The U.S. government is increasingly focused on protecting the nation's critical energy infrastructure from destructive cyber and physical attacks and ensuring security within its supply chain. Managing the evolving risks faced by the energy sector requires both a comprehensive understanding of how this sector works and is regulated, and in-depth knowledge of the cyber and physical security environment and its overlapping regulatory framework. Our firm's Energy Security Team includes experienced Energy and Privacy & Cybersecurity lawyers, working together to help clients comply with legal requirements and manage the material risks associated with security and reliability concerns.  

The owners and operators of the nation’s energy infrastructure today face an increasingly complex and risky environment in ensuring the safety, reliability, resilience and physical and cyber security of the system. We provide a robust suite of services to develop our clients’ protective systems, to ensure and verify compliance with applicable rules, to bolster physical, insurance-related and regulatory protections, and to support companies’ incident response in the increasingly likely event of a cyber breach.  These comprehensive services allow our clients to prepare for system-threatening events, to demonstrate compliance to the various federal, state and international regulators who are active in this space, and to support real-time, effective responses to events that threaten the system.

NERC Compliance

Our Energy Security Team advises on all aspects of our clients’ compliance with the mandatory reliability standards enforced by the North American Electric Reliability Corporation (NERC).  NERC violations can result in civil penalty assessments of up to $1,269,500 per violation per day.  Our lawyers regularly advise clients on risk allocation with respect to compliance with and enforcement of the NERC reliability standards in a variety of commercial transactions, including energy asset management and O&M agreements, and the negotiation and administration of agreements with third parties either providing NERC-related services or delegating NERC responsibilities to such third parties.  When necessary, we also assist clients in responding to NERC determinations of alleged violations of NERC electric reliability standards.

Additionally, we regularly help our clients prepare for NERC audits and other NERC compliance monitoring processes (such as self-certification), including reviewing the legal sufficiency of evidence provided by our clients to demonstrate compliance. This can include creating, reviewing, benchmarking and revising clients’ internal compliance programs to ensure that they meet NERC’s electric reliability standards; responding to NERC regional entity inquiries regarding internal compliance programs; and training senior management on NERC compliance, including risk exposure and measures to ensure compliance and mitigate violations.

Mitigating Cyber Risk

Our Energy Security Team has broad experience in helping energy businesses assess their physical and cyber risks and threats and develop legally compliant mitigation policies and procedures. As part of our efficient approach to counseling clients, we work with the company's resources, leveraging existing compliance reviews and assessments, in order to identify compliance requirements and best practices that efficiently and effectively protect data, networks, and systems. We also work with technical consultants through a relationship that helps maintain confidentiality and privilege.

A focus of our approach in mitigating cyber risk is to assist our clients in conducting comprehensive and privileged risk assessments and compliance reviews.  These reviews are tailored to each unique client, and typically include assessing and classifying client data; identifying required and recommended data and network safeguards; evaluating organizational governance of information, people, and policies; reviewing training requirements and content for compliance with existing standards; assessing accountability, including the auditing process, risk reporting, and enforcement activities; and reviewing contractual and other components of vendor management and supply chain risk.

We typically conduct our reviews by identifying and assessing our clients’ compliance with a broad range of government regulatory programs that impose obligations to protect sensitive company and personal information, including the Defense Federal Acquisition Regulation Supplement (DFARS); the Chemical Facility Anti-Terrorism Standards (CFATS); the Maritime Transportation Security Act (MTSA); and evolving federal and state government privacy data breach laws, which may impose control standards and incident reporting obligations upon companies, including those in the energy sector.

Incident Response Plans and Training

We also assist clients in developing or enhancing their privacy and cybersecurity policies and procedures, including governance frameworks for escalating events internally and communicating with government partners, incident response plans, vendor management agreements, and insider threat policies.

In order to help ensure that key and responsible individuals understand their obligations under the incident response plans, our Energy Security Team has developed, facilitated, and participated in hundreds of cybersecurity and privacy tabletop exercises – detailed and rigorous simulations of a cyber or privacy incursion that provide invaluable insight into the resiliency of the company’s response protocols. The goals of our tabletop exercises are to identify appropriate actions for each phase of an incident response and to assess the effectiveness of current policies and procedures. As a result of the exercise, we are able to develop a list of targeted suggestions to help mitigate cybersecurity risks and threats.

