[00:00:00] Speaker 05: Well, thank you all for being here in this snowy weather with us so that we can see you in person. [00:00:05] Speaker 05: We enjoy and benefit from these in-person arguments tremendously, so we're glad that you were able to do this. [00:00:12] Speaker 05: We're also very excited to welcome Chief Judge Rodney Gilstrap of the Eastern District of Texas to sit with us by designation today. [00:00:22] Speaker 05: We only invite the very best, and we got it today, so we're happy to have him join us. [00:00:26] Speaker 05: So let me call our first case. [00:00:29] Speaker 05: 23-1413, Military Veterans Advocacy versus the Secretary. [00:00:35] Speaker 05: Mr. Millican, please proceed. [00:00:38] Speaker 02: Thank you, Chief Judge Moore. [00:00:39] Speaker 02: Good morning, Your Honors, and may it please the Court. [00:00:42] Speaker 02: We're asking the Court to hold two narrow subsections of the VA's 2022 rule unlawful. [00:00:48] Speaker 02: These provisions assert sweeping authority but lack any basis in statutory text. [00:00:54] Speaker 02: Nor is best we can tell that they have any counterpart in the rules of any other agency. [00:00:59] Speaker 02: no one else claims the authority to subject users of its IT systems to warrantless searches and standardless background checks. [00:01:08] Speaker 05: Actually, hold on. [00:01:09] Speaker 05: When you say no, there are agencies. [00:01:11] Speaker 05: I mean, technically we're not an agency, but we do. [00:01:14] Speaker 05: Did you have to go through a metal detector and was all your stuff scanned before you walked in here? [00:01:18] Speaker 02: That's correct. [00:01:19] Speaker 05: Did you have to go through a background check to be able to stand here? [00:01:21] Speaker 02: A background check? [00:01:24] Speaker 02: when I applied for admission to the bar. [00:01:25] Speaker 05: Fair enough. [00:01:27] Speaker 05: And so your personal items were searched to enter the building? 
[00:01:31] Speaker 02: That's correct. [00:01:32] Speaker 05: So what's wrong with that? [00:01:34] Speaker 02: Well, what's wrong with that is that what the VA is claiming the authority to do here is to inspect the entirety of the computer equipment that's used to access the VBMS and also any location in which that computer equipment happens to be located. [00:01:50] Speaker 05: You may not know this, but the entire judiciary has a policy. [00:01:53] Speaker 05: And every user of the judiciary's network accepts that policy. [00:01:59] Speaker 05: Every time I log on to my government account, [00:02:03] Speaker 05: I have a pop-up screen that tells me I have no rights to privacy, and the government can inspect the device every time. [00:02:10] Speaker 05: Every single time I log on, I have to click OK before I'm allowed to continue. [00:02:16] Speaker 05: And that gives the government, if I'm using a personal device, the right to inspect my personal device. [00:02:22] Speaker 05: If I'm using a court device, the right to inspect my court device. [00:02:25] Speaker 05: It's letting people know that by accessing the court's network, [00:02:31] Speaker 05: You are no longer guaranteed those rights of privacy. [00:02:35] Speaker 05: So are you saying, does that feel also unconstitutional to you? [00:02:39] Speaker 02: No, because, Your Honor, the court staff is not entitled to come into your home unannounced and without a warrant just because the laptop on which you access the court systems happens to be in your home. [00:02:50] Speaker 02: And that's what these regulations say on their face. [00:02:53] Speaker 02: We flagged this issue during the rulemaking proceeding. [00:02:57] Speaker 05: But hold on, but do your clients, did they agree to it? [00:03:02] Speaker 05: Just like when you say they're not allowed to. [00:03:03] Speaker 05: Don't they have to affirm once a year, every single year, that they agree to all of these potential searches? 
[00:03:15] Speaker 02: So the two individuals from which we submitted declarations, the members of MVA, they do not access VBMS precisely because of these unlawful regulations. [00:03:26] Speaker 02: So they have not consented to these. [00:03:27] Speaker 01: But the people who do access the system, they have consented annually to that search or to the provision that says, [00:03:35] Speaker 01: that there can be an inspection of hardware, software, and location. [00:03:38] Speaker 02: They consent in the VA rules of behavior. [00:03:41] Speaker 02: But I want to be clear about this issue of consent. [00:03:44] Speaker 02: That is an issue with respect to our Fourth Amendment argument. [00:03:48] Speaker 02: The consent argument is not an answer to our Administrative Procedure Act argument, which is that the VA doesn't have any statutory authority to impose these inspections. [00:03:58] Speaker 02: even if they force users of the VBMS to sign a statement saying that they've read the VA rules of behavior and agree with them. [00:04:08] Speaker 03: Let me ask you this, counsel. [00:04:09] Speaker 03: The no notice inspection provision, is it limited to [00:04:15] Speaker 03: communications and information regarding counsel that use it? [00:04:18] Speaker 03: Are there also attorney-client privilege communications that are subject to review that are embedded in these devices? [00:04:26] Speaker 03: I mean, does this reach the clients, not just the lawyers? [00:04:29] Speaker 02: That is precisely the concern, Judge Gilstrap. [00:04:32] Speaker 02: The regulation on its face says that the VA may at any time and without notice inspect the computer hardware and software utilized to obtain access and their location. [00:04:42] Speaker 02: So that's not saying just we'll monitor your access activities while you're accessing the VBMS. [00:04:49] Speaker 02: That might be a perfectly reasonable regulation. 
[00:04:52] Speaker 02: And we pointed that out in our response to the notice of proposed rulemaking at appendix 1181 to 1182. [00:04:58] Speaker 01: Can I ask you a question related to that? [00:05:01] Speaker 01: How would you change this provision? [00:05:03] Speaker 01: What language would you add at the end of Part C? [00:05:06] Speaker 01: What language are you asking, would you ask for? [00:05:10] Speaker 01: I mean, there are some times, of course, where such an inspection, like for example, to see if somebody's at Starbucks versus their home, makes a lot of sense. [00:05:21] Speaker 01: But I mean, if there was a phrase, the words added, to ensure compliance with [00:05:26] Speaker 01: these requirements. [00:05:28] Speaker 01: Would something like that be enough to satisfy you for all circumstances? [00:05:34] Speaker 02: Well, if it simply said to ensure compliance with these requirements, I don't think that that would narrow the scope of authority that's on the face of the regulation. [00:05:43] Speaker 02: But in response to your question, I think there are two things I would say. [00:05:48] Speaker 02: First, elsewhere in the rule, this is a 38 CFR 1.602C3. [00:05:54] Speaker 02: It says, by applying for and exercising these access privileges, the individual expressly consents to VA monitoring access activities at any time for the purpose of auditing system security. [00:06:07] Speaker 02: We think that's perfectly reasonable. [00:06:08] Speaker 02: If you're going to access the VA systems, they should be able to monitor what you're doing while you're accessing those systems. [00:06:15] Speaker 02: I think it would also be reasonable for the VA to put into place some sort of provision that allows them to ensure that when you access the VA systems, you're doing so only from an approved location and not a Starbucks. 
