Posted on November 9, 2017 by Ronald R. Janke
Equifax, Yahoo, South Korea – reports of the theft of computer-based information by known, suspected or unknown hackers have become commonplace. A recent report of the hacking into a Securities and Exchange Commission database containing confidential information is of special interest to environmental lawyers, because it poses the question of how can regulated entities electronically submit confidential information to government agencies and be confident that such information will not be stolen through a breach of cyber security. Environmental lawyers are almost universally ill-equipped to answer that question. Even with the help of cyber security experts, the growing number of reported hacks of corporate and government networks provides little comfort for submitting confidential data electronically.
Currently, the best practice may be to submit any confidential information in hard copy. In my experience, agencies protect such information by techniques such as storing documents with confidential information in separate, locked files, using a log to record when a document is removed and returned and who has taken it. While a document with confidential information may be stolen from a file or erroneously filed with publicly-available documents, someone has to be physically present to obtain that document. In contrast, documents stored electronically can be subjected to a cyber-attack by anyone located anywhere in the world.
Agencies may require or prefer to receive all information electronically. Applicants for permits and other approvals may have little choice in such circumstances, but they can initiate a conversation with the agency employee responsible for receiving any confidential information. Expressions of concern over cyber security may instill some sense of personal responsibility in the recipient for protecting the confidentiality of sensitive information by limiting how it is accessed and used. While agency rules may apply equally to all confidential information, the duty to protect confidential information is more personal when it is in a document located in a file drawer maintained in one’s office than when information is stored electronically on a computer database, perhaps with thousands of other documents. In the latter case, cyber security becomes ultimately the duty of information technology specialists who design and maintain the agency’s computer networks.