September 16, 2021

Volume XI, Number 259


Power Company Slammed With Hefty $2.7M Fine After Data Breach

An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after being able to access the information online. The company determined that a third-party contractor improperly copied protected company data to its unsecured network.

The company notified its regulator, the Western Electricity Coordinating Council, of the incident. A subsequent investigation revealed the company failed to apply its information protection program to the exposed protected information. The company also failed to ensure its contractor followed its information protection program. The company indicated that it believed it unlikely the data was accessed or acquired during the time it was available online. Regulators were not as optimistic. In its penalty notice to the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. noted that there was no assurance the data was not already used or acquired by a malicious actor.

Putting it Into Practice: This case is a reminder that when incidents occur, regulators may take aggressive positions about the level of protections a company had (or should have had) in place. This holds true not just for regulator expectations about internal controls, but for third-party controls as well.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 73

About this Author

Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney
Associate

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

202-747-2658