Ala. Code § 36-12-40: Notwithstanding the foregoing, records concerning security plans, procedures, assessments, measures, or systems, and any other records relating to, or having an impact upon, the security or safety of persons, structures, facilities, or other infrastructures, including without limitation information concerning critical infrastructure (as defined at 42 U.S.C. § 5195c(e) as amended) and critical energy infrastructure information (as defined at 18 C.F.R. § 388.113(c)(1) as amended) the public disclosure of which could reasonably be expected to be detrimental to the public safety or welfare, and records the disclosure of which would otherwise be detrimental to the best interests of the public shall be exempted from this section.
Alaska Stat. § 40.25.120 (a)(10): Every person has a right to inspect a public record in the state, including public records in recorders' offices, except... records or information pertaining to a plan, program, or procedures for establishing, maintaining, or restoring security in the state, or to a detailed description or evaluation of systems, facilities, or infrastructure in the state, but only to the extent that the production of the records or information (A) could reasonably be expected to interfere with the implementation or enforcement of the security plan, program, or procedures; (B) would disclose confidential guidelines for investigations or enforcement and the disclosure could reasonably be expected to risk circumvention of the law; or (C) could reasonably be expected to endanger the life or physical safety of an individual or to present a real and substantial risk to the public health and welfare.
Ariz. Rev. Stat. § 39-126: Nothing in this chapter requires the disclosure of a risk assessment that is performed by or on behalf of a federal agency to evaluate critical energy, water or telecommunications infrastructure to determine its vulnerability to sabotage or attack.
The annotations of Ark. Code § 25-19-105 exempts CEII: (6) The federal government recognizes the importance of critical infrastructure information, and has created special policies to address its protection, including without limitation: (A) The Critical Infrastructure Information Act of 2002, 6 U.S.C. § 131 et seq., which prohibits federal agencies from disclosing certain information submitted to the United States Department of Homeland Security; and (B) Rules of the Federal Energy Regulatory Commission addressing critical energy infrastructure information, which limit access to certain information generated or collected by the commission and require the use of nondisclosure agreements when the information is provided; and (7) It is necessary to protect the security of the infrastructure of Arkansas's utility systems, including without limitation electric generation, transmission, and distribution. (8) Ensure the security of Arkansas's infrastructure by exempting utility infrastructure information from mandatory disclosure.
Cal. Gov't Code § 6254(ab): This chapter does not require the disclosure of any of the following records; Critical infrastructure information, as defined in Section 131(3) of Title 6 of the United States Code, that is voluntarily submitted to the Office of Emergency Services for use by that office, including the identity of the person who or entity that voluntarily submitted the information. As used in this subdivision, voluntarily submitted, means submitted in the absence of the office exercising any legal authority to compel access to or submission of critical infrastructure information. This subdivision shall not affect the status of information in the possession of any other state or local governmental agency.
The Colorado General Assembly enacted S.B. 40 (enacted, 2017), amending Colo. Rev. Stat. §24-72-204 as follows: (2) (a) The custodian may deny the right of inspection of the following records, unless otherwise provided by law, on the ground that disclosure to the applicant would be contrary to the public interest: (VIII) (A) Specialized details of either security arrangements or investigations or the physical and cyber assets of critical infrastructure, including the specific engineering, vulnerability, detail design information, protective measures, emergency response plans, or system operational data of such assets that would be useful to a person in planning an attack on critical infrastructure but that does not simply provide the general location of such infrastructure. Nothing in this subparagraph (VIII) SUBSECTION (2)(a)(VIII) prohibits the custodian from transferring records containing specialized details of EITHER security arrangements or investigations or the physical and cyber assets of critical infrastructure to the division of homeland security and emergency management in the department of public safety, the governing body of any city, county, city and county, or other political subdivision of the state, or any federal, state, or local law enforcement agency; except that the custodian shall not transfer any record received from a nongovernmental entity without the prior written consent of the entity unless such information is already publicly available.
Ga. Code §50-18-72(a)(16): Public disclosure shall not be required for records that are … Agricultural or food system records, data, or information that are considered by the Department of Agriculture to be a part of the critical infrastructure, provided that nothing in this paragraph shall prevent the release of such records, data, or information to another state or federal agency if the release of such records, data, or information is necessary to prevent or control disease or to protect public health, safety, or welfare. As used in this paragraph, the term “critical infrastructure” shall have the same meaning as in 42 U.S.C. Section 5195c(e). Such records, data, or information shall be subject to disclosure only upon the order of a court of competent jurisdiction.
Haw. Rev. Stat. §92F-11- 92F-19 does not explicitly contain the CEII exemption but it exists in an opinion letter, Haw. OIP Opinion Letter No. 07-05 (April 13, 2007), 2007 WL 1267787: To the extent that public disclosure of information about the physical security of critical energy infrastructure would compromise the security of that infrastructure and expose it to hazards such as vandalism, copper or equipment theft, or other criminal activity, the Department of Business, Economic Development & Tourism may withhold the information under the Uniform Information Practices Act's exception for information whose disclosure would frustrate a legitimate government function.
Ind. Code §5-14-3-4 (b)(19)(J): Except as otherwise provided by subsection (a), the following public records shall be excepted from section 3 of this chapter at the discretion of a public agency... A record or a part of a record, the public disclosure of which would have a reasonable likelihood of threatening public safety by exposing a vulnerability to terrorist attack. A record described under this subdivision includes the following... Infrastructure records that disclose the configuration of critical systems such as communication, electrical, ventilation, water, and wastewater systems.
Iowa added an exemption for CEII in the 2017 legislative session. Iowa Code §22.7 (70): The following public records shall be kept confidential, unless otherwise ordered by a court, by the lawful custodian of the records, or by another person duly authorized to release such information... Information and records related to cyber security information or critical infrastructure, the disclosure of which may expose or create vulnerability to critical infrastructure systems, held by the utilities board of the department of commerce or the department of homeland security and emergency management for purposes relating to the safeguarding of telecommunications, electric, water, sanitary sewage, storm water drainage, energy, hazardous liquid, natural gas, or other critical infrastructure systems. For purposes of this subsection, “cyber security information” includes but is not limited to information relating to cyber security defenses, threats, attacks, or general attempts to attack cyber system operations
Kan. Stat. §45-221 (a) (45) & (54): (45) Records, other than criminal investigation records, the disclosure of which would pose a substantial likelihood of revealing security measures that protect: (A) Systems, facilities or equipment used in the production, transmission or distribution of energy, water or communications services... For purposes of this paragraph, security means measures that protect against criminal acts intended to intimidate or coerce the civilian population, influence government policy by intimidation or coercion or to affect the operation of government by disruption of public services, mass destruction, assassination or kidnapping. Security measures include, but are not limited to, intelligence information, tactical plans, resource deployment and vulnerability assessments... (54) Records of a utility concerning information about cyber security threats, attacks or general attempts to attack utility operations provided to law enforcement agencies, the state corporation commission, the federal energy regulatory commission, the department of energy, the southwest power pool, the North American electric reliability corporation, the federal communications commission or any other federal, state or regional organization that has a responsibility for the safeguarding of telecommunications, electric, potable water, waste water disposal or treatment, motor fuel or natural gas energy supply systems.
Ky. Rev. Stat. §61.878(1)(m)(1)(f): The following public records are excluded from the application of KRS 61.870 to 61.884 and shall be subject to inspection only upon order of a court of competent jurisdiction, except that no court shall authorize the inspection by any party of any materials pertaining to civil litigation beyond that which is provided by the Rules of Civil Procedure governing pretrial discovery… Public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act and limited to… Infrastructure records that expose a vulnerability referred to in this subparagraph through the disclosure of the location, configuration, or security of critical systems, including public utility critical systems. These critical systems shall include but not be limited to information technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage, and gas systems.