[00:06:29] Speaker 02: That could take the form of [00:06:31] Speaker 02: some sort of software that allows them to determine your location when you're logged on to the VBMS. [00:06:38] Speaker 02: It could take the form of some reasonable administrative process for them to go to check on you. [00:06:43] Speaker 01: Do you agree though that the language where it says inspect the location, that includes the narrow circumstance in which you just described? [00:06:51] Speaker 02: I think it includes that circumstance, but I think it is much broader than that circumstance, and that is our concern. [00:06:58] Speaker 03: Let me ask you this. [00:07:01] Speaker 03: You say that this is a facial challenge and the government says it's an as applied challenge. [00:07:07] Speaker 03: I can't find any clarity in the briefing on either side that tells me how much this no notice inspection provision has been used, the extent of its use, or anything about the real world and how it's applied or not applied at all. [00:07:22] Speaker 03: Can you give the court some representation as to whether this is something that's used once every [00:07:29] Speaker 03: two times somebody logs on or is it never used at all or is it somewhere in between? [00:07:34] Speaker 03: The briefing is just silent on the real world application and use of this thing. [00:07:39] Speaker 02: We don't have access to that information, Your Honor. [00:07:42] Speaker 02: The MVA's attorneys do not access the VBMS precisely because of the existence of this provision, which would open up their attorney-client-privileged information. [00:07:55] Speaker 05: So you don't even have anecdotal information? [00:07:57] Speaker 02: I do not have anecdotal information. [00:07:59] Speaker 05: But following up on what Judge Gilstrap just asked you, are you [00:08:03] Speaker 05: suggesting that this particular challenge is an as applied challenge or a facial challenge. [00:08:09] Speaker 02: It is a facial challenge. 
[00:08:10] Speaker 05: So here's the problem. [00:08:11] Speaker 05: To succeed on a facial challenge, you have to conclude that all applications of the rule are unconstitutional. [00:08:19] Speaker 05: Do you agree with that? [00:08:20] Speaker 02: With respect to our constitutional argument, I agree. [00:08:23] Speaker 02: With respect to our APA argument, all we have to show is that it lacks statutory basis or that the agency didn't provide a reasoned basis for it in passing the rule. [00:08:34] Speaker 05: Well, a reasoned basis for it when passing the rule. [00:08:40] Speaker 05: I mean, if you agreed with Judge Stoll earlier that certain applications [00:08:47] Speaker 05: of it are completely acceptable to you. [00:08:49] Speaker 05: Isn't that sufficient to create a reasoned basis? [00:08:53] Speaker 02: No, because the agency has to provide a reasoned basis for the rule that it passed. [00:08:58] Speaker 02: And the rule that it passed stretches far beyond the reasonable circumstances that Judge Stoll and I were discussing. [00:09:07] Speaker 01: But let me think about this. [00:09:08] Speaker 01: I'm also having a problem with this very point, which is you say there's no statutory basis for it, and there's no reasoned basis for it. [00:09:17] Speaker 01: But if looking to see what the location is to make sure that the user is accessing it from a private Wi-Fi network, for example, that clearly falls within the scope of the rule. [00:09:36] Speaker 01: So why is that not a proper application of the rule? [00:09:42] Speaker 02: It would be a permissible action for the agency [00:09:47] Speaker 02: to take if they passed a narrower rule. [00:09:50] Speaker 01: But the agency- Well, in other words, why should we speculate as to the nefarious ways in which the agency could use this when we can see plain on the face the more reasonable ways that they could use it? 
[00:10:05] Speaker 01: And it's not until something nefarious happens that there would be an as applied challenge. [00:10:10] Speaker 02: So two responses, Your Honor. [00:10:11] Speaker 02: The first is that we don't have to speculate, because we pointed out in our response to the notice of proposed rulemaking that this was far too broad, that there was room for reasonable inspection provisions, but that this went too broad. [00:10:25] Speaker 02: And the VA just simply said, no, we're going to leave it as it is. [00:10:29] Speaker 02: So the VA is trying to assert this extremely capacious authority. [00:10:32] Speaker 02: That's the first answer. [00:10:34] Speaker 01: So we're to infer intent from the agency based on that. [00:10:37] Speaker 02: Intent for the agency to assert the authority to conduct these unannounced and warrantless searches of any premises on which the computer happens to be located. [00:10:46] Speaker 02: The second response is a higher level. [00:10:48] Speaker 03: You don't really contend that people are going to break down doors and go in homes and break in businesses physically. [00:10:55] Speaker 03: This is really about seeing what's on the computer. [00:10:57] Speaker 03: Is it not? [00:10:58] Speaker 02: I'm saying that that is the scope of the authority that the VA has asserted in this case. [00:11:04] Speaker 02: I have no insight into their subjective motivations about how they wish to use this. [00:11:10] Speaker 02: But when we look at the lawfulness of agency rules, [00:11:14] Speaker 02: We do not look at, oh, yeah, maybe this is a little broad, but we just trust the agency that they're going to exercise this power in reasonable ways. [00:11:24] Speaker 02: We say, what power is the agency asserting, and does its enabling statute give it the power to assert that authority? [00:11:34] Speaker 05: You agreed with Judge Stoll that there were certain narrower location-oriented [00:11:39] Speaker 05: uh... 
reviews that the agency could have implemented, and that the real problem here is that this is just too broad, it might... Is that right? And that that's it? So what is the statutory authority that you think expressly supports their ability to adopt a narrower, uh... rules like the one that you said would be okay? [00:12:03] Speaker 02: To give you two examples, Section 5722B2 gives the secretary authority to establish policies and procedures that quote, cost-effectively reduce security risk to an acceptable level. [00:12:17] Speaker 02: I think that making sure attorneys are accessing VBMS from a private location comfortably fits within that. [00:12:25] Speaker 02: Section 5723A2. [00:12:28] Speaker 02: gives the Secretary authority to ensure that information security protections are commensurate with the risk and magnitude of the potential harm. [00:12:36] Speaker 05: So here's the key. [00:12:38] Speaker 05: Because honestly, on their face, both of those could arguably justify the breadth of the agency's thing, but only if they did the risk assessment. [00:12:46] Speaker 05: That's a piece I have found not to have occurred here, right? [00:12:50] Speaker 02: Agreed, Your Honor. [00:12:51] Speaker 05: So explain that one to me again. [00:12:52] Speaker 05: And do you agree? [00:12:55] Speaker 05: So explain that last one, the 5727A2, because I kind of cut you off and I didn't mean to, I just got excited. [00:13:01] Speaker 02: So explain that one again. [00:13:06] Speaker 02: A2 says that the Secretary should ensure that information security protections are commensurate with the risk and magnitude of the potential harm. [00:13:14] Speaker 02: And then in 5722B2, it says that the policies and procedures that are promulgated pursuant to this authority have to be based on risk assessments. [00:13:26] Speaker 02: That's a separate basis for our challenge to these rules, which is that there's no indication that these policies were based on risk assessment. 
[00:13:34] Speaker 05: So let me just say, I think, arguably, when I look back at what they did, that they arguably articulated a risk assessment for the background check. [00:13:42] Speaker 05: So let's just put that to one side. [00:13:44] Speaker 05: You just assume that I think that. [00:13:46] Speaker 05: But I am struggling to see where they did a risk assessment. [00:13:49] Speaker 05: on the scope of the location. [00:13:52] Speaker 05: No notice and, you know, search. [00:13:55] Speaker 02: I don't believe there is one and I've looked. [00:13:57] Speaker 05: Yeah. [00:13:58] Speaker 05: I mean, the background, the background check thing, I just, I don't understand why you're fighting that piece. [00:14:03] Speaker 05: Why? [00:14:04] Speaker 05: What, what, what's wrong with the background check? [00:14:06] Speaker 05: I mean, we don't hire a single person here to work in the federal government. [00:14:08] Speaker 05: It doesn't have a background check. [00:14:11] Speaker 02: The main problem with it, Your Honor, is that it's unnecessary. [00:14:14] Speaker 02: The VA already... No, staff. [00:14:17] Speaker 05: Staff. [00:14:18] Speaker 05: This provision was broadened to not just apply to attorneys, it applies to staff. [00:14:23] Speaker 02: Correct, but the VA will already provide attorneys access to these records on CD-ROM or in hard copy solely by saying, I'm an attorney, I'm in good standing with the state bar, and I represent this claimant. [00:14:37] Speaker 02: And all they're doing is imposing another, more onerous layer of regulation if you want to get the more convenient form of access that VBMS supplies. [00:14:46] Speaker 05: No, but it's not just more convenient. [00:14:47] Speaker 05: You know why? [00:14:48] Speaker 05: Because just about anybody can hack in and see other stuff. 
