Ask the Expert: How Do I Protect Risk Assessments from the Public?

Often during Circadian Risk demos, security professionals and companies ask me how they can protect their security risk analysis data. Not from a cybersecurity perspective, but from liability. Your assessment reports contain sensitive information about your organization, and a simple FOIA request or a civil liability claim can open the entire contents of those reports to the public. In short, every vulnerability in your facility would be public knowledge.

In many cases, there is a way to keep that information private. Most people aren’t even aware that there’s a Federal program to protect their data from being shared, called PCII.

Protections of PCII

The Protective Critical Infrastructure Information (PCII) is a designation provided by the Department of Homeland Security to entities. PCII allows organizations to keep assessment data from release to the public. If your risk and vulnerability reports have a PCII designation, the reports themselves are not subject to

• The Freedom of Information Act (FOIA)
• State, local, tribal, and territorial disclosure laws
• Use in regulatory actions
• Use in civil litigation

If you’re concerned about a threat and vulnerability assessment report revealing sensitive information about your organization, PCII allows you to protect the data so that it doesn’t go out to the world and create high vulnerabilities. The Federal government created PCII to protect those reports.

When I talk with companies about data protection, I recommend that anytime they do an assessment, they immediately apply for PCII. Even in a civil liability case, your risk increases when you expose your organization’s vulnerabilities to the world. It just doesn’t make sense to allow even the possibility of your assessments being subject to FOIA or a civil liability lawsuit.

Not even employees can access the report without your permission. In the case of a civil liability, such as a slip-and-fall incident, the plaintiff can’t have access to claim that your company knew about that crack in the sidewalk. Your primary concern is to keep the sensitive security information out of the public eyes to limit your vulnerabilities and exposure

IMPORTANT! The purpose of PCII isn’t to absolve you of your responsibilities to keep people safe from accidents. It is still your responsibility to protect your employees and the public. And you can still be successfully sued if an accident occurs at your facility. PCII doesn’t protect you from lawsuits or absolve you of ethical standards—it simply protects that particular security report from being released to the public.

How to Get PCII Protection

To get PCII protection, submit an application and the assessment report to the state police or DHS, depending on the state you’re located in. The best place to start the process of having a report PCII Certified is by contacting your State’s Intelligence/Fusion Center. Authorities will review the application to determine if the report should be protected. Expect anywhere from a couple weeks to a couple months for processing.

The number one factor in determining PCII is whether your organization is a critical infrastructure. DHS provides a list of critical infrastructure categories. In essence, your organization qualifies as a critical infrastructure if the economy of the area/region/state/country would be affected if a critical event occurred at your facility.

Today, 85 percent of our nation’s critical infrastructure is privately owned. If that includes your organization, there is essentially no automatic protection to ensure that your assessments stay within your company. But by applying for PCII, you can help guard your most sensitive information from the public domain.

Have a question about physical security, risks or vulnerabilities? Let us know and we’ll post an in-depth article from an industry insider’s perspective.