Me. Rev. Stat. tit. 1, §402(3)(L) [Exempts] [r]ecords describing security plans, security procedures or risk assessments prepared specifically for the purpose of preventing or preparing for acts of terrorism, but only to the extent that release of information contained in the record could reasonably be expected to jeopardize the physical safety of government personnel or the public. Information contained in records covered by this paragraph may be disclosed to the Legislature or, in the case of a political or administrative subdivision, to municipal officials or board members under conditions that protect the information from further disclosure. For purposes of this paragraph, “terrorism” means conduct that is designed to cause serious bodily injury or substantial risk of bodily injury to multiple persons, substantial damage to multiple structures whether occupied or unoccupied or substantial physical damage sufficient to disrupt the normal functioning of a critical infrastructure.
Mich. Comp. Laws. Ann. § 15.243: Records or information of measures designed to protect the security or safety of persons or property, whether public or private, including, but not limited to, building, public works, and public water supply designs to the extent that those designs relate to the ongoing security measures of a public body, capabilities and plans for responding to a violation of the Michigan anti-terrorism act, chapter LXXXIII-A of the Michigan penal code, 1931 PA 328, MCL 750.543a to 750.543z, emergency response plans, risk planning documents, threat assessments, and domestic preparedness strategies, unless disclosure would not impair a public body's ability to protect the security or safety of persons or property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular instance.
Minnesota keeps energy data private but it does not specifically exempt information about critical energy infrastructure. Minn. Stat. §13.68 Subdivision 1. Nonpublic data. Energy and financial data, statistics, and information furnished to the commissioner of commerce by a coal supplier or petroleum supplier, or information on individual business customers of a public utility pursuant to section 216C.16 or 216C.17, either directly or through a federal department or agency are classified as nonpublic data as defined by section 13.02, subdivision 9.
Mo. Rev. Stat. §610.021 (19) [Exempts] [e]xisting or proposed security systems and structural plans of real property owned or leased by a public governmental body, and information that is voluntarily submitted by a nonpublic entity owning or operating an infrastructure to any public governmental body for use by that body to devise plans for protection of that infrastructure, the public disclosure of which would threaten public safety: (a) Records related to the procurement of or expenditures relating to security systems purchased with public funds shall be open; (b) When seeking to close information pursuant to this exception, the public governmental body shall affirmatively state in writing that disclosure would impair the public governmental body's ability to protect the security or safety of persons or real property, and shall in the same writing state that the public interest in nondisclosure outweighs the public interest in disclosure of the records.
Neb. Rev. Stat. §84-712.05 (8) [Exempts] [i]nformation solely pertaining to protection of the security of public property and persons on or within public property, such as specific, unique vulnerability assessments or specific, unique response plans, either of which is intended to prevent or mitigate criminal acts the public disclosure of which would create a substantial likelihood of endangering public safety or property; computer or communications network schema, passwords, and user identification names; guard schedules; lock combinations; or public utility infrastructure specifications or design drawings the public disclosure of which would create a substantial likelihood of endangering public safety or property, unless otherwise provided by state or federal law.
Nev. Rev. Stat. §239C.210 1. [Exempts] a document, record or other item of information described in subsection 2 that is prepared and maintained for the purpose of preventing or responding to an act of terrorism is confidential, not subject to subpoena or discovery, not subject to inspection by the general public and may only be inspected by or released to [certain parties]... 2. The types of documents, records or other items of information subject to executive order pursuant to subsection 1 are as follows... (b) Drawings, maps, plans or records that reveal the critical infrastructure of primary buildings, facilities and other structures used for storing, transporting or transmitting water or electricity, natural gas or other forms of energy, fiber optic cables, microwave towers or other vertical assets used for the transmission or receipt of data or communications used by response agencies and public safety and public health personnel.
N.Y. Pub. Off. Law §89 5. (a) (1) (1-a) A person or entity who submits or otherwise makes available any records to any agency, may, at any time, identify those records or portions thereof that may contain critical infrastructure information, and request that the agency that maintains such records except such information from disclosure under subdivision two of section eighty-seven of this article. Where the request itself contains information which if disclosed would defeat the purpose for which the exception is sought, such information shall also be excepted from disclosure.