[00:14:52] Speaker 05: So if I give you a piece of paper, the limited universe at which you can expose to the risk of public [00:14:59] Speaker 05: disclosure is limited to what's on that piece of paper. [00:15:03] Speaker 05: When I give you access to a database, it is way harder to be confident about controlling and limiting your access. [00:15:13] Speaker 02: That's fair, Your Honor, but when the VA accredits individuals to represent claimants before them, they will presume the character and fitness of attorneys who are in good standing with a state bar and will presume that that individual is going to protect client confidences, protect the VA's confidential information. [00:15:32] Speaker 02: conduct themselves appropriately. [00:15:34] Speaker 05: With regard to the client who hired them, but not with regard to all of the data. [00:15:40] Speaker 05: Don't worry about the time. [00:15:41] Speaker 05: Not with regard to all the data the electronic system has within it. [00:15:45] Speaker 02: Correct, but individuals who get access to the VBMS get access only to the records of the specific individual. [00:15:52] Speaker 05: Unless they're good hackers. [00:15:54] Speaker 05: That's the problem, right? [00:15:55] Speaker 05: That is the whole cybersecurity problem. [00:15:56] Speaker 05: You're only as strong as your weakest link, and yes, we are [00:16:00] Speaker 05: theoretically, narrowly giving them access to these records. [00:16:04] Speaker 05: But really good hackers can probably gain entry to the entire system that way. [00:16:09] Speaker 05: That is why we have limited access. [00:16:11] Speaker 02: Correct. [00:16:11] Speaker 02: But again, in other circumstances where very sensitive information is at stake, the VA is content to presume that attorneys are not going to violate their ethical obligations and their duties as an officer. [00:16:23] Speaker 01: What is the standard that you have to show? 
[00:16:25] Speaker 01: You have to show that it's, what is the standard that you have to satisfy? [00:16:29] Speaker 02: in order to show that it's unlawful. [00:16:32] Speaker 02: We have to show that it lacks a statutory basis. [00:16:36] Speaker 02: That's our statutory argument. [00:16:39] Speaker 02: Or that the agency did not provide a reasoned basis for the rule and the rulemaking record. [00:16:47] Speaker 01: It's really hard. [00:16:48] Speaker 01: That's a hard standard to satisfy for just a background check. [00:16:52] Speaker 02: Actually, this is a very important point. [00:16:54] Speaker 02: I recognize I'm well over time. [00:16:56] Speaker 02: No, you're good. [00:16:57] Speaker 05: It's a hard case. [00:16:57] Speaker 02: Go ahead. [00:16:58] Speaker 02: So the VA's sole justification for imposing this background check requirement is that the VA has said that they have to do it because of this Homeland Security Presidential Directive 12 and an accompanying Office of Management and Budget memo. [00:17:14] Speaker 02: That's the only justification for the rule that they have provided. [00:17:18] Speaker 02: That directive and that memo do not apply to mere users of federal information systems. [00:17:24] Speaker 02: They apply to federal employees and contractors. [00:17:28] Speaker 01: What about the OMB circular? [00:17:31] Speaker 01: Didn't they cite the OMB circular as well? [00:17:33] Speaker 02: In the briefing, they have relied only on these two OMB memos that implement the presidential directive. [00:17:45] Speaker 02: That's all I understand them to be relying on. [00:17:47] Speaker 01: Well, I look at page A, for example, which is where the actual rule is. 
[00:17:51] Speaker 01: And it refers to OMB circular A-130, which in turn refers to implementing control access policies for information resources that ensure individuals have appropriate authorization and need and that appropriate level of identity proofing or background investigation is conducted for granting access. [00:18:10] Speaker 01: It's not just for federal employees. [00:18:13] Speaker 01: I don't know if you have that document, but it's cited in the rule itself. [00:18:19] Speaker 02: I don't... It's not... I see, I see that, I see the reference to it in the rule. [00:18:27] Speaker 02: I do not believe that this is in the rulemaking... I see that it is included in the [00:18:38] Speaker 02: amended index of rule-making record at appendix 2126. [00:18:42] Speaker 02: It is not in the record, and so it is not something that the agency has relied on in defending its rule in this court. [00:18:50] Speaker 03: I want to go back to the no-notice provisions, because quite honestly, that is the most troublesome to me. [00:18:58] Speaker 03: Is there any data or any information that indicates how many times this access takes place, subject to the no notice inspection, where the actual adverse party is the Secretary of Veterans Affairs, [00:19:13] Speaker 03: as opposed to whether the access to the data and the purpose behind seeking it is related to litigation in which the secretary is not an active party. [00:19:25] Speaker 03: Because it seems to me you're basically taking an adverse party and giving them unfettered access to everything on the other side's computer. [00:19:33] Speaker 03: Now if that [00:19:35] Speaker 03: person who's the gatekeeper and who has the unlimited inspection authority is not a party to the litigation. [00:19:41] Speaker 03: That's a whole different kettle of fish. 
[00:19:44] Speaker 03: Is there any indication as to how much of the time we're talking about litigation or potential litigation that directly involves the agency, the Secretary of Veterans Affairs, as opposed to other litigation or other proceedings in which the secretary would be a nonparty? [00:19:59] Speaker 02: As far as I am aware, this VBMS access is only for proceedings in which the VA is the adverse party. [00:20:07] Speaker 02: This access is for individuals who are representing veterans who are asking the VA for service-connected benefits. [00:20:14] Speaker 03: So you're not aware of any circumstances where counsel would be accessing this subject to this no-notice inspection for purposes that don't involve the secretary as an adverse party? [00:20:25] Speaker 02: I am not aware of any, Your Honor. [00:20:27] Speaker 05: OK, thank you, Mr. Milliken. [00:20:30] Speaker 05: Let's hear from, how do I say your name, counsel? [00:20:34] Speaker 05: Lester. [00:20:35] Speaker 05: Mr. Lester, then let's go. [00:20:50] Speaker 00: Good morning and may it please the court. [00:20:52] Speaker 00: The final rule should be sustained. [00:20:54] Speaker 00: To begin, the petition is defective because it raises as applied challenges to the final rule as opposed to a facial challenge. [00:21:01] Speaker 00: All of the arguments in the petition are about how the rule applies to attorneys specifically. [00:21:07] Speaker 00: A facial challenge, however, has to be independent of the individual. [00:21:10] Speaker 00: They have to show that there's no set of circumstances under which the regulation would be valid. [00:21:15] Speaker 01: Can you help me, first of all? [00:21:16] Speaker 01: I just want to know, can you tell us a little bit about the type of documents that can be accessed by somebody on the VA IT system? [00:21:25] Speaker 01: Like, can they access documents of other veterans other than those they represent? 
[00:21:29] Speaker 01: And what's the nature of the confidential information? [00:21:33] Speaker 01: security numbers, social security numbers, and things like that. [00:21:37] Speaker 01: And also a related question is, well let's start with that one. [00:21:42] Speaker 00: Sure. [00:21:43] Speaker 00: To begin, in VBMS and case flow, the types of documents that are housed there include sensitive medical information from veterans, their financial information, social security numbers, all sorts of personally identifiable information. [00:21:58] Speaker 00: So given that this information is [00:22:00] Speaker 00: subject to VA's control. [00:22:02] Speaker 00: It's within VA's internal, it's one of VA's internal systems. [00:22:07] Speaker 00: To make this available to outside people requires a very significant sensitivity to the risks associated with that type of disclosure. [00:22:17] Speaker 00: I mean, VA is under a statutory duty. [00:22:18] Speaker 01: If I could get on the system, would I be able to, would I be limited to access only my clients or do I just make a representation that that's all I will use it for? [00:22:29] Speaker 00: As I understand, it's just limited to your own clients. [00:22:32] Speaker 01: Like I would not be able to access other information unless I hacked in some way. [00:22:38] Speaker 00: The way you're supposed to use it should just be limited to your client. [00:22:44] Speaker 00: You wouldn't be able to access other veterans who you didn't represent. [00:22:47] Speaker 01: Could I, if I ignored my ethical obligations, would I be able to access the information of other veterans? [00:22:56] Speaker 00: I don't believe so. [00:22:57] Speaker 00: I don't believe you can. [00:23:00] Speaker 03: I guess you couldn't, or is that I'm sure you could? [00:23:07] Speaker 00: It's set up for you to only access the records of your own client. [00:23:12] Speaker 03: OK. 
