How can companies protect data?

The following question was asked by a company official: We often provide sensitive business information to government agencies as part of the proposals submitted under various solicitations. Standard solicitation provisions state that the information will be treated as confidential, and in this context we always have trusted the government to ensure that the information is protected properly from disclosure to others. However, we sometimes are asked to provide information in other contexts, such as when an agency is surveying the general market. How can we ensure that information provided in such circumstances is protected as well?

Under federal law, agencies are required to release information to the general public in many circumstances. Often, the information may include material that has been submitted by private parties. Whether information provided by a private party may be released publicly depends upon the application of several different laws. However, as discussed below, there are ways that a company can minimize the likelihood that its information will be disclosed.

By far the most important of the applicable laws is the Freedom of Information Act (FOIA), 5 U.S.C. 552. The purpose of FOIA is to make information available to the public. "Disclosure, not secrecy, is the dominant objective of the Act." Department of the Air Force v. Rose, 425 U.S. 352, 361 (1976).

Under the act, agencies must release requested records unless the records are covered by one of the specific exemptions set forth in the law. Furthermore, even if the records fall within a FOIA exemption, an agency in its discretion may disclose the records anyway. See, e.g., Chrysler Corp. v. Brown, 441 U.S. 281 (1979).

However, under Executive Order No. 12,600, agencies are supposed to provide advance notice to the submitter before releasing information received from outside the government. Furthermore, a submitter of information may challenge an agency's decision to release the information if it can show that the agency's exercise of discretion is arbitrary, capricious, an abuse of discretion or otherwise not in accordance with law. See Chrysler Corp. at 293. Such actions, which are pursued under the Administrative Procedures Act, are known as "reverse-FOIA" suits.

For those submitting information to the federal government, the most important FOIA exemption is No. 4, which says "trade secrets and commercial or financial information obtained from a person and privileged or confidential" are exempt from release. This exemption covers several types of information.

First, exemption No. 4 covers information that is properly considered a trade secret. Under FOIA, a "trade secret" is defined narrowly as "a secret, commercially valuable plan, formula, process or device that is used for the making, preparing, compounding or processing of trade commodities and that can be said to be the end product of either innovation or substantial effort." Public Citizen Health Research Group v. Food and Drug Administration, 704 F.2d 1280, 1288 (D.C. Cir. 1983).

No. 4 also covers information that is commercial or financial under certain conditions. In this context, the terms "commercial" and "financial" are given their ordinary, common meanings. See Public Citizen at 1290.

Whether the information is privileged or confidential is a more complicated question. In general, the issue of privilege is derived from the rules of discovery. If a document would be privileged from release in litigation because of the attorney-client communication, attorney work product or other recognized discovery privilege, it would be considered "privileged" under FOIA exemption No. 4 as well.

The issue of confidentiality is more involved and subject to more variation in interpretation by the courts.

When information is submitted to the government under compulsion, most courts would consider it confidential "if disclosure of the information is likely to have either of the following effects: (1) to impair the government's ability to obtain the necessary information in the future; or (2) to cause substantial harm to the competitive position of the person from whom the information was obtained." National Parks & Conservation Association v. Morton, 498 F.2d 765, 770 (D.C. Cir. 1974).

On the other hand, when information is submitted voluntarily, many courts would consider it confidential if the submitter can show that it does not customarily release that information to the public.

Obviously, this is a much lower standard for the submitter. However, the law in this area still is developing.

Based upon the current law in this area, anyone submitting sensitive information to the government should endeavor to obtain an express recognition from the recipient that the information is covered by FOIA exemption No. 4 and that it is being submitted voluntarily, where applicable, before the information is provided. Furthermore, the submitter should mark each page with a legend stating that the information therein constitutes trade secrets and commercial or financial information that is privileged or confidential.

Obtaining an advance commitment from the government to protect the information and marking each page with an appropriate legend are the most effective ways to protect information from disclosure outside the government.


Peckinpaugh is a member of the government contracts section of the law firm of Winston & Strawn, Washington, D.C. You can contact him at [email protected] This column also can be found on FCW's Web page at


  • Government Innovation Awards
    Government Innovation Awards -

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected