Preparing for the Worst
As reports continue to pour in offering critiques of what went wrong with the response to Hurricane Katrina, analysts say an important lesson is that reacting to widespread disasters is a private affair as well as a matter of government responsibility.
But there was growing recognition of the crucial role that the private sector plays in disaster response efforts even before Hurricane Katrina swept through Louisiana, Mississippi and Alabama nearly a year ago.
After all, most of the infrastructure that keeps a modern society functioning—and whose breakdown can lead to social collapse—is in the hands of private businesses, not government. Key elements of that infrastructure include telecommunications and information services, utilities, banking and finance, medical services, shipping and transportation, agriculture and food processing, and retail services.
The role of the private sector was acknowledged in a report —issued a year before Hurricane Katrina struck—by the 9/11 Commission, an independent bipartisan body created by Congress to assess preparedness for dealing with terrorist attacks like those that occurred on Sept. 11, 2001.
“The mandate of the Department of Homeland Security [created by the Homeland Security Act of 2002] does not end with government,” states the commission’s report. The department “is also responsible for working with the private sector to ensure preparedness. This is entirely appropriate, for the private sector controls 85 percent of the critical infrastructure in the nation. Indeed, unless a terrorist’s target is a military or other secure government facility, the ‘first’ first responders will almost certainly be civilians.”
That finding is echoed in a White House report issued in February that assesses the federal government’s response to Hurricane Katrina.
“Emergency plans at all levels of government, from small-town plans to the 600-page National Response Plan —the federal government’s plan to coordinate all its departments and agencies and integrate them with state, local and private sector partners—were put to the ultimate test and came up short,” states the report, titled The Federal Response to Hurricane Katrina: Lessons Learned.
Other studies, including those sponsored by the U.S. Senate and the House of Representatives, have reached similar conclusions. Those findings are cause for deep concern, especially if Hurricane Katrina, as destructive as it was, proves to be just a warm-up for even greater disasters to come.
Katrina left the Gulf Coast reeling, killing more than 1,300 people, destroying some 300,000 homes, wiping out businesses throughout the region and causing at least $100 billion in damage.
But a calamity of another type could be even worse. The Bush administration’s plan for responding to an avian flu pandemic estimates that a third of the U.S. population of some 300 million people could become infected if the virus jumps to the human population in a form that can be easily transmitted from person to person. The report, released in May, also projects that some 2 million people could die from the virus in the United States, that 40 percent of the work force might be absent during the height of the outbreak, and that some $600 billion in income could be lost.
“The implications are profound,” says Suzanne E. Spaulding of Washington, D.C., a past chair of the ABA Standing Committee on Law and National Security. “It will be like Katrina, except it will be everywhere at once.” The possibility of future terrorist attacks, especially involving some form of biological or nuclear weapon, also is cause for concern.
One illustration of how an avian flu outbreak could affect infrastructure was provided in January when a simulation was conducted by Booz Allen Hamilton Inc., a management consulting firm in McLean, Va., during the annual meeting of the World Economic Forum.
Participants in the exercise concluded that, under a likely scenario, companies would have to shut down nonessential operations, secure critical data and files, and protect assets. Meanwhile, the telecommunications infrastructure would be strained to its limits, perhaps even causing the Internet to overload and shut down. Government and business would need to coordinate the use of communications facilities. Government also might have to take responsibility for the final steps in delivering food and other necessities, and perhaps even take control of critical elements of the infrastructure.
“The economic, health and social consequences of an influenza pandemic could be devastating if effective and coordinated preparedness activities and timely response actions are not undertaken,” states a Booz Allen report summarizing the exercise. “Governments and businesses will face tough, practical, moral and ethical decisions as they enter a world where not all sections of society are equal, where infrastructure is debilitated, and where irresponsible behavior may emerge as a consequence.”
Lawyers working on these issues in the private sector welcome the growing recognition that the business community should have a role in responding to disasters, but they say that acknowledging a role for the private sector is only a first step.
“Ten years we’ve been talking about this,” says Lee M. Zeichner, a lawyer in Falls Church, Va., who runs a risk assessment company. “The private sector, after Katrina, is once again arguing they should be part of the first-responder community. Under the law, the private sector is not legally—and from an operational standpoint not treated as—part of the first-responder community. As a result, you have problems.”