[00:23:12] Speaker 03: So we're talking about within the realm of how it's supposed to work. [00:23:16] Speaker 03: That's how it's supposed to work. [00:23:17] Speaker 03: That's not an exclusion of how it might otherwise work if intentionally mishandled or misappropriated by someone. [00:23:24] Speaker 00: Oh, if it's mishandled or misappropriated or someone's an expert in hacking, then there's all sorts of information that they could gain access to that they don't have any entitlement to see. [00:23:33] Speaker 03: Let me ask you this, counsel. [00:23:35] Speaker 03: In the risk assessment that was done as a part of the adoption of this no-notice inspection rule, in the appendices that we've been furnished with, I see lots and lots and lots of spreadsheets, and they don't tell me anything. [00:23:49] Speaker 03: I can't make any sense out of them. [00:23:52] Speaker 03: What really was the basis for the substantive risk assessment that led to this adoption of the no-notice inspection? [00:24:04] Speaker 00: Well, the risk assessments that are contained in the supplemental appendix are risk assessments of the systems to which one would seek access to as a part of... I mean, you're talking about a spreadsheet with this is filled in, that's filled in, this is blank. [00:24:20] Speaker 03: There are little two, three-word insertions. [00:24:22] Speaker 03: They don't, at least for my limited ability, they don't tell me anything. [00:24:27] Speaker 01: In other words, is there a particular page that you would identify for us that talks about the risk assessment for no notice inspection? [00:24:34] Speaker 01: I don't see it either. [00:24:35] Speaker 00: Well, the risk assessment isn't for necessarily [00:24:40] Speaker 00: for the right to inspect provision, essentially. [00:24:44] Speaker 00: The risk assessment is for the system. [00:24:46] Speaker 00: It's for a VBMS and case flow. [00:24:48] Speaker 00: So what are the potential risks? 
[00:24:50] Speaker 00: And this is done according to standards. [00:24:52] Speaker 00: So you go through the various types of risks. [00:24:54] Speaker 00: There are environmental risks, potential that there's going to be lightning, potential for hacking, the potential for risks associated with remote access to these internal VA systems. [00:25:06] Speaker 00: And the risk assessment for that. [00:25:08] Speaker 05: Those risks are the risks inherent to any database with sensitive information. [00:25:14] Speaker 05: And so how are those tethered to the VA's decision that they could, with no notice, come into your home, inspect your home, your hardware, your software, and everything on your computer? [00:25:26] Speaker 05: That's what you have to have a risk assessment for, right? [00:25:29] Speaker 05: The risk assessment isn't just, I have a sensitive system. [00:25:32] Speaker 05: Because you know what? [00:25:33] Speaker 05: I've got a lot of sensitive stuff in my computer. [00:25:36] Speaker 05: But I don't have the right to go into one of my, even my employees' homes and search their homes. [00:25:41] Speaker 05: That's absurd. [00:25:42] Speaker 00: Well, there are two issues. [00:25:43] Speaker 00: One, to the extent that you say, this is my system and I want to give somebody my employee access to it, and you say, well, I'm only going to give you access to it if I can ensure that you're using it correctly and you're not using it, let's say, in a Starbucks. [00:25:57] Speaker 00: I mean, that's your right to do it. [00:25:58] Speaker 00: It's optional. [00:26:00] Speaker 00: The second part is what the risk assessment entails. [00:26:04] Speaker 00: In the statute itself, it provides what the risks are supposed to assess. [00:26:09] Speaker 00: I can pull that. [00:26:13] Speaker 00: And this is in 5722E1. [00:26:14] Speaker 00: And it's supposed to be periodic assessments of the risk and magnitude of harm. 
[00:26:20] Speaker 01: To what page of the appendix are you on? [00:26:22] Speaker 00: I'm citing a statute, so it's not directly in the appendix. [00:26:26] Speaker 01: Thank you. [00:26:27] Speaker 00: So 5722B1 provides that the secretary shall ensure that the department information security program includes the following elements. [00:26:37] Speaker 00: And one is periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the department. [00:26:52] Speaker 00: So for [00:26:53] Speaker 00: All of the VA systems, the IT staff provide, do that sort of analysis with respect to a list of potential risks and potential vulnerabilities. [00:27:05] Speaker 00: Some of them are low risk. [00:27:06] Speaker 00: It could be an outward facing system that provides blog posts or publicly available information. [00:27:16] Speaker 00: So the risks associated with privacy and confidentiality for those are relatively low. [00:27:21] Speaker 01: Are you saying then that what the statute requires is you to look at the risks that could result from the system having unauthorized access? [00:27:30] Speaker 01: But that does not mean that you need to also have that assessment talk about how you're going to control that risk. [00:27:37] Speaker 00: That's correct. [00:27:38] Speaker 00: It can. [00:27:39] Speaker 00: But I could show you. [00:27:41] Speaker 00: If you look in the supplemental appendix, for instance, at 46 and 47, [00:27:50] Speaker 00: you know, provides the risks associated with remote access from a separate device. [00:27:55] Speaker 05: But the problem is, I mean, doesn't B2 say the policies and procedures that the VA adopts have to be tethered to and based on that risk assessment? 
[00:28:05] Speaker 00: So this risk assessment determined that there is a high privacy, there's a significant risk associated with... Basically sensitive data. [00:28:13] Speaker 05: That's what this risk assessment... We have sensitive data. [00:28:15] Speaker 05: Full stop. [00:28:16] Speaker 05: There's nothing else in your risk assessment. [00:28:17] Speaker 05: This is sensitive data. [00:28:19] Speaker 05: So why is being able to go into someone's home and search their premises a reasonable policy with regard to the protection of sensitive data? [00:28:30] Speaker 00: Well, it's a reasonable policy for several reasons. [00:28:33] Speaker 00: which are explained in the final rule in the explanation. [00:28:38] Speaker 00: Essentially, the entire purpose of this rule was to expand access, was to provide more people with access to VA's internal systems to provide that benefit for representing veterans and claimants. [00:28:51] Speaker 03: But it's at what cost? [00:28:53] Speaker 03: At what cost? [00:28:54] Speaker 03: Provide the additional access, but at what cost and under what constraints? [00:28:59] Speaker 00: The constraints are that people have to be staff members of the accredited individuals and service organizations. [00:29:06] Speaker 00: But in expanding the population of people who are eligible for this type of privilege of accessing VA's internal systems, the VA said, well, we want to keep in the existing security protocols in place. [00:29:21] Speaker 00: The inspection provision has been in place since 1994. [00:29:25] Speaker 05: So I get that. [00:29:26] Speaker 05: Let me just ask a point about that. [00:29:27] Speaker 05: It doesn't seem to me to be a reason in the law. [00:29:30] Speaker 05: based on your newly adopted rule that they can't challenge it under APA 502 at this point. 
