Back in October, I wondered whether companies would be able to claim they had chosen not to participate in CISA’s voluntary data sharing in their transparency reports. While CISA prohibits the involuntary disclosure of such participation, I don’t know that anything prohibits the voluntary disclosure, particularly of non-participation.
A related question is playing out right now over a shareholder resolution filed by Arjuna Capital asking AT&T to reveal its voluntary sharing with law enforcement and intelligence agencies.
The resolution asks only for a report on sharing that is not legally mandated, and exempts any information that is legally protected.
Resolved, shareholders request that the Company issue a report, at reasonable
expense and excluding proprietary or legally protected information, clarifying the
Company’s policies regarding providing information to law enforcement and
intelligence agencies, domestically and internationally, above and beyond what is legally required by court order or other legally mandated process, whether and how
the policies have changed since 2013, and assessing risks to the Company’s finances
and operations arising from current and past policies and practices.
AT&T has asked the SEC for permission to ignore this resolution based, in part, on the claim that its voluntary cooperation would be a state secret that requires AT&T to effectively Glomar its own shareholders.
The Sidley Austin opinion cites the Espionage Act for its claim that this information is a state secret. It also pretends this is all about the NSA, when FBI and DEA play a critical role in some of the surveillance AT&T is believed to willingly participate in.
The resolution doesn’t seem to include any question specifically addressing OmniCISA participation, though it was written before final passage of OmniCISA last month.
The response from AT&T raises interesting questions about whether a telecom (or other electronic communications service provider) can be obligated for voluntary activity.