Zeichner was a member of the ABA Task Force on Hurricane Katrina subcommittee that prepared a report assessing whether federal, state and local laws and regulations are sufficient to deal with a disaster of Katrina’s scope.
The report, issued in February, concludes that, overall, “The devastation wrought by Hurricane Katrina did not occur because laws were inadequate. Lack of adequate training and readiness, failure of various entities to ensure communications and coordination, delay from inaction, and breakdown of leadership all contributed.”
(The report, which has not been adopted by the ABA House of Delegates as a statement of formal association policy, is available online.)
While the overriding issue addressed in the subcommittee report is at what stage the government response to a disaster should become primarily federal rather than state or local, one chapter —written by Zeichner—analyzes the extent to which the private sector has been integrated into the disaster response network.
“The nation’s response to Hurricane Katrina reinforces what many in industry have known since Hurricane Andrew,” which struck Florida in 1992, writes Zeichner in the report. “Our legal framework for disaster response does not sufficiently account for private sector contributions or critical infrastructure services.”
THE MISSING LINK
The key measures, the ones that provide the basis for the government’s current disaster response system, are of relatively recent vintage. (Other federal laws dealing with disasters go back to 1950, when Congress passed the Civil Defense Act and the Defense Production Act to give the government sweeping authority to respond to national emergencies during the Cold War.)
The key element in the current legal framework is the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. § 5121 et seq., passed by Congress in 1988 and amended several times since. The Stafford Act authorizes the president to issue major disaster declarations that allow federal agencies to provide assistance to states in the wake of disasters. That assistance may be directed to state and local government, certain nonprofit organizations, and individuals and families.
Federal assistance under the Stafford Act is administered primarily by the Federal Emergency Management Agency within the guidelines of the National Response Plan. Since 2002, FEMA has been part of the Department of Homeland Security.
An important gap in that system, writes Zeichner in the subcommittee report for the ABA’s Hurricane Katrina Task Force, is that “both the Stafford Act and the NRP treat the private sector as a voluntary partner, as opposed to an integral stakeholder with specific roles and responsibility, requiring assistance in priority restoration treatment, and providing special liability protections during catastrophic incident response.” Moreover, the legal authority of the Homeland Security Act is “still inadequate to ensure effective public-private coordination and cooperation,” he writes.
While many private enterprises committed significant effort and resources to recovery efforts, Zeichner writes, “the National Response Plan (NRP)—and, more importantly, the legal authorities that support execution of the plan, such as the Stafford Act—neither fully permitted nor effectively encouraged and facilitated private sector involvement prior to, during or after the storm ravaged the Gulf.”
At the very least, said Zeichner in a follow-up interview, certain elements of the private sector, such as utility and transportation companies, should be privy to government disaster plans because so often they are among the first to respond when a disaster strikes. It also makes sense to give key members of these companies the same access credentials as other first responders, he says. After Katrina, he notes, employees of private companies seeking to do repair work often were stopped at roadblocks because they lacked the proper credentials to enter devastated areas.
John A. McCarthy, another member of the ABA’s Katrina task force subcommittee, agrees that some legislative retooling is probably in order, going all the way back to the Cold War disaster response laws.
“We need to rethink our basic authorities,” says McCarthy, director of the Critical Infrastructure Protection Program at George Mason University School of Law in Fairfax, Va. “It doesn’t mean we necessarily have to rewrite them. But we have to update them in the context of newer and broader technologies.”
Without stronger legal authority for including private companies in disaster response efforts, McCarthy says, cooperation can be tenuous, sometimes even relying on the strength of personal commitments.
“Think of the logistical capabilities of a company like FedEx,” McCarthy says. “They rival the military. How do we work with an organization like that in a time of disaster? They are there and are willing to help. But a lot of it is ad hoc. We should move beyond the trusted individual, no matter who the CEO is. There has to be a good process in place for the CEO and the government to link up.”
The reach of the Stafford Act also should be reconsidered, McCarthy says.
“The threats and scale and scope of disasters have changed, so we need to think who we need to include in that,” he says. “Can you extend this to an Internet provider? We know we can buy water and mattresses. Can you buy Internet time? Who sets priorities on who gets fixed first? Who does that during a technological event?”
