Privacy & Information Security Law Blog

Last month, the Federal Energy Regulatory Commission (“FERC”) published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information (the “CEII Regulations”). The CEII Regulations, which differ little from the notice of proposed rulemaking that FERC issued in June 2016, were approved unanimously on November 17, 2016, by FERC’s three sitting Commissioners (recent retirements have left the two other FERC seats vacant).

The CEII Regulations are intended to implement new authority granted to FERC by the Fixing America’s Surface Transportation Act (“FAST Act”), which became law in December 2015. Specifically, FAST Act Section 61003 amends Federal Power Act Section 215A to authorize FERC and the Department of Energy to designate certain information as “Critical Electric Infrastructure Information.” Such information is statutorily exempted from the Freedom of Information Act and protected from all other state and local disclosure laws. FAST Act Section 61003 also directs FERC to establish sanctions for government officials, including its Commissioners, responsible for unauthorized release of Critical Electric Infrastructure Information. Furthermore, FAST Act Section 61003 directs FERC to “facilitate” voluntary sharing of Critical Electric Infrastructure Information among various stakeholders within the electricity sector.

As opposed to FERC’s existing Critical Energy Infrastructure designation, which dates back to shortly after the 9/11 attacks, the FAST Act’s Critical Electric Infrastructure Information designation was drafted to provide enhanced protections specifically for sensitive electricity subsector information. FERC opted in the CEII Regulations, however, to fold the FAST Act’s Critical Electric Infrastructure Information into FERC’s existing Critical Energy Infrastructure Information program. Although the CEII Regulations’ new “Critical Electric/Energy Infrastructure Information” designation extends beyond the electricity subsector to apply more generally across the energy sector, it provides little additional protection beyond what was previously available. The CEII Regulations also do not outline sanctions for unauthorized releases by FERC Commissioners, notwithstanding the FAST Act Section 61003’s explicit direction that FERC do so. Furthermore, the CEII Regulations interpret the FAST Act’s provisions on voluntary sharing as providing FERC additional authority to release sensitive energy infrastructure information as FERC deems necessary.

In light of recent news that federal officials leaked incorrect information related to purported cyber attacks on the electricity grid, policymakers likely will continue to focus their attention on the handling of sensitive electricity subsector infrastructure information.