Companies in the energy industry today are confronted with unprecedented physical and cyber security challenges. In the physical realm, energy companies must protect critical infrastructure facilities against accidents, natural disasters and acts of sabotage or terror. In the cyber realm, they must safeguard their mission-critical information assets against criminal hackers, hacktivists, nation-states and terrorists who use sophisticated means to steal personal and financial information for monetary gain, engage in economic espionage, disrupt online services or conduct destructive attacks on cyber and physical infrastructure.

Hunton’s energy sector security team stands ready to assist companies in protecting the security and resilience of their critical infrastructure facilities in the face of these physical and cyber threats. We help clients address challenging legal issues while implementing a comprehensive approach to preparing for and responding to today’s security challenges. Energy companies must navigate through an increasingly complex legal and policy environment that is being shaped by new developments and evolving security standards in regulatory compliance, reporting, enforcement, government investigations, litigation, insurance, employment, legislation and other areas. Since the 9/11 terrorist attacks, the matrix of laws, regulations and executive orders at federal and state levels has grown increasingly complex as governments at all levels take action to prepare for hostile attacks and natural disasters. Federal, state and foreign laws that might otherwise provide a predictable legal framework for effective strategic planning in physical and cybersecurity are in a state of rapid, often unpredictable change due to shifting and sometimes conflicting public policies.

This endemic uncertainty complicates the planning for, preparation for and response to the varied physical and cyber crises that every energy company will inevitably face. Some threats, like those posed by severe weather events, are familiar to the industry. Other threats, such as those posed by sophisticated cyber attacks and physical sabotage, are evolving at an alarming pace. What is new is the increasingly unpredictable and often severe nature of governments’ response when a crisis occurs.

• Superstorm Sandy triggered immediate and harsh political attacks on utilities across the Northeast, and sweeping regulatory action in its aftermath. Regulators initiated the expected proceedings to critique the storm preparedness and response of utilities. But they often went much further. For example, regulators and policymakers in New York initiated open-ended proceedings to explore ways to alter the fundamental business model and structure of utilities, purportedly to make them better able to withstand such storms and related threats.
• An act of sabotage involving small firearms at a West Coast electricity substation in 2013 drew little attention, until a series of newspaper articles eight months later brought it national attention. This led to public pressure for reform, congressional hearings, proposed legislation, and the development of new physical security regulations by the Federal Energy Regulatory Commission (FERC).
• The daily drumbeat of news about data breaches, theft of proprietary information, online service disruptions, and destructive malware in the cybersecurity arena has led to new notification and reporting requirements, increasingly aggressive enforcement action by federal and state regulators, widespread class action litigation and criminal investigations, regulatory reforms, evolving insurance requirements, new government policies and programs, proposed legislation and congressional hearings.

Energy sector companies cannot rely on traditional programs and procedures for risk management and crisis response. They must engage in a comprehensive and coordinated form of planning, preparation and response that covers the life cycle of an incident, and addresses the associated legal, regulatory, policy and political issues.

Our Team

Combining talented lawyers from a number of practices, our team works with companies in the electric utility, oil, natural gas, pipeline, coal, nuclear, renewable energy and clean power, and related sectors to minimize the risks or consequences of a serious security incident. Our involvement in the energy industry dates back more than 100 years, and we have established a multidisciplinary team tailored to meet the security challenges in the energy sector.

Many of the practice groups our team is composed of have received top tier rankings or were otherwise highly ranked by Chambers & Partners Guide to the World’s Best Lawyers. Chambers has consistently rated our energy, project finance and regulatory partners in its top tier. For the past several years, it has rated our firm as the top privacy and cybersecurity practice in its Chambers Global, Chambers USA and Chambers UK guides. The Legal 500 United States also has placed the firm in the top tier for cyber crime, and privacy and data security.

Our lawyers work seamlessly together to help clients with legal and regulatory compliance, physical and cybersecurity risk minimization, strategic engagement with key government agencies, response to physical or cyber events, insurance coverage and dispute resolution arising from law enforcement investigations, government enforcement actions and private litigation.