N.C. Gen. Stat. §132-1.7(a) Public records, as defined in G.S. 132-1, shall not include information containing specific details of public security plans and arrangements or the detailed plans and drawings of public buildings and infrastructure facilities or plans, schedules, or other documents that include information regarding patterns or practices associated with executive protection and security… (b) Public records as defined in G.S. 132-1 do not include plans to prevent or respond to terrorist activity, to the extent such records set forth vulnerability and risk assessments, potential targets, specific tactics, or specific security or emergency procedures, the disclosure of which would jeopardize the safety of governmental personnel or the general public or the security of any governmental facility, building, structure, or information storage system… (c) Information relating to the general adoption of public security plans and arrangements, and budgetary information concerning the authorization or expenditure of public funds to implement public security plans and arrangements, or for the construction, renovation, or repair of public buildings and infrastructure facilities shall be public records.
NDCC §44-04-24. Security system plan--Exemption: 1. A security system plan kept by a public entity is exempt from the provisions of section 44-04-18 and section 6 of article XI of the Constitution of North Dakota. 2. As used in this section: a. “Critical infrastructure” means public buildings, systems, including telecommunications centers and computers, power generation plants, dams, bridges, and similar key resources, whether physical or virtual, so vital to the state that the incapacity or destruction of these systems would have a debilitating impact on security, state economic security, state public health or safety, or any combination of those matters. b. “Security system plan” includes all records, information, photographs, audio and visual presentations, schematic diagrams, surveys, recommendations, communications, or consultations or portions of any such plan relating directly to the physical or electronic security of a public facility, or any critical infrastructure, whether owned by or leased to the state or any of its political subdivisions, or any privately owned or leased critical infrastructure if the plan or a portion of the plan is in the possession of a public entity; threat assessments; vulnerability and capability assessments conducted by a public entity, or any private entity; threat response plans; and emergency evacuation plans. 3. This exemption applies to security system plans received by a public entity before, on, or after March 20, 2003. 4. Nothing in this section may be construed to limit disclosure required for necessary construction, renovation, or remodeling work on a public building. Disclosure under this subsection does not constitute public disclosure.
Ohio Rev. Code §149.433 (A) As used in this section... “Infrastructure record” means any record that discloses the configuration of critical systems including, but not limited to, communication, computer, electrical, mechanical, ventilation, water, and plumbing systems, security codes, or the infrastructure or structural configuration of a building. “Infrastructure record” includes a risk assessment of infrastructure performed by a state or local law enforcement agency at the request of a property owner or manager. “Infrastructure record” does not mean a simple floor plan that discloses only the spatial relationship of components of the building... (B)(1) A record kept by a public office that is a security record is not a public record under section 149.43 of the Revised Code and is not subject to mandatory release or disclosure under that section... (3) A record kept by a public office that is an infrastructure record of a private entity may be exempted from release or disclosure under division (C) of this section. (C) A record prepared by, submitted to, or kept by a public office that is an infrastructure record of a private entity, which is submitted to the public office for use by the public office, when accompanied by an express statement, is exempt from release or disclosure under section 149.43 of the Revised Code for a period of twenty-five years after its creation if it is retained by the public office for that length of time. (D) Notwithstanding any other section of the Revised Code, disclosure by a public office, public employee, chartered nonpublic school, or chartered nonpublic school employee of a security record or infrastructure record that is necessary for construction, renovation, or remodeling work on any public building or project or chartered nonpublic school does not constitute public disclosure for purposes of waiving division (B) of this section and does not result in that record becoming a public record for purposes of section 149.43 of the Revised Code.