McCarthy urges that some form of economic recovery assessment process be incorporated into the disaster response structure. “There is no comprehensive program that is run out of FEMA or DHS that looks at economic impact as well as the restoration of the infrastructure.” He also calls for more attention to be given to security issues for private companies after disasters.
The new national infrastructure protection plan, released on June 30 by the Department of Homeland Security, appears to recognize some of these concerns.
As described by DHS, the plan will provide a coordinated approach between government at various levels and the private sector to identify threats to the nation’s infrastructure and steps necessary to protect it.
“The NIPP is the path forward on building and enhancing protective measures for the critical infrastructure assets and cybersystems that sustain commerce and communities throughout the United States,” said George Foresman, DHS undersecretary for preparedness. “The NIPP formalizes and strengthens existing critical infrastructure partnerships and creates the baseline for how the public and private sectors will work together to build a safer, more secure and resilient America.”
Others say practicalities must be taken into account when evaluating how closely government and the private sector can work in disaster recovery efforts. A key question is how much more access private companies should have to government relief funds beyond such programs as loans from the Small Business Administration.
At some point, the cost of helping the private sector with public funds may become too prohibitive, says Joe Whitley, the Department of Homeland Security’s first general counsel and now a partner at Alston & Bird in Washington, D.C.
“There is a lot of demand for that money in lots of places,” Whitley says. “I think it’s incumbent upon business to develop as much as they can to protect their infrastructure with corporate money and not expect they will be bailed out with provisions of the Stafford Act or any legislation.”
Another unresolved financial issue is the amount of government reimbursement that companies should receive for supplies and services at a time when the normal procurement process is up for grabs, says George Koenig, who served as counsel to the general counsel for the Department of Homeland Security during the immediate aftermath of Hurricane Katrina. He now is counsel in the legislative and public policy group at Alston & Bird’s Washington, D.C., office.
“There was an interesting issue down there as to what you could spend money on,” Koenig says, particularly when it came to paying for security at a vital plant or refinery. “Whether or not you could use federal funds—that was an issue above my pay grade.”
Marcia G. Madsen, who co-chairs the Homeland Security Committee in the ABA Section of Public Contract Law, agrees that purchasing procedures in a disaster setting are a bit uncertain.
“There’s probably some disagreement on how the Stafford Act should be interpreted,” says Madsen, a partner at Mayer, Brown, Rowe & Maw in Washington, D.C. “The federal government bought huge amounts of products, from ice to body bags. They bought trailers, food, ice. Everything. The government spent billions of dollars on relief supplies.”
Recently, there have been growing concerns that funds were misspent, but Madsen says, “Two days after a natural disaster you need to get things to people. Yes, you could contract with local people, but you’ve got to be confident they can deliver immediately.”
While there have been complaints that the government should have sought more competitive bidding for disaster relief supplies and equipment, Madsen says, “There are statutory provisions that allow competition to be avoided if the circumstances are justified.” She notes that the General Services Administration maintains a catalog of 17,000 contractors with prearranged pricing and contracts.
Two bills addressing spending issues are pending in the House of Representatives: the Restoring Emergency Services to Protect Our Nation from Disasters Act, which would give FEMA Cabinet status as a separate department with coordinating responsibility for most disaster preparedness and response efforts by the federal government; and the National Emergency Management Reform and Enhancement Act, which would make FEMA part of a new Department of Homeland Security entity called the Directorate of Emergency Management.
TIME FOR CREATIVE THINKING
Ahile there is growing consensus after hurricane Katrina that effective disaster response will require closer cooperation between government and the private sector, accomplishing that goal likely will require some rethinking about the relationship between private enterprise and government, say experts in the field.
Whitley says businesses participating in disaster response efforts will have to be more flexible about sharing information with government partners. While some in the field maintain that government bodies need to share more information with companies regarding disaster response, there may be some reluctance when companies are asked to do the same, he says.
“We’re calling for a higher degree of sharing of information between the private sector and the government—critical information,” says Whitley. “A lot of what is in the Homeland Security Act calls for a voluntary sharing of information with government. That process of sharing is foreign to most corporations and businesses.”
But information protection is an issue that concerns many in the private sector. Those concerns are acknowledged in the newly released National Infrastructure Protection Plan, which calls for the private sector to share more security information with government entities.