[00:29:37] Speaker 05: Despite the fact that it was substantively identical since 1994, I don't see anything cited to me that suggests that, for example, this challenge is therefore untimely. [00:29:49] Speaker 05: Do you have anything to that extent? [00:29:50] Speaker 00: We're not arguing that sometimes. [00:29:51] Speaker 05: I just want to make sure. [00:29:53] Speaker 05: Just clear away whatever I can. [00:29:55] Speaker 00: Right. [00:29:55] Speaker 00: The point of saying that it's in place is part of the overall package of controls that VA has in place for protecting VBMS and case flow. [00:30:09] Speaker 03: So the nexus between the risk assessment and the adopted rule is the VA has sensitive information. [00:30:17] Speaker 03: We're going to adopt the no notice inspection provision. [00:30:20] Speaker 03: That's the nexus. [00:30:22] Speaker 00: Between the risk assessment, the risk assessment that's in the record, yes, that's the connection, is that there is a significant risk associated with disclosing private and confidential information associated with remote access through a separate device, which is how private attorneys and individuals would access the system. [00:30:41] Speaker 00: And given that, [00:30:43] Speaker 00: And also given the fact that there's going to be an expanded population who is eligible for this access, be determined to maintain the existing security controls. [00:30:53] Speaker 03: So I can glean all that from those spreadsheets. [00:30:56] Speaker 00: Well, you can glean it from, that's part of the record. [00:30:59] Speaker 00: And so you can certainly consider the spreadsheets, because the agency considered them. [00:31:03] Speaker 01: One question Judge Gilstrap asked the opposing counsel was, what [00:31:10] Speaker 01: How has the VA been using these rules and what sort of, I mean, how are they using it? [00:31:17] Speaker 01: What sort of inspections are happening? 
[00:31:20] Speaker 01: Do you have any information on that? [00:31:21] Speaker 00: I understand this rule has been in place for 29 years and VA luckily has not had to invoke its right to conduct one of those inspections. [00:31:31] Speaker 03: How would VA know whether it should or shouldn't invoke? [00:31:35] Speaker 03: I mean, is it [00:31:37] Speaker 03: with the horses out of the barn and down the lane, oh, now it's time to go inspect. [00:31:41] Speaker 03: Is there something that has to happen to precipitate this inspection? [00:31:46] Speaker 03: I mean, if you're going to use it like it's written, it would seem to me it is no notice that you would use it periodically or at least randomly to make sure that the harm you're concerned about isn't happening out there otherwise unbeknownst to you. [00:32:01] Speaker 00: That's a good point, but that's one really for the IT experts to explain what the precise circumstances that they'd be able to use this for. [00:32:09] Speaker 00: But one, there's certainly a deterrent effect. [00:32:12] Speaker 00: I mean, the mere fact that the VA could invoke this right might have some sort of deterrent effect to bad actors. [00:32:18] Speaker 05: There's also- Not just bad actors. [00:32:21] Speaker 05: I don't want them searching my computer drawer either. [00:32:24] Speaker 05: I'm not a bad actor, but I don't want them coming into my house and having some unfettered right to search the location. [00:32:29] Speaker 05: And by the way, what does that mean, the location? [00:32:31] Speaker 05: Does that mean only the room the computer's in or the whole house? [00:32:34] Speaker 05: And what if it's a laptop? [00:32:35] Speaker 05: How do you know which room I was using it in? [00:32:37] Speaker 01: And do you think that that's a proper interpretation of the rule, by the way? [00:32:40] Speaker 00: Which rule? [00:32:42] Speaker 01: The location rule, where it says that you can inspect the location. 
[00:32:45] Speaker 01: Do you think that that means that the VA can access somebody's house and poke around? [00:32:51] Speaker 00: Well, it means, [00:32:52] Speaker 00: I can only tell you what the rule says. [00:32:56] Speaker 00: Now to the extent that there's an unreasonable search, [00:33:00] Speaker 00: That could be objected to by somebody that would say that's outside the scope of this when it says location. [00:33:06] Speaker 01: I'm asking you what the scope is. [00:33:08] Speaker 01: So what is your answer to the scope? [00:33:10] Speaker 01: What is the scope? [00:33:10] Speaker 01: I mean, you should be prepared to answer this question. [00:33:13] Speaker 00: The scope is to the location. [00:33:16] Speaker 00: I don't have more specific response to what location means. [00:33:20] Speaker 01: Earlier when the rule talks about location, it talks about confirming that the location is one. [00:33:26] Speaker 01: that has a private network. [00:33:28] Speaker 01: There's some language in here and different places that's helpful. [00:33:32] Speaker 01: And so I'm surprised you're not relying on that at all. [00:33:36] Speaker 00: Well, we're relying on everything that's in the record. [00:33:39] Speaker 00: But certainly, what the record says or the rule says is one of the purposes is to make sure that it's being accessed from the approved location. [00:33:49] Speaker 00: So it's not being accessed from Starbucks. [00:33:52] Speaker 01: Yeah, that's what I'm saying. [00:33:53] Speaker 01: You wouldn't limit, your interpretation though, would not limit it to that circumstance. [00:33:59] Speaker 01: Instead, you seem to be agreeing with the hypothetical that under this rule, the agency could go to someone's home and just inspect anywhere. [00:34:09] Speaker 00: No, they certainly couldn't do it. [00:34:10] Speaker 00: You would inspect the purposes for compliance with required security requirements. 
[00:34:16] Speaker 00: I mean, that's the purpose of coming to somebody's home. [00:34:20] Speaker 00: So to the extent that there's nothing to do with somebody's bedroom with [00:34:25] Speaker 00: making sure it's compliant with required security requirements. [00:34:29] Speaker 00: I don't know why somebody would go in there. [00:34:33] Speaker 00: But these are all hypothetical situations that haven't happened. [00:34:36] Speaker 00: And the part that we're grappling with is what happens. [00:34:39] Speaker 01: If you would address the scope of the rule, you could explain that they can't happen, that the rule doesn't allow that. [00:34:44] Speaker 01: So that's why I'm asking you these questions. [00:34:46] Speaker 01: But he hasn't said the rule doesn't allow that. [00:34:49] Speaker 05: Just to be clear, you said the rule doesn't allow that or you'd like to interpret the rule that way. [00:34:53] Speaker 01: I want to know if you think the rule allows the agency to go to someone's bedroom or to inspect different parts of their house or if it's limited to looking at the software and hardware of the laptop. [00:35:06] Speaker 01: and the location to make sure that it's an appropriate location for access. [00:35:12] Speaker 05: What does that mean? [00:35:14] Speaker 05: Also, the appropriate location for access part, I'm going to need a follow up on that, so go ahead. [00:35:19] Speaker 00: Well, first to your question, Your Honor. [00:35:21] Speaker 00: It means what it says. [00:35:23] Speaker 00: So they're looking at the software and the hardware that are used to access the VA's internal systems. [00:35:30] Speaker 00: With respect to the location, it's [00:35:34] Speaker 00: the location used to access those systems also. [00:35:38] Speaker 01: So you haven't answered my question. [00:35:40] Speaker 01: Could they go into the living room, in the bedroom, and the office? 
[00:35:44] Speaker 00: Well, that's a good question, because it depends whether or not they're accessing VA systems from those locations. [00:35:49] Speaker 00: And that's why VA says. [00:35:49] Speaker 05: So if they have a laptop and they're walking around their house, I think his answer is yes. [00:35:53] Speaker 05: If you come to my door and you say to me, where'd you use the laptop? [00:35:57] Speaker 05: And I said, well, I used it while I was in bed. [00:35:59] Speaker 05: And then I carried it over to the kitchen. [00:36:00] Speaker 05: And then I used it in the living room. [00:36:02] Speaker 00: Well, that's one of the reasons why VA, and in the rules of behavior, it says you should keep your personal property separate from your VA access equipment. [00:36:15] Speaker 00: And to the extent that you are using that equipment, you should use it in a place that's approved. [00:36:20] Speaker 00: So if you have a home office or a dedicated space where you use that equipment, that's where you're supposed to use it from. [00:36:26] Speaker 00: You shouldn't be walking around your house using the laptop. [00:36:30] Speaker 03: So you don't tell people how they ought to use their equipment when they're adverse to you in a court proceeding? [00:36:36] Speaker 00: Well, in the rules of behavior, which is one of the requirements for obtaining that access in the first place, they agreed to use it as approved. [00:36:48] Speaker 00: I mean, the whole point of this is that this is all optional. [00:36:50] Speaker 00: Nobody has to agree to this for anything. [00:36:54] Speaker 00: This is all about for the privilege of accessing VA's internal systems, which are usually not available to outside people. [00:36:59] Speaker 01: Can you help me understand why it's reasonable to have to look at someone's bedroom if earlier that morning they had been working on their computer there for half an hour? [00:37:09] Speaker 01: How is that tied to security requirements? 
