Most U.S. Government Agencies Still Not E-FOIA Compliant 10 Years Following Enactment; Disregard for Laws Also Leads to Disregard for Security Requirements
On March 12 the National Security Archive at George Washington University issued its report, "The Knight Open Government Survey 2007."
The study looked at how many of the 149 U.S. government agencies surveyed were in compliance with the provisions of the Electronic Freedom of Information Act (EFOIA), now at the 10-year anniversary of the Act going into effect.
It's an interesting read and quite a report card.
A passage from the Executive Summary of the report is revealing:
"The poor state of agencies’ FOIA Web sites forces the conclusion that not only did the agencies ignore Congress, but lack of interest in FOIA programs is so high that many agencies have failed even to keep their FOIA Web sites on par with their general agency Web sites. Congress’s best intentions have not had the desired impact."
Indeed. Laws are basically worthless if they are not consistently and actively enforced. What are the penalties U.S. government agencies face for regulatory and legal non-compliance?
The study reported the following agencies, in alphabetical not ranked order, as the top 5 "Best Overall Agencies" with regard to compliance:
"Department of Education
Goes above and beyond what is required with guidance and tools for requesters
Good guide, FAQs, FOIA request and appeal checklist
Excellent online FOIA appeal and request forms
Most of the required documents are available
http://www.ed.gov/policy/gen/leg/foia/foiatoc.html

Department of Justice
Portal scheme links component FOIA sites and reading rooms
Excellent FOIA Reference Guide
Comprehensive index of major information systems
Well-organized electronic reading room
http://www.usdoj.gov/oip/

Federal Trade Commission
Well-organized electronic reading room with extensive records
Good guidance
FOIA request checklist
http://www.ftc.gov/foia/

National Aeronautics & Space Administration
Uses portal scheme to link all component FOIA Web sites
Good proactive disclosure (posted materials related to Space Shuttle Columbia)
Comprehensive guidance
http://www.hq.nasa.gov/office/pao/FOIA/agency/

National Labor Relations Board
Excellent navigation scheme
Site is well organized and very easy to follow
Good guidance
Electronic reading room with a lot of available information
http://www.nlrb.gov/FOIA/"
I have used all these sites, and while I haven't looked at them specifically for FOIA data, I have found them all very useful when looking for other information applicable to the agencies. I particularly like the FTC site.
The study reported the following agencies, again in alphabetical and not ranked order, as the 12 "WORST OVERALL AGENCIES":
"Air Force (Department of Defense)
Two distinct FOIA sites, one hidden from main agency home page
Minimal guidance
No required records
Several broken links
Inaccurate information for some sub-components
http://www.af.mil/foia.asp and http://www.foia.af.mil/

Department of Defense
Poor site structure and design
Disorganized, unsearchable electronic reading room
Many required documents could not be located
http://www.dod.mil/pubs/foi/

Department of Interior
No guidance currently available
Poor organization and badly-identified links
Difficult to navigate
One large component, Bureau of Indian Affairs, has no FOIA site
http://www.doi.gov/foia/

Department of Labor
No central reading room and no required documents available
Several components (ETA and EBSA) lack FOIA sites
http://www.dol.gov/dol/foia/main.htm

Federal Labor Relations Authority
Two distinct FOIA pages, each very difficult to find from main site
Poor guidance
No required records available
http://www.flra.gov/hdbook4.html

Immigration & Customs Enforcement (Department of Homeland Security)
No dedicated FOIA page
Very limited guidance
No required documents
http://www.ice.gov/about/legal.htm#foia

Office of the Director of National Intelligence
No guidance for requesters, only contact information provided
Limited electronic reading room
http://www.dni.gov/foia.htm

Office of National Drug Control Policy
No substantive guidance
No required documents except annual reports
Poor navigation
http://www.whitehousedrugpolicy.gov/about/foia.html

Small Business Administration
Very poorly organized site, particularly guidance materials
Few required documents available
Documents and information very difficult to locate
http://www.sba.gov/aboutsba/sbaprograms/foia/

