July 2020

Columns

Digital: Data security and privacy: The five questions energy company boards need to ask

Over the past 5 yr, the energy industry has been forced to navigate highly volatile conditions, including unstable economics, increased sustainability concerns and a shortage of experienced leaders to succeed those approaching retirement.

Falk, S., Winston & Strawn

Over the past 5 yr, the energy industry has been forced to navigate highly volatile conditions, including unstable economics, increased sustainability concerns and a shortage of experienced leaders to succeed those approaching retirement. With these issues dominating the agenda, energy company boards can be forgiven for regarding data security and privacy as secondary concerns.

In those same 5 yr, however, dramatic changes have taken place in the energy industry’s data landscape. Energy companies now face a wider range of data-related threats and the potential for greater damage when those threats materialize. Separately, heightened public attention and regulatory scrutiny have been placed on data privacy, resulting in more aggressive enforcement, significant legal liability and the specter of reputational damage when such incidents occur.

It is worth noting that such reputational damage is not limited to the company; it reaches the board, as well. Eventually, boards may also find themselves legally liable for breaches, should a suit relying on Caremark be brought that accuses a board of failing to establish adequate oversight of cybersecurity and privacy measures.

In considering a company’s cybersecurity, data security and privacy, it is important to note that while the three concepts are closely related, they are distinct. Cybersecurity involves the protection of an organization’s electronic information systems from attack and unauthorized access. Data security controls the confidentiality, integrity and access of all data, whether or not that data is accessible in cyberspace and whether that data is in electronic or physical form. Privacy concerns itself specifically with the protection and use of personally identifiable data and the rights of individuals to that data. Thus, an energy company with extensive cybersecurity capabilities may have considerable privacy vulnerabilities. A clear picture of forces affecting these three realms can help boards and management develop a sustained response to these changes.

Greater vulnerability

Energy companies may not think of themselves as “data companies,” but they are. The typical energy concern is laden with data—and will become only more so as ongoing advances in artificial intelligence and the internet of things generate even more information in the drive for greater yields and efficiency. In addition to operational data, energy companies have troves of customer and employee data (such as financial account data for both groups and biometric data of employees used in access control), as well as trade secrets and potentially confidential data from business partners and vendors.

Energy company networks have become increasingly high-value targets for malicious actors. Cyberattacks on energy infrastructure have already occurred and are likely to be an increasingly important weapon in terrorist attacks and conflicts between nation-states. Hackers are launching ransomware attacks on entire municipalities.

The vulnerability of the industry extends beyond these high-profile threats, however. Competitors and business partners steal sensitive information for their own advantage. Employees and contractors pose an ongoing internal threat—even when they have no malicious intent. A survey by cybersecurity firm Symantec revealed that half of employees retained confidential company information after they left their job and 40% plan to use that information in their new job. Employees and contractors also lose company devices, fall victim to phishing attacks and circumvent security measures due to their perceived inconvenience.

A web of regulations and liabilities

Energy company boards today must comply with an array of state, national and supra-national regulations that continue to evolve to combat these threats. The cyber component of protecting infrastructure has been a part of industry risk management for some time, through established best practices and regulations such as the Critical Infrastructure Protection Act in the U.S., the European Program for Critical Infrastructure Protection, and regulations from agencies such as the Federal Energy Regulatory Commission and the North American Energy Regulatory Commission.

Energy companies must also comply with cybersecurity requirements that are woven into other regulations affecting corporations generally. For example, an energy company that misstates the protections it provides to personal information may be in violation of the Federal Trade Commission Act’s prohibition against unfair and deceptive trade practices. Publicly listed companies must comply with the Securities and Exchange Commission’s regulations regarding disclosure of cybersecurity risks and incidents.

In addition, energy companies now face an entirely new set of privacy regulations, such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Illinois’ Biometric Information Privacy Act and a growing number of similar laws across various jurisdictions. These regulations place stringent requirements on the use of personal data and establish considerable individual rights regarding that data. They can also have extraterritorial reach and can empower individuals to bring civil action against companies for privacy breaches.

What boards need to know

To stay ahead of rapidly evolving data and privacy risks, regulations and liabilities, board directors do not need to be technical experts, but they do need to know the essential questions to ask of management—starting with the following:

  1. Do we know what data we have, and have we mapped the data flow? Even sophisticated organizations can easily lose sight of the amount of data they collect and store. Identifying data is only the start; the extraterritoriality of many privacy regulations require companies to track how data moves throughout the enterprise and beyond. For example, does the company share data with business partners, store data with third-party service providers or sell data to data brokers? Different types of data will present different risks and liabilities and require different protection strategies. A thorough data inventory allows companies to develop comprehensive strategies rather than ad hoc responses that can lead to gaps and vulnerabilities.
  2. Do we know our data and privacy strengths and weaknesses? Energy companies invariably must set priorities when executing their data and privacy strategy. An accurate assessment of the effectiveness of current data security and privacy measures allows companies to identify weaknesses and prioritize improvements. Thorough data and privacy audits and testing, as well as reviewing certifications and conformity with benchmarks such as the National Institute of Science and Technology’s Cybersecurity Framework, provide a useful baseline from which to work.
  3. Are we practicing data minimization? The plunge in data storage costs and the increased ability to mine insights through data analysis has encouraged organizations to view data collection and retention in largely positive terms. The growing number of data threats and regulations, however, highlight the benefits of data minimization. Companies must scrutinize why they collect and retain the data that they do, and have a working data retention policy to ensure that data is limited to what is needed.
  4. Do we have an agile data security and privacy function? Data and privacy threats, countermeasures, regulations and expectations are continually evolving. Energy boards must ensure that the company has dedicated adequate expertise and resources to data security and privacy and its legal, compliance, technical and operational components. The board should keep itself informed through regular interaction with functional leadership.
  5. Is data security and privacy integrated throughout the organization? The key to effective data security and privacy is ensuring that the necessary procedures and behaviors flow through the enterprise and are monitored to ensure consistency. Vendor due diligence must include assessment of data handling and privacy practices. Contracts must be revised to reflect protections required by regulations such as GDPR and CCPA. Marketing must accurately portray company security and privacy policies, and compliance must ensure timely communication of breaches and other incidents. Often, these efforts will require coordination across functions.

These questions will undoubtedly lead to others, depending on the company’s exposure to data and privacy liability and the maturity of its data security and privacy function. However, the insight these questions generate should help boards ensure that they are exerting the appropriate oversight of this complex and dynamic area. HP

The Author

From the Archive

Comments

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}