[00:37:12] Speaker 01: I don't know if that would ever happen. [00:37:14] Speaker 01: I know, but you just said the rule allows it. [00:37:16] Speaker 01: So I'm asking you, how is that reasonably tied to the goal of ensuring that access is from a place that complies with the VA's requirements? [00:37:27] Speaker 00: I'm not sure if they would in that case. [00:37:30] Speaker 00: But these are hypothetical applications. [00:37:34] Speaker 00: It'd be OK if it's by the office. [00:37:35] Speaker 01: That you have agreed fall within the scope of the rule. [00:37:38] Speaker 01: Say that again? [00:37:38] Speaker 01: That you have agreed fall within the scope of the rule. [00:37:42] Speaker 01: You have agreed these fall within the scope of the rules, so you call them hypothetical, but it's concerning to me because you've agreed that the rules are broad enough to cover this, and yet you can't explain how that is tied to a risk of improper access of the VA IT system. [00:38:03] Speaker 00: I can, to the extent that there's some sort of, not even some sort of, if somebody's using their equipment in the bedroom, and that's where they access the VBMS and case flow systems from, if that's the location, then the rule says you can periodically inspect the location from which it's being accessed. [00:38:25] Speaker 00: If somebody's accessing it from their home office, which is a dedicated space, [00:38:29] Speaker 00: then they couldn't go into somebody's bedroom. [00:38:32] Speaker 00: But it depends on how the person uses their equipment. [00:38:35] Speaker 05: I understand. [00:38:36] Speaker 05: I need to head back up here. [00:38:37] Speaker 05: So let's just consider the challenge. [00:38:40] Speaker 05: Now, obviously, if you're talking about a constitutional challenge, all applications of the rule have to be unconstitutional. [00:38:49] Speaker 05: So that's a facial challenge, constitutional boom. [00:38:52] Speaker 05: What about under a 502 challenge? 
[00:38:55] Speaker 05: Is he correct, uh... your opposing counsel, when he says that he's not, that's not the way he's arguing it, all he has to prove is either a lack of statutory basis or the agency didn't provide a reasoned basis? Is that a correct statement of the law? Is that what he has to prove in order to [00:39:10] Speaker 05: succeed on a facial challenge to these provisions under 502? [00:39:15] Speaker 00: Sorry, on a facial challenge? [00:39:16] Speaker 05: Under 502. [00:39:18] Speaker 00: Well, first of all, we don't argue that it is a facial challenge. [00:39:21] Speaker 00: But to the extent that it is a facial challenge and the rule and the argument is that the agency acted arbitrarily and capriciously in adopting these rules or that there was no statutory authority for them, I mean, those would be arguments that the court could certainly consider. [00:39:35] Speaker 05: So where is the statutory authority for each, the background investigation, exactly, walk me through it, and the, what we're calling the no notice inspection? [00:39:46] Speaker 00: I would be delighted to show you. [00:39:47] Speaker 00: So with respect to the statutory authority for the background check, let's start there, because one of the problems you have, of course, is your brief was written prior to Loper, right, and [00:39:57] Speaker 05: Your whole brief is Chevron, Chevron, Chevron, and that doesn't exist anymore. [00:40:01] Speaker 05: So I now need you to act. [00:40:02] Speaker 05: I'm sure it's the same provisions you're going to point me to, but nonetheless, I want to give you the opportunity to walk me through why it is I don't just give the agency deference on what it thinks about these statutes, because that doesn't exist anymore, but rather why I think I ought to conclude that you're right about them. 
[00:40:18] Speaker 00: OK, so under 38 USC 5722, this is the 2006 statute, under 5722C, compliance with certain requirements, it says that the secretary shall comply with the provisions of [00:40:35] Speaker 00: subchapter three of chapter 35, title 44, and other related information security requirements promulgated by the National Institute of Standards and Technology and the Office of Management and Budget that define department information system mandates. [00:40:50] Speaker 00: And so they're responsible for complying with the NIST guidance and the OMB guidance. [00:40:55] Speaker 00: Now with respect to the NIST guidance, it's applicable to [00:41:02] Speaker 00: Under FIPS, which is a publication provided by NIST, the National Institute of Standards and Technology, under FIPS 201, it provides the credentialing requirements needed to obtain a PIV. [00:41:18] Speaker 05: Well, the problem is, NIST is limited to employees and contractors. [00:41:21] Speaker 05: So it absolutely does not cover these people. [00:41:23] Speaker 00: OK. [00:41:24] Speaker 00: Well, I don't know if it's limited to employees and contractors. [00:41:27] Speaker 05: It expressly says, this is guidance for employees and contractors. [00:41:31] Speaker 00: And with respect to the, tell me why it's not limited to employees and contractors. I mean, it's not limited to employees and contractors. Employees and contractors happen to be the ones that ordinarily use a personal identity identification verification [00:41:49] Speaker 00: credential, I mean, because ordinarily outside people or people other than employees and contractors don't access internal government systems. So to the extent that there is an access in the underlying rationale to ensure that an identity is being verified prior to accessing these systems certainly applies. [00:42:08] Speaker 00: That's one argument. 
[00:42:09] Speaker 00: The second is in the statute itself in 5723 F [00:42:16] Speaker 00: One, the statute applies to not just employees and contractors, it's to users of the department information and information systems. [00:42:27] Speaker 00: So under F1, those users are responsible for complying with all department information. [00:42:34] Speaker 00: Security program. [00:42:35] Speaker 05: I'm sorry. [00:42:36] Speaker 05: What is the thing with users that you kind of lost me and which I want to get caught up in? [00:42:40] Speaker 05: Don't worry about the time. [00:42:41] Speaker 00: Yes, Your Honor. [00:42:43] Speaker 00: It's 38 USC 5723 F. [00:42:47] Speaker 05: 5723F. [00:42:48] Speaker 05: Yes. [00:42:48] Speaker 05: Okay. [00:42:52] Speaker 05: And what does it say? [00:42:53] Speaker 00: Congress directed that all users of the Department Information and Information Systems are responsible for complying with all department information security program policies, procedures, and practices. [00:43:05] Speaker 00: That's F1. [00:43:06] Speaker 00: On top of that, on F5, they're also responsible for signing an acknowledgement that they have read, understand, and agreed to abide by the VA national rules of behavior on an annual basis. [00:43:18] Speaker 00: In terms of the question about the authority for applying this to others than employees and contractors, the OMB guidance provides that support. [00:43:31] Speaker 00: In Appendix 44, this is OMB's HSPD-12 implementation guidance for federal departments and agencies. [00:43:44] Speaker 00: And where it says to whom does the directive apply, under the term employee, it provides kind of another category, which is other agency-specific categories of individuals, such as short-term employees, guest researchers, volunteers, intermittent or temporary or seasonal employees. [00:44:05] Speaker 00: to the extent that the agency makes that decision to make it available. 
