Data breach notification
Data breach notification obligations for Energy, Power & Commodities companies now arrive from multiple directions simultaneously. The Federal Energy Regulatory Commission and the North American Electric Reliability Corporation have both issued mandatory incident reporting requirements under NERC CIP-008-6, while the U.S. Department of Energy issued a separate 2023 guidance pressing bulk power system operators on cyber incident disclosure timelines. Compliance teams in this sector are currently reconciling those federal obligations against a patchwork of state-level breach notification statutes that set shorter clocks and broader definitions of covered data.
Watch
- NERC CIP-008-6 incident reporting timelines and what triggers mandatory notification
- DOE cybersecurity incident disclosure guidance for bulk power system operators, 2023
- State breach notification laws with sub-72-hour windows that conflict with federal timelines
- FERC proposed rulemaking on expanded cyber incident reporting for public utilities
- Vendor and third-party OT systems now pulled into breach notification scope by regulators