changing legal landscape.

A third area of homeland security challenges to corporate managers is the issue of whether to voluntarily provide information in response to a government request when compliance with the request is not mandated by law. It is often said that today we live in the information age. And a vast amount of that information resides in the hands of private industry. Not surprisingly, particularly in these precarious times, the government is often eager to obtain information that would help in the pursuit of homeland security objectives.

A company may be naturally inclined to assist the government in its efforts to protect the homeland. Nonetheless, in some cases where the government approaches a company and requests that it voluntarily furnish information, that company may be reluctant to do so for any number of legitimate business reasons. Thus, before a private organization decides whether to respond to voluntary requests by the government for information, careful thought must be undertaken to determine what, if any, consequences can result from voluntarily disclosing information to the government. For example, information voluntarily provided to the government may thereafter be obtained by private individuals or entities through the use of Freedom of Information Act requests directed to the government.

The government has recently addressed some of these concerns when, in 2002, Congress passed the Critical Infrastructure Information Act. The Act was designed to encourage private organizations to share information with government concerning the country’s critical infrastructure so that the government may:

• analyze and secure critical infrastructure and protected systems;
• identify vulnerabilities and develop risk assessments; and
• enhance recovery preparedness measures.
Now under the Act, such information voluntarily disclosed by private industry will be shielded from FOIA requests, provided that the information meets the regulatory definition of “critical infrastructure information” and is accompanied by an “Express Statement” and “Certification Statement.” As an additional incentive to promote voluntary disclosure of information to the government, Congress has also provided that such information may not be used in any civil action arising under federal or state law by any governmental body or third party, provided that the information is submitted in good faith, and that the disclosure of information does not waive any other legal privilege or protection, including trade-secret protection.

Notwithstanding the incentives for disclosure provided under the Act, it should be noted that voluntarily disclosed information nevertheless may be disclosed by the government under certain limited circumstances. For example, under the Act, among other exceptions, a government employee may disclose subject information “in furtherance of an investigation or the prosecution of a criminal act”. As a consequence, information provided to help protect the homeland may, in fact, be used in a criminal investigation involving the company. That has given many companies reason to pause before volunteering information to the government.

When the information that a company is considering disclosing to the government involves people, and in particular employees, customer or patient information, privacy rights and civil liberty issues are undoubtedly implicated. Again, it is important that the legal consequences of such disclosure be fully considered. In addition to securing the advice of legal counsel, those in the private sector may be well advised to establish controls such that a particular individual within their organization serves as a clearing house for these types of voluntary requests so that consistent responses are provided.
Having discussed the various challenges that private industry faces in addressing the risk of another terrorist attack, I would be remiss, particularly with this audience, if I didn’t briefly mention terrorist insurance as another vehicle for addressing that risk. As many of you are aware, on November 26, 2002, President Bush signed into law the Terrorism Risk Insurance Act of 2002, which requires that all commercial property and casualty insurers offer terrorism coverage, and which also provides a federal backstop for these insurers in the event of a future terrorist strike.

Coverage for terrorism had been routinely provided until the September 11th terrorist attacks caused the insurance industry losses reported to be more than $40 billion. These losses prompted many insurers to withdraw offering terrorism coverage and to seek federal assistance. For over a year after the attacks, insurers and businesses sought, and lawmakers worked to craft, legislation providing a short-term federal terrorism insurance program to address the lack of terrorism insurance and related economic considerations.

The Terrorism Risk Insurance Act establishes a federal Terrorism Insurance Program, to be administered by the Secretary of the Treasury, which:

• requires that insurers make available to their policyholders coverage for losses from acts of terrorism;
• temporarily nullifies terrorism exclusions in existing property and casualty insurance policies;
• requires that insurers disclose to policyholders the premium charged for terrorism risk insurance; and
• allocates to the federal government a large share of losses resulting from any future terrorist attacks.

In June of this year, the Treasury Department announced its decision to extend the “make available” provisions of the Act through 2005.

By all accounts, there is a growing demand from private industry to purchase terrorism insurance.
Estimates are that premium payments for this coverage now total at least $10 billion a year. And a study by Marsh, released in June of this year, found that some 44% of the more than 600 public and private entities surveyed that had bought or renewed property coverage in the first quarter of this year also bought terrorism coverage, a figure that is up from just over 32% in the fourth quarter of 2003. No doubt there are many of you in this room who have studied the terrorism coverages available in the market today that can help manage the risk of catastrophic loss for your organization. And to close the circle, the Chief Economist of the Insurance Institute notes: “Anything you do to mitigate a terrorist attack on your property has a favorable impact on premiums.” But I’ll let all that be the subject of another speech by one of you insurance experts present here today.

Let me conclude by reminding you that the homeland security challenges that I have identified today are real and they are formidable. While some of these challenges existed well before 9/11, there can be no debate that 9/11 elevated those challenges to new heights. In order to meet these challenges, corporations and other private organizations must adapt to the new world. Corporate risk managers and other corporate officers must be focused and well-informed, and they should not be hesitant to rely, in some measure, on experienced professionals such as security experts, insurance consultants and lawyers who specialize in addressing these issues.

Together, working as a team to confront these challenges, I have no doubt that corporate managers will succeed in preventing the threat of terrorism from hindering the growth and development of their businesses in the future. I wish all of you involved in these efforts great success. We are depending on you.