[00:44:08] Speaker 01: And you think that includes, this bullet point includes any users of this system, including those who are not interns or part-time employees or anything? [00:44:20] Speaker 00: Sure. [00:44:20] Speaker 00: These are just examples. [00:44:21] Speaker 01: You think it includes the attorneys and other people who are representing veterans? [00:44:28] Speaker 00: Yes. [00:44:32] Speaker 00: So that's the textual basis for this. [00:44:37] Speaker 05: So the textual basis is they can require users to comply with the same things they can require employees and contractors to comply with? [00:44:45] Speaker 00: Yes. [00:44:46] Speaker 05: Even if it feels unreasonably broad, I mean, even if there was no risk assessment done, do you really? [00:44:55] Speaker 05: I'm just trying to understand. [00:44:58] Speaker 05: Look, I'll be honest with you. [00:44:59] Speaker 05: I think the rule's crazy. [00:45:02] Speaker 05: It's absolutely crazy. [00:45:03] Speaker 05: I think it's excessive. [00:45:04] Speaker 05: It's overly broad by a lot. [00:45:07] Speaker 05: And I'm offended by it, especially when you sit here and tell me they can search my underwear drawer. [00:45:10] Speaker 05: I don't like this. [00:45:11] Speaker 05: I know I don't even go there, but so I don't like it. [00:45:15] Speaker 05: So I'm trying to figure out if you really do have statutory authority to adopt something that broader, if there isn't some obligation that you tether the breadth of your invasiveness to an assessment of threat. [00:45:31] Speaker 05: And I'm just, that's what I'm not finding. [00:45:33] Speaker 05: I'm not finding the linkage. [00:45:34] Speaker 05: I think you, look, you got another background check. [00:45:36] Speaker 05: You need to waste time on that, right? [00:45:37] Speaker 05: That's easy. [00:45:39] Speaker 05: Especially because they may sleep, mainly complained about attorneys and this provision expanded to staff. [00:45:43] Speaker 05: Done. 
[00:45:44] Speaker 05: You know, no background check was done on those staff. [00:45:46] Speaker 05: You have me on that. [00:45:48] Speaker 05: It's, I really think that this other provision is just unreasonably broad. [00:45:52] Speaker 05: And so what I'm trying to work through in my own head is whether that results in them winning or not, or whether, even though I think it's unreasonably broad, [00:46:00] Speaker 05: And I don't think the agency has sufficiently tethered it in a concrete way to actually protecting the database. [00:46:11] Speaker 05: Is it nonetheless legal? [00:46:12] Speaker 05: That's where I'm at. [00:46:13] Speaker 05: Is it nonetheless passed muster under 502? [00:46:16] Speaker 05: Because the Constitution thing is out. [00:46:17] Speaker 05: They don't win on that either. [00:46:20] Speaker 05: A major questions doctrine is a joke. [00:46:25] Speaker 05: So that's a stupid argument. [00:46:26] Speaker 05: Keep going. [00:46:27] Speaker 00: So I'm just telling you, you win on all these things. [00:46:30] Speaker 05: This is a narrow point. [00:46:32] Speaker 05: And that's what I'm really focused on and struggling with. [00:46:36] Speaker 00: First of all, with respect to the statutory authority, we walk through in 38 USC 57, 22, and 23 various provisions on page 50 and 51 of our response brief. [00:46:48] Speaker 00: that provide that the department is responsible for establishing its own department information security program. [00:46:57] Speaker 00: And it provides various parameters. [00:46:59] Speaker 00: And then within that, so there's authorization for them to adopt a rule for IT security, which is what this is. [00:47:09] Speaker 00: Within that, the [00:47:10] Speaker 00: What the petitioner then has to show is that it's arbitrary and capricious for the agency to have maintained this provision. 
[00:47:18] Speaker 00: And it's not arbitrary and capricious because the government considered that the reason why this was necessary and that they're expanding the population to which the rule is applicable. [00:47:29] Speaker 05: But I don't see that. [00:47:30] Speaker 05: I don't see that risk assessment anywhere. [00:47:32] Speaker 05: I don't see. [00:47:33] Speaker 05: I think that you and I could probably come up with some really good arguments about why maybe this is necessary. [00:47:39] Speaker 05: I probably am never going to totally agree with them, but I might have to defer to them as a matter of agency discretion. [00:47:46] Speaker 05: But I don't see where they did that. [00:47:48] Speaker 05: I don't see in the final rulemaking where they actually did some risk assessment and said why they need to go into my house to see the room in which I operated my laptop. [00:47:58] Speaker 00: Well, I'm going to walk back. [00:48:00] Speaker 00: The rule only authorizes what it authorized in terms of what can be inspected, and that's the hardware, software, and location. [00:48:07] Speaker 05: But the location is the place. [00:48:09] Speaker 05: It's the place. [00:48:10] Speaker 05: What else does location mean other than the place you're using the device? [00:48:15] Speaker 00: Well, yes, it's the place in which you're using the device. [00:48:17] Speaker 00: But this kind of also goes to the application part of it. [00:48:21] Speaker 00: First of all, it's not necessary that somebody would come to your house. [00:48:25] Speaker 00: It might be a remote inspection. [00:48:26] Speaker 00: Somebody could do it on camera. [00:48:29] Speaker 00: There might be an inspection for [00:48:31] Speaker 00: Not only to catch anybody, there's this nefarious purpose that's assigned to this, but it could also be for like a lesson learned. [00:48:37] Speaker 00: Let's say there is some sort of resource problem. 
[00:48:40] Speaker 00: This could be an opportunity for the IT staff to analyze what went wrong here so they can make improvements in the future. [00:48:46] Speaker 05: The problem isn't, I can imagine there are certain aspects of the location thing that would be reasonable. [00:48:55] Speaker 05: For example, if the rule were limited to, to ensure the location as a closed network. [00:49:00] Speaker 05: and is not operating off Wi-Fi, right? [00:49:02] Speaker 05: Like that's all the purpose. [00:49:03] Speaker 05: We can go to location to ensure closed network. [00:49:06] Speaker 05: But the rule is written so much broader than that. [00:49:08] Speaker 05: It doesn't have those safeguards or guardrails around it, which means, I mean, I feel like we've got sort of vigilante VA police officers coming into your house. [00:49:17] Speaker 05: And I don't want that. [00:49:18] Speaker 05: And I don't know what to do about that. [00:49:20] Speaker 05: I mean, [00:49:20] Speaker 05: Can't you just go back and just make this rule a little narrower? [00:49:23] Speaker 05: Make it sensible or more? [00:49:25] Speaker 01: Right now, you admitted earlier that location includes being able to go into someone's bedroom, if that's where the laptop was. [00:49:32] Speaker 00: I don't want to admit that it's anything more than what it says, because these are all hypothetical scenarios. [00:49:38] Speaker 00: So it's like I admitted it. [00:49:40] Speaker 00: I admitted the rule says what it says. [00:49:43] Speaker 01: That's right, and it's broad. [00:49:45] Speaker 01: That's the concern. [00:49:47] Speaker 01: I was trying to read it narrowly, and you fought me on it. [00:49:51] Speaker 03: as to a rule from 1994 that you tell me you've never used? [00:49:55] Speaker 00: They never had to use it. [00:49:56] Speaker 00: And it's the right to use it. [00:49:58] Speaker 00: How do we know they never had to use it? [00:49:59] Speaker 00: How do we know? 