Okla. Stat. tit. 51, §24A.27: A. Any state environmental agency or public utility shall keep confidential vulnerability assessments of critical assets in both water and wastewater systems. State environmental agencies or public utilities may use the information for internal purposes or allow the information to be used for survey purposes only. The state environmental agencies or public utilities shall allow any public body to have access to the information for purposes specifically related to the public bodies function. B. For purposes of this section: 1. “State environmental agencies” includes the: a. Oklahoma Water Resources Board, b. Oklahoma Corporation Commission, c. State Department of Agriculture, d. Oklahoma Conservation Commission, e. Department of Wildlife Conservation, f. Department of Mines, and g. Department of Environmental Quality; 2. “Public Utility” means any individual, firm, association, partnership, corporation or any combination thereof, municipal corporations or their lessees, trustees and receivers, owning or operating for compensation in this state equipment or facilities for: a. producing, generating, transmitting, distributing, selling or furnishing electricity, b. the conveyance, transmission, reception or communications over a telephone system, c. transmitting directly or indirectly or distributing combustible hydrocarbon natural or synthetic natural gas for sale to the public, or d. the transportation, delivery or furnishing of water for domestic purposes or for power.
Oregon enacted HB2906 in the 2017 legislative session. HB2906(2)(b) A public body that shares geospatial framework data in accordance with subsection (1) of this section may: ... (D) Withhold from public disclosure geospatial framework data that the council designates by rule as critical infrastructure information.
Or. Rev. Stat. §192.690 (2) Because of the grave risk to public health and safety that would be posed by misappropriation or misapplication of information considered during such review and approval, ORS 192.610 to 192.690 shall not apply to review and approval of security programs by the Energy Facility Siting Council pursuant to ORS 469.530.
65 Pa. Stat. §67.708 (b) Exceptions… the following are exempt from access by a requester under this act… (3) A record, the disclosure of which creates a reasonable likelihood of endangering the safety or the physical security of a building, public utility, resource, infrastructure, facility or information storage system, which may include: (i) documents or data relating to computer hardware, source files, software and system networks that could jeopardize computer security by exposing a vulnerability in preventing, protecting against, mitigating or responding to a terrorist act; (ii) lists of infrastructure, resources and significant special events, including those defined by the Federal Government in the National Infrastructure Protections, which are deemed critical due to their nature and which result from risk analysis; threat assessments; consequences assessments; antiterrorism protective measures and plans; counterterrorism measures and plans; and security and response needs assessments; and (iii) building plans or infrastructure records that expose or create vulnerability through disclosure of the location, configuration or security of critical systems, including public utility systems, structural elements, technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage and gas systems.
Texas exempts meetings about critical infrastructure from its Open Meetings law. However, CEII is not specifically exempted from information requests under the state's Open Records law.
Tex. Gov't Code § 551.089: This chapter does not require a governmental body to conduct an open meeting to deliberate: (1) security assessments or deployments relating to information resources technology; (2) network security information as described by Section 2059.055(b); or (3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.
Vt. Stat. tit. 1, § 317 (32) With respect to publicly owned, managed, or leased structures, and only to the extent that release of information contained in the record would present a substantial likelihood of jeopardizing the safety of persons or the security of public property, final building plans, and as-built plans, including drafts of security systems within a facility, that depict the internal layout and structural elements of buildings, facilities, infrastructures, systems, or other structures owned, operated, or leased by an agency before, on, or after the effective date of this provision; emergency evacuation, escape, or other emergency response plans that have not been published for public use; and vulnerability assessments, operation and security manuals, plans, and security codes. For purposes of this subdivision, “system” shall include electrical, heating, ventilation, air conditioning, telecommunication, elevator, and security systems. Information made exempt by this subdivision may be disclosed to another governmental entity if disclosure is necessary for the receiving entity to perform its duties and responsibilities; to a licensed architect, engineer, or contractor who is bidding on or performing work on or related to buildings, facilities, infrastructures, systems, or other structures owned, operated, or leased by the State. The entities or persons receiving such information shall maintain the exempt status of the information. Such information may also be disclosed by order of a court of competent jurisdiction, which may impose protective conditions on the release of such information as it deems appropriate. Nothing in this subdivision shall preclude or limit the right of the General Assembly or its committees to examine such information in carrying out its responsibilities or to subpoena such information. In exercising the exemption set forth in this subdivision and denying access to information requested, the custodian of the information shall articulate the grounds for the denial.