• Regulatory Compliance - Complying with North American Electric Reliability Corporation (NERC) Reliability Standards, NIST security standards, and other regulations or guidance issued by federal and state agencies, including the FERC, NERC, Environmental Protection Agency (EPA), Pipeline and Hazardous Materials Safety Administration (PHMSA), Department of Transportation (DOT), National Transportation Safety Board (NTSB), Nuclear Regulatory Commission (NRC), Federal Emergency Management Agency (FEMA), Occupational Safety and Health Administration (OSHA), Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), state public utility commissions, and state attorneys general.
• Statutory Compliance - Complying with all federal and state information security requirements, including security breach notification laws at the federal level and in 47 states and four territories, the Pipeline Safety Act, the Payment Card Industry Data Security Standard, HIPAA, and the Gramm-Leach-Bliley Act.
• Compliance with Foreign Laws - Utilizing the experience of our team members in the United States, United Kingdom, Belgium and Beijing, and our network of leading local privacy and cybersecurity lawyers in more than 100 countries, we work with clients to ensure compliance with foreign legal requirements.
• Risk Reduction - Reducing the risks and consequences of major physical and cyber events, including assistance with the development of strategies, policies, plans and procedures that reflect industry best practices and standards, as appropriate, employee training, table top exercises, and cybersecurity penetration testing.
• Strategic Engagement - Strategically engaging with the federal government on information sharing and collaboration opportunities, and helping clients obtain the latest threat and vulnerability information from agencies such as the FBI, the Department of Homeland Security and the Department of Energy.
• Response to Cyber Incidents - Providing comprehensive “breach coach” assistance in managing the full panoply of activities associated with a significant cybersecurity incident/data breach, including: (i) directing a privileged internal forensic investigation; (ii) liaising with law enforcement and federal and state regulatory agencies such as the FBI, US Secret Service, Department of Justice, FTC and state attorneys general; (iii) analyzing breach notification requirements; (iv) managing notifications to affected individuals, state and federal regulators and consumer reporting agencies; (v) negotiating with payment card services; (vi) establishing relationships with credit bureaus; (vii) managing public relations; (viii) training call center agents; (ix) handling regulatory investigations and enforcement actions; (x) managing legislative inquiries; (xi) preparing executives for hearings; (xii) assisting with investor relations; preparing for litigations and advising on information retention obligations; and (xiii) handling resulting lawsuits (including class actions) and other legal actions brought by regulators, customers, business partners and other parties in federal and state court, before regulatory agencies and in alternative dispute resolution proceedings.
• Response to Physical Incidents - Providing comprehensive assistance with responding to significant physical events, including engaging with federal and state regulatory agencies, minimizing litigation consequences, preparing for congressional inquiries and hearings, and advising on public relations and other issues.
• Dispute Resolution - Assisting with dispute resolution regarding physical and cyber events, including investigations by the FBI, US Secret Service and other law enforcement agencies; enforcement actions by the EPA, PHMSA, FERC, OSHA, FTC, Department of Justice and state attorneys general; and individual and class action litigation regarding liability, insurance coverage, contractual obligations and other issues in federal and state court, alternative dispute resolution proceedings and before regulatory agencies.
• Limiting Liability - Reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cybersecurity system under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act.
• Insurance Counseling and Recovery - Assisting with insurance coverage for physical and cybersecurity incidents, including the development of insurance programs that address a company’s cyber or physical risk profile, and the recovery of insurance proceeds in the event of an incident.
• Policy Advocacy - Advising on executive branch and congressional activity relating to physical and cybersecurity, including policies and programs, pending legislation, hearings, inquiries and investigations.

Response to Cybersecurity Incidents

• Assisted clients with more than 1,000 cybersecurity incidents or data breaches worldwide.
• Assisted major power grid company with the response to a significant insider threat, including engaging with the FBI, DHS, DOE, FERC, state regulatory agencies, and affected third parties, supervising the digital forensics analysis, leading the internal investigation, and managing communications with the public.
• Assisted one of the country’s largest electric utility companies in its response to a major breach of protected health information, including advice on state and federal notification obligations, negotiations with the service provider that was breached, and communications with employees and the public.
• Represented a Fortune 150 company in one of the country’s largest information security incidents involving the theft of payment card information. We assisted with the forensic investigation, government investigation, and customer and regulator notification. Following the breach, we assisted the client with the related FTC enforcement action, including negotiating the consent decree with the FTC and assisting in drafting the report to the FTC evidencing compliance with the terms of the consent decree. We also assisted the company in developing and implementing a global, comprehensive, written privacy and data security program. The program included an information security governance framework, policies and procedures, training modules, and other privacy education and awareness documents.
• Provided advice and representation to a major critical infrastructure transportation company with a data security breach involving one of its service providers. We assisted with every aspect of the breach event, including overseeing an extensive forensic investigation, preparing multiple notification letters and related communications, drafting employee communications and managing the resulting responses. We also handled a Senate inquiry regarding the breach incident.
• Provided advice and representation in the United States and overseas to a Fortune 10 company with several significant information security issues, including one incident that affected millions of individuals in more than 75 countries.
• Provided a large global company with all aspects of its investigation and handling of two massive cyber attacks perpetrated by a nation-state and an international criminal hacking network. These attacks affected the company’s entire network and website. We assisted the company in every aspect of the breach, including compliance with breach notification laws, negotiations with credit card brands, and advice on engagement with law enforcement. We also assisted the company in its notification of its extensive corporate customer list.
• Represented a major critical infrastructure company that was victimized by a sophisticated international organized crime ring, which breached the client’s network and perpetrated a large-scale financial theft. We led the investigation of the cyber intrusion, worked with US and international law enforcement agencies, managed communications with financial institution regulators, helped assess and respond to litigation risks from customers and other third parties, and defended the client against ensuing class actions.
• Advised some of the largest financial institutions and energy companies in the world in their preparation for offensive and defensive litigation arising from the theft of highly confidential business records and intellectual property.

