Downloaded by NORTH CAROLINA STATE UNIV on January 2, 2018 | http://pubs.acs.org Publication Date: August 1, 2002 | doi: 10.1021/bk-2002-0824.ch029
Chapter 29
The Legal and Policy Framework for Electronic Reporting of Environmental Compliance Reports: Challenges of E-Government: Maintaining Effective Stewardship of the Environment

M. Evi Huffer

Office of Environmental Information, U.S. Environmental Protection Agency, Mail Stop 2823, 1200 Pennsylvania Avenue, N.W., Washington, DC 20460

USEPA has a long commitment to E-Government, having recognized the many benefits of e-commerce, particularly the opportunities to improve Agency business processes and management of environmental data. This paper discusses EPA's progress in establishing the legal framework to introduce electronic reporting/record-keeping (ERR) for environmental compliance documents. It focuses on some of the unique legal challenges faced by EPA in implementing ERR and provides an overview of the Agency's draft proposed electronic reporting and record-keeping rule.
The views expressed in this paper are the author's, and do not necessarily reflect the official position of the United States Environmental Protection Agency.
U.S. government work. Published 2002 American Chemical Society
Garner et al.; Capturing and Reporting Electronic Data ACS Symposium Series; American Chemical Society: Washington, DC, 2002.
In recent years, we have seen the dawn of a new age of Electronic Government (E-Gov) and with it new opportunities and challenges. While for a number of federal agencies the advent of E-Gov may mean taking completely new roads, the United States Environmental Protection Agency (EPA) has a long history of electronic reporting activities and of working to address issues related to electronic government (1). EPA is building the technological and institutional infrastructure to make E-Gov a reality within the Agency. A major component of the institutional infrastructure is developing the legal framework for E-Gov. To this end, EPA has worked diligently to assess the requirements of all its stakeholders, including industry, state and local governments, environmental groups, other non-governmental organizations, and the general public. Over the years, EPA has also held various forums that brought together government, industry and legal authorities who have extensive knowledge and understanding of the legal and regulatory processes (2).

This paper will provide an overview of some of the opportunities and challenges EPA faces in developing the legal framework for its electronic reporting/record-keeping program for environmental compliance regulations. It will also discuss the Agency's proposal for electronic reporting and record-keeping, which will establish that legal framework within EPA (3). Addressing the legal issues and establishing the legal framework are perhaps the most challenging tasks in moving toward E-Gov for a regulatory agency like EPA.
Mandates

What prompted EPA to embark on electronic reporting, and what are the forces driving EPA toward E-Gov today? Simply stated, EPA began its electronic reporting initiative because it is good business and, more recently, because it has a clear federal mandate. There have been a number of forces in the last decade, both internal and external, pushing the Agency toward electronic commerce. One of the early drivers behind EPA's electronic reporting program was the Paperwork Reduction Act (PRA), implemented by the Office of Management and Budget (4). The PRA encouraged federal regulatory agencies, like EPA, to reduce public burden and costs associated with information collection (5). It was clear, even then, that significant other benefits existed for those who automated reporting: improved data quality, the ability to collect real-time data, and the potential to streamline EPA's business processes. All of these forces increased pressure on agencies like EPA not only to reduce costs and burden on states and the public, but to streamline regulatory and information management processes as well.
The Clinton-Gore Administration's vision of a Federal Government conducting business with the public electronically is articulated in such documents as former Vice President Gore's Access America (6). This E-Gov vision was a driving force in the 1990s for a number of internal EPA initiatives such as the Reinventing Environmental Information (REI) Action Plan (7). The goals behind such initiatives were to reduce burden and costs and improve EPA customer service.

EPA's commitment to E-Gov was further bolstered by the creation of the new Office of Environmental Information (OEI), which has been operational since the fall of 1999. OEI has been given responsibility for stewardship of the Agency's information management, policy and technology. It also leads the Agency in promoting and fostering electronic reporting and record-keeping for compliance reporting, as well as in building the support infrastructure within EPA. As stated on OEI's web site, its role is to "ensure that EPA collects high quality environmental information and makes it available to the American public. We provide guidance to assist the agency about the way we collect, manage, analyze and provide access to environmental information. By fulfilling these activities we expect that the public and policymakers can make informed decisions". EPA's E-Gov program goals include not only reducing costs and burden on the regulated community and improving the quality and efficiency of data, but also establishing an integrated electronic system for collecting and managing environmental data and information.

In 1998, the Federal Government received its first legislative mandate for E-Gov: the Government Paperwork Elimination Act (GPEA) (8). GPEA requires federal agencies to provide regulated companies the option of reporting or keeping records electronically, including the use of electronic signatures, by October 2003 (9).
GPEA is significant because it is the first legal step toward realization of E-Gov and marks the first time electronic signatures are given legal equivalency with the traditional "wet-ink-on-paper" signatures in such a statute. A more recent legislative mandate, the Electronic Signatures in Global and National Commerce Act (E-Sign) of 2000, was enacted to eliminate the legal barriers to commercial, consumer, and business transactions affecting interstate and foreign commerce (10). E-Sign provides that transactions cannot be denied legal effect solely because an electronic document or signature was used in their formation. While the E-Sign legislation was primarily intended to apply to commercial business transactions and is interpreted to exclude uniquely governmental transactions (those that relate principally to the conduct of government business), it can nonetheless include some transactions regulated by federal and state agencies, as some records may have both a government and a commercial or business purpose (11).

Both the GPEA and E-Sign legislation have increased the urgency for federal and state agencies to adopt electronic reporting and record-keeping approaches, including electronic signatures, for their regulatory programs. Fortunately, EPA is ahead of most other agencies and has been working on electronic reporting of environmental compliance data since 1990. With the advent of the new mandates and the creation of the new OEI, the move to E-Gov has gained center stage and constitutes one of the Agency's most significant programs.

There remains, however, a constant mandate that also drives EPA's E-Gov program, as well as all Agency programs, and that is the mission of the Agency itself: to protect human health and safeguard the environment. To that end, EPA must ensure full compliance with the environmental laws in place. As stated in the September 2000 EPA Strategic Plan, much of the success of our nation's environmental record over the last 30 years has been attributed "to a strong set of environmental laws and an expectation of compliance with those laws". Further, an aggressive enforcement program is seen as not only ensuring compliance but also providing fair competition "in the marketplace by ensuring that noncomplying facilities do not gain an unfair competitive advantage" (12). Developing and implementing regulations to protect human health and the environment is what EPA does as an agency, and part of EPA's mission in moving to E-Gov is ensuring that those regulations remain credible and enforceable.

EPA's general strategy for electronic reporting/record-keeping of compliance information consists of defining an agency-wide approach which offers regulated entities (both states and companies) consistent, predictable ways to do business with EPA.
This approach will simplify and standardize management processes, offer economies of scale to EPA's program offices, and increase the ability to effectively manage, distribute and integrate data. It is a two-pronged strategy, designed to build the internal systems infrastructure, the Central Data Exchange (CDX), and the legal infrastructure, the Cross-Media Electronic Reporting and Record-keeping Rule (CROMERRR).

While establishing the legal framework through CROMERRR is the focus of this paper, CDX represents a significant development in how the Agency collects its data from the regulated community and provides opportunities for the Agency to rationalize its information management processes. CDX will serve as EPA's primary gateway for electronic documents received by the Agency. The intent is to eventually provide, to the extent possible, a single portal for the regulated community to exchange electronic documents with EPA. States will also have the option of using CDX as a gateway for electronic environmental submissions from their regulated community, offering them a cost-effective alternative to building their own individual systems.

EPA has many reasons to collect data. These include decision-making, planning, trend analysis, performance monitoring/measurement, and enforcement. Given the public's strong interest in maintaining effective environmental standards, credible data are key to identifying problems and addressing them. While enforcement is one of the many uses of data, "it is one that requires the highest levels of credibility ....(and) enforcement actions are the strongest possible test of data credibility. An electronic reporting program providing data that can meet enforcement needs will produce data that agencies can use with confidence for any purpose. The regulated community is then assured that its data are being handled responsibly" (13).

Compliance with the nation's environmental protection program is largely based on self-reporting by industry. A regulatory agency like EPA relies heavily on the deterrent effect of criminal prosecution as the primary means of ensuring compliance with environmental laws. Electronic filings, like their paper counterparts, may serve as evidence in civil or criminal proceedings. A concern within the enforcement community regarding electronic filings of compliance data with electronic signatures is the lack of actual courtroom experience with such filings. Behind paper-based, wet-ink signatures, a body of experience has developed over the years to analyze handwritten signatures and to detect forgeries and alterations to documents. As a result of this considerable experience, there is a significant body of case law regarding authentication, data integrity, and non-repudiation in handling environmental compliance reports with handwritten signatures.
However, for electronic filings, such case law is still largely being developed. Further, when electronic documents are used as evidence in proceedings they must first be admissible in a court of law as evidence, and they must also be "persuasive". While the GPEA and E-Sign legislation prohibit electronic documents from being excluded as evidence solely because they are electronic, the laws do not ensure that juries will find the evidence persuasive. As the Department of Justice states, in order to protect the government's interests, agency documents need to be available, reliable, and persuasive and "Electronic processes sufficient to protect an agency's position in court should also be able to address any legal responsibilities to these other audiences just as well-designed paper processes" (14). Thus, a key component in designing any electronic reporting or electronic record-retention system is to create electronic systems which produce credible data that, when used as evidence, are both admissible and persuasive.
Legal Framework

Addressing legal issues raised by moving to electronic processes is critical to developing the legal framework and minimizing the legal risks that may compromise EPA's mission, and is an integral part of implementing E-Gov. Such a framework identifies and removes legal obstacles to electronic reporting/record-keeping and ensures the legal validity and enforceability of electronic approaches. Through its research and analysis in electronic reporting/record-keeping for its regulatory programs, EPA has identified three features that a legally valid regulatory compliance system needs to provide to ensure the enforceability of electronic regulatory compliance programs. They are authentication, document integrity, and non-repudiation. These three legal/security concepts need to be addressed in developing the legal framework, whether it is paper- or electronic-based.

Authentication refers to the ability to establish that the originator of a transmission is the individual or organization it purports to be. For a document to be authentic, it must be established who sent the report, when the report was sent, and when the report was received. Proving the authenticity of an electronic document is generally based on three methods: "something you know", "something you have", and "something you are". Authentication technologies based on "something you know" include passwords and personal identification numbers (PINs). The "something you have" method relies on the originator possessing a specific piece of property such as an encryption token (i.e., smart card) or a digital signature/certificate. The third method, "something you are", relies on biometrics, that is, an individual's unique characteristics such as voice patterns, fingerprints, and handwriting attributes. Depending on the level of authentication required, one or more of these methods may be used.

Document integrity refers to the ability to show that the data received are the same data that were submitted and that the data have not been altered in transmission, storage or retrieval. For document integrity, the transmission process must be ensured, and a permanent record of the transmission must be created. Proper record retention procedures and archiving are important components of ensuring the overall integrity of documents.
The concept of "non-repudiation", while not a formal legal term, is commonly used within the electronic commerce community, and refers to the ability to prove to a neutral third party that the individual who originated the transmission intended to be bound to the content and context (the substance) of the electronic transmission. The "intent to be bound", when coupled with authentication and document integrity, establishes non-repudiation. Environmental compliance reports often require officials to sign the reports and attest to their truthfulness, completeness and accuracy. The concept of "non-repudiation" is critical to such documents, as it reduces the ability of the originator to disavow responsibility for the document in question.

The Agency has drafted a proposed rule which it believes ensures the authenticity, integrity, accessibility, and non-repudiation of electronic documents, one that will provide electronic documents the same legal and evidentiary force as their paper counterparts. This proposal reflects extensive consultation with EPA's diverse community of stakeholders (industry, states, tribes, local governments, non-governmental organizations, and other federal agencies), including a series of state conferences and two EPA public information meetings last year to discuss the proposed rule's approach and CDX.
CROMERRR Proposal

The proposed rule's goals are straightforward but challenging: to provide the regulated community with the option of submitting electronic reports and maintaining electronic records, including electronic signatures, in lieu of paper reports/records and wet-ink signatures, while ensuring that those electronic reports and records submitted and maintained by the regulated community are reliable and trustworthy and available to EPA and state environmental agencies as required by regulation. The multiple objectives include reducing both costs and burden for regulated companies, allowing flexibility for various approaches, and providing freedom to adopt new technologies as they become available.

Generally, the proposed CROMERRR establishes the legal framework. It removes the existing regulatory barriers to electronic reporting and electronic record-keeping, such as the requirements for "paper"-based reports, signatures, and records embedded throughout EPA's current regulations. The proposal provides for compliance reports to be submitted and/or records to be maintained electronically, in lieu of paper, so long as the electronic reporting or record-keeping satisfies the requirements of the rule. Its approach is to identify performance-based criteria that, to the extent possible, ensure integrity, authenticity and non-repudiation of electronic reports and records, specifying "technology-neutral" criteria for acceptable electronic reporting and record retention systems.

CROMERRR establishes standards for electronic reports and records affected by both the GPEA and E-Sign legislation. The rule's scope is intended to cover all EPA environmental compliance programs, both reporting and record-keeping requirements, and to include EPA delegated state programs (15). The rule does not stipulate technology; nor does the rule promulgate any new environmental regulatory requirements.

Since many of EPA's programs are delegated to state agencies, the proposed rule contains provisions for delegated state programs (16). Early in the process, before drafting the proposal, EPA worked extensively with the states through such forums as the National Governor's Association (NGA) to identify state business needs and determine the impact of an EPA electronic reporting/record-keeping rule on delegated state programs. For federal programs which EPA has delegated to authorized/approved states, the rule contains provisions for approving state electronic reporting systems and record-keeping programs for implementing federally delegated programs. Basically, the proposed rule sets criteria for approval of delegated state electronic reporting and record-keeping programs when such approval is required as determined by existing state primacy regulations (17).

For submitting electronic compliance reports for a federal reporting requirement, the rule proposes that electronic documents submitted to EPA or delegated state agencies satisfy two requirements. First, electronic reports must be submitted to an EPA designated electronic document receiving system or to an approved state electronic document receiving system.
Second, for electronic reports that require signatures, the document must be signed with an electronic signature that can be validated using the appropriate EPA or approved state electronic document receiving system. Rather than specifying complex procedural and technological requirements for companies, the proposed approach requires submitters to use specified EPA and state systems. The proposal then sets general requirements in the form of performance-based criteria for government systems receiving electronically signed reports from regulated entities. The general areas addressed by the proposed performance criteria for government systems include system security, electronic signature method, submitter registration process, electronic signature/certification scenario, transaction record, and system archives.

For electronic record-keeping, the rule proposes some basic provisions in the form of performance-based criteria which regulated entities' electronic record-retention systems must satisfy. The proposed CROMERRR provides that electronic records required to be maintained under EPA programs satisfy federal record-keeping requirements when they are generated and maintained by an electronic record-retention system that meets the following generic criteria:

1) generate and maintain accurate and complete electronic records in a form that does not allow alteration of the record without detection;
2) ensure that the records are not altered throughout the records' required retention period;
3) produce accurate and complete copies of records as required under current regulations;
4) use secure, computer-generated audit trails;
5) ensure that the electronic records are searchable and retrievable;
6) archive electronic records in a form which preserves context, metadata, and audit trail; and
7) make computer systems, controls, and attendant documentation available for agency inspection.

When an electronic signature is affixed to an electronic record, the system must also:

8) prevent the electronic signature affixed to a document from being detached, copied or otherwise compromised without detection;
9) preserve the basic information associated with electronic signatures (i.e., name, date, time and meaning of affixed signature); and
10) archive an electronic record with affixed signatures in a form which preserves context, metadata, audit trail, and electronic signature.

There are some unique distinctions between the current proposal's approach to electronic reporting and its approach to electronic record-keeping. For regulated companies submitting environmental compliance reports, the proposed approach relies on an EPA or state controlled system. For maintaining records electronically, by contrast, the proposed approach relies on regulated companies to create and operate record-retention systems, select technical approaches, and implement procedures to comply with the rule's performance criteria.
Also, with respect to records retained, particularly for third party disclosure purposes, there may be instances where some medium more tangible than electronic records may be preferred. For example, paper may be the medium of choice for record retention of information that must be made available to personnel responding to an emergency, because it may be more likely to remain accessible during emergency events (like power outages, fires, floods, etc.) that could render electronic records inaccessible.

Once the proposed rule is formally published in the Federal Register Notice, the regulated community will have an opportunity to formally review it and comment on the approach proposed in the rule. EPA has also announced its plans for further consultation with its stakeholders and to work with the public to promote products that support e-commerce for environmental information.
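
To make record-keeping criteria 1, 2, 4, 8 and 9 concrete, the following Python example is added here; it is not part of the chapter, the proposed rule, or any EPA system. It keeps records alongside a hash-chained audit trail and binds each signature to both the record content and the signer's name, date/time and meaning. All names, keys and sample records are constructed for illustration, and HMAC is used only as a stand-in for whatever electronic signature method a real system adopts (the proposed rule is technology-neutral).

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" used by the first audit entry


def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding of obj."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def sign_record(content, signer, meaning, signed_at, key):
    """Bind the signature to the content AND to name, date/time and meaning
    (criteria 8 and 9). HMAC is a stand-in for the real signature method."""
    meta = {"signer": signer, "meaning": meaning, "signed_at": signed_at}
    covered = digest({"content": content, "meta": meta}).encode()
    tag = hmac.new(key, covered, hashlib.sha256).hexdigest()
    return {"content": content, "meta": meta, "tag": tag}


def signature_valid(record, key) -> bool:
    """True only if the tag covers exactly this content and this metadata."""
    covered = digest({"content": record["content"], "meta": record["meta"]}).encode()
    expected = hmac.new(key, covered, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


class RetentionStore:
    """Records plus a hash-chained, computer-generated audit trail
    (criteria 1, 2 and 4). Hypothetical class, for illustration only."""

    def __init__(self):
        self.records = {}  # record_id -> signed record
        self.audit = []    # each entry commits to the entry before it

    def store(self, record_id, record, at):
        prev = self.audit[-1]["entry_hash"] if self.audit else GENESIS
        body = {"seq": len(self.audit), "event": "stored", "record_id": record_id,
                "record_hash": digest(record), "at": at, "prev": prev}
        self.audit.append({**body, "entry_hash": digest(body)})
        self.records[record_id] = record

    def head(self) -> str:
        """Latest chain hash. Keeping a copy outside the system is what
        exposes a wholesale rewrite of records and trail together."""
        return self.audit[-1]["entry_hash"] if self.audit else GENESIS

    def verify(self, keys) -> list:
        """Return a list of findings; an empty list means nothing was altered."""
        findings, prev, latest = [], GENESIS, {}
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or digest(body) != entry["entry_hash"]:
                findings.append(f"audit entry {entry['seq']}: chain broken")
            prev = entry["entry_hash"]
            latest[entry["record_id"]] = entry["record_hash"]
        for rid, rec in self.records.items():
            if latest.get(rid) != digest(rec):
                findings.append(f"record {rid}: altered since it was stored")
            key = keys.get(rec["meta"]["signer"])
            if key is None or not signature_valid(rec, key):
                findings.append(f"record {rid}: signature does not cover this content")
        return findings


# Constructed sample data: signer, key, record ids and values are invented.
SAMPLE_KEYS = {"J. Rivera": b"constructed-demo-key"}


def build_sample_store():
    store = RetentionStore()
    key = SAMPLE_KEYS["J. Rivera"]
    store.store("REPORT-001",
                sign_record("pH=7.1; flow=1200", "J. Rivera",
                            "certifies accuracy", "2001-07-31T16:05:00Z", key),
                at="2001-07-31T16:05:02Z")
    store.store("REPORT-002",
                sign_record("pH=6.9; flow=1180", "J. Rivera",
                            "certifies accuracy", "2001-08-31T15:40:00Z", key),
                at="2001-08-31T15:40:03Z")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("clean store:", s.verify(SAMPLE_KEYS))
    s.records["REPORT-001"]["content"] = "pH=7.1; flow=900"  # simulated alteration
    print("after edit:", s.verify(SAMPLE_KEYS))
```
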
Conclusion

In recent years, legislative drivers such as the Government Paperwork Elimination Act and the Electronic Signatures in Global and National Commerce Act have taken the decision to embark on E-Gov away from individual agencies, mandating the road to E-Gov. Along with new and exciting opportunities to improve our current business processes, E-Gov also brings new challenges, with significant legal and regulatory implications, which agencies like EPA need to address to provide electronic approaches to their reporting communities. CROMERRR moves EPA a step closer to E-Gov and shows its commitment to working with its state partners and many stakeholders to effectively address the challenges and fully embrace the opportunities of E-Gov, while maintaining effective stewardship of the environment.

References

1. See Electronic Reporting at EPA: USEPA Policy on Legal Acceptance of Electronic Submissions, [Federal Register: September 4, 1996 (Volume 61, Number 172)], pages 46683-46694.
2. USEPA has funded research in this area through grants to such groups as the Environmental Law Institute (ELI) and the National Governors' Association (NGA). See From Pens to Bytes: Summaries of Court Decisions Related to Electronic Reporting, June 1999, Environmental Law Institute, ISBN #0911937-94-3.
3. EPA Fact Sheet on CROMERRR available at http://www.epa.gov/cdx/.
4. The PRA requires federal government entities to obtain approval from OMB to collect any information from the public. OMB may disapprove, approve, or place conditions on the information collection. The purpose is to ensure that collections are not unnecessarily conducted and that the public burden for approved collections is minimized. The 1995 Paperwork Reduction Act took effect on Oct. 1, 1995, superseding the PRA of 1980, as amended in 1986. Final Rule issued August 29, 1995 (60 FR 44978).
5. While EPA's earlier efforts focused on larger enterprises submitting electronic reports via value added networks in EDI based standards, more recent efforts have focused on alternative technologies, particularly those attractive to smaller and medium size businesses. For an example of one of EPA's efforts to develop e-reporting options which meets the needs of small and medium-sized businesses, see the report on Internet Discharge Monitoring Report (DMR) pilot with NY Department of Environmental Conservation in 2000 at http://www.epa.gov/cdx.
6. Access America, available at Http://www.gits.gov.
7. Reinventing Environmental Regulation, President Bill Clinton and Vice President Al Gore, March 16, 1995. U.S. EPA REI Action Plan: Building Data Systems for the 21st Century, December, 1997.
8. The Government Paperwork Elimination Act (GPEA), Public Law No. 105-277, §§1701-1710 (1998), took effect on October 21, 1998.
9. OMB guidance to assist agencies in implementing GPEA is available at: Http://www.whitehouse.gov/WH/EOP/OMB, Procedures and Guidance; Implementation of the Government Paperwork Elimination Act, 65 FR 25508, May 2, 2000.
10. The Electronic Signatures in Global and National Commerce Act (E-Sign), Public Law No. 106-229, enacted on June 30, 2000, codified at 15 U.S.C. §§7001 to 7031.
11. E-Sign defines uniquely governmental transactions as reporting and record-keeping by regulated entities that is principally for governmental purposes. These requirements, while not addressed by E-Sign, are addressed by GPEA. Governmental transactions that are also commercial transactions may be affected by E-Sign. For such transactions, the effective date for E-Sign, for agencies that have undertaken a rulemaking to address electronic reporting/record-keeping, is June 1, 2001. Where E-Sign applies to an EPA compliance requirement to retain a record, the effective date is June 1, 2001. At the time of this writing, federal agencies were still assessing the impact of E-Sign on regulatory requirements.
12. EPA's Strategic Plan, EPA 190-R-00-002, September 2000, page 55.
13. National Governor's Association, A State Guide for electronic Reporting of Environmental Data, November 1999, page 63.
14. U.S. Department of Justice, Legal Considerations In Designing And Implementing Electronic Processes: A Guide For Federal Agencies, November, 2000, page 7.
15. The current CROMERR proposal does not address electronic reporting on any form of magnetic media (diskette, tape, etc.). The proposed rule does not prohibit such technologies; it simply does not address them.
16. Delegated programs is used throughout this paper to refer to those states authorized to implement the requirements of federal environmental laws. Such state programs are variedly referred to as delegated, authorized, approved, or assumed programs.
17. A concern for a number of states is the proposal's provisions for approving state electronic reporting and record-keeping programs. Many states view the current process for program modifications under existing state primacy regulations as carrying a high administrative cost. Also of concern to some states is what they perceive as system complexity/cost driven by federal enforcement concerns regarding electronic signatures. For a fuller discussion of state concerns, see NGA SEES document.