[00:50:00] Speaker 00: I'm going by the institutional knowledge that's provided to me by the agency. [00:50:04] Speaker 01: So there's been no inspection that has ever occurred? [00:50:07] Speaker 00: That I'm aware of, or that anyone at the agency? [00:50:10] Speaker 01: That the agency told you. [00:50:11] Speaker 01: Correct. [00:50:11] Speaker 01: You asked this question, and your representation from the agency is that no inspection has occurred. [00:50:16] Speaker 01: That's correct. [00:50:19] Speaker 01: Are you relying at all on OMB Circular A-130? [00:50:27] Speaker 00: Well, it's referenced in the final rule. [00:50:30] Speaker 01: And it talks about users generically. [00:50:32] Speaker 01: It doesn't talk about employees. [00:50:34] Speaker 01: So are you relying on it at all? [00:50:36] Speaker 01: I mean, it's not in your brief. [00:50:38] Speaker 00: Well, we haven't specifically. [00:50:40] Speaker 00: No, I mean, you can look at 5723 F1, which talks about the users having to comply with department policies and procedures. [00:50:47] Speaker 00: You don't need to go there. [00:50:48] Speaker 01: So you're telling me you're not relying on it? [00:50:51] Speaker 00: I mean, the final rule cites it. [00:50:52] Speaker 00: It's in the rule. [00:50:53] Speaker 01: The rule cites it. [00:50:53] Speaker 01: So are you relying on it or not? [00:50:55] Speaker 01: It's just a yes or no. [00:50:56] Speaker 01: Yes. [00:50:59] Speaker 05: All right. [00:51:00] Speaker 05: I want you to know you've been very helpful. [00:51:03] Speaker 05: It's a hard case. [00:51:04] Speaker 05: And you can see that we're struggling with it. [00:51:07] Speaker 05: And so I don't want you to walk out of here and feel like, oh my god, [00:51:11] Speaker 05: I did a terrible job. You didn't do a terrible job. [00:51:13] Speaker 05: You did a great job. [00:51:14] Speaker 00: Okay. 
[00:51:14] Speaker 05: Thank you. Yes, I want to be helpful. You, you, you were sometimes helpful. You succeeded in part, maybe a little room for growth, but I know, I'm kidding, you did a good job. Thank you so much. [00:51:26] Speaker 00: Thank you. [00:51:37] Speaker 04: You know, you don't have to worry about soccer. [00:51:39] Speaker 03: Maybe some latitude, but let's not be here all day. [00:51:45] Speaker 03: I've got a question for you, Star. [00:51:47] Speaker 03: Yes. [00:51:47] Speaker 03: Have you ever said to the other side, [00:51:50] Speaker 03: Let's just change the rule. [00:51:52] Speaker 03: Let's just put reasonable suspicion or some kind of condition on this. [00:51:58] Speaker 03: And have they refused to negotiate with you and just said, no way? [00:52:03] Speaker 02: In responding to the notice of proposed rulemaking, we said at appendix 1181 to 1182, there may be a reasonable basis for some type of limited inspection to ensure that VA IT systems are being used appropriately, but this is too broad. [00:52:20] Speaker 02: And they said in response, no, it's been in place since 1994. [00:52:27] Speaker 02: And anyway, this is part of the security requirements to which we have to adhere without citing any specific security requirements. [00:52:34] Speaker 02: We're going to leave it as is. [00:52:36] Speaker 02: So yes, we said that, and they refused. [00:52:38] Speaker 03: You know, we have something in the trial court called meet and confer. [00:52:41] Speaker 03: You really haven't had a meet and confer with the other side over this. [00:52:44] Speaker 03: You really haven't said, we'll back off if you'll add this, or if you'll [00:52:48] Speaker 03: a slight condition on the front end, then we can resolve this. [00:52:53] Speaker 03: That discussion, the negotiation, that's just the... Judge, don't stop. [00:52:56] Speaker 04: The government doesn't negotiate. [00:52:57] Speaker 04: He's not aware of this. 
[00:52:58] Speaker 04: I mean, I'm sure he would love it. [00:52:59] Speaker 03: That's becoming apparent, Chief Judge. [00:53:01] Speaker 05: He would love to sit down and negotiate. [00:53:02] Speaker 05: That is not the way the government works. [00:53:05] Speaker 02: In our experience, the way that this back and forth takes place in these types of proceedings is you submit comments in response to the proposed rule. [00:53:12] Speaker 02: Hopefully, the government takes them seriously. [00:53:14] Speaker 02: Unfortunately, in our view, they did not in this case. [00:53:18] Speaker 02: So again, I'll try to be brief here. [00:53:21] Speaker 02: First, scope. [00:53:22] Speaker 02: The government's counsel has confirmed that the scope of this provision is exactly as broad as we're concerned about. [00:53:28] Speaker 02: It was not justified by any risk assessment. [00:53:31] Speaker 02: I think that has become clear throughout the course of the argument. [00:53:35] Speaker 02: I think the closest my friend came was mentioning a part of this OMB guidance that mentioned other categories of individuals besides employees and contractors like temporary and seasonal employees, for example. [00:53:49] Speaker 02: What it says is applicability to those types of individuals is, quote, an agency-based risk decision. [00:53:56] Speaker 02: So they would have needed to do some sort of risk determination that they needed to impose all these requirements on mere users of the systems. [00:54:06] Speaker 02: Chief Judge Moore, you ask about explicit statutory authorization. [00:54:10] Speaker 02: There is none. [00:54:11] Speaker 02: My friend pointed to various provisions that at a very high level give the VA the authority to promulgate regulations that apply to their IT systems. [00:54:23] Speaker 02: There is nothing saying that they get to come into your house if you're accessing the VBMS from your home office. [00:54:28] Speaker 05: See, I don't agree. 
[00:54:28] Speaker 05: I think that those regulations could authorize them to, but only if the VA, because what they're [00:54:35] Speaker 05: What the rule is is quite extraordinary in its breadth. [00:54:38] Speaker 05: And it's possible if they could have articulated a reasoned basis for needing that breadth. [00:54:45] Speaker 05: I mean, what is your response to that? [00:54:47] Speaker 05: If I think under the statute, for example, suppose that they had 20 cases. [00:54:52] Speaker 05: where something was going on at the house, and it showed that it created a real security risk, whatever. [00:54:57] Speaker 05: They're like, this is why we need this rule. [00:54:59] Speaker 05: We need it because, boom. [00:55:01] Speaker 05: They just didn't do that. [00:55:02] Speaker 05: That's part of the problem. [00:55:03] Speaker 05: But do you still win, or do they need to be able to articulate a reason to base these for the breadth of this rule? [00:55:09] Speaker 05: Because the statute is super broad. [00:55:11] Speaker 05: Do what you need to to protect the cybersecurity. [00:55:13] Speaker 05: That's basically what it says. [00:55:16] Speaker 02: Yes, we still win because regardless of whether a reasoned basis could have been supplied, it was not here. [00:55:22] Speaker 05: I don't know if no one could be supplied to the breadth of this rule. [00:55:26] Speaker 02: That was the second point I was going to make, which is I don't think such a basis would exist. [00:55:31] Speaker 05: But as far as the statute... But I do think the statute, though, authorizes them to do. [00:55:36] Speaker 02: whatever they can provide a reasoned basis for needing to do to protect the cyber security. [00:55:54] Speaker 02: is that if an agency is going to rely on general grants of authority to regulate within their bailiwick to exercise extraordinarily broad power that goes beyond the type of thing they typically do, you need to have clear congressional authorization. 
[00:56:12] Speaker 02: The VA is not in the business of knocking down doors and coming in and searching homes where veteran representatives are. [00:56:21] Speaker 02: I think that that power [00:56:22] Speaker 02: would have to be justified by very clear statutory authorization. [00:56:27] Speaker 01: Just to be clear, so I understand your position. [00:56:30] Speaker 01: It's that there might be a reasoned basis for some narrow subset within the rule, but there's no reasoned basis for the breadth of the rule. [00:56:37] Speaker 02: I agree with that. [00:56:38] Speaker 01: OK. [00:56:39] Speaker 02: Yes. [00:56:40] Speaker 02: Yes. [00:56:42] Speaker 05: OK. [00:56:42] Speaker 05: Are you good? [00:56:44] Speaker 02: I'll just make one final point, if Your Honor doesn't mind. [00:56:47] Speaker 02: My friend represented that no inspection has ever occurred. [00:56:53] Speaker 02: We have no way to verify that. [00:56:55] Speaker 02: But if that's true, then I would ask, why on earth is this necessary? [00:57:01] Speaker 05: OK. [00:57:01] Speaker 02: Thank you, Your Honor. [00:57:02] Speaker 05: That's a lovely little ending. [00:57:04] Speaker 05: Thank both counsel. [00:57:05] Speaker 05: The case is taken under submission.