Transportation Security Administration (Department of Homeland Security)
Limited guidance for requesters
Few, poorly-identified records in electronic reading room
Difficult to navigate
http://www.tsa.gov/research/foia/index.shtm

U.S. Trade Representative
No FOIA link on agency home page
No required documents identified on FOIA site
Guidance scattered and incomprehensible
http://www.ustr.gov/Legal/Reading_Room/FOIA/Section_Index.html

Department of Veterans Affairs
Very limited guidance
Site is poorly organized
Information is difficult to locate
Several broken links to required documents
http://www.va.gov/oit/egov/rms/foia.asp"
It is worth noting that many of the agencies on the worst list have also had well-publicized security incidents and privacy breaches, most notably the VA.
These two issues, EFOIA noncompliance and security assurance, are related: when organizations disregard laws and regulatory requirements, it follows that their personnel will also disregard security policies and fail to apply safeguards consistently, which leads to security incidents and privacy breaches.
Organizational leaders must be good role models; their personnel will mirror them, good behavior and bad.
Comments
The VA's mistakes have been incomprehensible: they lose hardware, then make comments about upping security, only to have the same thing happen again. I understand that there are bizarre circumstances, but use heavy encryption to protect the information at least.
Also these regulations have been all the same. HIPAA (article I wrote about HIPAA Regulations) has some powerful incentives for compliance but they mean nothing when they aren't enforced. I would wager the fines they raise would cover the enforcement.
Posted by: Michael | March 21, 2007 4:00 PM
Indeed, HIPAA has yet to have any penalties applied for noncompliance by either the Office of Civil Rights (OCR, the regulatory oversight for the Privacy Rule) or the Centers for Medicare and Medicaid Services (CMS, the regulatory oversight for the Security Rule). If there are laws, they must be enforced or they will just be viewed as an empty placation for the public who demand their personal information must be strongly safeguarded.
To date there have only been two HIPAA criminal cases (I wrote about these a few times last year on this blog).
Posted by: Rebecca | March 23, 2007 5:00 PM
Do you think that adding new compliance laws and regulations will accomplish anything, or will it reinforce to companies that compliance is a hollow threat? Like you said, there have only been two HIPAA criminal cases, and both of those were beyond extreme. The way the system is set up, regulatory compliance is a joke to several companies, and when the government begins to enforce it, it will be devastating. While I have no sympathy for groups who ignore the regulations, it is easy to see why the wag of a finger isn't getting the job done and forcing them into compliance.
Posted by: Michael | March 26, 2007 12:37 PM
It is a very frustrating predicament we are in. I absolutely agree about enabling. I was just reading a story this morning about laptops loaded with medical information of children that were stolen and protected solely by a single password.
Now it's bad news if my 14-year-old cousin can circumvent your security setup. With the cost of this incident, even without HIPAA penalties, they could have afforded at least some of the cheaper encryption software or security suites and saved not only the money but face.
Sadly, without regulations companies run around thinking they are invincible and will not be victims of these situations.
Posted by: Michael | March 27, 2007 1:27 PM
Yes, it is sad that many organizations do not stop and think about the impacts of security incidents and privacy breaches to their business. A couple of years ago I created a type of privacy breach impact calculator that I've used with organizations, with great awareness-raising results, to demonstrate through this type of financial modelling exercise what the potential impact could be upon their business following a privacy breach. You can see an abbreviated version of my calculator at http://www.informationshield.com/privacybreachcalc.html.
Because of this general lack of awareness of the true potential impact to business of privacy breaches, we must have laws to require personal information safeguards.
It is too bad that businesses do not protect personal information just because it is the right and ethical thing to do. Unfortunately almost all business decisions are based purely upon financial expenditure consideration.
Posted by: Rebecca | March 28, 2007 12:06 PM
Hi. This is a really interesting post. Thank you! I have just subscribed to your RSS!
Best regards
Posted by: Forexman | May 24, 2008 9:43 PM
hey ))
It's a very unconventional point of view.
Nice post.
Really good post.
thx :-)
Posted by: bad personal | September 2, 2008 12:22 AM