Crisis Management

We understand the threat landscape and the impact that a cyber incident can have on companies in the energy sector. We represent both clients who are experiencing a security breach and clients who are alleged to have security or privacy vulnerabilities in their products or services. In these crisis situations, we pack our bags, hit the ground, and remain on site with our clients until the issues are resolved, from the initial internal investigation stage through the communication, government enforcement, and follow-on litigation stages.

SAFETY Act Certifications and Protections

The Support Anti-Terrorism by Fostering Effective Technologies Act (the SAFETY Act), enacted shortly after the 9/11 tragedy, gives the Department of Homeland Security (DHS) authority to encourage the development and use of anti-terrorism technologies and services by providing liability protections to companies that meet DHS criteria.  Since the Act’s passage, DHS has provided SAFETY Act approval to a widening range of cybersecurity products and services, including technology that detects, blocks, tracks, and contains malware threats across multiple threat vectors within an enterprise network.  Once approved, the Act caps third-party tort liability at an approved level of insurance, providing either limited or absolute immunity under some circumstances for losses suffered as a result of terrorist acts.  The Act includes a myriad of other risk management benefits for companies using approved technologies and services, such as exclusive jurisdiction in federal court for suits against sellers of a technology arising from acts of terrorism; a bar against punitive damages and prejudgment interest; a limitation on non-economic damages; and liability only in proportion to the responsibility of the seller.

Our Energy Security Team has helped numerous clients seek and obtain liability protections under the SAFETY Act. We help companies examine whether their security systems, business continuity, physical and cyber-related incident response plans, or other products and services qualify for coverage under the SAFETY Act. We also help our clients, with the assistance of technical consultants as appropriate, develop the applications and information to secure the coverage.


"European Court of Human Rights Confirms the Proportionality Test for Use of Hidden Cameras on the Work Floor," Labor & Employment Law Alert - Europe (December 3, 2019). Contacts: Frederik Van Remoortel, Emmanuel Plasschaert, Evelien Jamaels, Delphine Keppens
Client Alert/Newsletter
5 Harsh Truths About Ransomware Attacks Legaltech News (December 2, 2019)
In the News
Ninth Circuit Rejects Facebook's Article III Argument: Biometric Lawsuit Will Proceed (December, 2019). Authors: Laura Foggan, Jeffrey L. Poston, Nathanial J. Wood, and Brandon C. Ge.
Publications
Courts Are Getting Geofenced In By Location Data Quandaries Legaltech News (November 26, 2019)
In the News
"Behind the Veil: Separating Fact from Fiction in Cyber Warfare," CyberCon, Anaheim, CA (November 20, 2019). Speaker: Evan D. Wolff.
Speech/Presentation
Another Sign That Companies Aren't Ready For CCPA Yet: Data Privacy Trends CloudNine (November 20, 2019)
In the News
"Data Protection Impact Assessments, The Full Picture," IAPP Europe Data Protection Congress 2019, Brussels, Belgium (November 19, 2019). Chair and Speaker: Maarten Stassen.
Speech/Presentation
CCPA Uncertainty May Put Cloud Agreements Up In The Air Legaltech News (November 18, 2019)
In the News
"Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates," Government Contracts Bullet Points (November 13, 2019). Contacts: Evan D. Wolff, Maida Oringher Lerner, Kate M. Growley, CIPP/G, CIPP/US, Michael G. Gruden, CIPP/G
Client Alert/Newsletter
"Proposed CCPA Regulations from California Attorney General: Part III – An Analysis of the Requirement to Verify Consumer Requests and Parental Consents," Privacy Law Alert (November 13, 2019). Contacts: Jeane A. Thomas, CIPP/E, Kristin J. Madigan, CIPP/US, Paul M. Rosen, Lee Matheson, CIPP/US/E/A, CIPM, PCIP
Client Alert/Newsletter


Crowell & Moring LLP is an international law firm with more than 500 lawyers representing clients in litigation and arbitration, regulatory, and transactional matters. The firm is internationally recognized for its representation of Fortune 500 companies in high-stakes litigation, as well as its ongoing commitment to pro bono service and diversity. The firm has offices in Washington, DC, New York, Los Angeles, San Francisco, Orange County, London, and Brussels.


© Crowell & Moring LLP 2019
Attorney advertising - prior results do not guarantee a similar outcome.