Industry questions DHS liability plan
Seeks better safeguards to protect company information
- By Gail Repsher Emery
- Oct 23, 2003
The department is asking for "extremely detailed financial information that we don't think is necessary for DHS to have." ? Harris Miller of ITAA
Henrik G. de Gyor
The department is asking for "the minimum amount of information necessary to do what Congress asked us to do." ? Parney Albright of DHS
Henrik G. de Gyor
Kent Blossom of IBM Corp. is one of many company officials concerned over product and service information DHS wants in order to grant liability protection.
The government's plan for giving limited liability protection to homeland security products and services is coming under fire from contractors and some lawmakers, who said the government is unnecessarily requesting detailed information about the companies and their products.
Government contractors also expressed concern about how well the Homeland Security Department, which oversees the limited liability program, will safeguard proprietary company information.
The department Oct. 16 released the application form that companies would use to apply for protection. Comments are due Dec. 15 on an interim rule that details how the protections will be implemented.
Harris Miller, president of the Arlington, Va.-based Information Technology Association of America, said the department is asking for "extremely detailed financial information that we don't think is necessary for DHS to have. The kind of information they require would take an econometrist months to analyze."
The Safety Act, part of the Homeland Security Act of 2002, limits the liability of sellers of qualified anti-terrorism technologies if a terrorist attack occurs and the sellers' products or services fail through no fault of their own.
When companies apply for protection, Homeland Security officials will determine if their technologies merit liability protection and what level of insurance the companies should be required to carry.
Industry executives said that, in some cases, companies have been reluctant to sell their technologies to the government without liability protection. They said Safety Act protection is needed to defend their firms from financial ruin if their technologies fail because of a terrorist attack.
A day after the form was published at http://www.safetyact.gov, Rep. Tom Davis, R-Va., complained that Homeland Security Department officials had not finalized the application process more quickly.
"We're fighting a war on terror. If we're going along as business as usual, we're not going to get the technology products out there that we need. We have companies out there screaming and not knowing what is going on," Davis told department officials at an Oct. 17 hearing of the House Government Reform Committee.
[IMGCAP(2)]DHS official Parney Albright told Davis he agreed that anti-terrorism technologies must be protected under the act as quickly as possible, but said implementing the Safety Act has been swifter than a typical 18 to 24 month government rule-making.
The Safety Act became law in November 2002. The process of implementing the act has taken seven months so far, from proposed rule to interim rule to published application form. Albright, the department's assistant secretary for science and technology, said the final rule should be published within three months.
"This is not a situation where we want to act as business as usual," Albright said. "I'm proud of the fact that the department has gotten an extremely lengthy process condensed to seven months."
But now that the application has been published, industry executives said they have new fears:
- That the Department of Homeland Security is asking for too much company data that is either proprietary or nonexistent;
- That the application will take hundreds -- or even thousands ? of hours to fill out;
- That sensitive information about their technologies and company finances will not be adequately safeguarded.
At the Oct. 17 hearing, industry and Homeland Security officials seemed so far apart in their evaluations of the application process that Rep. Ed Schrock, R-Va., said the department seems "on a different planet."
At the hearing, Albright said the information DHS requested about the cost of the technology should be readily available to applicants. In interviews and at the hearing, industry executives said in many cases it is not.
[IMGCAP(3)]The department is asking for extremely detailed profit and loss information on a unit-by-unit basis for covered products and services, said Kent Blossom, director of safety and security services for Armonk, N.Y.-based IBM Corp.
"That type of information may be available from companies that strictly make widgets, but in many cases, companies are going to be applying for or looking at a complex, system-integration services program as a total solution. That doesn't necessarily lend itself to a financial analysis seeking minute, product-oriented detail," he said.
Albright said the application for Safety Act protection should take about 108 hours to complete. He said the department is asking for "the minimum amount of information necessary to do what Congress asked us to do."
But Miller testified that ITAA members estimated the application would take 1,000 hours to complete.
The application requirements include three previous years of cost and revenue data for the technology, and projections for cost and revenue three years into the future. Applicants are also required to provide past and future capital and project-related spending necessary to deploy the technology.
Additional requirements call for an insurance evaluation, including coverage levels and expenditures, loss history and risk management plan; and a technical evaluation, including a description of the technology, what it will do, how it will be used, an assessment of its effectiveness and the risk to the public if the technology is not deployed.
Industry executives also said they're afraid Homeland Security officials won't be able to protect the proprietary information they'll have to submit in the application.
"While the department continues to make strong statements recognizing the importance of protecting proprietary data, it remains to be seen how that protection will be provided," said Stan Soloway, president of the Professional Services Council, an Arlington, Va., trade group. He recommended that department officials develop proprietary data marking, by which applicants could highlight the parts of their applications they consider proprietary.
Albright said Homeland Security officials believe legal protections for proprietary data and national security information, such as the Freedom of Information Act and the Trade Secrets Act, will be enough to preserve applicants' sensitive data.
At a DHS seminar on the Safety Act this month in Washington, department official Holly Dockery, DHS director of Safety Act implementation, told industry attendees that everyone who touches the applications will be bound by nondisclosure agreements and conflict of interest restrictions.
And Albright said department officials are still discussing the protection of proprietary data. "Should we find we need more protection, we'll work with Congress to make that happen," he said.
Despite their concerns, executives said they're fairly pleased with the department's efforts to implement the act. Now they're hoping for some changes.
"We've had extensive discussions with DHS, and I think the department has made significant progress, but we've got significant hurdles to overcome to bring these products to market," Soloway said.
And although Albright said department officials don't think the application process is burdensome, he said the department would try to change the application form if it proves unworkable.
"If it turns out the balance between the burden on the seller and our ability to do due diligence has gotten out of whack, we will be the first to try to fix that," he said. "We really want this to work."
Staff Writer Gail Repsher Emery can be reached at firstname.lastname@example.org.