Companies should receive some guarantee that the government will not disclose to the general public (under a Freedom of Information Act request) security measures the banks and financial institutions have taken, says Brian Tishuk, executive director of ChicagoFirst, a nonprofit association representing Chicago’s financial sector in developing cooperative disaster response arrangements with the city government. Tishuk formerly worked as deputy director of the U.S. Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy.
“FOIA can be an issue if the Department of Homeland Security starts implementing its infrastructure protection plan,” Tishuk says. “If they want information, then there may be some issues. We’ve had no problem, but it’s always an issue that’s been out there. It’s just a matter of what you submit. It could be your vulnerabilities, what you’ve done to address them, what your security measures are, what your business continuity plan is. I’m not saying it is a problem. But it could become an issue if that information was requested for some reason.”
At the same time, however, ChicagoFirst has gained more access for the Chicago financial community to the city government’s disaster planning operations, according to Tishuk. The group has access to the city’s emergency operations center, and it conducts ongoing discussions with city officials on such issues as evacuation plans.
Tishuk says this arrangement enables him to provide his private sector clients with prompt, accurate information about disaster planning and recovery efforts.
Now ChicagoFirst is seeking to develop similar relationships with utility, communication and transportation companies, says Tishuk.
The private sector also is showing more interest in developing partnerships with government bodies on a regional basis, according to Demetria Giannisis, president of Great Lakes Partnership Ltd. in Chicago. The organization is seeking to develop regional partnerships between government bodies and the private sector in eight states in the upper Midwest.
“I’m a big proponent of regional disaster planning,” says Stephen C. King, a member of the Emergency Response and Homeland Security Group at Hunton & Williams in New York City. “Instead of local governments coming up with something on their own, corporations band together. Disasters don’t just happen to one firm. It can save you money in the long run.”
Koenig of Alston & Bird says more companies should take disaster preparedness into their own hands.
The New York Stock Exchange, for instance, requires publicly traded companies to have a backup plan in place in the event of an emergency. At the very least, says Koenig, companies are expected to have redundancy in their information technology systems in case their computer systems crash.
It’s an example other companies should follow, Koenig says. “A private corporation doesn’t have to abide by that, but it’s good business,” he says.
Another important step for companies to take is to conduct vulnerability assessments. “That could be a chemical plant, a security plant, a nuclear power plant, a pharmaceutical plant,” notes Koenig. “What are you doing on physical security? What are you doing to prepare for pandemic flu? Some people really get it, some don’t.”
Bill Thoet, vice president at consultant Booz Allen, concurs. “Some businesses have no margin in terms of operation,” he says. “A lot of small businesses disappeared after 9/11 because they were so dependent upon an infrastructure that they thought would be there.”
All aspects of disaster preparedness and response raise delicate legal issues, says King. Some of those issues include security arrangements, credential issues so key people can reach areas where they are needed, contingency contracting to assure that necessary supplies and equipment will be provided, confidentiality issues, and environmental issues.
“You definitely want the lawyers sitting next to the planners when it comes to emergency planning,” King says.
Another key role for lawyers, says King, is information management during a crisis. “Lawyers are usually critical to managing information as it comes in,” he says. “During the course of a disaster, faxes are coming in. You need to track who does what, when. All of that will be critical after the fact, whether you are applying for [government] funds or insurance.”
For companies, King says, the most important quality in responding to a disaster may be resiliency. “After 9/11, you heard a lot of talk about preventing disasters,” he says. “But the fact of the matter is, you can only protect so much. The real issue is how can you take a hit and bounce back without losing continuity of operations.”
The larger issue for both the private sector and government is credibility, suggests Zeichner. “It goes to the issue of public trust and confidence,” he says. “If you turned a light switch on and it didn’t go on, if that happened on a regular basis, you would consider whether you had confidence in the supply of electricity. You recalibrate your expectations.
“People are still trying to figure out what is this critical infrastructure and how do we prioritize it,” he says. “It’s a difficult area. We’re just beginning to lay a new foundation about how we think about disasters and the private sector response.”
Siobhan Morrissey is a lawyer and freelance writer in Miami.
Siobhan Morrissey is a lawyer and freelance writer in Miami.