Three Things to Consider When Sharing Confidential or Proprietary Information with State and Municipal Governments

April.05.2022

Many companies find themselves in the position of voluntarily sharing some of their most sensitive data and other confidential information with state and local governments. For example, this type of information-sharing may occur in the pursuit of a public-private partnership, or in the course of soliciting business from a government agency. The type of information shared runs the gamut from highly sensitive trade secrets to proprietary methods of doing business and may include employee names, addresses, and telephone numbers as well as confidential financial information.

In many instances, the business personnel assigned to a particular project may simply assume that marking the documents as “Confidential” or “Exempt from the FOIA or Public Records Disclosure” or with some other similar label means just that: the records will invariably remain confidential and forever exempt from disclosure by the state or municipal agency that possess them. As we discuss below, however, this is a misconception that can leave companies vulnerable to public disclosure of their proprietary information.

1. State Freedom of Information Act (FOIA)/Public Records Act (PRA) Requests Have Increased and Been Weaponized by Litigants

Over the last decade, the number of FOIA and PRA requests submitted to state and local governments has increased exponentially. For example, the city of Lakewood, WA – a small municipality of just 60,000 residents – has reported receiving 1,200 FOIA/PRA requests in 2018 alone, and over 2,500 more since then. This is by no means an outlier.

While many FOIA/PRA requests are made by concerned citizens who seek information about a discrete matter of interest, others are not. A growing number of requestors seek access to a much wider array of information in the government’s possession, including public-private contracts, bid data, and other information that a company may deem sensitive or proprietary. And a claim of confidentiality or “trade secret” alone may not exempt the record from governmental disclosure.

Problematically, more sophisticated record requesters are using state FOIA/PRA laws to troll for data to support lawyer-driven class action lawsuits and to probe for sensitive data provided by competitors. In the past, it was generally difficult to know of the existence of these types of records because they were sensitive and therefore not “advertised.” But a more recent trend, and one that we expect will only continue to grow, is for state and local governments to provide public-facing indices of documents in their possession and routinely post pending government actions on their websites and social media. These new processes make it easier for requestors with whatever motives to identify records they want to pursue.

2. Know the FOIA/PRA Rules of the Road

Every company doing business in the United States knows that differences in state and local regulation are as varied as state and local governments themselves. This is no less true when it comes to FOIA/PRA laws.

Using the “trade secrets” exemption as an example, most states follow the Uniform Trade Secrets Act to determine whether certain information is, in fact, a trade secret. And while most state laws exempt trade secret information from a FOIA/PRA request in one form or another, most courts have interpreted the trade secret FOIA/PRA exemption quite narrowly. One such statute explains why this is (see Revised Code of Washington, 42.56.030):

Construction.

The people of this state do not yield their sovereignty to the agencies that serve them. The people, in delegating authority, do not give their public servants the right to decide what is good for the people to know and what is not good for them to know. The people insist on remaining informed so that they may maintain control over the instruments that they have created. This chapter shall be liberally construed and its exemptions narrowly construed to promote this public policy and to assure that the public interest will be fully protected. In the event of conflict between the provisions of this chapter and any other act, the provisions of this chapter shall govern.

For these reasons, labeling a document “Confidential” or “Exempt from the FOIA or Public Records Disclosure” alone will be generally insufficient to prevent disclosure unless the records fall within a recognized FOIA/PRA exemption. The government official charged with analyzing a FOIA/PRA request, and the court that may be called to assess whether the government official’s decision was correct, will generally look beyond labels and decide “ties” in favor of disclosure. This is especially true in those states where erroneously withholding information, even in good faith, means the requester may recover attorney’s fees and a per page penalty from the governmental entity.

3. Enhanced Business Practices and Disclosures

While labels alone will often not suffice to block disclosure in response to a FOIA/PRA request, there are some things companies can do to protect their most sensitive information. We encourage companies to consider this list in light of the particular local and state laws that govern records requests, as a tailored approach may be needed in different jurisdictions.

  1. Know the local law. In advance of entering into an information sharing agreement with a state or local government, have a general sense of what FOIA/PRA exemptions may apply to the information you intend to share. Most state statutes provide an exhaustive list of what kinds of information are exempt from FOIA/PRA laws, and many state Attorney General’s offices post FOIA/PRA information so that they can be readily reviewed by the public.

  2. Segregate records. In agreements with state and local governments, strive to include language that requires non-sensitive information subject to disclosure be kept separate from highly sensitive data that is potentially exempt.Definitions of “confidential” information under such agreements should also be tailored (to the extent possible) to describe the specific types of information that the company expects to not be disclosed and to make clear that the company is providing that information to the government conditioned on that shared understanding of what qualifies for exemption from disclosure.A “kitchen sink approach,” by contrast, can weaken protection for truly sensitive information rather than strengthening protection for non-sensitive information.

  3. Consider alternatives to providing or generating documents. To the extent information is being collected by the government entity and then reported out to the company as part of an agreement, explore a portal or some other mechanism where the information is aggregated and analyzed outside of the government agency. In most cases, if the government doesn’t have possession of the information, they need not provide it in response to a FOIA/PRA request.

  4. Define permissible uses. Consider expressly limiting what the government entity may do with sensitive information under the agreement. For example, if entering into a public-private partnership where the government agency is gathering information to be shared, consider whether the agency should be prohibited from analyzing the data itself, generating any of its own reports, or making recommendations about action in light of that data. To the extent they must do so, address in the agreement the possibility of a right to review and redact any underlying sensitive information.

  5. Excise non-essential but potentially sensitive information. Limit the provision of non-sensitive information and communications that clearly will not be exempt from disclosure. Non-exempt comments in email messages accompanying agreements, non-essential employee addresses and telephone numbers, and other seemingly innocuous items may be provided in response to a FOIA/PRA request even if more sensitive information is not – so it’s best to excise those types of items before providing records to the government unless they are necessary to the purpose of the information sharing.

  6. Require notice of FOIA/PRA requests and an opportunity to respond. Finally, when entering into an agreement to share sensitive information, consider a clause in the agreement that requires the government agency to provide the company with advance “third-party” notification if the information is the subject of a FOIA/PRA request. Similarly, consider a clause that the government agency shall be required to provide the company with the maximum possible time allowed under the state’s FOIA/PRA laws in order to facilitate further administrative or judicial review of the government’s decision to release the information.

Through these and other thoughtful practices, companies can better balance their interest in information-sharing with governmental partners and clients with protection of sensitive information about their business and their employees.