Companies in the energy industry today are confronted with unprecedented physical and cyber security challenges. In the physical realm, energy companies must protect critical infrastructure facilities against accidents, natural disasters and acts of sabotage or terror. In the cyber realm, they must safeguard their mission-critical information assets against criminal hackers, hacktivists, nation-states and terrorists who use sophisticated means to steal personal and financial information for monetary gain, engage in economic espionage, disrupt online services or conduct destructive attacks on cyber and physical infrastructure.
Hunton & Williams LLP’s energy sector security team stands ready to assist companies in protecting the security and resilience of their critical infrastructure facilities in the face of these physical and cyber threats. We help clients address challenging legal issues while implementing a comprehensive approach to preparing for and responding to today’s security challenges. Energy companies must navigate through an increasingly complex legal and policy environment that is being shaped by new developments and evolving security standards in regulatory compliance, reporting, enforcement, government investigations, litigation, insurance, employment, legislation and other areas. Since the 9/11 terrorist attacks, the matrix of laws, regulations and executive orders at federal and state levels has grown increasingly complex as governments at all levels take action to prepare for hostile attacks and natural disasters. Federal, state and foreign laws that might otherwise provide a predictable legal framework for effective strategic planning in physical and cybersecurity are in a state of rapid, often unpredictable change due to shifting and sometimes conflicting public policies.
This endemic uncertainty complicates the planning for, preparation for and response to the varied physical and cyber crises that every energy company will inevitably face. Some threats, like those posed by severe weather events, are familiar to the industry. Other threats, such as those posed by sophisticated cyber attacks and physical sabotage, are evolving at an alarming pace. What is new is the increasingly unpredictable and often severe nature of governments’ response when a crisis occurs.
- Superstorm Sandy triggered immediate and harsh political attacks on utilities across the Northeast, and sweeping regulatory action in its aftermath. Regulators initiated the expected proceedings to critique the storm preparedness and response of utilities. But they often went much further. For example, regulators and policymakers in New York initiated open-ended proceedings to explore ways to alter the fundamental business model and structure of utilities, purportedly to make them better able to withstand such storms and related threats.
- An act of sabotage involving small firearms at a West Coast electricity substation in 2013 drew little attention, until a series of newspaper articles eight months later brought it national attention. This led to public pressure for reform, congressional hearings, proposed legislation, and the development of new physical security regulations by the Federal Energy Regulatory Commission (FERC).
- The daily drumbeat of news about data breaches, theft of proprietary information, online service disruptions, and destructive malware in the cybersecurity arena has led to new notification and reporting requirements, increasingly aggressive enforcement action by federal and state regulators, widespread class action litigation and criminal investigations, regulatory reforms, evolving insurance requirements, new government policies and programs, proposed legislation and congressional hearings.
Energy sector companies cannot rely on traditional programs and procedures for risk management and crisis response. They must engage in a comprehensive and coordinated form of planning, preparation and response that covers the life cycle of an incident, and addresses the associated legal, regulatory, policy and political issues.
Combining talented lawyers from a number of practices, our team works with companies in the electric utility, oil, natural gas, pipeline, coal, nuclear, renewable energy and clean power, and related sectors to minimize the risks or consequences of a serious security incident. Our involvement in the energy industry dates back more than 100 years, and we have established a multidisciplinary team tailored to meet the security challenges in the energy sector.
Many of the practice groups that make up our team have received top-tier rankings or were otherwise highly ranked by the Chambers & Partners Guide to the World’s Best Lawyers. Chambers has consistently rated our energy, project finance and regulatory partners in its top tier. For the past several years, it has rated Hunton & Williams as the top privacy and cybersecurity practice in its Chambers Global, Chambers USA and Chambers UK guides. The Legal 500 United States also has placed the firm in the top tier for cyber crime, and privacy and data security.
Our lawyers work seamlessly together to help clients with legal and regulatory compliance, physical and cybersecurity risk minimization, strategic engagement with key government agencies, response to physical or cyber events, insurance coverage and dispute resolution arising from law enforcement investigations, government enforcement actions and private litigation.
- Regulatory Compliance - Complying with North American Electric Reliability Corporation (NERC) Reliability Standards, NIST security standards, and other regulations or guidance issued by federal and state agencies, including the FERC, NERC, Environmental Protection Agency (EPA), Pipeline and Hazardous Materials Safety Administration (PHMSA), Department of Transportation (DOT), National Transportation Safety Board (NTSB), Nuclear Regulatory Commission (NRC), Federal Emergency Management Agency (FEMA), Occupational Safety and Health Administration (OSHA), Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), state public utility commissions, and state attorneys general.
- Statutory Compliance - Complying with all federal and state information security requirements, including security breach notification laws at the federal level and in 47 states and four territories, the Pipeline Safety Act, the Payment Card Industry Data Security Standard, HIPAA, and the Gramm-Leach-Bliley Act.
- Compliance with Foreign Laws - Utilizing the experience of our team members in the United States, United Kingdom, Belgium and Beijing, and our network of leading local privacy and cybersecurity lawyers in more than 100 countries, we work with clients to ensure compliance with foreign legal requirements.
- Risk Reduction - Reducing the risks and consequences of major physical and cyber events, including assistance with the development of strategies, policies, plans and procedures that reflect industry best practices and standards, as appropriate; employee training; tabletop exercises; and cybersecurity penetration testing.
- Strategic Engagement - Strategically engaging with the federal government on information sharing and collaboration opportunities, and helping clients obtain the latest threat and vulnerability information from agencies such as the FBI, the Department of Homeland Security and the Department of Energy.
- Response to Cyber Incidents - Providing comprehensive “breach coach” assistance in managing the full panoply of activities associated with a significant cybersecurity incident/data breach, including: (i) directing a privileged internal forensic investigation; (ii) liaising with law enforcement and federal and state regulatory agencies such as the FBI, US Secret Service, Department of Justice, FTC and state attorneys general; (iii) analyzing breach notification requirements; (iv) managing notifications to affected individuals, state and federal regulators and consumer reporting agencies; (v) negotiating with payment card services; (vi) establishing relationships with credit bureaus; (vii) managing public relations; (viii) training call center agents; (ix) handling regulatory investigations and enforcement actions; (x) managing legislative inquiries; (xi) preparing executives for hearings; (xii) assisting with investor relations; (xiii) preparing for litigation and advising on information retention obligations; and (xiv) handling resulting lawsuits (including class actions) and other legal actions brought by regulators, customers, business partners and other parties in federal and state court, before regulatory agencies and in alternative dispute resolution proceedings.
- Response to Physical Incidents - Providing comprehensive assistance with responding to significant physical events, including engaging with federal and state regulatory agencies, minimizing litigation consequences, preparing for congressional inquiries and hearings, and advising on public relations and other issues.
- Dispute Resolution - Assisting with dispute resolution regarding physical and cyber events, including investigations by the FBI, US Secret Service and other law enforcement agencies; enforcement actions by the EPA, PHMSA, FERC, OSHA, FTC, Department of Justice and state attorneys general; and individual and class action litigation regarding liability, insurance coverage, contractual obligations and other issues in federal and state court, alternative dispute resolution proceedings and before regulatory agencies.
- Limiting Liability - Reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cybersecurity system under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act.
- Insurance Counseling and Recovery - Assisting with insurance coverage for physical and cybersecurity incidents, including the development of insurance programs that address a company’s cyber or physical risk profile, and the recovery of insurance proceeds in the event of an incident.
- Policy Advocacy - Advising on executive branch and congressional activity relating to physical and cybersecurity, including policies and programs, pending legislation, hearings, inquiries and investigations.