FERC Issues Notice of Proposed Rulemaking Aimed at Expanding Data Breach Reporting Obligations
Hunton & Williams explains:
On December 21, 2017, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) aimed at expanding mandatory reporting obligations in relation to cybersecurity incidents. In particular, FERC’s NOPR would direct the North American Electric Reliability Corporation (“NERC”) to develop modifications to certain Critical Infrastructure Protection (“CIP”) Reliability Standards so that those standards require mandatory reporting of cybersecurity incidents that compromise or attempt to compromise a responsible entity’s Electronic Security Perimeter (“ESP”) or associated Electronic Access Control or Monitoring Systems.
Currently, the CIP Reliability Standards require cybersecurity incidents to be reported only if they have actually disrupted one or more reliability tasks, so unsuccessful attempts to penetrate an ESP – or successful attempts that do not disrupt reliability tasks – would not need to be reported.
Read more on Hunton & Williams Privacy & Information Security Law Blog.