Energy Department Sets Civil Penalties for the Mishandling of Classified Data
The Department of Energy has finalized a rule allowing it to fine contractors who do not adequately protect classified information up to $100,000. DOE said it hoped the new regulations would build a culture of “security awareness” and be an incentive for contractors to improve their information security. The rule is notable for several reasons: It penalizes the contractor, not the individual. It is limited to classified data. It provides for case by case mitigation. And it purposefully avoids the use of the term “sensitive information,” pointing out that the frequently-used term has no legislative history, no commonly accepted definition within DOE or the Executive Branch; and the concern of Congress in providing for civil penalties was clearly with classified information, not other data that might be sensitive. We’ve linked to DOE’s summary comments. The Final Rule is 10 CFR 824. (1/28/05)