If personal information of the company’s employees
and/or clients may have been compromised, contact
a credit or personal identity theft monitoring
company immediately. Companies that are
frequently targeted by cyber attackers should
consider signing retainer agreements with such
should also be available in the event that litigation and/or
governmental investigations ensue.
STAY UP-TO-DATE ON REGULATORY OBLIGATIONS
Laws pertinent to cyber security are rapidly being passed and
then expanded, both domestically and abroad. In the US, 47
states and four territories currently have security breach notification laws. (Alabama, New Mexico, and South Dakota do
not.) While these laws (and their associated penalties) vary by
state, they generally require companies to disclose breaches of personal information to affected individuals, in writing,
within a short period of time. Many states exempt data that was
encrypted (provided the key was not also compromised), and many permit
notification to be delayed at the request of law enforcement.
Additionally, publicly traded companies that
experience a cyber attack may need to file a Form 8-K under
US securities laws, which requires disclosure of “material events”
to shareholders within four business days. Because disclosure
obligations can be complicated and highly fact specific, companies experiencing a cyber attack should immediately consult
experienced disclosure counsel for guidance on whether a
filing is warranted.
As many oil and gas companies commonly operate outside
of the US, they also need to stay informed about rapidly changing foreign legislation. For example, while Alberta is currently
the only province in Canada with a mandatory breach notification law for private companies, federal requirements are on
their way. In mid-2015, Canada passed the Digital Privacy Act, which amends the federal “Personal Information Protection and Electronic Documents Act” (PIPEDA) to add mandatory breach reporting.
When those provisions come into effect, they will require organizations
to report to the Privacy Commissioner of Canada (and, generally,
to affected individuals and certain third parties) any breach of
security safeguards that is reasonably believed to create “a
real risk of significant harm to an individual.” To the extent
that a company operates abroad, it should hire local or international counsel (including translators, if necessary) to keep
it abreast of new or changing laws relating to cyber security.
IMPLEMENT AND UPDATE COMPANY DATA
PRESERVATION AND DESTRUCTION POLICIES
While health care and financial institutions may be the most
obvious examples of companies storing private customer information subject to cyber theft, oil and gas companies also
store sensitive data such as confidential business
plans, information about proprietary technology and research,
and private employee and customer information. Limiting the
amount of sensitive data stored by the company is a clear way
to limit the risk of it being breached: data that no longer exists cannot be stolen. Thus, implement company
policies that securely dispose of data that is no longer needed.
This may include an automatic email deletion policy, standard
deletion of employee and customer information upon termination of the relationship, or other policies prompting review
and potential deletion of files that have not been accessed after
a certain period of time.
If your company outsources storage of its data to a third
party, ask in-depth questions about their security policies,
request secure destruction of data as appropriate, and clearly
address liability for potential security breaches in your
Also note that individuals and companies are required to
preserve relevant documents and evidence once they reasonably anticipate litigation stemming from an event, including
from a security breach. Thus, upon discovering a cyber attack,
a company may need to implement a company-wide litigation
hold, which requires temporarily pausing the company’s data
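A retention sweep only reduces risk if it is actually paused by a litigation hold; a script that keeps deleting stale files after a breach destroys evidence the company is obligated to preserve. The following is an added example, not a procedure from the article or from Bracewell, of a sweep planner that applies an access-age retention window but exempts anything covered by a hold, whether by custodian or by directory. The file records, the hold register, the field names (`custodian`, `path_prefixes`) and the dates are all constructed for illustration; a real deployment would read them from the file system and from legal’s hold list.

```python
"""Retention sweep planner with litigation-hold exemption (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    last_access: datetime   # timezone-aware
    custodian: str          # hypothetical field: the employee who owns the record


@dataclass(frozen=True)
class LitigationHold:
    matter: str
    custodians: frozenset   # custodians whose data must be preserved
    path_prefixes: tuple    # directories covered by the hold


def is_held(rec: FileRecord, holds: Iterable[LitigationHold]) -> bool:
    """True if any active hold covers this record by custodian or by path."""
    for hold in holds:
        if rec.custodian in hold.custodians:
            return True
        if any(rec.path.startswith(prefix) for prefix in hold.path_prefixes):
            return True
    return False


def plan_sweep(records: Iterable[FileRecord], holds: Iterable[LitigationHold],
               retention_days: int, now: datetime) -> Tuple[List[str], List[str]]:
    """Return (paths to delete, stale paths preserved under a hold).

    A record is stale when it has not been accessed within the retention
    window. Stale records under a hold are reported, never deleted; the
    hold has to be lifted before the sweep may touch them.
    """
    holds = list(holds)
    cutoff = now - timedelta(days=retention_days)
    to_delete, preserved = [], []
    for rec in records:
        if rec.last_access >= cutoff:
            continue                      # still within the retention window
        if is_held(rec, holds):
            preserved.append(rec.path)    # litigation hold pauses destruction
        else:
            to_delete.append(rec.path)
    return sorted(to_delete), sorted(preserved)


# Constructed sample data: a snapshot taken on 2016-06-01 with a one-year window.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
RETENTION_DAYS = 365

SAMPLE_RECORDS = [
    FileRecord("/share/hr/offboarding/jdoe.zip",
               datetime(2014, 1, 10, tzinfo=timezone.utc), "hr"),
    FileRecord("/share/ops/incident-2016/logs.tgz",
               datetime(2014, 3, 1, tzinfo=timezone.utc), "itsec"),
    FileRecord("/share/finance/q1.xlsx",
               datetime(2016, 5, 20, tzinfo=timezone.utc), "finance"),
    FileRecord("/share/eng/old-design.pdf",
               datetime(2013, 7, 1, tzinfo=timezone.utc), "asmith"),
]

# Hypothetical hold issued after a breach: preserve one custodian's data and
# everything under the incident directory.
SAMPLE_HOLDS = [
    LitigationHold("breach-2016", frozenset({"asmith"}),
                   ("/share/ops/incident-2016",)),
]


if __name__ == "__main__":
    delete, keep = plan_sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, RETENTION_DAYS, NOW)
    print("would delete:", delete)
    print("stale but preserved under hold:", keep)
```

The planner deliberately separates deciding from deleting: run it in dry-run mode, have legal review the preserved list against the hold register, and only then hand the delete list to whatever actually removes the files. Matching holds by custodian as well as by path matters because a hold is usually defined in terms of people and matters, not directories.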
As with all company policies and procedures, employees will
not follow an incident response plan unless they a) know it
exists and b) know how to follow it. Employees should receive
annual training on how to recognize threats and how to report
them. The incident response team (IRT) should do a full run-through of the company’s
incident response plan at least once a year so employees can
knowledgeably and rapidly respond in the event of a real breach.
In training, use realistic examples and provide feedback to
instill best practices. Companies can take additional steps to
protect themselves by expanding response plans to cover
the case in which vendors, joint venture partners, or other
commercial allies fall victim to a cyber attack.
While cyber attacks are increasingly sophisticated, companies that anticipate and plan for them will be ready to react,
thereby mitigating their liability and losses in the lawsuits and
government investigations that follow.
ABOUT THE AUTHORS
Philip J. Bezanson, managing partner of Bracewell
LLP’s Seattle office, represents corporate clients,
senior management and boards of directors as
well as individual clients in internal investigations,
securities enforcement, criminal defense and regulatory matters. He can be reached at firstname.lastname@example.org.
Carolyn Robbs Bilanko is a member of Bracewell’s
White Collar Defense practice in Seattle. She advises clients in commercial litigation, internal
investigations, and white collar defense matters. She can be reached at email@example.com.