HOW TO MINIMIZE YOUR COMPANY’S LEGAL EXPOSURE FROM DATA BREACHES
PHILIP J. BEZANSON AND CAROLYN ROBBS BILANKO, BRACEWELL LLP, SEATTLE
CYBER ATTACKS have become commonplace, and the threats they pose continue to evolve. Although the most high-profile attacks have typically involved theft of personal, financial, political, or business information that could be sold at a profit or used for competitive damage or public embarrassment, there are additional dramatic implications for energy companies.
The energy sector, along with other manufacturing and infrastructure institutions, bears the risk that hackers could access company databases and control systems for the malicious purpose of causing mayhem, tangible business disruption, or physical harm to people and property.
Oil and gas companies face the specific threat of environmental, religious, and political cyber-terrorists targeting upstream, midstream, and downstream sites. Such attacks endanger expensive company equipment, the environment, and the lives of on-site company personnel.
Whatever the type of attack, the monetary and reputational consequences can be significant. Data breaches often trigger investigations by the US Federal Trade Commission, the US Securities and Exchange Commission, the US Department of Justice, and state regulatory agencies, as well as class-action lawsuits and shareholder derivative actions. The modern inevitability of cyber attacks behooves directors and officers at oil and gas companies to allocate adequate funds and time to implement cyber security risk-management strategies that protect sensitive business information and property and minimize the company’s legal exposure.
Here, we offer five tips on how energy companies can mitigate their legal liability from cyberattacks.
IDENTIFY AN INCIDENT RESPONSE TEAM IN ADVANCE
Since company employees are often the first to detect or learn of a cyber attack, all company personnel should be trained to immediately escalate the issue to the chief information security officer (CISO) (if the company has one) or the general counsel (GC). The CISO or GC should then immediately notify and mobilize the incident response team (IRT). While there may be a tendency to “wait and see” what details emerge before giving such notice, it is critical to elevate the issue immediately so the IRT can begin searching for the access point of the breach and assessing the damage.
The IRT should include the company’s top executives (including a CISO, if possible), legal counsel, relevant IT support, and personnel who are able to convey updates to employees, business partners, investors, regulators, and other potential internal and external stakeholders.
Once the IRT has an initial grasp of what transpired (or is still taking place), the company may need to bring in external support. This includes notifying the board of directors, engaging outside legal counsel, hiring a forensic investigation firm, notifying the company’s insurers, and contacting law enforcement. (Today, the FBI is considered the lead federal agency for investigating cyber attacks, but local law enforcement and/or other governmental agencies may be appropriate depending on the type of attack.) The company also may want to engage a call center to handle the inevitable surge in customer calls and a PR firm to coordinate communications with the media.
If personal information of the company’s employees and/or clients may have been compromised, contact a credit or personal identity theft monitoring company immediately. Companies that are frequently targeted by cyber-attackers should consider signing retainer agreements with such entities. By listing the names and contact information of these external entities in the company’s incident response plan, the company will be able to immediately receive the support it needs to address and mitigate the damage from cyberattacks.
REVIEW YOUR INSURANCE POLICIES
Insurers now offer a variety of policies that cover losses stemming from cyber attacks. Coverage options vary by insurer, but may include notification costs, forensic investigation costs, legal defense costs (including attorney fees, judgments, and/or settlements), regulatory response costs (including attorney fees and/or settlements with the government), lost business revenue, and ransom/extortion payments.
Oil and gas companies facing threats to their physical property and equipment also should review their property and crime insurance policies for coverage in the event of a cyberattack. Insurance policies for company directors and officers should also be in place in the event that litigation and/or governmental investigations ensue.
STAY UP-TO-DATE ON REGULATORY OBLIGATIONS
Laws pertinent to cyber security are rapidly being passed and then expanded, both domestically and abroad. In the US, 47 states and four territories currently have security breach notification laws. (Alabama, New Mexico, and South Dakota do not.) While these laws (and their associated penalties) vary by state, they generally require companies to disclose data breaches of personal information to affected individuals, in writing, within a short period of time. Some states have exemptions for encrypted information and companies working with law enforcement. Additionally, publicly traded companies that experience a cyber attack may need to file a Form 8-K under US securities laws, which require disclosure of “material events” to shareholders within four business days. Because disclosure obligations can be complicated and highly fact specific, companies experiencing a cyber attack should immediately consult experienced disclosure counsel for guidance on whether a filing is warranted.
As many oil and gas companies commonly operate outside of the US, they also need to stay informed about rapidly changing foreign legislation. For example, while Alberta is currently the only province in Canada with a mandatory breach notification law for private companies, federal regulations are on their way. In mid-2015, Canada passed the “Personal Information Protection and Electronic Documents Act” (PIPEDA). When the law comes into effect, it will require organizations to report to the Privacy Commissioner of Canada (and, generally, to affected individuals and certain third parties) any breach of security safeguards that is reasonably believed to create “a real risk of significant harm to an individual.” To the extent that a company operates abroad, it should hire local or international counsel (including translators, if necessary) to keep it abreast of new or changing laws relating to cyber security.
IMPLEMENT AND UPDATE COMPANY DATA PRESERVATION AND DESTRUCTION POLICIES
While health care and financial institutions may be the most obvious examples of companies storing private customer information subject to cyber theft, oil and gas companies also store sensitive data such as confidential business plans, information about proprietary technology and research, and private employee and customer information. Limiting the amount of sensitive data stored by the company is a clear way to limit the risk of it being breached. Thus, implement company policies that securely dispose of data that is no longer needed. This may include an automatic email deletion policy, standard deletion of employee and customer information upon termination of the relationship, or other policies prompting review and potential deletion of files that have not been accessed after a certain period of time.
If your company outsources storage of its data to a third party, ask in-depth questions about their security policies, request secure destruction of data as appropriate, and clearly address liability for potential security breaches in your contract.
Also note that individuals and companies are required to preserve relevant documents and evidence once they reasonably anticipate litigation stemming from an event, including from a security breach. Thus, upon discovering a cyber attack, a company may need to implement a company-wide litigation hold, which requires temporarily pausing the company’s data destruction policies.
As with all company policies and procedures, employees will not follow an incident response plan unless they a) know it exists and b) know how to follow it. Employees should receive annual training on how to recognize threats and how to report them. The IRT should do a full run-through of the company’s incident response plan at least once a year so employees can knowledgeably and rapidly respond in the event of a real breach. In training, use realistic examples and provide feedback to instill best practices. Companies can take additional steps to protect themselves by expanding response plans to include oversight if and when vendors, joint venture partners, or other commercial allies fall victim to a cyber attack.
While cyber attacks are increasingly sophisticated, companies that anticipate and plan for them will be ready to react, thereby mitigating their liability and losses in the lawsuits and government investigations that follow.