Response to Physical Issues

• Immediately following the 9/11 terrorist attacks, we worked with Oak Ridge National Laboratory and various federal agencies to develop protocols to define and protect critical infrastructure for oil and gas pipelines, and to protect information about such assets from disclosure.
• Provided extensive advice and counsel to a major pipeline company on a matter before the Pipeline and Hazardous Materials Safety Administration on a physical security issue relating to an oil spill.
• Advised energy companies on their public responses following the 2003 Northeast–Midwest blackout.
• Represented a NERC Regional Entity in connection with an investigation by the FERC Office of Enforcement of a major Southeast outage.
• Defended a major generating company against alleged violations of the Clean Water Act and various state statutes and regulations following spills at its coal ash storage facility.
• Represented a utility applicant in one of the very few, if not the only, NRC licensing proceeding in which nuclear security issues were actually litigated.
• Provided assistance to licensees in preparing for NRC inspections, responding to NRC inspection findings, preparing enforcement proceedings following notices of violation, and preparing for and participating in NRC investigations in matters relating to physical security.
• Represented a utility in one of only two NRC licensing proceedings ever to involve litigation of off-site radiological emergency response issues.
• Represented a Midwest public utility in an operational audit for compliance with FERC’s standards of conduct, code of conduct, market behavior rules, and open access transmission tariff and OASIS requirements, brought by FERC’s Office of Market Oversight and Investigation (now the Office of Enforcement).
• Represented an ISO in connection with investigations by the FERC Office of Enforcement into alleged market power abuse in a regional market for installed capacity and operational and Open Access Same Time Information System (OASIS) compliance.

Planning and Preparation

• Assisted energy and other critical infrastructure companies in reducing their cybersecurity risk by providing advice on improving their governance structure, conducting an inventory of sensitive data and networks, analyzing and strengthening network security policies and practices, and leading table top exercises.
• Provided extensive legal and operational advice to major electric utility companies on cybersecurity information-sharing and collaboration opportunities with the FBI, Department of Homeland Security and Department of Energy, and assisted in negotiating public-private partnership agreements with all three agencies.
• Assisted major critical infrastructure companies on various aspects of state and federal Freedom of Information Act (FOIA), including the applicability of exemptions to disclosure based on trade secrets, confidential commercial or financial information, law enforcement proceedings, statutory nondisclosure requirements, personal privacy and other grounds. We have represented clients in negotiations with various federal agencies over the applicability of certain FOIA exemptions, and prepared extensive redactions and legal objections to an agency’s proposed release of documents under FOIA. We have successfully persuaded agencies to adopt our requested redactions to documents prior to release.
• Represented transmission providers and a variety of other clients in every significant electric transmission proceeding conducted by the FERC in the last 20 years, drafting comments on proposed rules and other pleadings, coordinating and communicating with state regulators and stakeholders, and representing clients in litigation.
• Advised regional transmission organizations (RTOs) and independent system operators (ISOs) on a wide variety of issues related to risk management and insurance, regulatory compliance, government relations, contracting with specialist consultants and stakeholder relations.
• We have represented clients in numerous matters involving NERC and the development of, and compliance with, its mandatory electric reliability standards. We have helped clients monitor NERC developments, commented on NERC filings at FERC, helped a large transmission operator develop policies to govern the allocation of NERC-imposed penalties within its region, and represented clients in confidential NERC audits and compliance violation investigations.
• Advised clients on FERC compliance and enforcement matters, including operational audits, nonpublic investigations and self-reports.
• Represented a NERC Regional Entity in connection with forming and passing mandatory reliability standards provisions of the Energy Policy Act of 2005, and in connection with the developing, implementing and administering mandatory reliability standards.
• Advised clients on matters involving various aspects of the mandatory NERC Reliability Standards, including Compliance Registry issues, standards compliance, penalty liability, standards development, hearing process and audit issues, and monitoring the development of NERC and Regional Entity compliance and enforcement programs.
• Represented electric utility clients in the development of corporate governance programs designed to adequately identify, prioritize and support compliance with applicable FERC regulatory obligations.
• Performed comprehensive internal due diligence reviews for compliance with the standards of conduct, affiliate transaction regulations and Open Access Transmission Tariff policies applicable to the electric industry.
• Advised clients on the development of NERC’s new mandatory reliability standards relating to physical security of the grid, and those relating to geomagnetic disturbance operations.
• Advised a wide range of energy and other critical infrastructure companies on policy, regulatory and legislative developments relating to cybersecurity, physical security and national security.

Risk Reduction & Insurance

• Assisted energy and other critical infrastructure companies with all manner of insurance issues. We have reviewed and developed insurance programs for electric utility companies, including coverage for information security incidents and related D&O liability insurance coverage. We have assisted clients in connection with property and business interruption claims arising out of 9/11 attacks, Hurricanes Andrew and Katrina, natural gas explosions, pollution claims, fire damage, claims arising from catastrophic damage to power plants and mines, cybersecurity incidents and data breaches.
• Advised major critical infrastructure companies on reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cybersecurity system under the SAFETY Act.