Legal liability from cyber attacks
HOW TO MINIMIZE YOUR COMPANY’S LEGAL EXPOSURE FROM DATA BREACHES
PHILIP J. BEZANSON AND CAROLYN ROBBS BILANKO, BRACEWELL LLP, SEATTLE
CYBER ATTACKS have become commonplace, and the threats
they pose continue to evolve. Although the most high-profile
attacks have typically involved theft of personal, financial,
political, or business information that could be sold at a profit
or used for competitive damage or public embarrassment,
there are additional dramatic implications for energy
The energy sector, along with other manufacturing and
infrastructure institutions, bears the risk that hackers could
access company databases and control systems for the malicious
purpose of causing mayhem, tangible business disruption,
or destruction to people and property.
Oil and gas companies face the specific threat of environmental,
religious, and political cyber-terrorists targeting
upstream, midstream, and downstream sites. Such attacks
endanger expensive company equipment, the environment,
and the lives of on-site company personnel.
Whatever the type of attack, the monetary and reputational
consequences can be significant. Data breaches often trigger
investigations by the US Federal Trade Commission, the US
Securities and Exchange Commission, the US Department of
Justice, and state regulatory agencies, as well as class-action
lawsuits and shareholder derivative actions. Because cyber
attacks are now all but inevitable, directors and officers at
oil and gas companies should allocate adequate funds and time to
implement cyber security risk-management strategies that
protect sensitive business information and property and minimize the company’s legal exposure.
Here, we offer five tips on how energy companies can mitigate
their legal liability from cyber attacks.
IDENTIFY AN INCIDENT RESPONSE TEAM IN ADVANCE
Since company employees are often the first to detect or learn
of a cyber attack, all company personnel should be trained to
immediately escalate the issue to the chief information security
officer (CISO) (if the company has one) or the general counsel
(GC). The CISO or GC should then immediately notify and
mobilize the incident response team (IRT). While there may
be a tendency to “wait and see” what details emerge before
giving such notice, it is critical to elevate the issue immediately
so the IRT can begin identifying the point of intrusion
and assessing the damage.
The IRT should include the company’s top executives
(including a CISO, if possible), legal counsel, relevant IT support,
and personnel who are able to convey updates to employees,
business partners, investors, regulators, and other potential
internal and external stakeholders.
Once the IRT has an initial grasp of what transpired (or is
still taking place), the company may need to bring in external
support. This includes notifying the board of directors, engaging
outside legal counsel, hiring a forensic investigation firm,
notifying the company’s insurers, and contacting law enforcement.
(Today, the FBI is considered the lead federal agency for
investigating cyber attacks, but local law enforcement and/or
other governmental agencies may be appropriate depending
on the type of attack.) The company also may want to engage
a call center to handle the inevitable surge in customer calls
and a PR firm to coordinate communications with the
If personal information of the company’s employees and/
or clients may have been compromised, contact a credit or
personal identity theft monitoring company immediately.
Companies that are frequently targeted by cyber-attackers
should consider signing retainer agreements with such entities.
By listing the names and contact information of these external
entities in the company’s incident response plan, the company
will be able to immediately receive the support it needs to
address and mitigate the damage from cyber attacks.
REVIEW YOUR INSURANCE POLICIES
Insurers now offer a variety of policies that cover losses stemming from cyber attacks. Coverage options vary by insurer, but
may include notification costs, forensic investigation costs,
legal defense costs (including attorney fees, judgments, and/
or settlements), regulatory response costs (including attorney
fees and/or settlements with the government), revenue lost
through business interruption, and ransom/extortion payments.
Oil and gas companies facing threats to their physical property and equipment also should review their property and
criminal insurance policies for coverage in the event of a cyber attack. Insurance policies for company directors and officers