Va. Code § 2.2-3705.2 (14) Information contained in (i) engineering, architectural, or construction drawings; (ii) operational, procedural, tactical planning, or training manuals; (iii) staff meeting minutes; or (iv) other records that reveal any of the following, the disclosure of which would jeopardize the safety or security of any person; governmental facility, building, or structure or persons using such facility, building, or structure; or public or private commercial office, multifamily residential, or retail building or its occupants: a. Critical infrastructure information or the location or operation of security equipment and systems of any public building, structure, or information storage facility, including ventilation systems, fire protection equipment, mandatory building emergency equipment or systems, elevators, electrical systems, telecommunications equipment and systems, or utility equipment and systems; b. Vulnerability assessments, information not lawfully available to the public regarding specific cybersecurity threats or vulnerabilities, or security plans and measures of an entity, facility, building structure, information technology system, or software program… The same categories of records of any person or entity submitted to a public body for the purpose of antiterrorism response planning or cybersecurity planning or protection may be withheld from disclosure if such person or entity in writing (a) invokes the protections of this subdivision, (b) identifies with specificity the records or portions thereof for which protection is sought, and (c) states with reasonable particularity why the protection of such records from public disclosure is necessary to meet the objective of antiterrorism, cybersecurity planning or protection, or critical infrastructure information security and resilience. Such statement shall be a public record and shall be disclosed upon request. Any public body receiving a request for records excluded under clauses (a) and (b) of this subdivision 14 shall notify the Secretary of Public Safety and Homeland Security or his designee of such request and the response made by the public body in accordance with § 2.2-3704.
Washington’s Court of Appeals interpreted a statute to exempt critical infrastructure information from its Public Records Act, although the phrase is not used in the statute. The court granted an injunction for an information request seeking a detailed map and attribute-level pipeline data under the terrorist security exemption of the Public Records Act. Washington Utilities and Transportation Commission (WUTC) was not required to disclose the data, although the data was not initially compiled to combat terrorism. More than 20 industry representatives asserted that gas pipeline system was part of critical energy infrastructure of state and region and that incapacity or destruction of the system would have potentially catastrophic consequences. Northwest Gas Ass'n v. Washington Utilities and Transp. Com'n (2007) 141 Wash. App. 98, 168 P.3d 443, review denied 163 Wash.2d 1049, 187 P.3d 750.
Wash. Rev. Code § 42.56.420 The following information relating to security is exempt from disclosure under this chapter: (1) Those portions of records assembled, prepared, or maintained to prevent, mitigate, or respond to criminal terrorist acts, which are acts that significantly disrupt the conduct of government or of the general civilian population of the state or the United States and that manifest an extreme indifference to human life, the public disclosure of which would have a substantial likelihood of threatening public safety, consisting of: (a) Specific and unique vulnerability assessments or specific and unique response or deployment plans, including compiled underlying data collected in preparation of or essential to the assessments, or to the response or deployment plans; and (b) Records not subject to public disclosure under federal law that are shared by federal or international agencies, and information prepared from national security briefings provided to state or local government officials related to domestic preparedness for acts of terrorism... (4) Information regarding the public and private infrastructure and security of computer and telecommunications networks, consisting of security passwords, security access codes and programs, access codes for secure software applications, security and service recovery plans, security risk assessments, and security test results to the extent that they identify specific system vulnerabilities, and other such information the release of which may increase risk to the confidentiality, integrity, or availability of security, information technology infrastructure, or assets.
W. Va. Code § 29B-1-4 (a) There is a presumption of public accessibility to all public records, subject only to the following categories of information which are specifically exempt from disclosure under the provisions of this article… (15) Architectural or infrastructure designs, maps or other records that show the location or layout of the facilities where computing, telecommunications or network infrastructure used to plan against or respond to terrorism are located or planned to be located; (16) Codes for facility security systems; or codes for secure applications for facilities referred to in subdivision (15) of this subsection; (17) Specific engineering plans and descriptions of existing public utility plants and equipment.