Response to Cybersecurity Incidents

• Assisted clients with more than 1,000 cybersecurity incidents or data breaches worldwide.
• Assisted major power grid company with the response to a significant insider threat, including engaging with the FBI, DHS, DOE, FERC, state regulatory agencies, and affected third parties, supervising the digital forensics analysis, leading the internal investigation, and managing communications with the public.
• Assisted one of the country’s largest electric utility companies in its response to a major breach of protected health information, including advice on state and federal notification obligations, negotiations with the service provider that was breached, and communications with employees and the public.
• Represented a Fortune 150 company in one of the country’s largest information security incidents involving the theft of payment card information. We assisted with the forensic investigation, government investigation, and customer and regulator notification. Following the breach, we assisted the client with the related FTC enforcement action, including negotiating the consent decree with the FTC and assisting in drafting the report to the FTC evidencing compliance with the terms of the consent decree. We also assisted the company in developing and implementing a global, comprehensive, written privacy and data security program. The program included an information security governance framework, policies and procedures, training modules, and other privacy education and awareness documents.
• Provided advice and representation to a major critical infrastructure transportation company with a data security breach involving one of its service providers. We assisted with every aspect of the breach event, including overseeing an extensive forensic investigation, preparing multiple notification letters and related communications, drafting employee communications and managing the resulting responses. We also handled a Senate inquiry regarding the breach incident.
• Provided advice and representation in the United States and overseas to a Fortune 10 company with several significant information security issues, including one incident that affected millions of individuals in more than 75 countries.
• Provided a large global company with all aspects of its investigation and handling of two massive cyber attacks perpetrated by a nation-state and an international criminal hacking network. These attacks affected the company’s entire network and website. We assisted the company in every aspect of the breach, including compliance with breach notification laws, negotiations with credit card brands, and advice on engagement with law enforcement. We also assisted the company in its notification of its extensive corporate customer list.
• Represented a major critical infrastructure company that was victimized by a sophisticated international organized crime ring, which breached the client’s network and perpetrated a large-scale financial theft. We led the investigation of the cyber intrusion, worked with US and international law enforcement agencies, managed communications with financial institution regulators, helped assess and respond to litigation risks from customers and other third parties, and defended the client against ensuing class actions.
• Advised some of the largest financial institutions and energy companies in the world in their preparation for offensive and defensive litigation arising from the theft of highly confidential business records and intellectual property.

Response to Physical Issues

• Immediately following the 9/11 terrorist attacks, we worked with Oak Ridge National Laboratory and various federal agencies to develop protocols to define and protect critical infrastructure for oil and gas pipelines, and to protect information about such assets from disclosure.
• Provided extensive advice and counsel to a major pipeline company on a matter before the Pipeline and Hazardous Materials Safety Administration on a physical security issue relating to an oil spill.
• Advised energy companies on their public responses following the 2003 Northeast–Midwest blackout.
• Represented a NERC Regional Entity in connection with an investigation by the FERC Office of Enforcement of a major Southeast outage.
• Defended a major generating company against alleged violations of the Clean Water Act and various state statutes and regulations following spills at its coal ash storage facility.
• Represented a utility applicant in one of the very few, if not the only, NRC licensing proceeding in which nuclear security issues were actually litigated.
• Provided assistance to licensees in preparing for NRC inspections, responding to NRC inspection findings, preparing enforcement proceedings following notices of violation, and preparing for and participating in NRC investigations in matters relating to physical security.
• Represented a utility in one of only two NRC licensing proceedings ever to involve litigation of off-site radiological emergency response issues.
• Represented a Midwest public utility in an operational audit for compliance with FERC’s standards of conduct, code of conduct, market behavior rules, and open access transmission tariff and OASIS requirements, brought by FERC’s Office of Market Oversight and Investigation (now the Office of Enforcement).
• Represented an ISO in connection with investigations by the FERC Office of Enforcement into alleged market power abuse in a regional market for installed capacity and operational and Open Access Same Time Information System (OASIS) compliance.

Planning and Preparation

• Assisted energy and other critical infrastructure companies in reducing their cybersecurity risk by providing advice on improving their governance structure, conducting an inventory of sensitive data and networks, analyzing and strengthening network security policies and practices, and leading table top exercises.
• Provided extensive legal and operational advice to major electric utility companies on cybersecurity information-sharing and collaboration opportunities with the FBI, Department of Homeland Security and Department of Energy, and assisted in negotiating public-private partnership agreements with all three agencies.
• Assisted major critical infrastructure companies on various aspects of state and federal Freedom of Information Act (FOIA), including the applicability of exemptions to disclosure based on trade secrets, confidential commercial or financial information, law enforcement proceedings, statutory nondisclosure requirements, personal privacy and other grounds. We have represented clients in negotiations with various federal agencies over the applicability of certain FOIA exemptions, and prepared extensive redactions and legal objections to an agency’s proposed release of documents under FOIA. We have successfully persuaded agencies to adopt our requested redactions to documents prior to release.
• Represented transmission providers and a variety of other clients in every significant electric transmission proceeding conducted by the FERC in the last 20 years, drafting comments on proposed rules and other pleadings, coordinating and communicating with state regulators and stakeholders, and representing clients in litigation.
• Advised regional transmission organizations (RTOs) and independent system operators (ISOs) on a wide variety of issues related to risk management and insurance, regulatory compliance, government relations, contracting with specialist consultants and stakeholder relations.
• We have represented clients in numerous matters involving NERC and the development of, and compliance with, its mandatory electric reliability standards. We have helped clients monitor NERC developments, commented on NERC filings at FERC, helped a large transmission operator develop policies to govern the allocation of NERC-imposed penalties within its region, and represented clients in confidential NERC audits and compliance violation investigations.
• Advised clients on FERC compliance and enforcement matters, including operational audits, nonpublic investigations and self-reports.
• Represented a NERC Regional Entity in connection with forming and passing mandatory reliability standards provisions of the Energy Policy Act of 2005, and in connection with the developing, implementing and administering mandatory reliability standards.
• Advised clients on matters involving various aspects of the mandatory NERC Reliability Standards, including Compliance Registry issues, standards compliance, penalty liability, standards development, hearing process and audit issues, and monitoring the development of NERC and Regional Entity compliance and enforcement programs.
• Represented electric utility clients in the development of corporate governance programs designed to adequately identify, prioritize and support compliance with applicable FERC regulatory obligations.
• Performed comprehensive internal due diligence reviews for compliance with the standards of conduct, affiliate transaction regulations and Open Access Transmission Tariff policies applicable to the electric industry.
• Advised clients on the development of NERC’s new mandatory reliability standards relating to physical security of the grid, and those relating to geomagnetic disturbance operations.
• Advised a wide range of energy and other critical infrastructure companies on policy, regulatory and legislative developments relating to cybersecurity, physical security and national security.

Risk Reduction & Insurance

• Assisted energy and other critical infrastructure companies with all manner of insurance issues. We have reviewed and developed insurance programs for electric utility companies, including coverage for information security incidents and related D&O liability insurance coverage. We have assisted clients in connection with property and business interruption claims arising out of 9/11 attacks, Hurricanes Andrew and Katrina, natural gas explosions, pollution claims, fire damage, claims arising from catastrophic damage to power plants and mines, cybersecurity incidents and data breaches.
• Advised major critical infrastructure companies on reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cybersecurity system under the SAFETY Act.