MISSISSIPPI BAR CONVENTION Coral C, Sandestin Hilton Sandestin, FL Government Law Section CLE Meeting July 12, 2018

Hot Topics & Recent Developments Impacting State and Local Government: Partisan Gerrymandering, Social Media Policies, Public Procurement, Cybersecurity Best Practices, and Disaster Preparedness

Benjamin E. Griffith* Griffith Law Firm P.O. Box 2248 Suite 1023, 2086 Old Taylor Road Oxford, MS 38655 662.402.3133 [email protected]


I. Partisan Gerrymandering

“It is a core principle of our republican form of government ‘that voters should choose their representatives, not the other way around.’ ” Justice Debra McCloskey Todd, League of Women Voters of Pennsylvania v. Commonwealth of Pennsylvania (Pa. Feb. 7, 2018), quoting Arizona State Legislature v. Arizona Indep. Redistricting Comm'n, 135 S. Ct. 2652, 2677 (2015) (accessible at https://www.brennancenter.org/sites/default/files/legal-work/LWV_v_PA_Majority-Opinion.pdf)

Constitutional challenges to partisan gerrymanders were on the docket of the U.S. Supreme Court this term, and one challenge was in the hands of a state supreme court. Gill v. Whitford and Benisek v. Lamone were argued during the October 2017 term of Court, and decisions in both cases were handed down June 18, 2018, just in time for the Mississippi Bar’s Annual Meeting in Sandestin. Other cases pending before the Court included League of Women Voters v. Rucho, consolidated with Rucho v. Common Cause, both of which were vacated on June 25, 2018 and remanded for further consideration in light of Gill v. Whitford. See http://www.scotusblog.com/case-files/cases/rucho-v-common-cause/. The state supreme court case was League of Women Voters of Pennsylvania v. Commonwealth of Pennsylvania, discussed infra. For a more detailed background analysis of these and other pending partisan gerrymandering cases, see Election Law in the Trump Supreme Court, IMLA Midyear Conference, Washington, D.C. (April 21, 2018) (Benjamin E. Griffith and G. Michael Parsons) (pdf copy provided with this presentation).


Partisan Gerrymandering Decisions Delayed

Decades of partisan gerrymandering have contributed to an unprecedented gridlock and lack of political accountability in our nation’s electoral process. Gill v. Whitford and Benisek v. Lamone initially gave hope that the Court might finally decide the issue of partisan gerrymandering’s constitutionality on the merits, and provide guidance for the electoral process at the federal, state and local levels. Near the end of the term ending in June 2018, the United States Supreme Court delayed decisions on the merits in two partisan gerrymandering challenges originating in Wisconsin and Maryland. Although the Court has struggled for over three decades to develop a judicially manageable standard for deciding such claims, its punt in Gill and Benisek made it clear that a majority of the Court is not ready to address the justiciability and merits of partisan gerrymandering claims. While the Court’s procedural decisions in both cases have, at the very least, moved the ball closer to the goal line, a final resolution of this constitutional issue remains beyond reach for now as the lower courts grapple with the Court’s remand instructions in both cases.

Gill v. Whitford

Chief Justice Roberts wrote the 9-0 opinion for the Court in Gill on June 18, 2018, vacating the Three-Judge District Court’s decision invalidating the Wisconsin legislative redistricting plan as an unconstitutional political gerrymander based on a theory of vote dilution. The Court held that the plaintiffs had not made the requisite showing for Article III standing, and remanded the case to provide the plaintiffs an opportunity to prove concrete and particularized injuries using evidence demonstrating a burden on their individual votes. Gill v. Whitford, 585 U.S.___ (2018), https://www.supremecourt.gov/opinions/17pdf/16-1161_dc8f.pdf

Key issues before the Court in Gill were (1) whether the lower court erred in holding that it had the authority to entertain a statewide challenge to Wisconsin’s redistricting plan, rather than a district-by-district analysis; (2) whether the lower court erroneously held the state’s redistricting plan was an impermissible partisan gerrymander despite complying with traditional redistricting principles; (3) whether the lower court erroneously adopted an incorrect standard for assessing partisan gerrymanders; (4) whether the proponents of the challenged plan should have been allowed to present additional evidence that they would have prevailed under that test; and (5) whether the challengers’ partisan-gerrymandering claims were justiciable. Oral argument provided some measure of insight into the Court’s ultimate ruling on standing. The Court declined to direct the dismissal of the plaintiffs’ claims, noting that in the “usual case” where a plaintiff fails to demonstrate Article III standing it usually directs dismissal of those claims. Chief Justice Roberts reasoned that “This is not the usual case. It concerns an unsettled kind of claim this Court has not agreed upon, the contours and justiciability of which are unresolved. Under the circumstances, and in light of the plaintiffs’ allegations that [specific plaintiffs] live in districts where Democrats like them have been packed or cracked, we decline to direct dismissal.” In her concurring opinion, Justice Kagan characterized the Court’s holding, stating that “a plaintiff asserting a partisan gerrymandering claim based on a theory of vote dilution must prove that she lives in a packed or cracked district in order to establish standing, … and that none of the plaintiffs here have yet made that required showing.”

Benisek v. Lamone

The Court also handed down an unsigned per curiam order that same day in Benisek v. Lamone, 585 U. S. ____ (2018), at https://www.supremecourt.gov/opinions/17pdf/17-333_b97c.pdf. The per curiam order contained no recorded dissents.
The challengers in Benisek had sought to invalidate the partisan gerrymandered 6th Congressional District of Maryland on the ground that the state gerrymandered this district in 2011 in retaliation for the challengers’ support for Republican candidates. They argued in the lower court that even though election officials only had to adjust the district by approximately 11,000 votes to account for the most recent census results, what they created was “more than a 90,000-voter swing in favor of registered Democrats.” When the elections were held under the new 6th Congressional District map in 2012, the incumbent Republican who two years earlier had been re-elected by a margin of nearly 30 percent lost to a Democrat by over 20 percent. In the summer of 2017, the challengers in Benisek sought and were denied a preliminary injunction by the lower court to block state officials from holding congressional elections under the 2011 map. The Supreme Court had before it an appeal by the Benisek challengers from the lower court’s denial of that motion for preliminary injunction. In a per curiam ruling, the Court upheld the lower court’s denial of injunctive relief and remanded to the lower court for further proceedings. While their constitutional challenge to the congressional district can and will go forward in the lower court, Maryland’s 2018 elections, including primaries scheduled for late June 2018, will use the current map. The Supreme Court explained in its per curiam ruling that the lower court’s denial of a preliminary injunction was not an abuse of discretion, reasoning that the challengers had waited six years after the map was adopted to raise their First Amendment retaliation claim, and that granting their request would have been disruptive to the 2018 elections. The Court also noted that the lower court’s order denying injunctive relief had been issued after the Supreme Court announced that it would review Gill v. Whitford, and that the lower court could have believed that it might be better off waiting for guidance from the Supreme Court, rather than “charging ahead.”

Gill v. Whitford has now been vacated and remanded to the Three-Judge District Court in Wisconsin and Benisek v. Lamone is going back to the lower court for further proceedings following the lower court’s denial of injunctive relief. But there is still another partisan gerrymandering case on the Court’s docket that may address partisan gerrymandering: League of Women Voters of Pennsylvania v. Commonwealth of Pennsylvania, discussed infra.


League of Women Voters v. Rucho and Rucho v. Common Cause were partisan gerrymandering challenges to the First and Twelfth Congressional Districts and to North Carolina’s 2016 congressional map. Admittedly drawn by a Republican-dominated legislature to reflect a pro-Republican tilt and give Republicans a large majority, the N.C. map was struck down by the lower court as an unconstitutional partisan gerrymander. The lower court ordered the state legislature to draft and submit a new plan before the end of January 2018, but the U.S. Supreme Court stayed the lower court’s order on January 18, 2018, and the two cases were consolidated. The stay order in Rucho placed the N.C. Republicans’ appeal on hold for several months, presumably waiting for the Court to rule in Gill and Benisek, both of which were remanded on June 18, 2018 for further proceedings, Gill for lack of Article III standing and Benisek because the lower court had not erred when it decided not to require the state to redraw the challenged Maryland Congressional District map in time for the 2018 election.

Political Divide vs. Political Reality

In withholding judgment on the merits of Gill and Benisek, some argue that the Court may well have contributed to the political divide that has our nation in its grip, a divide that will likely be exacerbated once the replacement for retiring Justice Anthony Kennedy is nominated and confirmed. On the other hand, proponents of partisan gerrymandering continue to argue that political reality mandates rejecting any effort to enlist the judiciary in resolving essentially political issues for which politicized federal judges are ill-equipped. The core issue of whether, when and under what judicially manageable standard, if any, the Court can or will decide any of these partisan gerrymandering cases has yet to be resolved, but the machinery is in place to push toward a resolution possibly during the October 2018 term. The ball is in the challengers’ court, and the stakes can potentially be as high as which party ultimately commands even a razor-thin majority in the U.S. House of Representatives.


State Court Challenge Based On State Constitution

In a partisan gerrymandering challenge that has gone the state court route, League of Women Voters of Pennsylvania v. Commonwealth of Pennsylvania, the Pennsylvania Supreme Court on January 22, 2018 held that the state’s 2011 congressional map was unconstitutional and enjoined the map for 2018 elections. The court gave the Pennsylvania General Assembly a February 15 deadline to submit a new congressional plan to the court with the governor's approval, and appointed Stanford Law Professor Nathaniel Persily to advise the court regarding a remedial plan. The legislative defendants’ application for stay of the court's order and emergency application for stay at the U.S. Supreme Court were denied by the Pennsylvania Supreme Court and Justice Alito, respectively. On February 13, the governor rejected the congressional map proposed by Republican legislative leaders since it failed to comply with either the Court’s January 22 order or the state constitution. With the legislature and the governor not agreeing on a map, the Pennsylvania Supreme Court released a new congressional map to be used in the 2018 elections. The court-drawn map is in effect for the 2018 midterm elections.

Course of Proceedings in LWVPA v. Commonwealth of Pennsylvania

It is important to note that this was not a federal-court challenge to a redistricting map based on the federal constitution, but a state-court challenge based on the state constitution. Following the 2010 census, Pennsylvania’s Republican-controlled legislature created the current congressional map in 2011. The original map drawn by the Republican majority was the butt of national jokes based on the strange, sprawling shapes it relied on to create a balance of electoral power tilted toward the Republican Party. While Democratic candidates for the state's 18 House seats tended to win about half of the popular vote statewide, they won just five of the 18 seats in each election held since 2011. The map has been criticized by some experts as one of the most extreme examples of gerrymandering, with bizarrely shaped districts such as the one depicting the 7th Congressional District, aptly nicknamed “Goofy kicking Donald Duck”.

In its 5-2 decision striking down Pennsylvania’s Congressional Redistricting Act as violative of the Pennsylvania Constitution, the Pennsylvania Supreme Court held that Republican legislators unlawfully sought partisan advantage and enjoined its further use in elections for seats in the U.S. House of Representatives. In proceedings to adopt a remedial redistricting plan, the court mandated that any congressional districting plan “shall consist of congressional districts composed of compact and contiguous territory; as nearly equal in population as practicable; and which do not divide any county, city, incorporated town, borough, township, or ward, except where necessary to ensure equality of population.” This decision has been seen by some as boosting Democratic chances of retaking the U.S. House of Representatives. Democrats in Pennsylvania hold five of the state’s 18 congressional districts even though it is an electoral swing state, and a new congressional map could give Democratic candidates as many as half a dozen Republican seats in that state alone, where national polls show voters favoring Democrats in 2018. In light of the U.S. Supreme Court’s rejection of the state’s request for stay, it appears that the Supreme Court has indicated that it will not likely intervene, disturb or delay decisions made by state supreme courts interpreting their own state constitutions to preclude partisan gerrymandering.

In Pennsylvania Supreme Court Justice Debra McCloskey Todd’s 139-page opinion for the court handed down February 7, there are two interesting features to consider. First, the opinion focuses largely on the map’s deviation from traditional redistricting principles, while describing the harm largely in terms of dilution. This, perhaps, leaves room for an even more aggressive interpretation of the state constitutional provisions in future rulings. Second, the reasoning and impact of the opinion are not entirely limited to Pennsylvania. Instead, Todd discusses how dozens of other state constitutions may be interpreted to protect voting rights more robustly than the U.S. Constitution does. Her decision will arm activists in many states with a powerful new tool in the fight against partisan gerrymandering. On June 18, 2018, as noted above, the U.S. Supreme Court deferred a ruling on the merits of whether partisan gerrymandering runs afoul of the First and/or Fourteenth Amendments. But, as Justice Todd explained, the Pennsylvania Supreme Court had no obligation to wait for the U.S. Supreme Court’s decision in Gill v. Whitford or Benisek v. Lamone, because the Pennsylvania Constitution provides rights independent from the U.S. Constitution. Specifically, the state constitution—which actually predates its federal counterpart—declares that all elections “shall be free and equal.”


With the Pennsylvania Supreme Court’s adoption of a remedial map of the state’s congressional districts, the result is a new map that, arguably, more closely reflects the partisan composition of Pennsylvania and adheres to the state constitution’s guarantee that voters would have the ability to participate in “free and equal” elections. This remedial map also introduced several new competitive seats (making it likely that Democrats pick up additional seats in the U.S. House of Representatives in the 2018 elections), provided a map that was more compact than the Republicans’ original map, and split fewer counties and municipalities. Over 1100 miles of district borders were erased along with the images of Goofy and Donald Duck. See https://www.washingtonpost.com/news/wonk/wp/2018/02/19/pennsylvania-supreme-court-draws-a-much-more-competitive-district-map-to-overturn-republican-gerrymander/?utm_term=.1941adab24cc

Following the U.S. Supreme Court’s denial of the Pennsylvania legislative leaders' application for stay, the Pennsylvania Supreme Court closed the case following its final order, and it appeared that the court-drawn map is now in effect for the 2018 midterm elections.

Questions Bedeviling Courts For Over 150 Years

Following the U.S. Supreme Court’s June 18, 2018 vacatur and remand of Gill and Benisek, the Pennsylvania legislative leaders filed a petition for writ of certiorari with the U.S. Supreme Court on June 21, 2018, appealing the Pennsylvania Supreme Court's decision to adopt a remedial map based on the Elections Clause of Article I, §4, cl. 1, of the United States Constitution. The Elections Clause provides that the time, place, and manner rules governing federal congressional elections must be “prescribed” by “the Legislature” of each state. See Turzai v. Brandt, https://www.brennancenter.org/sites/default/files/legal-work/Turzai_v_Brandt_Petition-for-Cert.pdf.

In their cert petition, the Pennsylvania legislative leaders noted that the following questions were of national importance relating to the role of state courts in Congressional Redistricting “that have bedeviled courts for over 150 years”:

1. Whether the Pennsylvania Constitution’s substantive provisions and whatever interpretation Pennsylvania courts afford them, however atextual, can restrict time, place, and manner rules Pennsylvania’s lawmakers have passed to govern congressional elections pursuant to Article I, § 4, cl. 1, of the United States Constitution, known as the “Elections Clause.”

2. Whether the Pennsylvania Supreme Court, which has no lawmaking authority, may, consistent with the Elections Clause, adopt a redistricting plan as a remedy solely for state-law violations and, if so, whether it may, consistent with the Elections Clause, craft redistricting policy wholesale in creating that remedy.

Stay tuned, sports fans.

II. Social Media Policies

Social media may be the new water cooler of the 21st century. Most of the circuits, including the Fifth, have addressed social media issues in the context of public schools, in the form of off-campus speech and the applicability of Tinker. In 2015, the Fifth Circuit en banc held that Tinker applies to off-campus speech in a case involving a rap song posted on Facebook by a student.1 Bell v. Itawamba Cty. Sch. Bd., 799

1 Bell’s rap recording had several instances of threatening, harassing, and intimidating language against the two coaches: ► "betta watch your back/I'm a serve this nigga, like I serve the junkies with some crack"; ►"Run up on T-Bizzle/I'm going to hit you with my rueger";


F.3d 379, 391 (5th Cir. 2015) (en banc), cert. denied, 136 S. Ct. 1166 (2016). The Court reasoned that a speaker’s intent matters when determining whether the off-campus speech being addressed is subject to Tinker. A speaker’s intention that his speech reach the school community, buttressed by his actions in bringing about that consequence, supports applying Tinker’s school-speech standard to such speech.2 Beyond the school context, placing limits on public employees’ freedom of expression under the First Amendment is not a new debate, nor have technological advances reached the point that the internet, Facebook, Twitter, Snapchat, texting and other forms of online communication Yulia A. Timofeeva, Hate Speech Online: Restricted or Protected? Comparison of Regulations in the United States and Germany, 12 J. Transnational L. & Policy 253 (2002-03) (noting that while the concept of the internet as a regulation-free medium is very appealing in principle, “[t]he more technology changes, the more free speech issues remain the same”). It was none other than Justice Oliver Wendell Holmes who opined in 1892 that a government employee “may have a right to talk politics but no constitutional right to be a policeman.” McAuliffe v. City of New Bedford, 155 Mass. 216, 220 (1892). Justice Holmes’ view that the free speech rights of government employees were not significant, or that they did not merit any protection under the First Amendment, was expressed almost a century before the advent of social media and the revolutionary

► "you fucking with the wrong one/going to get a pistol down your mouth/Boww"; and ► "middle fingers up if you want to cap that nigga/middle fingers up/he get no mercy nigga". As noted by the Court, Bell's use of "rueger" [sic] references a firearm manufactured by Sturm, Ruger & Co.; to "cap" someone is slang for "shoot". Id. at 384-85. 2 See Benjamin A. Holden, Tinker Meets the Cyberbully: A Federal Circuit Conflict Round-Up and Proposed New Standard for Off-Campus Speech, 28 Fordham Intell. Prop. Media & Ent. L. J. 233 (2018), accessible at https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1690&context=iplj

transformation of “the way, manner, and audience of public employees’ speech … as it relates to criticism of their employers.”3 Today the view expressed by Justice Holmes that the First Amendment acts as a limit on a public employee’s speech may still find its support in post-Garcetti precedent, particularly if that speech is expressed through social media. Indeed, at the local government level in 2018, interests and rights of government employers can and do clash with First Amendment protections accorded government employees, and in many instances the public employer prevails. Public comments and expressions by public employees often find their way onto a Facebook page or pop up in an online criticism of government officials, policy and conduct, on the heels of which disciplinary action by the public employer and First Amendment retaliation claims often arise. There are several guideposts that help us navigate through this area of the law, centering on whether the public employer’s conduct is actionable or non-actionable under Garcetti.

First Amendment Retaliation Claims

Public employees are not stripped of their right to freedom of expression by virtue of their public employment. The United States Supreme Court has unequivocally rejected the notion that public employees forfeit their right to freedom of speech by virtue of their public employment. Pickering v. Bd. of Ed., 391 U.S. 563, 568, 88 S.Ct. 1731, 20 L.Ed.2d 811 (1968). While this is not an absolute right, a four-prong test is used to analyze whether the speech of a public employee is entitled to constitutional protection.

3 Sabrina Niewialkouski, Is Social Media the New Era’s “Water Cooler”? #NotIfYouAreAGovernmentEmployee (April 6, 2015), (U. Miami L. Rev., forthcoming), accessible at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2589040


In order for a public employee's speech to be entitled to First Amendment protection, a court must engage in a two-step inquiry. See Lane v. Franks, ___ U.S. ___, 134 S.Ct. 2369, 2378, 189 L.Ed.2d 312 (2014).

1. First, the court must determine whether the employee spoke as a citizen on a matter of public concern. Garcetti v. Ceballos, 547 U.S. 410, 418, 126 S.Ct. 1951, 164 L.Ed.2d 689 (2006). If the employee has spoken as a citizen on a matter of public concern, then a First Amendment claim may arise. Id.

2. Second, the court must determine "whether the relevant government entity had an adequate justification for treating the employee differently from any other member of the general public." Id.; see also Lane, 134 S.Ct. at 2380.

If those elements are established, "the burden shifts to defendants to show by a preponderance of the evidence that they would have come to the same conclusion in the absence of the protected conduct." Beattie v. Madison Co. Sch. Dist., 254 F.3d 595, 601 (5th Cir.2001), applying Mt. Healthy City Sch. Dist. Bd. of Educ. v. Doyle, 429 U.S. 274, 285, 97 S.Ct. 568, 50 L.Ed.2d 471 (1977). Lane v. Franks was an effort by the Supreme Court to provide direction for the lower courts in determining whether speech was made as a citizen rather than as a public employee. See Lane, 134 S.Ct. at 2379. The Court in Lane held that a public employee who provided truthful sworn testimony spoke as a citizen. Id. at 2380. Providing sworn testimony was outside of the public employee's ordinary job responsibilities, but the Eleventh Circuit had nonetheless held that the public employee's speech was made pursuant to his official job duties, Id. at 2379, reasoning that under Garcetti, because the information was learned during the course of employment, the speech was that of an employee and not of a citizen. Id.
The Eleventh Circuit’s broad reading of Garcetti was rejected by the Supreme Court: "[t]he critical question under Garcetti is whether the speech at issue is itself ordinarily within the scope of an employee's duties, not whether it merely concerns those duties." Id. (emphasis added).


Public employees who make statements pursuant to their official duties are not speaking as citizens for First Amendment purposes, and their communications are not constitutionally insulated from employer discipline. Garcetti v. Ceballos, 547 U.S. 410, 418, 126 S.Ct. 1951, 1958, 164 L.Ed.2d 689 (2006). This determination is a question of law, even though the court is required to consider factual circumstances to determine whether speech is official. Charles v. Grief, 522 F.3d 508, 513 n. 17 (5th Cir.2008). The black letter law of Garcetti and Lane, however, is easier to recite than to apply depending on the specific facts and circumstances. If an employee is determined to have spoken not in her role as an employee, but as a citizen on a matter of public concern, "the possibility of a First Amendment claim arises." Garcetti, 126 S.Ct. at 1958. The Pickering-Connick balancing test is then applied to determine whether the First Amendment protects the employee's speech, entailing an inquiry into whether the interest of the government employer "in promoting the efficiency of the public services it performs through its employees" outweighs the employee's interests, as a citizen, "in commenting upon matters of public concern." Pickering, 391 U.S. at 568, 88 S.Ct. 1731; Connick, 461 U.S. at 150, 103 S.Ct. 1684. In determining whether a public employee’s interest in protected conduct outweighs his public employer’s interest in the efficiency of its operations, cf. Reyes v. Weslaco Indep. Sch. Dist., 354 Fed.Appx. 904, 906-907 (5th Cir. 
2009), the courts engaging in the Pickering-Connick balancing test must consider:

(1) the degree to which the employee's activity involved a matter of public concern;
(2) the time, place, and manner of the employee's activity;
(3) whether close working relationships are essential to fulfilling the employee's public responsibilities and the potential effect of the employee's activity on those relationships;
(4) whether the employee's activity may be characterized as hostile, abusive, or insubordinate;
(5) whether the activity impairs discipline by superiors or harmony among coworkers.

Brady v. Fort Bend County, 145 F.3d 691, 707 (5th Cir. 1998).

Venting on Facebook: Graziosi v. City of Greenville

These principles were applied in Graziosi v. City of Greenville, 985 F. Supp. 2d 808 (N.D. Miss. 2013), affirmed, 775 F.3d 731 (5th Cir. 2015), where the plaintiff brought a First Amendment retaliation claim against her public employer and chief of the police department alleging that she was wrongly discharged from her position as a sergeant of the police department because of comments she made on Facebook. The plaintiff’s comments on the social media website were not protected under the First Amendment because she was not a public employee engaging in public speech. The plaintiff had served as a police officer for 26 years until her termination. As the district court noted, Facebook claims to enable "fast, easy, and rich communication." However, with fast and easy communication comes the inherent risk of "posting" statements and pictures one would not normally tell or show off to their "friends" and even, sometimes, to the general public. The plaintiff posted a "status update" on Facebook and later posted the following statement on the mayor’s Facebook page that read:

I just found out that Greenville Police Department did not send a representative to the funeral of Pearl Police Officer Mike Walter, who was killed in the line of duty on May 1, 2012. This is totally unacceptable. I don't want to hear about the price of gas-officers would have gladly paid for and driven their own vehicles had we known the city was in such dire straights (sic) as to not to be able to afford a trip to Pearl, Ms., which, by the way, is where our police academy is located. The last I heard was the chief was telling the assistant chief about getting a group of officers to go to the funeral. Dear Mayor, can we please get a leader that understands that a department sends officers of (sic) the funeral of an officer killed in the line of duty? Thank you.

In response to "comments" posted by other members of Facebook when others criticized the police department, the plaintiff posted:

I am amazed everytime I walk into the door. The thing is the chief was discussing sending officers on Wednesday (after he suspended me but before the meeting was over). If he suddenly decided we "couldn't afford the gas" (how absurd — I would be embarrassed as a chief to make that statement) he should have let us know so we could have gone ourselves. Also, you'll be happy to know that I will no longer use restraint when voicing my opinion on things. Ha!

The plaintiff later made an additional post stating "If you don't want to lead, can you just get the hell out of the way" and then commented on her own post "seriously, if you don't want to lead, just go." While the plaintiff argued that her Facebook statements did not address or concern any ongoing internal policy or practice of the police department, the court noted that “it is evident that her post could be construed as an attack on (the police chief), and the other officers who were in charge now compared to the "leaders" of before.” According to the district court, the police chief terminated the plaintiff due to the statements she made on Facebook, met with the city attorney to express his concerns that the Facebook postings were unacceptable, and, while the police chief “did not ask the city attorney in particular about the First Amendment or a written policy in the city's manual,” he did seek the city attorney’s opinion as to termination of the plaintiff.
Further, the police chief instructed two Internal Affairs Division officers to investigate the plaintiff’s Facebook posting, resulting in a written report to the chief outlining the reasons for termination.


The plaintiff was then terminated from her employment for violation of the police department’s Policy and Procedure Manual, including the following specific provisions:

►Rules of Conduct 2.14 subsection 3.2 (Supporting Fellow Employees) (Employees will cooperate, support, and assist each other at every opportunity. Employees will not maliciously criticize the work or manner of performance of another. It is the duty of every officer and employee to refrain from originating or circulating any malicious gossip to the intended detriment of the department or any member thereof);
►Discipline & Accountability (3.8 page 6 of 7 #2(c)) (Chronic complaining about operations to the extent that supervisors must spend an excessive amount of time dealing with problems or issues caused by complaints); and
►Insubordination (3.7) (Any act of defiance, disobedience, dissension or resistance to authority).

The city council upheld the termination, not persuaded by the plaintiff’s argument that she did not act with malice but expressed a difference of opinion with the police chief, that she was only expressing her opinion in her comments to other staff members, and that asking questions is not complaining.

Undertaking the Garcetti analysis, the district court recognized that the task before it was to decide whether the plaintiff’s speech at issue was made primarily in her role as citizen or primarily in her role as a public employee. It was of little significance that the topic of the plaintiff’s speech was one in which the public might or would have had a great interest. Terrell v. Univ. of Texas Sys. Police, 792 F.2d 1360, 1362 (5th Cir.1986) (internal cites omitted); see also Evans v. City of Indianola, Mississippi, 778 F.Supp. 333, 337 (N.D.Miss.1991) (quoting, in part, Terrell, 792 F.2d at 1362). Quoting Gibson v. Kilpatrick, 734 F. 3d 395 (5th Cir. 2013), the district court noted that "[a] test that allows a First Amendment retaliation claim to proceed whenever the government employee can identify a civilian analogue for his speech is about as useful as a mosquito net made of chicken wire: [a]ll official speech, viewed at a sufficient level of abstraction, has a civilian analogue."

The court reasoned that even if the plaintiff had spoken as a citizen on a matter of public concern, the police chief had reason to fire her in order to promote the efficiency of the services of the police department if that interest outweighed (the plaintiff’s) interests as a citizen in commenting upon matters of public concern. "The question becomes whether the relevant government entity had an adequate justification for treating the employee differently from any other member of the general public." Garcetti, at 418, 126 S.Ct. 1951 (internal cite omitted).

[T]he criticism of Chief Cannon had the ability to divide the department, or at least be a disruption to his leadership ability. The ability of a police department to maintain discipline and good working relationships amongst employees is a legitimate governmental interest. … In addition, police departments function as paramilitary organizations charged with maintaining public safety and order, and are given more latitude in their decisions regarding discipline and personnel regulations than an ordinary government employer. The Greenville Police Department's internal decision not to pay the costs associated with paying for fuel to attend a funeral may have been a paramount concern to the citizens, especially those who are supporters of law enforcement, but as a matter of law, (plaintiff’s) venting on Facebook does not enjoy First Amendment protection. Graziosi v. City of Greenville, 985 F. Supp.2d 808 (N.D. Miss. 2013).

The Fifth Circuit affirmed the district court’s decision in Graziosi v. City of Greenville, 775 F. 3d 731 (5th Cir. 2015). The Fifth Circuit concluded that the plaintiff’s statements on Facebook were not within the ordinary scope of her duties as a police officer, and were speech made as a citizen. See Lane, 134 S.Ct. at 2378.
Turning to whether the plaintiff spoke on a matter of public concern, however, the Fifth Circuit held that the plaintiff’s Facebook posts, which started by addressing subjects that can be "fairly considered as relating to any matter of political, social, or other concern to the community," Connick, 461 U.S. at 146, 103 S.Ct. 1684, “quickly devolved into a rant attacking Chief Cannon's leadership and culminating with the demand that he ‘get the hell out of the way.’” Specifically, the Fifth Circuit held that the plaintiff’s concession that her displeasure with Chief Cannon's decision prompted her to make the Facebook posts underscored its characterization of her statements as a rant. Her speech was thus “akin to an internal grievance, the content of which is not entitled to First Amendment protection.”

Further, the Fifth Circuit held that, weighing the content, form, and context of the plaintiff’s speech together, the speech was not entitled to First Amendment protection. The form of her speech, a public post on the Mayor's Facebook page, weighed in favor of finding that she spoke on a matter of public concern, since that page served as a community bulletin board upon which members of the community could lobby the Mayor to take a particular action or apprise members of the community of events occurring in town or things of general interest. The context, however, weighed against a finding that she spoke on a matter of public concern. Her speech was made within the context of a private employee-employer dispute, which militates against a finding that her speech was public in nature. Her statements were primarily motivated by and primarily addressed her displeasure with Chief Cannon for his perceived lack of leadership concerning an intra-departmental decision.

Finally, the Fifth Circuit agreed with the city’s contention that it justifiably dismissed the plaintiff to prevent insubordination within the department.


Through her statements, (the plaintiff) publicly criticized the decision of her superior officer and requested new leadership. Furthermore, she told leadership to "get the hell out of the way," underscoring that demand by stating, "seriously, if you don't want to lead, just go." Finally, (she) vowed to "no longer use restraint when voicing [her] opinions." These statements coupled with her vow of future and continued unrestrained conduct "smack of insubordination," and Greenville was well within its wide degree of latitude to determine that dismissal was appropriate. … Accordingly, Greenville has articulated a substantial interest in maintaining discipline and close working relationships and preventing insubordination. We hold that Greenville's substantial interests in maintaining discipline and close working relationships and preventing insubordination within the department out-weigh Graziosi's minimal interest in speaking on a matter of public concern. We do so in light of the wide latitude afforded police departments as paramilitary operations to discipline and otherwise regulate its employees. Id. at 740-41.

Importance of Record Evidence: Brown v. Leflore County

In Brown v. Leflore County, 150 F. Supp. 3d 753 (N.D. Miss. 2015), District Judge Debra Brown denied the county’s motion for summary judgment in a First Amendment retaliation case in which the plaintiff, Troy Brown, alleged that he was wrongly discharged from his position as Director of the Greenwood Leflore Emergency Management Agency because of comments he made in two newspaper publications.

The first was a guest column published on February 16, 2014, in the Greenwood Commonwealth entitled, "Sam Abraham has it out for me," in which the plaintiff detailed some of his concerns about Abraham and public safety. Abraham was the Chancery Clerk and County Administrator of the county. In his guest column, the plaintiff discussed his concern that Chancery Clerk and County Administrator Sam Abraham exerted undue influence over the Board and stated that what makes Abraham's influence "a tragedy is that people's lives are at stake." He expanded on this public safety concern, identifying examples of problems purportedly caused by Abraham's influence. The County argued that many of the plaintiff’s examples of Abraham's influence and conduct were overstated or false.

The second came after the Commonwealth published an editorial titled, "Troy Brown brings lots of drama," which was very critical of Brown's guest column. In response, the plaintiff wrote a letter to the Commonwealth's Editor entitled, "This is more than a workplace tiff," published in the Commonwealth on February 23, 2014.

The day after the plaintiff’s letter to the Editor appeared in the Commonwealth, the Board voted to terminate him. In the Executive Session where the Board voted 3-2 to terminate the plaintiff, his recent publications in the Commonwealth were a prominent topic in the pre-vote discussion, although the board’s minutes did not provide a reason for the termination.

The county’s motion for summary judgment set forth the argument that the plaintiff had failed to state a First Amendment retaliation claim, and that his claims were barred under Mt. Healthy. Judge Brown set forth the framework for establishing a prima facie case for First Amendment retaliation, noting that a public employee must show that:
(1) He suffered an adverse employment action;
(2) He spoke as a citizen, rather than pursuant to his official job duties;
(3) He spoke on a matter of public concern;

(4) His interest in the speech outweighed the government's interest in the efficient provision of public services; and
(5) His speech precipitated the adverse employment action.
Hardesty v. Cochran, 621 Fed.Appx. 771, 775-76, 2015 WL 4237656, at *3 (5th Cir. 2015) (citing Wilson v. Tregre, 787 F.3d 322, 325 (5th Cir.2015)).

If the plaintiff establishes a prima facie case, moreover, the defendant may still prevail if it shows by a preponderance of the evidence that it would have come to the same conclusion in the absence of the protected conduct. Mt. Healthy, 429 U.S. at 287, 97 S.Ct. 568. The County contended that the plaintiff had failed to present evidence that could satisfy the second, third, fourth and fifth elements of the prima facie standard, and that summary judgment was appropriate under Mt. Healthy because it would have fired Brown even in the absence of his protected speech.

Rejecting the county’s argument, Judge Brown found that the county had offered no authority or argument suggesting that the publications in the local newspaper about the County Administrator's interference with Brown's office were ordinarily within the scope of the plaintiff’s job duties. The county’s argument that in the publications, the plaintiff had complained about his duties as the Director of GLEMA and submitted his job title in conjunction with his guest column, “was squarely rejected in Lane, which held "the mere fact that a citizen's speech concerns information acquired by virtue of his public employment does not transform that speech into employee — rather than citizen — speech." Lane, 134 S.Ct. at 2379.”

Judge Brown also found that the plaintiff’s speech was made as a citizen and not as a public employee, and rejected the county’s argument that the plaintiff submitted his job title along with the guest column. That claim was not factually supported by the record evidence, since the plaintiff’s sworn testimony that the Commonwealth added his job title to the guest column after he submitted it for publication was not rebutted by the county. In any event, citing oneself as a public employee does not forfeit one's ability to claim First Amendment protections.

Turning to whether the plaintiff’s speech was on a matter of public concern, Judge Brown evaluated the content, form, and context of the plaintiff’s speech and concluded that it was on a matter of public concern, based on Fifth Circuit precedent in mixed speech cases.
1. The content of the speech may be public in nature if releasing it to the public would inform the populace of more than the fact of an employee's employment grievance.
2. Speech on a matter of public concern need not be made to the public, although it may relate to a matter of public concern if it is made against the backdrop of a public debate.
3. Speech cannot be made in furtherance of a personal employer-employee dispute if it is to relate to the public concern.

Judge Brown found that the primary issues addressed in the plaintiff’s guest column — public safety and Abraham's purported undue influence over the Board — were matters that can fairly be considered as relating to a matter of political, social, or other concern to the community, and that the plaintiff’s guest column and letter to the Editor weighed in favor of a finding that the plaintiff spoke primarily on a matter of public concern.

Applying the Pickering balancing test, Judge Brown resolved this test in the plaintiff’s favor, addressing and then rejecting the county’s claim that the plaintiff's speech was potentially insubordinate, potentially detrimental to the working relationships of GLEMA department employees and intradepartmental employees, and had the potential to do further damage if left unaddressed by the Board of Supervisors, and that the plaintiff’s interest in publicly airing his disagreements with Abraham was outweighed by the county's interests in providing efficient public services and promoting an environment of unity amongst county departments. Judge Brown noted that the county did not offer any record evidence to support its claims of disruption, and that “[t]his is fatal to the County's argument because in the absence of such evidence, "there simply is no countervailing state interest to weigh against [Brown's] First Amendment rights."” Grogan, 617 Fed.Appx. at 292. Further, there was considerable record evidence that the plaintiff’s speech did not cause any disruptions. Three board members who voted to fire the plaintiff all testified that the plaintiff's speech did not interfere with the county's operations.

Judge Brown then turned to the quintessentially fact-based causation question and the county’s argument that summary judgment was appropriate because the plaintiff could not show that his termination was motivated by his speech. The applicable causation standard, set forth in Boisseau v. Town of Walls, Miss., 138 F.Supp.3d 792, 797, 2015 WL 5883176, at *4 (N.D.Miss.2015), is that “the plaintiff need only demonstrate that his speech was one factor among others motivating the defendant's conduct, and, if such a showing is made, it falls to the latter to demonstrate that it would have made the same decision even absent retaliation.” The county’s task in seeking summary judgment on the causation issue was a difficult one, since the question of whether an employee’s protected conduct was a substantial or motivating factor in an employer’s decision to take action against the employee is ordinarily a question of fact. Here the county’s task was even more difficult in light of the temporal proximity involved and the county's concession that the plaintiff’s “speech” was known to the Board before Brown was fired.
Close timing between an employee's protected speech and an adverse employment action can be a sufficient basis for a court to find a causal connection required to make out a prima facie case of retaliation. Such temporal proximity between the plaintiff’s speech and his termination established that a genuine issue of material fact existed on causation.

With respect to the Mt. Healthy defense, Judge Brown concluded that the county was not entitled to summary judgment on this defense. The vote to terminate the plaintiff was held in a closed-door session, and only the Board members could provide testimony as to whether the Board would have voted to terminate Brown notwithstanding his protected speech. While the county argued that all supervisors testified that the failure to complete the inventory was the main reason the plaintiff was fired although his work habits, it provided no record evidence in support of these propositions, only unsubstantiated argument.

III. Public Procurement

For as long as many of us can recall, Mississippi’s statutory scheme for public procurement has recognized a substantive difference between agencies and governing authorities. Agencies, as defined by Miss. Code Ann. §31-7-1, include any state board, commission, committee, council, university, or departments thereof. Governing authorities, as defined by Miss. Code Ann. §31-7-1, include county boards of supervisors.

With last year’s enactment of House Bill No. 1106 (Laws of 2017, Regular Session), amending Miss. Code Ann. §31-7-13(1)(c)(i)(2) to authorize reverse auctions as the primary method for purchasing entities to receive bids during the bidding process, that distinction was obliterated, and a few needling questions popped up. These questions were compounded by the enactment of House Bill No. 1109 during that same legislative session, authorizing the Public Procurement Review Board to set policies, review policies, and make certain determinations with respect to purchases made by state agencies. One of those questions was whether this new amendment applies to governing authorities.


In an Official Attorney General Opinion to DeSoto County Board Attorney Anthony E. Nowak, dated June 9, 2017, the Attorney General opined that based on the language contained in the amendment to Miss. Code Ann. §31-7-13(c)(i)(2) and the intent of House Bills 1106 and 1109 (Laws of 2017, Regular Session), the amendment made to that statutory provision applies to governing authorities. The AG Opinion cited and discussed the specific language contained in the amendment to §31-7-13(c)(i)(2), in both House Bill 1106 and House Bill 1109: Reverse auctions shall be the primary method for receiving bids during the bidding process. If a purchasing entity determines that a reverse auction is not in the best interest of the state, then that determination must be approved by the Public Procurement Review Board. The purchasing entity shall submit a detailed explanation of why a reverse auction would not be in the best interest of the state and an alternative process to be approved by the Public Procurement Review Board. If the Public Procurement Review Board authorizes the purchasing entity to solicit bids with a method other than reverse auction, then the purchasing entity may designate the other methods by which the bids will be received, including, but not limited to, bids sealed in an envelope, bids received electronically in a secure system, bids received via a reverse auction, or bids received by any other method that promotes open competition and has been approved by the Office of Purchasing and Travel. However, reverse auction shall not be used for any public contract for design or construction of public facilities, including buildings, roads and bridges. The Public Procurement Review Board must approve any contract entered into by alternative process. The provisions of this item 2 shall not apply to the individual state institutions of higher learning. 
In the AG Opinion’s discussion of the legislative history, legislative intent, and the common and ordinary meaning of the new statutory term “purchasing entity,” the following points were made, leading to the conclusion that this amendment applies to governing authorities:
(1) Historically, purchases made by governing authorities have not been subject to review and/or approval by the Public Procurement Review Board (“PPRB”). [footnote 2: Pursuant to Section 27-104-7, the Public Procurement Review Board approves purchasing regulations that govern purchases made by state agencies.]
(2) The language contained in the amendment to Section 31-7-13(c)(i)(2) specifically provides that in the event that a “purchasing entity” determines that a reverse auction is not in the best interest of the state, such determination must be approved by the PPRB.
(3) There is no corresponding definition of “purchasing entity” in Section 31-7-1, which is the statutory provision that contains the definitions applicable to the public purchasing statutes found at Sections 31-7-1 et seq. [footnote 3: The term “purchasing entity” is not a newly-created term contained in the provisions of Section 31-7-13. In fact, Section 31-7-13(c)(i)(2) itself contained the language “purchasing entity” prior to the amendment made by House Bills 1106 and 1109. Clearly, Section 31-7-13(c)(i)(2), prior to the 2017 amendment, applied to any entity making a purchase in accordance with the provisions of Section 31-7-13, as Section 31-7-13(c)(i)(2) provided the method by which bids are to be received. We see no reason why the amendment to Section 31-7-13(c)(i)(2) would not apply in the same manner.]
(4) As a result, we must rely on the common and ordinary meaning of the term. Section 1-3-65 of the Mississippi Code Annotated provides that “[a]ll words and phrases contained in the statutes are used according to their common and ordinary acceptation and meaning; but technical words and phrases according to their technical meaning.”
(5) While we did not find the term “purchasing entity,” we believe the term “purchaser” has the same connotation.
The term “purchaser” is defined in Black's Law Dictionary, Fifth Edition as “[o]ne who acquires either real or personal property buying it for a price in money; a buyer; vendee” and “[o]ne who has contracted to purchase property or goods.”
(6) Without question, the term “purchasing entity” is much broader than “state agency” or “governing authority.”
(7) We believe that the use of the term “purchasing entity” applies to any entity that is subject to the provisions of Section 31-7-13 that is making a purchase.
(8) In our opinion, had the Legislature intended to limit the requirement of PPRB approval to only determinations made by state agencies, it would have done so by using the term “agency” and not “purchasing entity.”
(9) Furthermore, the nature of the amendments made by the passage of House Bills 1106 and 1109 indicates that the Legislature intended on reforming the procurement laws to put safeguards in place to prevent corruption and encourage accountability and transparency.

The AG Opinion concluded that based on the language contained in the amendment to Section 31-7-13(c)(i)(2) and the intent of House Bills 1106 and 1109, the amendment made by House Bills 1106 and 1109 to Section 31-7-1(c)(i)(2) applies to governing authorities. Mr. Nowak made a valiant and well-supported effort to seek reconsideration of this AG Opinion, but reconsideration was declined on October 13, 2017.

Shortly before reconsideration of the Nowak AG Opinion was declined, the Chair of the House Ways and Means Committee, Jeffrey C. Smith, sought re-examination of the AG’s Opinion on House Bill 1106. In response, the Attorney General’s Office, in an Official Opinion dated September 29, 2017, 2017 WL 4790878 (Miss.A.G.), Opinion No. 2017-00279, reiterated and held fast to its opinion that the provisions of Section 31-7-13 are in no way ambiguous and that such provisions plainly apply to state agencies and governing authorities. The September 29, 2017 AG Opinion further stated:

“Section 31-7-1(c)(i)(2) clearly applies to all “purchasing entities.” As we have previously opined, we believe that the use of the term “purchasing entity” was intended to capture any entity that is subject to the provisions of Section 31-7-13 that is purporting to make a purchase. MS AG Op., Nowak (June 9, 2017). Had the Legislature intended to limit the requirement of PPRB approval to only determinations made by state agencies, it could have done so by using the term “agency” and not “purchasing entity” or by expressly exempting governing authorities, as it did in the last sentence of Section 31-7-13(c)(i)(2). In the last sentence of Section 31-7-13(c)(i)(2), the Legislature very clearly exempted “individual state institutions of higher learning.” The Supreme Court has held that exemption statutes must be strictly construed against those claiming the exemption, and those claiming the exemption have the burden to establish their right to same. City of Pascagoula v. First Chemical Corp., 388 So.2d 160 (Miss.1980); City of Jackson v. Sly, 343 So.2d 473 (Miss.1977). There is no reference whatsoever to governing authorities in the provision regarding exemptions, and we find no other indication in Section 31-7-13 itself that suggests that the Legislature intended to exempt governing authorities. Although the purpose of subjecting governing authorities to these requirements may be questioned, it is beyond the function of an Official Opinion to re-write the statute.”

In an Official Attorney General’s Opinion to Laura D. Jackson, dated November 9, 2017, the AG’s office opined that “[r]equiring a potential bidder to pay a fee to merely participate in a reverse auction has the potential to not only limit the number of prospective bidders who may desire to participate in the reverse auction, but may also result in an inflated bid to absorb the cost of the fee that would be paid to the auction company. This would be contrary to the intent of the Legislature in seeking the lowest and best bid in a public procurement.” In an Official Attorney General’s Opinion to John Keith Perry, Jr., dated December 1, 2017, the AG’s Office reaffirmed that the above opinion to Laura D. Jackson “remains our opinion whether the charge is a flat rate fee paid by all potential bidders or a percentage based commission paid by the lowest bidder of the public procurement.


Therefore, a percentage based commission may not be charged to the supplier of the winning bid of a reverse auction performed pursuant to Section 31-7-13(c)(i)(2). We also are of the opinion that it cannot be implied from Section 31-7-13(c)(i)(2) that a governing authority has the authority to require a supplier to pay a commission to a third party auction company for providing the winning bid in a public procurement.” In response to your second question, we are unaware of a statute that exempts a county from paying for auctioneer services for reverse auctions required pursuant to Section 31-7-13(c)(i)(2).

In a Mississippi Business Journal article by long-time AP reporter Jeff Amy dated February 12, 2018, entitled “Analysis: Some Governments Revolt Against Purchasing Law,” accessible at http://msbusiness.com/2018/02/analysis-governments-revolt-purchasing-law/, Amy noted that this 2017 reverse auction legislation is a measure that few outside of government have ever heard of, but that it is a new requirement changing how state agencies and local governments make purchases, and it is infamous among county supervisors and others. Amy makes a number of good points, pro and con.

First, under prior law, cities, counties and other local governments have long used the competitive bidding process of taking sealed bids for purchases of supplies, equipment or certain services over $50,000. The new law requires agencies and local governments to use a reverse auction for such purchases.

Second, a reverse auction allows bidders to undercut each other once the original bids are tallied. For example, a company selling dump trucks might see on a computer screen that it is not the lowest bidder to sell five trucks to a particular county, and the company could choose to lower its bid to win the business.

Third, proponents of the reverse auction system say that it is a sure money-saver and, according to one business that runs reverse auctions in this state in exchange for a fee, clients often save 15% or more of the amount they have budgeted. Using this process correctly would be like getting extra money, as in the case of one county supervisor who reported that his county saved $120,000.00 buying eight motorized road graders.

Fourth, many county supervisors are unhappy about being forced into a new method of purchasing, and discussion is already underway on how to get required exemptions from the Public Procurement Review Board or how the Department of Finance and Administration was seeking to add dump trucks and garbage trucks to its state purchasing list, which would mean that cities and counties could buy such equipment without soliciting and taking bids.

Fifth, as Amy reports, the procurement review board has delegated authority to the Department of Finance and Administration to continue approving exemptions for local governments through March 7, 2018.

Sixth, at least one county supervisor has expressed concern that counties might end up overpaying for lower-quality trucks and construction equipment, given the great variety in quality of heavy equipment. A properly written bid specification, however, should ensure that a county gets the equipment it needs while making sure that price and not an existing business relationship determines who gets the business.

2018 Legislative Efforts to Address Reverse Auctions

Amy also noted that during the 2018 Session of the Legislature, it appeared that House members might be willing to let local governments out of the mandatory reverse auction requirement, using House Bill 1131 as the vehicle to let local governments decide for themselves whether they need or do not need a reverse auction. This move was supported by the Chair of the House Accountability, Efficiency and Transparency Committee, who said that the reverse auction requirements for local governments were inserted in the House-Senate conference in 2017 and were not adequately explained to House members before they voted. The Chair also noted that he still supports reverse auction and would like to see it implemented for local governments after state agencies use it for a few years.

As proposed and passed in the House, House Bill 1131 would have amended 31-7-13 to provide that if an agency or governing authority determines that a reverse auction would not be in the best interest of the agency or governing authority, that determination must be approved by the Public Procurement Review Board for an agency and by the governing authority for a governing authority; that a governing authority would be required to make findings in its minutes of why a reverse auction would not be in the best interest of the governing authority; and that if, as to a governing authority, the governing board thereof authorizes the purchasing entity to solicit bids with a method other than reverse auction, then the purchasing entity may designate the methods by which bids will be received. House Bill 1131 died in the Senate Committee on Accountability, Efficiency, Transparency on February 27, 2018.

IV. Cybersecurity Best Practices

There is a growing public awareness that online computer system vulnerabilities in the public and private sector can conceivably lead to a cyber Pearl Harbor attack. As the number and extent of cyberincidents continue to grow at a geometric pace, and as our elected leaders tell us they are focused like a laser on The Next Big Attack, there are still many of us who measure life in terms of pre- and post-9/11. And collectively we have an uneasy feeling that our government may be failing to connect the dots, again.

We are living in the information age where almost every part of our daily lives is in some way inextricably interwoven with the Internet. The problem is that those very networks on which we rely to enable and facilitate many critically important aspects of our increasingly digital lives, governments and systems of commercial activity are vulnerable to cyberattack. Not a day passes without malicious cyber criminals, hacktivists and other highly motivated but misdirected actors launching attacks that originate beyond our national borders. They are targeting our businesses, commercial and proprietary trade secrets, critical infrastructure, and sensitive information.

The toughest challenges lie in developing effective tools that will enable our national, state and local governments to respond in an appropriate, proportionate and effective manner to malicious cyber attacks and cyber-enabled activities, and to provide a credible deterrence that will make others refrain from engaging in similar activities. Some countries have already begun efforts to confront these growing threats by malicious cyber attackers and cyber actors, but the solution to this problem must be predicated on international coordination and development of capabilities beyond those presently existing.

Interrelated Cybersecurity Issues

It would be helpful to explore a number of interrelated cybersecurity issues that have a direct impact upon local government and the citizens it represents.
1. Vulnerability to attacks
2. Why hackers exploit local government websites and networks
3. Greatest vulnerabilities and need for protection
4. Best cybersecurity practices
5. Hacking vulnerabilities of vehicles and mandatory security standards
6. Feasible means of preventing local governments from becoming gateways to federal and state hacking

Scope of the Problem

Through efforts by government and the private sector in the early 1970s, various forms of cybersecurity were implemented in response to the hacking of telephone systems, which later expanded to computer systems. One analyst reported in an October 16, 2015 article that the U.S. government had spent over $100 billion on cybersecurity over the past decade and had budgeted $14 billion for cybersecurity in 2016. With cyber-attacks costing businesses $400 to $500 billion a year, these figures do not take into account the thousands of cyberattacks that go unreported because they are small or undetected, and do not include the explosive growth in mobile use and the internet. Steve Morgan, The Business of Cybersecurity: 2016 Market Size, Cyber Crime, Employment, and Industry Statistics, Forbes, October 16, 2015.

Technological Innovation vs. New Opportunities for Exploitation

Some have projected that by 2020, the worldwide cost attributable to cybersecurity breaches and attacks will approach trillions of dollars. This is a game in which cybersecurity will continue to play catchup, with no real prospect of gaining the upper hand over cybercrime for the next two to three decades. As we witness advances in the relentless march of technological innovation, each step forward is matched by a giant step backward as new opportunities surface for exploitation. The Changing Face of Cybersecurity & What it Means for Municipalities, Morris A. Enyeart, Ed.D. Jan. 2016.

Spearphishing

One form of direct social engineering attack is spearphishing, delivered by e-mail and designed to exploit human vulnerabilities. Spearphishing exploits a weakness in the e-mail system technology: the sender address is assumed to be correct, hence the addressee routinely opens e-mails that purport to have originated with colleagues, business associates, acquaintances and friends. If the attackers can spoof a credible sender's address information, the recipient will be more likely to open the message. The attack delivery would be disrupted and the attack would fail if spurious e-mails were not delivered by the e-mail system, as when the e-mail recipient has an easily available means to verify the origin of

the message. Spearphishing is enabled when the recipient is unable to easily verify the message origin or guarantee of origin, and its success reveals serious shortcomings of current e-mail technology.

Managing Attack Vectors. Disruption of Attack Delivery

Many multi-stage cyber attacks begin with spearphishing that uses e-mail as the attack vector, with credible messages that the victim will likely open and respond to positively. Message credibility is a critical factor in such an attack. If the recipient of the message is aware that the message was not from a guaranteed origin, that is, not from whom it purported to be from, message credibility can become a significant hurdle for the attacker.

Multi-Stage Attacks by State-Sponsored Actors

During 2011-12, Coca-Cola Corporation was attacked with what began as a spear phishing targeting of a senior corporate executive with a malicious e-mail purporting to be from the CEO. Contained in the e-mail message was a link to a malicious website that performed a drive by download of . The goal of this attack was the theft of data relating to Coca-Cola's acquisition of another company, but the attack may have had grander designs. The corporate network was accessed when malware compromised the logon credentials and enabled unauthorized but unrestricted access to the corporate resources on the network. The attackers used stub viruses, a new strain of malware that could be remotely updated with new capabilities. The attack was commenced and the theft of sensitive data was undetected for a lengthy period of time.

Virus and Masquerading

Conventional wisdom tells us that viruses spread through propagation and can be detected by behavior malware detection software. When a virus does not exhibit expected behavior, according to this conventional wisdom, the effectiveness of anti-malware protection controls can be seriously challenged.
This brings us to the field of malicious software of a particularly problematic type: The Zeus Virus.


Stealing Confidential Information from Compromised Systems

The Zeus virus is a keystroke logging software delivered by drive by download, through a Zeus Trojan. It runs on versions of Microsoft Windows and steals information by man-in-the-browser keystroke logging and form grabbing. Zeus is designed to steal confidential information from the computer systems it has compromised and does so by specifically targeting system information, online login credentials and banking information. It has also been used to install the CryptoLocker ransomware and is spread through drive-by-downloads and phishing schemes. The Zeus Trojan can be customized to gather social security and credit card numbers.

Targets In and Outside Government

Zeus was initially identified in July 2007 when it was used to steal information from the U.S. Department of Transportation. By June 2009, it was discovered that over 74,000 FTP accounts on websites at the Bank of America, NASA, Monster.com, ABC, Oracle, Cisco, Amazon and BusinessWeek had been compromised.

Inability to Remove All Versions from Operating Systems

While there are many forms and versions of the Zeus Trojan, it appears that no utility can effectively detect and remove all versions of it from all operating systems. Some estimates indicate that as of 2009, Zeus had infected 3.6 million personal computers in the United States, and security firms proactively advised businesses to continue to offer training to users to implement such practices as not clicking on hostile or suspicious links in e-mails or websites and to keep their current. While some vendors represent that their software protection can prevent some infection attempts, none claim the ability to reliably prevent infection under all circumstances.
See Removing the Zeus Malware Virus, Cox Tech Solutions, January 21, 2016, at http://www.cox.com/residential/support/internet/article.cox?articleId=9e960f50-c2ae-11e4-52f6-000000000000; Zeus (Malware), at https://en.wikipedia.org/wiki/Zeus_(malware)


Replay Masquerades

Logging user IDs and passwords is performed so the credentials can be used later to gain access to otherwise inaccessible systems. Reusing stolen logon credentials is known as "replay", and the attacker who uses replay "masquerades" as the legitimate owner of the replayed credentials. The highest level of masquerading is compromise and replay of the logon credentials of privileged users, since it opens up the resources of corporate information systems and networks to compromise.

Protection Methodology

The protection methodology against this is two-fold: first, disrupt the implanting of keystroke logging malware, just as one would disrupt drive by downloads and detect malware before it could be implanted. Second, design a one-time credential that cannot be replayed. Options for preventing replay are one-time passwords and adding a second factor to the authentication credential such as a one-time value like the one provided by the RSA SecurID device.

Cat and Mouse

Response to a cyber attack can depend largely on the ability, talents and knowledge the attacker has about the human factors and human vulnerabilities of the target. Attack response can become a game of cat and mouse as defensive strategies are rolled out as quickly as attackers modify their attack strategy.
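The difference between a replayable credential and a one-time credential, as described under Protection Methodology above, can be shown in a few lines. This is an added example, not part of the original paper: it uses the open time-based one-time password algorithm of RFC 6238 rather than the proprietary scheme in any vendor token, and the password, timestamps and shared secret (the RFC's published test key) are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the demonstration (the secret is the RFC 6238 test key).
SHARED_SECRET = b"12345678901234567890"
STATIC_PASSWORD = "Spring2018!Budget"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP keyed on the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class StaticPasswordVerifier:
    """Reusable credential: whatever a keystroke logger captures stays valid."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._hash, self._derive(password))


class OneTimeVerifier:
    """Accepts each time step at most once, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_used_step = -1                 # highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        first = max(0, current - self.window)    # tolerate small clock drift
        for candidate in range(first, current + self.window + 1):
            if candidate <= self.last_used_step:
                continue                         # consumed or older: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_used_step = candidate
                return True
        return False


def demo() -> dict:
    login_time = 1111111100                      # constructed timestamp
    pw_check = StaticPasswordVerifier(STATIC_PASSWORD)
    otp_check = OneTimeVerifier(SHARED_SECRET)

    captured_password = STATIC_PASSWORD          # what a keystroke logger records
    captured_code = totp(SHARED_SECRET, login_time)

    return {
        "owner_password_login": pw_check.verify(captured_password),
        "password_replay_next_day": pw_check.verify(captured_password),
        "owner_otp_login": otp_check.verify(captured_code, login_time),
        "otp_replay_same_step": otp_check.verify(captured_code, login_time + 5),
        "otp_replay_next_day": otp_check.verify(captured_code, login_time + 86_400),
        "owner_fresh_code_later": otp_check.verify(
            totp(SHARED_SECRET, login_time + 60), login_time + 60),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26} accepted={accepted}")
```

The verifier has to remember the last accepted time step; without that state, a code captured by a keylogger would remain usable for the rest of its 30-second window.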

The Cybersecurity Information Sharing Act (CISA)

The Cybersecurity Information Sharing Act (CISA) was quietly inserted into the $1.1 trillion December 18, 2015 Omnibus Budget Bill that was passed by the United States Senate and signed by the President. CISA was seen by its opponents as a seriously flawed governmental

surveillance bill while CISA’s proponents said it was a necessary tool to fight cybercrime, their rationale being that the tools and strategies successfully used against a private sector business would also be used against the government and other companies. CISA includes sections about Internet monitoring that modify the Internet surveillance laws, and it broadens the powers of network operators to conduct surveillance for cybersecurity purposes. In so doing, CISA dramatically expands those powers in significant ways, the extent of which is still unknown. See S.754 – Cybersecurity Information Sharing Act of 2015. Congress.gov, https://www.congress.gov/bill/114th-congress/senate-bill/754; Larry Greenemeier, A Quick Guide to the Senate’s Newly Passed Cybersecurity Bill, Scientific American, October 28, 2015.

Immunity From Consumer Lawsuits

One of CISA’s key features is that it enables private entities, non-federal government agencies, state, tribal and local governments who have been victims of cyber threats to share information with any federal entity and with each other. Companies who do share information with federal entities are immune from consumer lawsuits for sharing the data. Some have expressed concern that such sharing of consumer information to government agencies by private entities or other third parties will create new targets for hackers. Shortly before CISA was voted on by the Senate, the requirement to remove or redact any personal information from data that is shared was deleted, and some critics say this will result in further spreading of personal information. Sharing of information under CISA is voluntary, so one cannot tell how effective or widespread the data sharing program will be when it is fully implemented.

Governmental Cybersecurity Clearinghouses at Federal & State Level

The new clearing house created by CISA focuses on cyber threats.
In addition, there are additional clearing houses at the federal and state level that include cyber incidents where hackers have gained access and control of private entity and governmental systems.


Cybersecurity Measures at the State & Local Government Level

On May 20, 2015, Governor Chris Christie signed an Executive Order that set up the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) as the State organization responsible for cybersecurity information sharing, cyber threat analysis and hacker incident reporting.

New Jersey League of Municipalities Cybersecurity Awareness Efforts

The New Jersey League of Municipalities is bringing awareness to the municipal level through its Issue Alerts, seminars, webinars, sample proclamations for municipalities and Annual Conference education sessions. See New Jersey State League of Municipalities. www.njslom.org Search cyber security.

Awareness at the Municipal Level

On September 29, 2015, the NJLM alerted its 565 member municipalities about recent attempts to defraud New Jersey municipalities using false from the Administrator to the CFO to request wire transfers. These efforts raised awareness about cybersecurity issues and specifically awareness at the municipal level. Marc Pfeiffer, Keeping your Humans Secure, November 19, 2014 www.njslom.org/99thconf/conf-presentations/Secured-Humans.pdf ; Minimum Cyber-Security Requirements: What you need to Know, March 7, 2014 www.njslom.org/presentations/League-Webinar-Minimum-Technology-Security-Requirements.pdf ; Managing Technology Risks Through Technological Proficiency, November 2015 http://blousteinlocal.rutgers.edu/wp-content/uploads/2015/11/BLGRC-managing-technology-risk.pdf
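The Spearphishing discussion earlier turns on the recipient having no easy way to verify a message's origin, and the NJLM alert above concerns forged Administrator-to-CFO wire-transfer requests. The following sketch shows the origin checks a mail gateway or help desk can automate for that case. It is an added example, not part of the original paper: the domains, server name and messages are constructed, it assumes the requests arrive by e-mail, and it assumes the municipality's receiving mail server records SPF, DKIM and DMARC verdicts in an Authentication-Results header (RFC 8601).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (all names constructed):
TRUSTED_AUTHSERV = "mx.township.example"   # our own receiving mail server
ORG_DOMAIN = "township.example"            # the municipality's mail domain
PROTECTED_NAMES = {"town administrator"}   # officials whose names get impersonated


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def trusted_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts, but only from headers our server wrote."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV:
            continue                       # anyone can add a header; ignore foreign ones
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", results, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def assess(raw_message: str) -> list:
    """Return the list of origin warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # 1. The visible From domain was not authenticated by our own server.
    if trusted_auth_results(msg).get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    # 2. An official's name on an address outside the organization.
    if display_name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name-impersonation")
    # 3. Replies would go somewhere other than the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample messages.
SAMPLES = {
    "genuine": "\n".join([
        "Authentication-Results: mx.township.example; spf=pass; dkim=pass; dmarc=pass header.from=township.example",
        'From: "Town Administrator" <administrator@township.example>',
        "To: cfo@township.example",
        "Subject: Budget meeting agenda",
        "",
        "Agenda attached.",
    ]),
    "forged_domain": "\n".join([
        "Authentication-Results: mx.township.example; spf=fail; dkim=none; dmarc=fail header.from=township.example",
        "Authentication-Results: mail.sender.example; dmarc=pass",   # forged upstream header
        'From: "Town Administrator" <administrator@township.example>',
        "Reply-To: administrator@township-payments.example",
        "To: cfo@township.example",
        "Subject: Urgent wire transfer",
        "",
        "Please wire the funds today.",
    ]),
    "display_name_only": "\n".join([
        "Authentication-Results: mx.township.example; spf=pass; dkim=pass; dmarc=pass header.from=freemail.example",
        'From: "Town Administrator" <town.admin@freemail.example>',
        "To: cfo@township.example",
        "Subject: Wire transfer request",
        "",
        "Are you at your desk?",
    ]),
}


def triage() -> dict:
    return {name: assess(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name:18} {findings or 'no warnings'}")
```

The third sample passes DMARC because the message really did come from the free-mail domain, which is why the display-name check is needed alongside the authentication verdict.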


Education and Outreach at N.J. Local Government Level

On April 7, 2016, GMIS New Jersey held its 7th Annual Technology Conference in Somerset, N.J. GMIS is an association of New Jersey municipal, Board of Education, county and state governmental members that deal with technology hardware, software and system issues affecting New Jersey governmental entities. Included in the conference will be a review of technology advances and investigation of problems and recommended solutions including cyber threats. Id.

Franklin Township’s Fight Against Cyber Threats

Franklin Township in Somerset County, New Jersey is taking the fight against cyber threats a step further by using its website to provide information, videos and hints to raise cybersecurity awareness for residents. This effort is a reflection of the level of electronic interaction that many municipalities have with the public, and it is a feasible means of arming residents with critical cybersecurity information that will make those citizens partners in the fight against cybercrime, while reducing the risk of accidental malware, phishing and other intrusions. See Cybersecurity resources for Residents. Franklin Township, Somerset, NJ

Municipal Targets of Cyber Threats

Police and court systems, financial systems, personnel records, payment systems for municipal water and electrical plants are common municipal targets. As ballot machines become more and more digitally and electronically cyberconnected, they too will become targets for cyber threats. See generally Election Security in All 50 States – Defending America’s Elections at n.10 (“This report is not an indictment of state and local election officials. Indeed, many of the procedures and requirements considered and contained within this report are created by statute and under the purview of state legislators instead of election officials.
Election officials are tasked with protecting our elections, are the first to respond to problems on Election Day, and work diligently to defend

the security of elections with the resources available to them. Unfortunately, funding, personnel, and technological constraints have limited what they have been able to do related to election security. We hope that by identifying potential threats to existing state law and practice, this report helps lead to the allocation of much needed funding and resources to election officials and systems in the states and at the local level.”), https://www.americanprogress.org/issues/democracy/reports/2018/02/12/446336/election-security-50-states/

DDoS: Distributed Denial of Service

DDoS is a form of brute force attack in which the attacker buys access to a system that directs thousands or even millions of computers to access the network, system or website. It has been estimated that in 2015 one-third of website outages resulted from DDoS attacks, the result of which was that networks were overwhelmed, shut down, and normal traffic could not get through. This left municipal residents without electronic services to pay taxes and utilities online, interrupted 911 and emergency dispatch functions, and delayed communications with and essential functions of health departments, payroll departments, online facilities for payment of bills, for hours up to several days. Systems that crash due to DDoS attacks may in turn have data corruption problems and require expensive rebuilding in order to come back online.

Purchase of DDoS Service on the Dark Web

Why would a municipality be subjected to a DDoS attack? This might originate with criminal activity by gangs, political protests, revenge, or disgruntled employees. The cyber attacker need not have sophisticated technical skills to initiate a DDoS attack, but only needs to purchase the service on the dark web.


A few examples illustrate the range of this kind of attack.

► The Maine.gov website was disabled by DDoS attacks three times in March 2015 along with the Bangor, Maine municipal website and other websites. Craig Anderson, More Maine websites targeted on third day of cyberattacks, Portland Press Herald, March 25, 2015, www.centralmaine.com/2015/03/25/cyber-attacks-targets-maine-websites-for-a-third-day/

► As a result of a DDoS attack in November 2015, the San Jose Police Department was offline for several days.

► Departments at Rutgers University were shut down by DDoS attacks in 2015. Kelly Heyboer, Cyber attack shuts down Rutgers online classroom site, NJ Advance for NJ.com. December 25, 2015 www.nj.com/middlesex/index.ssf/2015/12/ho_ho_hack_rutgers_u_hit_with_another_cyber_attack.html

Approaches to Prevent DDoS Attacks

DDoS attacks are designed to deny electronic access and functioning to a municipality. They shut down the city’s doors so no information can get in or out for a prolonged period. While they are not the most damaging cyber threat to municipalities, they are disruptive and can cost valuable taxpayer dollars in times of limited local resources.

Several approaches have been used by cybersecurity vendors in an effort to prevent DDoS attacks on municipal governments, but these are not the only form of attack.

1. Cybersecurity firms can build a that analyzes incoming traffic in real time and blocks incoming traffic when certain characteristics trigger a response. Hosting and network vendors offer cloud and hardware devices that range from $500/month for three million packets per second to $2,500 per month for twelve million packets per second that would protect most municipalities. Larger cities

may need the services of companies like Akamai, IBM, Microsoft and Amazon that can run into the hundreds of thousands or millions of dollars depending on the level of DDoS protection needed.

2. Policies, procedures and controlled access methods can be developed and implemented to minimize the risk of such everyday cyber threats as

(a) Exposure of municipal networks and websites by which hackers gain access to the municipal network, utility systems, or website, and the intrusion cyber threat seeks to gain internal control in order to steal personal/financial information or disrupt the operation while doing maximum damage.

(b) Theft of personal and financial information on the Internet, through which the hacker’s breach may force the municipality to spend hundreds of thousands of dollars to rebuild and harden the network against future intrusions while limiting services to residents, and then hope the system will withstand the next attempted intrusion.

(c) Despite constant attention to alerts and periodic tests, and even if the municipality’s network and systems are hardened and up to date, there will be upgrades and patches to apply constantly over time, and another Trojan or malware could be accidentally introduced through a trusted vendor patch, an employee’s flash drive or similar network appliance, or human error as when an employee opens an e-mail and clicks on a link or opens an attached file that releases a virus, malware or a Trojan into the network as it is downloaded to the computer attached to the network, or when an employee accesses a non-municipal system that risks introducing viruses, ransomware, or Trojans into the municipal network as he or she checks social media, personal e-mail or conducts personal business using the municipal work station.

Notwithstanding this daunting cat-and-mouse game, there are practices and measures through which municipalities can help ensure that their network and systems are secure.


(a) Financial systems and personnel data should be encrypted.

(b) Administrative functions can be tightly controlled.

(c) Strong system passwords can be changed every thirty to sixty days, using password manager software for staff to enter passwords to systems or access the network.

(d) Access via persons using TOR as their website browser should also be blocked since it is a favorite tool used by hackers to hide their origin while hacking a network.

(e) A full time cybersecurity officer may be hired by the largest municipalities, although this is not feasible for most municipalities due to cost. Further, cybersecurity staff are in short supply and are paid more than most municipalities can afford.

(f) Municipalities can consider using a shared-service agreement to hire a cybersecurity resource to be shared across multiple municipalities. This resource could create common policies, monitor their implementation, conduct training, work with individual departments where needed and bring best practices to the municipalities at a level they can afford.

(g) Municipalities can establish a comprehensive cybersecurity policy that is reviewed twice a year with staff to ensure they understand all of its elements, including holding separate meetings where policy elements apply only to a single department, and creating a video with a form quiz where the policy applies to volunteers and elected/appointed officials, providing them with a good overview of their responsibilities and restrictions. See Cybersecurity for Municipalities, Colorado Municipal League June 2015 Annual Conference.

Grass Roots Approach to Cyber Security

Cyber-attacks affect more and more organizations in both the public sector and the private sector. While interconnectedness through the internet, the cloud, mobile devices and social media has increased productivity and commerce, these trends also are making businesses, governments and individuals more vulnerable to cyber-attack. The

federal government and large corporations constantly seek new ways to fortify their enterprises against attack. However, what is overlooked in cyber-security planning and responses are local governments and small businesses. A “grass-roots” approach to cyber-security is required to complement the efforts of large enterprises and governments.

Recognizing the Problem

The first step in this grass-roots approach is the recognition of the importance of cyber-security by local leaders to include mayors and town councils, chambers of commerce, school boards and civic groups. Such leadership has the ability to raise awareness of cyber-security among their respective constituencies. They can direct the attention of citizens to the importance of cyber-security. Leaders should use their respective forums to discuss cyber-security at given opportunities.

Coordinated Governance

The next step is for local governments to develop cyber-security committees to bring together stakeholders for the following purpose:

• Raise awareness among citizens;
• Improve cyber-security posture of local government institutions;
• Share best practices with local businesses and organizations;
• Develop a cyber-security curriculum for local schools;
• Coordinate law enforcement response options to reported cyber-crimes.

This cyber-security governance committee would develop, implement and monitor plans to meet these objectives.

Engaging Stakeholders

To meet these objectives, the committee should consist of at a minimum the following individuals:


• Cyber-Security Expert: Municipalities can recruit a volunteer through their local ISACA chapter (www.isaca.org). Service on such a board can count as continuing education credits to maintain good standing as a Certified Information Systems Auditor (CISA).

• Head Law Enforcement Official: This individual will be able to assist in creating mechanisms for reporting cyber-crime.

• Member of Council: This individual assures that planning aligns with local strategic vision and facilitates the approval of resolutions to support the effort.

• Municipal Information Technology Professional: This individual’s knowledge of systems, data and access levels is necessary for risk assessments, implementation and monitoring.

• Municipal Manager or Administrator: This individual brings strong knowledge of functional processes in the local government that aid with both risk assessments and implementation and monitoring.

• School Board Representative: This individual assists with improving the school district’s cyber-security posture and provides insight into developing a cyber-security curriculum.

• Government Sub-unit Representative(s): These are individuals representing any independent or quasi-independent agencies that have separate information technology systems. Industrial automation in utilities is a focus of these individuals.

• Educational Institutional Representative(s): These individuals represent colleges or community colleges in the municipality to assist with awareness and educational development.

• Business and Labor Representative(s): These individuals represent business groups and labor organizations in the municipality. These individuals can assist with awareness and dissemination of best practices.


Protection of Citizens from Cyberattacks

Ultimately, all governments have a duty to protect their citizens. Cyber-attacks represent a new threat from which citizens require protection. As with any other type of crime, any decrease in cyber-attacks represents an increase in quality of life and a boost to economic development.

Post-Ferguson DDoS Attack

Following the fatal shooting of Michael Brown by a Ferguson, MO police officer on August 9, 2014, the City of Ferguson found itself at the epicenter of worldwide attention, including that of hackers with a sociopolitical agenda. The ensuing attacks are described in an excellent article by Colin Wood entitled Unmasking Hacktivism and Other High-Profile Cyberattacks, Government Technology, August 28, 2015, accessible at http://www.govtech.com/public-safety/Unmasking-Hacktivism.html. According to Wood, the hacktivists at Anonymous engaged in a “shotgun approach to retribution” by mounting a vigilante assault that began with the online release of the home address, phone number and photo of the house of the St. Louis County Police Chief, shortly after which photos of the Chief’s daughter and wife began circulating on Twitter. This was only the beginning of their furor as Anonymous expressed its indignation over what its minions perceived as a violation of its moral code. Its online efforts led to others making veiled threats against the safety of the Chief and his family. Anonymous launched DDoS attacks, SQL injection attacks and a phishing campaign against the Missouri state government’s digital infrastructure and that of law enforcement agencies and regional governments not directly related to Michael Brown’s death. The collateral damage to those targeted by this cyber attack was extensive, and the State of Missouri was not fully prepared.

Similar cyber attacks had been launched by Anonymous as far back as 2008, when it “cut[] its hacktivist teeth” in online attacks against Sony, PayPal, Visa, MasterCard, the Motion Picture Association of America, ISIS, Koch Industries, the Westboro Baptist Church, the New York


Stock Exchange, and the federal governments of the U.S., Australia, Uganda, Israel, Canada, Tunisia and Egypt. Each target has somehow been selected by Anonymous based on a perceived transgression of its sense of moral propriety.

According to the chief information security officer for the state of Missouri, as Wood explained, the state had not completely implemented its security plan at the time the cyber attacks took place, although overall the state did a good job minimizing their impact. There were several things the state would have done differently when it was subjected to the three forms of attacks in the middle of the night on a weekend. These consisted of DDoS attacks that disabled websites, SQL injections that infiltrated databases and a phishing campaign that sought to obtain security credentials. Some of the large DDoS partners were hard to reach, and some of the state’s vendors wanted an emergency setup fee of $20,000 to $40,000. While the cyber attacks actually helped improve the state’s security posture, the state has now contracted with several new vendors to manage security operations, uses a managed DNS provider, and has in place border gateway protocol and application-layer protection to mitigate DDoS attacks.

According to Wood, “Groups like Anonymous attack their enemies to prove a point. They want to show the government, or whomever, that evil deeds don’t go unpunished. It’s out of a perceived lack of legitimate recourse that hacktivists disable websites and make personal threats, but of the 10,000 arrows fired, many land on innocent villagers. Roling didn’t shoot anyone, but he and the rest of the state’s IT team are the ones left picking up the pieces. The more time and money the state spends on its cybersecurity, the less taxpayer funding there is left for citizen services. The people Anonymous wants to advocate for are the same ones footing the $40,000 emergency setup fees and new vendor contracts. Anonymous might mean well, but pestering the state won’t stop the

next race riot. It’s just another thing that poorly funded state and local governments must worry about.” The post-Ferguson cyber attacks on the State of Missouri demonstrate graphically that governments do not have the option of doing nothing, unless they relish the idea of getting pounded repeatedly as “easy, soft targets” and allow citizens’ trust in their government to be sacrificed on the altar of cost-control.

Understanding Hacktivists’ Motivation, Means and Opportunity

There are ways to prepare for hacktivist attacks like those spearheaded by grass-roots political movements like Anonymous, and they begin with an understanding of motivation, means and opportunity. As Wood notes, Preparing for hacktivism differs little from other forms of cyberdefense. Control frameworks like the one outlined by the National Institute of Standards and Technology are good road maps for governments, Brasso said. Even if organizations aren’t ready to implement every piece of the framework, they can know where they stand compared to where they should be. Tools include things like firewalls, advanced malware protection, intrusion prevention tools, vulnerability assessment tools and education to prevent simple mistakes by employees.

Encrypted iPhones and the battle for encrypted data access

Encrypted handhelds, iPhones, cell phones and other products are being rolled out that will allow users alone to access their data. In the wake of the Charlie Hebdo attacks in Paris and the terrorist attacks in San Bernardino, California, the fears of law enforcement officials are being realized. In its pitched battle with Apple over access to encrypted data stored on the county-owned iPhone of one of the San Bernardino attackers, the FBI says its ability to uncover terrorism plots can be hindered by encrypted messaging apps like the one on this iPhone.
In that battle, Apple claims a First Amendment right of privacy bars governmental access to the data, and the FBI says it needs immediate access to the contacts made by the terrorist before he himself was killed. See Adam Segal and Alex Grigsby, 3 ways to break the Apple-


FBI deadlock, The Washington Post, March 14, 2016, at http://www.syracuse.com/opinion/index.ssf/2016/03/3_ways_to_break_the_apple-fbi_encryption_deadlock_commentary.html

Device management feature lacking

According to a recent investigative report by the Washington Post, the iPhone in question did not have a device management feature that could have been purchased by the county that, if installed on the iPhone, would have given the FBI investigating team easy, immediate access to that data. See Adam Segal and Alex Grigsby, 3 ways to break the Apple-FBI encryption deadlock, The Washington Post, March 14, 2016, at http://www.syracuse.com/opinion/index.ssf/2016/03/3_ways_to_break_the_apple-fbi_encryption_deadlock_commentary.html

Going Dark

According to Segal and Grigsby, U.S. law enforcement has expressed concern over “going dark” since the 1990s, meaning its inability to access encrypted data, even when armed with a court order.

Encryption Backdoors

To prevent future terrorist attacks, tech giants like Apple are being urged to incorporate "backdoors" or "front doors" in their products that will assure the technical ability to decrypt communications pursuant to a warrant. Apple and other tech manufacturers claim that if someone other than the owner of the data is allowed to decrypt communications, such a flaw could be exploited by criminals and state actors, weakening security for everyone. There is a technological workaround, however, through which the encrypted devices can be broken into, and the government is actively seeking to compel cooperation by the tech companies. The choice need not come down to an absolutist immediate, on-demand decryption capability or caving in to business interests that favor going dark.


On the contrary, there are existing solutions that would enable law enforcement to gather the evidence it needs without creating encryption backdoors.

1. Congress can empower law enforcement to have the legal ability to hack into a terrorist suspect’s handheld or computer with a court order, exploiting existing security flaws in communications software to access the data it needs. As Segal and Grigsby point out, It's no secret that software is riddled with security flaws. …[S]ome prominent experts have argued such lawful hacking would allow authorities to use existing vulnerabilities to obtain evidence instead of creating new backdoors. Although this would entail law enforcement adopting the same techniques as criminals, tight judicial oversight would ensure that lawful hacking is employed responsibly, much like the restrictions that already apply to wiretapping. Adam Segal and Alex Grigsby, 3 ways to break the Apple-FBI encryption deadlock, The Washington Post, March 14, 2016, at http://www.syracuse.com/opinion/index.ssf/2016/03/3_ways_to_break_the_apple-fbi_encryption_deadlock_commentary.html

2. A national capacity to decrypt data for law enforcement purposes should be explored by the Executive Branch. The challenge of "going dark" affects state and local law enforcement the most: They are the least likely to have the resources and technical capabilities to decrypt data relevant to an investigation. Creating a national decryption capability, housed within the FBI and drawing upon the expertise of the National Security Agency, would provide assistance to state and local law enforcement, similar to what the FBI provides for fingerprint and biometric data. Adam Segal and Alex Grigsby, 3 ways to break the Apple-FBI encryption deadlock, The Washington Post, March 14, 2016, at http://www.syracuse.com/opinion/index.ssf/2016/03/3_ways_to_break_the_apple-fbi_encryption_deadlock_commentary.html

3. Law enforcement needs to ramp up its tech literacy.
Just as law enforcement in the 1990s dealt with a problem similar to "going dark"

52 when organized-crime suspects began using disposable phones that hampered wiretaps, it adapted its procedures, and arrests and prosecution of organized-crime suspects continued. Alternative Avenues to Encryption: Cloud Backup Encryption of data can occur on a device when data is transmitted and stored in the cloud, but this does not automatically mean the evidence trail will go cold. Encryption in one avenue does not necessarily mean other avenues will be encrypted. It an encrypted iPhone had been backed up to the Apple’s cloud storage system known as the iCloud, Apple can still access the content of the encrypted iPhone if it has been backed up to iCloud. As Segal and Grigsby note, Recognizing how and when encryption occurs, and the different security offerings of the more popular service providers, may help law enforcement access data. Better tech literacy might have avoided the current Apple-FBI fight. The FBI could have obtained more information from the San Bernardino attacker's iPhone if it had not hastily ordered the county to reset his iCloud password. Adam Segal and Alex Grigsby, 3 ways to break the Apple-FBI encryption deadlock, The Washington Post, March 14, 2016, at http://www.syracuse.com/opinion/index.ssf/2016/03/3_ways_to_break_th e_apple-fbi_encryption_deadlock_commentary.html

While these proposals may not be fully acceptable to law enforcement or the tech sector, and while it is unlikely that a one-size-fits-all solution will be forthcoming, the time is rapidly approaching to consider and develop realistic solutions.

Albuquerque P.D. Going Dark

The City of Albuquerque, New Mexico, is considered a leader in open data and transparency. In August 2014, after members of the Albuquerque, N.M., Police Department fatally shot a mentally ill homeless man who had been camping in the wilderness, the Police Department’s website went dark on the heels of cyber attacks from Anonymous. The attacks were seen by some police personnel as tests of how well the city had been maintaining its security program. The cyber attacks brought down the APD’s website for a few hours, but unlike Missouri, the city was able to mitigate the attacks by working with such groups as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the FBI. While it may be problematic to predict when the threat of hacktivism will surface, whether arising from a police officer’s use of force or something that a group sees as social injustice, there are still practical considerations for maintaining a robust social media presence and promoting city information, but the trick is to “be smart about what’s being publicized.” In light of emerging technologies like police body cams, moreover, amidst growing public demands for open data and transparency, the line between good practice and threat to the public servant can become a thin one. “[I]n the online world, everything that has a good motive also can be exploited.”

Essential Preparation and Planning

According to the digital services coordinator for Evanston, Ill., one of the best things governments can do when it comes to any disaster is to prepare and plan ahead. “Make sure you have a robust social media presence up and running, because a lot of these government agencies are slow to adopt and waiting until after that natural disaster hits to start a Twitter account, [but] it’s too late….You want to build up those relationships ahead of time.”

Basic measures local governments can take

Among the basic measures local governments can take are getting verified status on Twitter and using two-factor authentication. According to an official with the FBI’s Cyber Division, state and local governments should expect DDoS attacks and have a mitigation plan and vendor relationships in place. They should monitor how often their networks are being pinged so they can quickly recognize when an attack has begun. Once due diligence has been performed, the most realistic advice may be that offered by Robert Louis Stevenson, author of Treasure Island, who once wrote “Our business in life is not to succeed, but to continue to fail in good spirits.”

Developing Nations’ Reach for Cyberspying Capabilities

The norms of behavior in cyberspace by nation states like the People’s Republic of China and the USA may set a lofty standard, but less technologically advanced countries may lack the skill or motivation to follow that lead. Instead, increasing literature indicates a mounting interest among these less sophisticated countries in acquiring cyber espionage capabilities. At a time when governments are trying to curb the volume of hostile activity occurring in cyberspace, the media have revealed instances of suspected U.S. global surveillance and China’s rampant commercial cyber espionage. These and similar episodes, which unfortunately resemble the old days of Mad Magazine’s Spy vs. Spy cartoon, have given rise to serious discussions about how and in what manner to establish a baseline for accepted actions for governments to take in cyber space. China, Russia, and the United Nations Governmental Group of Experts on Information Security have developed proposals addressing these concerns.

Cyber Sanctions

Coupled with this trend for nation state cyber responsibility, the President of the United States in an April 1, 2015 Executive Order established “cyber sanctions” that granted authority to the U.S. Department of Treasury to sanction “individuals or entities” that pose a cyber threat to the “national security, foreign policy, or economic health or financial stability of the United States.” This was the first sanctions program to allow the Obama administration to impose penalties on individuals overseas who engage in destructive cyber attacks or commercial espionage in cyberspace.
Executive order: Obama establishes sanctions program to combat cyberattacks, cyberspying, The Washington Post, April 1, 2015, http://apps.washingtonpost.com/g/documents/world/executive-order-obama-establishes-sanctions-program-to-combat-cyberattacks-cyberspying/1502/

As the President put it when he signed this EO, "Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit." Our latest tool to combat cyberattacks, https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know

The rationale underlying this executive order is that malicious cyber actors often rely on U.S. infrastructure to commit the acts described in the EO, and they often use U.S. financial institutions or partners to transfer their money. By sanctioning these actors, the U.S. can limit their access to the U.S. financial system and U.S. technology supply and infrastructure. Basically, sanctioning them can harm their ability to both commit these malicious acts and to profit from them. In a landmark agreement in November 2015, governments of the 20 leading global economies – including China – pledged not to engage in cyber-enabled commercial espionage for profit.

FinFisher

FinFisher Gamma Group in Munich has developed and produced a sophisticated, user-friendly software that is sold exclusively to government agencies and police forces. It has risen in popularity with government agencies across the world, and over 32 countries – including our host country for this Congress – have been identified as users. FinFisher’s software can remotely control any computer it infects, read and copy encrypted files, intercept Skype calls, log keystrokes, and activate webcams. The software has been touted as a way to "help government law enforcement and intelligence agencies identify, locate and convict serious criminals."

In August 2015, a data breach placed FinFisher’s business practices and clients under scrutiny. Stolen files and client information of 33 customers were placed on the web, and some of it suggested that FinFisher was being used for activities beyond tracking criminals. The other activities entailed spying on high-profile Bahraini activists. According to some reports, it was believed that dissidents, law firms, journalists and political opposition in Bahrain and from Ethiopia had been monitored through FinFisher.

Yet despite this progress, revelations exposed with the Gamma breach, as well as the one suffered by Italy’s Hacking Team in July 2015, continue to demonstrate that states desire to acquire offensive cyber surveillance capabilities, even if they can’t develop them indigenously. Some of the customers identified in data were notably states that are neither considered cyber powers, nor considered leading economies. Some of the governments identified in data taken from the breach include Bangladesh, Kenya, Macedonia, and Paraguay. In two of these cases, the intelligence agencies of the governments were linked to FinFisher products.

While these states may not use these capabilities in order to conduct cyber espionage, some of the governments exposed in the data breach are those that Reporters without Borders have identified as “Enemies of the Internet” for their penchant for censorship, information control, surveillance, and enforcing draconian legislation to curb free speech. National security is the reason many of these governments provide in ratcheting up authoritarian practices, particularly against online activities. Indeed, even France, which is typically associated with liberalism, has implemented strict laws infringing on human rights. In December 2013, the Military Programming Law empowered authorities to surveil phone and Internet communications without having to obtain legal permission. After the recent terrorist attacks in Paris, French law enforcement wants to add addendums to a proposed law that blocks the use of the TOR anonymity network, as well as forbids the provision of free Wi-Fi during states of emergency. To put it in context, China, one of the more aggressive state actors monitoring Internet activity, blocks TOR as well for its own security interests.

Cyberspace has been called “the great equalizer” because it is an environment that can be leveraged by smaller, less industrialized nations in order to compete with larger ones. The Snowden document leaks and rampant, unchecked cyber espionage have created an environment in which all governments—regardless of size—want a modern, relatively inexpensive capability indicative of their ability to keep pace with the times. Despite the lead taken by larger governments to reach consensus on some unacceptable actions in cyberspace, Pandora’s box may have reached an aperture too great to close. Whether these poorer nations use the tools they obtain for legitimate national security or law enforcement reasons, or to oppress and keep populations in check will largely rest on perception and interpretation.

What City Officials Need to Know About Cybersecurity

In the wake of highly publicized data breaches and cybersecurity attacks, city officials have begun looking at historically underfunded municipal cyber-defense programs. See Lea Deesing, What City Officials Need to Know About Cybersecurity, June 23, 2015, at http://www.govtech.com/opinion/What-City-Officials-Need-to-Know-About-Cybersecurity.html

Lea Deesing paints an all-too-realistic scenario for a municipal government that has been subjected to a well-orchestrated cybersecurity attack. In her hypothetical scenario, the signs of a cyber attack are everywhere:

►city staff unable to log in to their computer network,
►fire and police departments forced to rely solely on radio communications rather than mobile data systems to receive and respond to incidents,
►city staff are limited to communicating through text using the phone numbers in their personal smartphones since the telephone and e-mail systems are down,
►no city employees receive their electronic paycheck via direct deposit the night before payday,
►counter staff do not know how to handle manual transactions and cannot log in to their systems,
►staff who attempt to call the IT department help desk do not even get a dial tone,
►massive lines begin to form in the planning, permitting and cashiering departments, and
►residents and business owners who need to conduct business with the city are getting frustrated.

And all of this has taken place on a Friday.

IT staff finally determine that many city servers have been compromised through a well-organized cybersecurity attack. Weeks later the IT Department discovers the cause of the chaos was a Trojan horse virus that had been transmitted via a city staff member’s personal flash drive. Lea Deesing, What City Officials Need to Know About Cybersecurity, June 23, 2015, at http://www.govtech.com/opinion/What-City-Officials-Need-to-Know-About-Cybersecurity.html

Deesing notes that recent cybersecurity breaches in both the private and public sectors have captured the attention of local government agencies. Highly publicized data breaches and cybersecurity attacks raised awareness of these challenges, and consequently many city officials are looking at historically underfunded municipal cyber-defense programs.

Cybersecurity Awareness Training

Cyber hackers usually hit the easiest targets first, much like thieves operating in a neighborhood during the holidays. A common breach can occur after a user clicks on a link in a spam or phishing email, and whether such an attack is financially motivated, or an attempt to cause mayhem in the city, or an act of revenge by a terminated city employee, it must be confronted and effectively mitigated.

Cryptolocker

A well-designed Trojan horse virus like Cryptolocker can generate for its writers millions of dollars in revenue by encrypting the target’s data and holding it for ransom until the target pays a fee. According to one cybersecurity expert, top coding talent is being recruited to write these Trojan horse viruses that lie undetected until a future date and contain malicious code that can carry out a specific action when the hacker signals the software. The cyber hacker has the choice of trying to breach a $20,000 security device or convincing someone to insert an infected $5 thumb drive.

Cybersecurity Awareness Programs

Among the simplest ways to mitigate the risk of such cyberattacks is a good security awareness training program. Prevention of internal breaches can be much more effective through utilization of low cost end-user security awareness videos that are available through private-sector security organizations. These preparedness measures can be coupled with good awareness training, and a cybersecurity policy in place that deals with unknown media, suspicious calls or online messages that try to get staff to visit a website, and e-mails with suspicious attachments.

End-User Education

It is no longer sufficient for local governments to continue to rely on anti-virus and firewall protections alone while ignoring end-user education.

Security Audits, Penetration Tests and Monitoring

Additional security efforts can be implemented by local government in the form of security audits and penetration tests. These measures entail getting paid ethical hackers to try to breach the local government’s system, then report back their findings so the government officials can take pre-emptive action. There must be an understanding of the long-term cost of a data security breach, and that understanding must reach the highest level of government management. The cost must be quantified not only in monetary terms but in terms of loss of citizens’ and customers’ trust. The cost for a full security audit cannot be understood out of context. Further, a decision must be made on whether an annual or biennial security audit is sufficient in the present and future cyber landscape.

Attention should be given to such emerging trends as hiring 24/7 managed professional security service providers. These professionals can operate from remote security operations centers with fully dedicated certified security teams. The teams watch the local government’s network, inside and out, and can identify real time security threats and help develop preventive counter measures. It is not cheap, but its cost in relative terms may make it a bargain.

Security Information and Event Management (SIEM) Tools

Managed security service providers often use special Security Information and Event Management (SIEM) tools. These tools provide a dashboard view into security and server logs that the local government’s IT staff likely does not have time or capability to monitor. The IT staff may view these security and server logs after an incident has already occurred, but usually not before.
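
The log monitoring described here, together with the earlier advice to watch how often the network is being hit so that the start of an attack is recognized quickly, can be illustrated with a short Python sketch. It is an added example, not part of the original paper or of any SIEM product: the log lines, their Common Log Format layout, the documentation-range IP addresses and the thresholds are all constructed assumptions.

```python
"""Flag the onset of a request flood from web access logs (added example)."""
import re
import statistics
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Assumed layout: Common Log Format, client IP first, bracketed timestamp fourth.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, minute) or None when the line does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group(2), TS_FORMAT)
    except ValueError:
        return None
    return match.group(1), stamp.replace(second=0, microsecond=0)


def per_minute_counts(lines):
    """Build a gap-free per-minute request series plus per-client counts."""
    totals, by_client, skipped = Counter(), {}, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1          # unparseable lines are counted, not silently dropped
            continue
        ip, minute = parsed
        totals[minute] += 1
        by_client.setdefault(minute, Counter())[ip] += 1
    series = []
    if totals:
        minute, last = min(totals), max(totals)
        while minute <= last:     # quiet minutes must appear as 0 in the baseline
            series.append((minute, totals.get(minute, 0)))
            minute += timedelta(minutes=1)
    return series, by_client, skipped


def detect_onset(series, by_client, window=5, k=6.0, floor=20):
    """Alert when a minute exceeds median + k*MAD of the previous `window` minutes.

    `floor` keeps a very quiet site from alerting on a handful of requests.
    Alerting minutes are kept out of the baseline so a long flood stays flagged.
    """
    baseline, alerts = deque(maxlen=window), []
    for minute, count in series:
        if len(baseline) == window:
            med = statistics.median(baseline)
            mad = statistics.median(abs(c - med) for c in baseline)
            threshold = max(floor, med + k * max(mad, 1.0))
            if count > threshold:
                top = by_client.get(minute, Counter()).most_common(3)
                alerts.append({"minute": minute, "count": count,
                               "threshold": threshold, "top_clients": top})
                continue
        baseline.append(count)
    return alerts


def build_sample_log():
    """Constructed data: 8 quiet minutes (9-11 requests), then 3 flood minutes."""
    start = datetime(2018, 7, 12, 9, 0, tzinfo=timezone.utc)
    lines = []
    for m in range(11):
        flood = m >= 8
        for i in range(400 if flood else 9 + m % 3):
            stamp = start + timedelta(minutes=m, seconds=i % 60)
            if flood and i % 10:
                ip = f"198.51.100.{i % 4 + 1}"      # a few very busy sources
            else:
                ip = f"192.0.2.{i % 20 + 10}"       # ordinary visitors
            lines.append(f'{ip} - - [{stamp.strftime(TS_FORMAT)}] "GET / HTTP/1.1" 200 512')
    lines.append("corrupted line with no timestamp")
    return lines


if __name__ == "__main__":
    series, by_client, skipped = per_minute_counts(build_sample_log())
    for alert in detect_onset(series, by_client):
        print(alert["minute"].isoformat(), alert["count"],
              "requests, threshold", alert["threshold"], alert["top_clients"])
    print("unparsed lines:", skipped)
```

The alert carries the busiest client addresses for the flagged minute, which is the information a mitigation vendor or upstream provider will ask for first.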

Continuity of Operations Plan

In the scenario described by Lea Deesing in What City Officials Need to Know About Cybersecurity, June 23, 2015, at http://www.govtech.com/opinion/What-City-Officials-Need-to-Know-About-Cybersecurity.html, systems must be prioritized in advance through a continuity of operations plan.

Continuity of operations plans can be vetted through departmental meetings where questions are asked, such as, “What would happen if your computer system went down for two hours? A day? A week? A month?” It’s surprising what occurs when you have these discussions with departmental staff. They may say, “I never thought it would be possible for systems to be down that long. If we simply take this extra step, in advance, we will be as prepared as possible when the systems fail.” For example, a payroll team saves the last successfully run payroll in a PDF format and stores it in a secured location, along with blank check stock. On the day of a disaster, all checks are printed and signed, and required payroll adjustments are made after system recovery.

Questions for Local Government Leaders to Consider

Security measures and security efforts may already be underway in a local government’s IT department, but consideration should be given to supporting and implementing the current cybersecurity efforts in a collaborative way. Steps should be taken to require that policies be written and be grounded upon executive sponsorship.

►Questions should be asked of the human resources department on whether it can help support a security awareness training program.
►Consideration should be given to support for new hardware, software or services.
►Given limitations on local government funding, an assessment should be performed at the executive management level regarding the amount of risk the local government is willing to mitigate or simply accept.
►In short, a backup and recovery plan should be as good as the government can afford, since a cyber attacker with the time and desire will gain access one way or another.

State of Cybersecurity in Local, State & Federal Government

In the Ponemon Institute’s study of The State of Cybersecurity in Local, State and Federal Government sponsored by Hewlett Packard Enterprise, the report concluded that government is the target of cybercriminals and nation state attackers. See State of Cybersecurity in Local, State & Federal Government at http://www.ponemon.org/library/the-state-of-cybersecurity-in-local-state-and-federal-government

At both the local and state level as well as the federal level, a key challenge is the lack of skilled personnel. This is a major challenge at the state and local level. Lack of budgetary resources is a key issue. State and local governments may not be as involved as they should be in sharing of threat intelligence. Top security threats for local government can fall in the category of failure to patch known vulnerabilities, negligent insiders and zero-day attacks. State and local governments are not prepared to deal with cybersecurity threats, and often their agencies have achieved a less than optimal level of maturity in their cybersecurity initiatives.

V. Disaster Preparedness

Preservation of the Right to Vote after Disaster Events

Remember Sandy, Katrina, and Camille? Superstorm Sandy struck the East Coast eight days before the 2012 general election. It caused widespread disruption of the electoral process, underscoring the need to prepare contingency election plans to address the impact of natural disasters. It had a devastating impact upon property and infrastructure, residents, communications networks, transportation systems, and the electricity and other utilities of at least 15 states. The eastern seaboard was left in horrific disarray as a result of the deadliest hurricane of the 2012 Atlantic hurricane season, with damage costs estimated at over $65 billion. Loss of life reached catastrophic levels, with 117 people killed from October 28 to November 3; globally, Hurricane Sandy was blamed for the deaths of 286 people. Over eight million people were left homeless, with over 650,000 houses damaged or destroyed as a result of the storm. Damage to power lines resulted in more than eight million customers losing power, some for weeks or even months. Thousands of miles of roads and highways were severely damaged and covered by sand or otherwise rendered impassable by storm waves and surge. Sewer systems, wastewater systems, and water infrastructure were decimated. A vast swath of destruction rendered thousands of homes uninhabitable, many washed off their foundations, and thousands of commercial buildings were rendered unusable. In New Jersey almost 900 of that state’s 3,500 polling places were destroyed or otherwise rendered unusable. Thousands of people experienced long gas lines reminiscent of the 1973 Arab oil embargo.

The widespread decimation of both New York and New Jersey’s infrastructure impacted utilities, communications, roads, and public transportation. The crippling combination of flooding, power outages, and gasoline shortages threatened to prevent voters and officials from getting to the polls for the general election. The New York City Board of Elections headquarters was flooded. Both New York and New Jersey sought to put in place remedial electoral measures in an effort to deal with the confusion, difficulties, and mounting frustration facing voters and the obstacles that threatened the voting infrastructure of each state. Governors of both states issued emergency orders relaxing normal voting laws and allowing displaced voters to vote by extraordinary means, including e-mail and fax. The states did what they could to equip election officials and volunteers with the means to carry out their duties under stressful, compromised, and unique circumstances.

EMERGENCY REMEDIAL DIRECTIVES IN ABSENCE OF COMPREHENSIVE PLANNING

Neither state was fully prepared to deal with the scope of the emergency conditions faced during the November 2012 general election. Appropriate disaster contingency plans with key elements of emergency planning could have alleviated and mitigated the most severe effects of Hurricane Sandy for both states. For example, the New Jersey emergency directives initially issued by Governor Chris Christie had the salutary aim of enabling every registered voter in the state to cast a vote in the upcoming election; but not all of these ad hoc provisions were successful. Coupled with a weakened infrastructure that was unable to support the overload resulting from multiple ad hoc remedial measures, the resulting problems were daunting, and the severity of many of those problems could have been reduced by additional advanced planning and measures recommended in Resolution 113A, adopted by the ABA House of Delegates in 2014, and discussed in more detail later on in the chapter.

Among the numerous ad hoc directives issued by New Jersey, the first, issued on November 1, 2012, sought to ease voting restrictions, extend deadlines for county clerks to receive mailed applications for mail-in ballots, required all county clerks and election offices to remain open during business hours through the day before the election, required county clerks and election officials to take all reasonable measures to notify voters of extended office hours, and required county boards of election to ascertain and report which polling places were likely to be inaccessible on election day (and to identify alternative sites).
New Jersey also relaxed the requirement that an authorized messenger of mail-in ballots could serve as such only for ten or fewer voters, waived the requirement that members of a district’s board of election reside in the county where the district is located, and allowed polling places to be located more than 1,000 feet from an election district’s boundary line.

The next three directives, issued November 3, 2012, allowed e-mail voting and mail-in ballots for displaced voters, extended the deadline for election boards’ receipt of marked mail-in ballots, required county boards of election to make all efforts to inform voters of polling place changes by posting the information on county and municipal websites, arranged for reverse 911 phone calls, made public service announcements on local media outlets, posted notices at closed polling places advising voters where they could vote, expanded voting for displaced voters by allowing them to vote by provisional ballot at any polling place in the state, and allowed county boards of election to count ballots in the voter’s county of registration even if cast outside the county. All county boards were instructed to count all “eligible votes” which the voter was qualified to cast, but unfortunately excluded voters from participating in local races and on local initiatives if the displaced voter used an out-of-district ballot.

A fifth directive, issued November 6, required county clerks to continue processing all mail-in ballot applications until noon on November 9, provided they were received by e-mail or fax by 5:00 p.m. on election day, November 6, and extended the time for voters to cast the ballots they received in response to their applications to three days after the election. A sixth and final directive, issued November 9, extended election-related deadlines, including the certification of county election results, and federal and state elections, the filing of election contest petitions, and the impoundment of voting machines.

Due to widespread storm-related damage, many New Jersey polling places were unusable and were relocated. This was coupled with creation of mobile polling places and installation of voting machines in buses and at shelters to enable displaced voters to exercise their right to vote.
County officials were instructed to assess the extra demand and ensure an adequate supply of paper ballots, but ultimately they had to use personal cell phones to arrange emergency deliveries of hundreds of boxes of paper ballots that had to be transported through a maze of obstructed roads.

INSUFFICIENCY OF AD HOC REMEDIAL MEASURES

As pointed out in the report accompanying Resolution 113A, the ad hoc remedial measures overloaded the state’s compromised infrastructure, one that was not adequately equipped to handle the changes on such short notice. Many problems resulted; for example, voters, who in normal times would have been able to look up their polling places online, faced a system overloaded by the volume of voters seeking the information because many of New Jersey’s polling places closed and relocated due to storm damage. When a given municipality’s polling place look-up did work, it often did not reflect the relocated polling place information, or the correct information was not readily accessible to or easily digestible by the average voter.

Though the objective of the emergency directives was to enable voters to use e-mail and fax balloting, New Jersey lacked the resources and infrastructure needed for this option to function smoothly. Overloaded systems repeatedly rejected e-mail and fax requests for ballots, and individual counties had neither the staff nor the technological capacity to process the thousands of requests received in the days leading up to election day. The November 6 directive, which allowed county clerks to process all mail-in ballot applications until November 9 if received by e-mail or fax by 5:00 p.m. on election day, and allowing voters to vote their ballot by e-mail or fax until 8:00 p.m. on November 9, frustrated voters’ desire to vote in an open election and forced the election outcome to be determined on the night of the election.

In the face of this unprecedented upheaval less than a week before the November 6, 2012, election, New Jersey election officials were prompted to extend hours to give citizens an opportunity to vote by mail, and provide an opportunity for an estimated 50,000 citizens to vote by e-mail or fax.
Surprisingly, voter turnout in New Jersey was actually higher than the national average compared to earlier years, and the combination of six ad hoc directives ultimately gave thousands of New Jersey residents the opportunity to vote in an otherwise compromised situation.

The storm surge accounted for a significant amount of the hurricane-related destruction and damage, particularly felt by coastal areas in New Jersey and New York. Storm surge is a phenomenon by which the sea rises as a result of changes in atmospheric pressure and wind associated with the storm. The massive size of the surge resulting from Hurricane Sandy created a wind field that pushed Atlantic Ocean waters inland and caused widespread flood damage.

The U.S. Department of Commerce published a report in September 2013 entitled Economic Impact of Hurricane Sandy—Potential Economic Activity Lost and Gained in New Jersey and New York, setting forth the results of a detailed examination of the economic impacts to New Jersey and the 13 FEMA-declared disaster counties in New York hit hardest by Hurricane Sandy. The report provides a detailed estimate of the ultimate change in economic activity ranging from industry production to employment, the bottom line of which is this region experienced large one-time losses in travel and tourism spending and potential gains in construction spending as a result of the storm. It concludes with a somewhat counterintuitive but optimistic suggestion that spending from rebuilding after this natural disaster will generate job growth and help offset initial losses. The report also noted that a rebuilding strategy was delivered to President Obama in August 2013 by the President’s Hurricane Sandy Rebuilding Task Force, setting forth 69 policy recommendations, many already in place, to help homeowners remain in and repair their homes, strengthen small businesses, revitalize local economies, and ensure coastal communities are better able to withstand and recover from similar natural disasters.

One of the direct long-term remedial responses to the surge was an ambitious effort by the U.S.
Geological Survey (USGS) beginning in the summer of 2014 to develop and implement a monitoring network to “provide emergency managers and hurricane scientists with vital coastal storm-tide information during and after major storms affecting the Atlantic Coast.” As part of a massive project to install storm-tide sensors to track and measure storm tide inundation, first employed for Hurricane Rita in 2005, the USGS began developing a new network that could more quickly and accurately make essential information available to those who need it. Over 600 specific sites were pinpointed along the Atlantic Coast from Virginia to Maine by USGS as the foundation for a network of hydrological sensors capable of being installed days to hours before a storm makes landfall, decreasing the time it would otherwise take for FEMA, NOAA, and other emergency response agencies to marshal the necessary information needed for tailored response and recovery efforts and relay it to emergency managers and responders more quickly, hopefully leading to a dramatic improvement in community safety and resilience as the new information is incorporated into building codes and land use policies.

THE NEW YORK AND NEW JERSEY EXPERIENCES

Hurricane Sandy’s deadly wrath was particularly brutal for two states, New York and New Jersey; the responses of each state to this disaster were dramatically different. This chapter will conclude with the harsh lessons learned from Hurricane Sandy about the need for contingency planning. By taking a close look at the responses of New York and New Jersey, we will see how differently each state approached the pre-disaster preparation and post-disaster response to this act of God, and in that comparison, we will try to discern the key factors that comprise effective and comprehensive election-day disaster planning. The experience and quite different outcomes in these two states will help to identify what actions are essential in order to minimize the destructive, disruptive effect of disasters on the fundamental right to vote. Starting with 9/11 and moving forward to Hurricane Katrina and then the aftermath of other man-made and natural disasters, we will set the stage for a very revealing comparison of the pre-election and post-election measures undertaken in New York and New Jersey as each state braced itself for Hurricane Sandy.
WHAT WE HAVE LEARNED

Much has been learned about disaster planning since the September 11, 2001, terrorist attacks on the World Trade Center and the Pentagon and a thwarted attempt by a plane that crashed in farm land of Pennsylvania while heading back to D.C. The 9/11 attacks took place on a day when New York City was holding its regularly scheduled municipal elections. We have also learned much about the need for effective, focused contingency planning after Hurricane Katrina struck New Orleans and the Mississippi Gulf Coast in August 2005, just on the eve of primary elections in the state of Louisiana. Finally, the essential elements of contingency plans, precautions, and preparations that can prevent, minimize, mitigate, or help speed the recovery of a state or local government from a natural or man-made disaster or emergency situation that may otherwise disrupt an election. Contingency planning has not frequently been a focus of reporting and analysis of such disastrous events until the work of the President’s Commission released in 2014. An approach in addressing preservation of the right to vote after natural and man-made disaster events should be simple and direct: (1) gather and refine the specialized knowledge, principles, and practices of states and local governments that have developed plans or portions of plans; (2) draw upon the experience of those states that have been proactive in their development of comprehensive Election Day contingency plans; and (3) set forth the essential elements and characteristics of the most effective of those plans in developing the resiliency necessary to protect and preserve all components of the electoral process before, during, and after disaster events.

PRESIDENTIAL COMMISSION: WIDESPREAD DISRUPTION OF THE ELECTORAL PROCESS

Following President Obama’s appointment of the Presidential Commission on Election Administration, the commission compiled its report, entitled “The American Voting Experience: Report and Recommendations of the Presidential Commission on Election Administration” and made it available to the public in January 2014.
According to the presidential commission, the foreseeable result of Hurricane Sandy was widespread disruption of the electoral process. Sandy was perceived to be the latest clarion call for the United States to take action, and in the most painful way, it highlighted the paramount need for states and local jurisdictions to prepare contingency plans to address the impact of natural disasters, man-made disasters, and other states of emergency.

COMPONENTS OF AN EFFECTIVE AND COMPREHENSIVE ELECTION DAY DISASTER PLAN

The components of an effective and comprehensive election day disaster plan should include at a minimum:

1. Competent advance planning with input from relevant stakeholders, including representatives of the disabled;
2. Appropriately tailored emergency management policies;
3. Implementation of those policies pursuant to legislative authorization and guidance; and
4. Common-sense measures that are based on the past decade of experience, measured from and after September 11, 2001.

These and other appropriate steps can go a long way toward minimizing the disruptive effect of natural and man-made disasters on the fundamental right to vote. They will also provide greater assurance that when, not if, disasters strike during or near an election day, the affected states and local jurisdictions will be in a state of readiness to hold timely elections.

FOCUS ON STRICTLY LOCAL EFFECTS

It is true that many states have already adopted contingency plans for conducting elections in the wake of natural disasters, terrorist attacks, or other emergency circumstances. Unfortunately, these plans tend to focus on strictly local effects such as moving polling places over to a neighboring precinct. Much more depth and detail is called for.

EAC’S CONTINGENCY DISASTER PLANNING

The U.S. Election Assistance Commission (EAC) has published election management guidelines in order to assist state and local election officials in the effective management and administration of elections. While these guidelines are not intended to be requirements or mandates by which state and local governments must abide, they are designed to serve as a source of information for election officials. Published in October 2007, the EAC’s report on contingency disaster planning provided a concise, focused, and well-organized format for contingency planning in elections. The EAC’s report provides detailed recommendations for the development of a “continuity of operations plan” for elections to be placed on file with the state’s chief election office and local county election officials.

COORDINATION OF CONTINUITY OF OPERATIONS PLANS

The contingency disaster planning report calls for the continuity of operations plans to be coordinated through the establishment of a task force that includes (1) all of the subdivisions of government within the county, (2) law enforcement, (3) fire district agencies, (4) school district representatives, and (5) area power and light administrative staff. These connections and their resources should be available to provide assistance in the event of an emergency. In this regard, the report specifically recommends that a complete listing of all polling place locations, along with expected voter turnout for each location, be distributed to area law enforcement and fire departments prior to every election.

CONTINGENCY PLANNING FOR COUNTYWIDE EVENTS

The contingency disaster planning report then recommends contingency planning for countywide events, including a brainstorming session with staff to develop a list of various election day worst-case scenarios.
The report provides helpful examples for possible action plans for worst case scenarios that include such events as shortage of poll workers, phone system crashes, relocation or consolidation of polling places, inclement weather taking place after the polls are open, shortage of supplies and/or ballots, establishing a bomb threat protocol (described on a laminated card placed in all polling place supply kits with instructions for poll workers to follow the guidelines on the card, and to call 911 immediately in the event of bomb threats), and power failure at polling places. The report recommends that an action plan be developed for each of these scenarios, including:

1. Who is responsible for each task;
2. What resources are required for each task;
3. What agency or agencies will be called upon to assist; and
4. Where the designated area for the media will be located for the designated media coordinator.

CONTINGENCY PLANNING FOR INTERNAL OPERATIONS

The EAC’s contingency disaster planning report concludes with a detailed delineation of key aspects of contingency planning for internal operations, including the following:

1. Bringing in the county’s information technology staff to assist in developing procedures for creating a computer and server action plan when internal operations are affected due to unforeseen circumstances;
2. Determining alternative office space if a facility is unusable or staff needs to be relocated due to disaster effects on facilities, lack of computer access, or phone failure;
3. Sending written requests to area power and light companies notifying them of election day activities and asking that they limit any work in the area that could cause power outages.

CRS REPORT: POSTPONING & RESCHEDULING ELECTIONS

A few states have also enacted state laws that provide express authority to postpone or reschedule elections within their jurisdictions based on certain emergency contingencies. Unfortunately, there is no controlling authority that addresses the rescheduling of presidential voting when roads are blocked, power grids are down in half a dozen states all at once, and transportation is at a standstill. In Maskell’s CRS report, he noted that “the United States Constitution does not provide any express language or any current authority for a federal official or institution to ‘postpone’ an election for federal office.” Maskell also concluded that “in addition to the absence of an express constitutional direction, there is also no federal law which currently provides express authority to ‘postpone’ an election, although the potential operation of federal statutes regarding vacancies and the consequences of the state’s failure to select on the prescribed Election Day might allow the states to hold subsequent elections in exigent circumstances.” Maskell’s CRS report called for Congress to exercise its express constitutional authority over the timing of federal elections, stating:

It could enact a federal law setting conditions, times and dates for rescheduling of elections to federal offices in the states in emergency or other exigent circumstances, and with the proper standards and guidelines could delegate the execution and application of those provisions to the executive branch or state officials.

STATE LEGISLATION AUTHORIZING POSTPONEMENT OR RESCHEDULING OF ELECTIONS

Maskell’s CRS report also noted that a number of states have taken the initiative to provide through appropriate legislation express authorization for the postponement or rescheduling of elections based on emergency contingencies, and that sufficient authority may exist under the United States Constitution “to enact legislation to deal with emergency and exigent circumstances concerning federal elections, as long as such laws do not conflict with federal law enacted under Congress’ superseding constitutional authority.” In this regard, Maskell’s CRS report points out that federal courts have generally interpreted federal law to permit the states to reschedule elections to congressional office when ‘exigent’ circumstances have necessitated a postponement. There may be different issues raised in the case of the election of presidential electors, however, since the federal statute regarding the failure to make a choice on the prescribed Election Day for presidential electors is different from that regarding congressional elections.

ABA STANDING COMMITTEE ON ELECTION LAW’S DIALOGUES ON ELECTION REFORM

In 2013, then ABA President James R. Silkenat announced his election law initiative in which he charged the ABA Standing Committee on Election Law with developing and examining ways to improve the federal election process in order to permit the broadest, least restrictive access by Americans to the ballot box. The standing committee spearheaded a series of four town hall meetings strategically held in different parts of the nation during the first quarter of 2014. In early spring 2014, the standing committee hosted several town halls with a particular focus on election reform: one at the University of Miami School of Law in Miami, Florida, focusing on election day and early voting; one at the Philadelphia Bar Association in Philadelphia, Pennsylvania, on voter identification; one at the Ohio State University Moritz College of Law in Columbus, Ohio, on voter registration and election administration; one at the Austin Bar Association in Austin, Texas, on redistricting and election administration; and finally, one at the Sandra Day O’Connor College of Law at Arizona State University in Tempe, Arizona, on election reform and next steps. Each of the town halls was created with the purpose of promoting a dialogue on election reform within the states with members of state and local bar associations, state and local election administrators and civic groups, local election lawyers, as well as representatives of both political parties.
Superb research and drafting assistance was provided by William and Mary School of Law, and the Standing Committee on Election Law released its report on election reform on May 1, 2014, entitled “Dialogues on Election Reform: A Continuing Conversation With the States” (May 2014). The report is a basis for promotion of ongoing dialogue between the standing committee and the states on matters related to election reform. It is clearly “not a response to the report of the Presidential Commission on Election Reform issued in January 2014,” but instead seeks to bring “a different focus and is representative of our continued study of the issue.” The standing committee’s “Dialogues on Election Reform” also represents the best efforts of committed legal professionals and academics to work with state and local election administrators, civic and political party organizations, and the organized bar, to create and promote practical and achievable next steps toward election reform. The Standing Committee on Election Law provided a helpful discussion regarding the benefits of early voting in the context of a natural disaster like Hurricane Katrina and Hurricane Sandy.

THE LOUISIANA CASE STUDY: EARLY VOTING HELPFUL WHEN CRISIS HITS

Hurricane Katrina hit New Orleans and the Mississippi Gulf Coast in August 2005, but with tremendous effort and coordination, Louisiana was able to hold the 2006 mid-term elections even while the most dramatic effects of Hurricane Katrina were still being felt. Seven years post-Katrina, Louisiana Secretary of State Tom Schedler was in a good position to advise the states that were in the path of Hurricane Sandy, like New York, New Jersey, Vermont, and Maryland, as Sandy came ashore just eight days before election day. As noted, at least 15 states were seriously impacted by what many realized was a Superstorm of deadly and destructive proportions, with power failures occurring in at least 17 states.
Louisiana Secretary of State Schedler stressed to his colleagues in these northeast states the importance of communicating and securing voting equipment before the storm “so that administrators and poll workers could spring into action afterwards and move polling places on the fly as needed and keep in close touch at all administrative levels.”

PUTTING EARLY VOTING ON STEROIDS

The Louisiana Secretary of State also advised administrators to “put early voting on steroids,” and in this regard he encouraged the extensive use of early voting in the run-up to Hurricane Sandy as a stop-gap measure to avoid extraordinary lines and the confusion of a post-hurricane election day. By finding a way to “bank” these votes before the election, election officials may be able to relieve the pressure of communicating with thousands of workers, securing and evaluating the physical condition of election machines, physically relocating polling locations, and providing publicity for new locations in the wake of another catastrophe. As the Louisiana Secretary of State noted, “New Jersey implemented early voting on the fly despite not ordinarily providing it, ordering elections to open the Friday before the Election Day to encourage voters to participate early.”

DISASTER RESILIENCE: A NATIONAL IMPERATIVE

Aside from the immediate recovery and rebuilding efforts that cities, regions, and states have to undertake following a massive disaster on the scale of Hurricane Sandy, the focus must shift to resilience. In other words, the focus of state and local government entities should be on preparing to better anticipate disasters through regulatory reforms like zoning codes, building standards, and infrastructure standards in tandem with protective measures against coastal flooding, sea gates, storm barriers, and other infrastructure investments. In light of the increasing frequency of natural and man-made disasters and the increasing severity, sheer magnitude, and destructive consequences of those disasters, a paramount need now exists for governments at the local, state, regional, and federal levels to become more resilient. This is the message of the National Research Council’s 2012 study. The approaches for building resilience are numerous, as are the fiscal and physical challenges associated with their implementation.

EFFECTIVE AND PRACTICAL RESILIENCE EFFORTS

Some of the steps that may be considered in implementing effective and practical resilience efforts have been summarized and are reflected in six recommendations by the Committee on Increasing National Resilience to Hazards and Disasters; the Committee on Science, Engineering and Public Policy; and the National Academies, acting in tandem with a number of federal agencies, as set forth in “Disaster Resilience—A National Imperative.” These measures include the following:

1. A national data inventory or repository for information about disasters and the losses they caused that would provide an evidence base for evaluating the effectiveness of interventions and investments to build resilience;
2. A risk management strategy for both structural and non-structural measures and approaches, including disaster-resistant construction, retrofitting of existing buildings, well-enforced building codes, wetlands that act as natural defenses, timely forecasts and warning systems, changes in zoning and land use, improved risk communication, economic and tax incentives, and insurance;
3. Community resilience coalitions at the local and regional levels, capable of assessing a community’s vulnerability, educating and communicating about risk, and evaluating and expanding a community’s capacity to handle risk;
4. Federal government incorporation of national resilience as a guiding principle for its overall vision and coordinating strategy, with effective inter-agency coordination of work on resilience, consistent and coordinated communications and outreach strategy to the general public, and infusion of principles of resilience into routine functions of government at all levels;
5. Resilience policy review and self-assessment within agencies, including interactions between federal agencies and with state and local governments and with the public;
6. Development of a national resilience scorecard identifying priorities for improvement and comparing costs and benefits as well as societal and economic burdens.

RESOLUTION 113A TO THE ABA HOUSE OF DELEGATES

On August 11, 2014, the Standing Committee on Election Law submitted to the American Bar Association’s House of Delegates a resolution, Resolution 113A, calling on the ABA to urge states, localities, and territories to “develop written contingency plans to preserve the election process in the event of an emergency.”

Minimum Requirements for Disaster Contingency Plans to Preserve the Election Process

The House of Delegates approved and adopted Resolution 113A, under which written contingency plans should include, at a minimum, the following:

1. Designation of alternative locations and times for conducting elections;
2. Provision for the back-up and preservation of election and voter data;
3. Storage and testing of back-up voting equipment to be used in an emergency;
4. Establishment of systems that will ensure continued reliable communications between election administrators and poll workers;
5. Development of effective plans for communicating with voters during emergencies; and
6. Recruitment and training of poll workers in the event of an emergency.

Through Resolution 113A, the ABA urges federal, state, and local officials “to enact measures to ensure that voters assisting in recovery efforts are able to vote by absentee ballot or otherwise, including those who travel outside their state of residence to assist in recovery.”

Effect of Disasters on Every Aspect of Voting

In the detailed report accompanying Resolution 113A, the Standing Committee on Election Law noted that voters in every election, federal, state or municipal, general or primary, “must make their way to the polls or receive and send ballots by mail to vote for the candidates of their choosing.” Unfortunately, unforeseen disasters can make voting not just difficult, but impossible. These disasters come in all shapes and sizes—from snowstorms to hurricanes to even terrorist attacks—and can cause significant disruption, including power outages, gasoline shortages, flooding, or other widespread destruction. Disasters often force those affected to seek refuge in communities far from home while bringing emergency responders, such as police and firefighters, utility and construction workers, and insurance adjusters, to the affected area and away from their home jurisdictions. Because those impacted by these events and those assisting in recovery are rarely focused on voting until it may be too late, the onus falls on election officials to ensure that unforeseen emergencies do not threaten the right to vote of those they serve and those who assist their communities with recovery.

The report accompanying Resolution 113A provided a helpful discussion of the history of emergency-related election day problems, including those experienced in the aftermath of the terrorist attacks of September 11, 2001, during New York’s municipal primary election; the impact of Superstorm Sandy, as the mass power outages that affected 50 million people across eight different states on August 14, 2003; and the combined impact of Hurricanes Katrina and Rita in August and September 2005, which destroyed electrical infrastructure, limited available poll workers, damaged buildings and voting equipment, and displaced voters. Indeed, Hurricane Katrina displaced over half of the residents of New Orleans. Resolution 113A was adopted and approved by the ABA House of Delegates in 2014. It focused on the impact of unforeseen disasters on elections and offered recommendations to assist communities responding to emergency situations.
Several interdependent components made this a much-needed pragmatic response to the recent ravages of Hurricane Sandy. Resolution 113A’s accompanying report provided a roadmap for states, localities, and territories to develop written contingency plans detailing what should be done to protect the election process in the event of an emergency. These contingency plans address major elements of elections likely affected by an emergency:

• Designation of alternative locations and times for conducting elections,
• Sufficient back-up measures to ensure that election and voter data is preserved,
• Proper storage and testing procedures for back-up voting equipment to be used in the event of an emergency,
• Reliable communication methods between election administrators, poll workers, and voters in the event of an emergency, and
• Additional recruitment and training of poll workers that should be anticipated.

Resolution 113A also called for enactment of measures by federal, state, and local officials to ensure that voters assisting in recovery efforts are able to vote by absentee ballot or other similar methods. It calls for measures to address the needs of emergency first responders, repair crews, and aid workers, including those who travel outside of their state of residence to assist in recovery. A significant portion of the report accompanying Resolution 113A described state-level efforts to address problems on election days that might be posed by widescale power outages. The state of Connecticut, for example, implemented regulations in 2012 that would prove to be critically important if a significant power outage threatens an election in that state. These regulations included steps that polling place monitors should take in the event of a black out:

1. Alert everyone to the situation;
2. Contact the power supply company;
3. Contact the facility management staff;
4. Find an alternate source of light such as flashlights;
5. Use an area of the building where natural light is available;
6. Connect a generator if the backup power supply for the voting machines has been depleted; and
7. Vote using paper ballots if a generator is unavailable.

The report accompanying Resolution 113A also described how several states require local jurisdictions to create election disaster contingency plans to deal with such disasters as loss of power, fire, or other disasters in and around polling places. Several states require the secretary of state to draft model plans that must be used by any municipality that fails to create its own plan, or to adopt rules describing the emergency powers that would function as a contingency plan for particular situations. Other states direct their secretary to provide a regulatory framework for state election disaster procedures that in turn require county boards of election to create local contingency plans and file them with the state. In New York, for example, each county election board is required to adopt a contingency plan that addresses how an election shall be configured, tested, conducted, and tabulated, in the event of an unanticipated or unavoidable event. Ohio’s secretary of state requires county boards of election to draft an election administration plan that contains a contingency plan, while other states provide a purely administrative route to planning for election disaster contingencies.

Current State Practices for Emergency Planning

The report accompanying Resolution 113A also provided a detailed survey of current state practices regarding emergency planning, including a discussion of the provisions of federal law affecting state authority to address election emergencies, state laws governing postponement of elections and relocation of polling places, state and local practices regarding contingency planning, and state emergency worker statutes.
For example, specific emergency worker statutes in Alabama define “qualified voters who respond to an emergency” in broad language, and Maine grants emergency workers wide latitude regarding deadlines for returning ballots following the close of the polls. These and similar emergency worker statutes all have the goal of protecting the voting rights of emergency workers without having to extend the ballot receipt deadline.

COMPARISON OF NEW YORK AND NEW JERSEY’S RESPONSES

The report concluded with a case study of Superstorm Sandy and a detailed comparison of the response of the states of New York and New Jersey to this Superstorm.

Voting-Related Directives

For example, in anticipation of Hurricane Sandy, Governor Chris Christie issued executive orders declaring a state of emergency statewide, followed by six voting-related directives from November 1 to November 9, 2012, aimed at easing numerous voting restrictions to make it easier for New Jersey residents to cast their votes.

Easing of Voting Restrictions

One directive issued on November 1, 2012, was aimed at easing voting restrictions and did so by:

1. Extending the deadline by which county clerks could receive mailed applications from mail-in ballots;
2. Requiring all county clerks and election offices to remain open during business hours every day, including Saturday and Sunday through Monday, November 5, 2012, the day before the election;
3. Requiring county clerks and election officials to take all reasonable measures to notify voters of extended office hours;
4. Requiring county boards of election to ascertain and report on which polling places were likely to be inaccessible on election day and to identify alternative sites;
5. Relaxing the requirement that an authorized messenger of mail-in ballots could serve as such only for ten or fewer voters;
6. Waiving the requirement that members of a district’s board of election reside in the county where the district was located; and,
7. Allowing polling places to be located more than 1,000 feet from an election district’s boundary line.

E-mail Voting, Extended Deadlines for Mail-in Ballots, and Notice of Polling Place Changes

Among the directives issued on November 3, 2012, one allowed e-mail voting and mail-in ballots for displaced voters and extended the deadline for election boards’ receipt of marked mail-in ballots. Another required county boards of election to make all efforts to inform voters of polling place changes by posting the information on county and municipal websites, arranging for reverse 911 phone calls, making public service announcements on local media outlets, and posting notices at closed polling places advising voters where they could vote.

Provisional Ballots at Any Polling Place for Displaced Voters

The third of these directives expanded voting for displaced voters by allowing them to vote by provisional ballot at any polling place in the state. It also required county boards of election to count ballots in the voter’s county of registration even if the vote was cast outside the county. Finally, the third directive instructed county boards to count all “eligible votes” including those which the voter was qualified to cast, thereby excluding voters from participating in local races and on local initiatives if the displaced voter used an out-of-district ballot.

Relocated Polling Places and Mobile Polling Places

According to the report accompanying Resolution 113A, the state of New Jersey responded to the widespread damage caused by Superstorm Sandy by relocating many polling places throughout the state and creating mobile polling places, installing voting machines in buses to shelters so that displaced voters could exercise their right to vote. The report concluded:

“The combination of directives aimed at improving voter participation and the scrambled efforts of election workers afforded countless New Jersey residents the opportunity to vote in an otherwise compromised situation.”

NEW YORK’S EMERGENCY MEASURES

New York was a different story. New York instituted numerous emergency measures to provide greater access to polling places in the midst of the damage caused by Superstorm Sandy. However, even when poll workers and voters were properly given information about the details of the governor’s executive order that authorized the printing of 1.3 million affidavit ballots in a race to mitigate the effects of the hurricane on displaced voters, polling places were simply unprepared to handle the sheer volume of voters who sought to cast their votes. Thousands of displaced voters strained an already crippled election infrastructure. Relocated polling places did not have enough ballots to meet the demands of displaced and properly there situated voters, resulting in long lines and hours of wait time. Some polling places lost power and electricity due to the storm and were operating on generators, and some even operated via flashlight, further adding to the general confusion and disorder.”

Displaced Voter Confusion and Insufficient Provisional Ballots

In addition to the frustration and difficulty of voting faced by displaced voters, and the enhanced level of polling place confusion, many polling places did not have sufficient provisional ballots to meet the needs of voters, and those voters who were not displaced had to contend with relocated polling places, many being unaware that their polling places were relocated and others being aware that their polling places were relocated but often not knowing where.
The confusion was increased by the fact that many voters “thought they could vote at any polling place in New York state even though they were not from one of the affected counties.”

Disenfranchisement from Lack of Advance Planning

The report accompanying Resolution 113A concluded that a lack of advanced planning resulted in unnecessary disenfranchisement of thousands of voters both in New York and New Jersey. Without an established contingency plan, displaced voters were left scrambling, unsure of how or where to vote, with some denied the opportunity to vote. Voters who were not displaced faced similar difficulties with confusing relocation information, long lines, impassable roads, or the inability to travel to a polling place due to a gasoline shortage. Poll workers and election volunteers were often ill informed about the states’ last-minute remedial measures, resulting in further misinformation. Resolution 113A sets forth specific, concrete recommendations intended to help state and local jurisdictions develop the contingency plans necessary to minimize the previously mentioned types of problems in the future. As the report accompanying Resolution 113A concluded:

“The right to vote is fundamental. Because a large-scale emergency that occurs on or right before Election Day can make voting impracticable or impossible for those affected by the emergency and those assisting in recovery efforts, state and local governments should take appropriate steps to develop and implement emergency contingency plans to enable these individuals to vote.”

CONCLUSION

Our knowledge and awareness of the need for contingency plans for elections in the event of disasters or emergencies has not developed in a linear fashion. The accumulation of this knowledge has been largely gathered through the school of hard knocks and the university of deadly disasters. It is submitted that the most appropriate response for states, local governments, and territories in light of this accumulated knowledge is to proceed apace with the development of written contingency plans that will preserve the right to vote and preserve the election process in the event of an emergency or disaster, whether man-made or natural.
The disaster contingency plans contemplated by state election law provisions in Connecticut and New York provide concrete examples of plans that have sufficient scope and breadth to apply to natural disasters on the scale of Hurricane Sandy, provided those plans are re-evaluated in light of the specific recommendations of Resolution 113A approved by the ABA in 2014. Those plans must reflect essential advance planning in order to avoid unnecessary disenfranchisement of voters during and immediately after a disaster. An established contingency plan will minimize instances in which voters are displaced and clueless about how and where they are to vote, and will sharply reduce instances of inadvertent denial of the opportunity to vote to those caught in the pincers of displacement in the midst of a disaster. Adequate contingency plans can also minimize voter confusion over precinct relocation information, minimize long waiting lines at the polls, and minimize the impact on voters faced with impassable roads or otherwise unable to travel to a polling place due to a gasoline shortage. Finally, carefully drafted disaster contingency plans can minimize the level of misinformation and enable poll workers and election volunteers to be fully informed about and responsive to their states’ last-minute remedial measures. For New Jersey and New York elections held on the cusp of Hurricane Sandy, an established contingency plan available to officials and voters well in advance of the epic storm would have ensured that election officials, poll workers, and voters would be familiarized with and prepared to address the many avoidable problems that descended on these two states in October and November 2012. The recommendations in Resolution 113A are intended to help state and local jurisdictions develop the plans necessary to minimize these types of problems in the future.
The contents of such contingency plans, as set forth in Resolution 113A, are described broadly enough and with sufficient flexibility to enable each state and locality to develop such contingency plans in light of and responsive to the particularized needs and concerns of the citizens within each jurisdiction, whether a state, county, municipality, or other unit of government. The experience and shortcomings noted in the aftermath of Hurricane Sandy, particularly in the states of New York and New Jersey, serve not so much as a basis for criticism, but more as a solid foundation for appropriately tailored, effective, and pragmatic contingency planning that will preserve the right to vote in times of emergency and disaster.

Ben Griffith is principal of Griffith Law Firm in Oxford, Mississippi. He enjoys a civil practice that is focused on federal civil litigation, insurance defense, election law and voting rights. Since 2014 he has served as adjunct professor with the University of Mississippi School of Law for municipal law practice skills and election law. He serves on the ABA Board of Governors’ Finance and Internal Operations Committee, the ABA House of Delegates, and chairs the International Steering Committee of the International Municipal Lawyers Association. He is past chair of the Government Law Section of the Mississippi Bar, past president of the Mississippi Association of County Board Attorneys, and past president of the National Association of County Civil Attorneys. He is chapter author and editor of the three editions of America Votes! Challenges to Modern Election Law & Voting Rights (ABA 2008, 2012, 2016). He is board certified in Civil Practice Advocacy and Civil Pretrial Practice Law by the ABA-sanctioned National Board of Trial Advocacy, and has been recognized by his peers with inclusion in Best Lawyers of America (Municipal Law) and Mid-South Super Lawyers (Municipal Law) from 2007 to the present.
