Utilities companies face new vulnerabilities as hackers push the envelope, says Brookes Taney.
Over the last 5-10 years, companies across all industries have experienced cyber breaches on a fairly consistent basis, with hackers pursuing data for the sake of profit. Typically, data such as names, addresses, bank and credit card information has been targeted in order to commit fraud.
Last year, utilities companies were ranked the highest-risk industry for data breaches. For example, in 2015, British Gas suffered a data breach where 2,200 customers’ email addresses and account passwords were posted online.
Increasingly, there appears to be a hierarchy among hackers—a contest of sorts—with status measured by the size, scale and impact of the hack. Companies need to assess their abilities to prepare for and respond to data breaches.
In the past, a utility company’s response to a breach would begin with the discovery of an incident. At this stage, the extent of the breach and any specifics as to what information was taken might be unknown. Insurers, outside counsel and investigators would likely be involved as soon as possible to find out what type of information was compromised, when it was taken and how quickly the leak could be stopped.
The breach landscape is, however, changing rapidly, and savvy legal and IT teams are now looking for more than just one-off breach responses. Instead they are looking to partner with experts that can handle a breach from initial detection through any resulting litigation—and offer adjacent services, such as proactive information governance—to help both reduce the risk of a data breach and minimise the damage if one does occur. Similarly, even after a data breach, that partner may offer services to efficiently and effectively handle any litigation that arises from the breach, including eDisclosure services, forensics and collections, document review and processing and production.

Utility companies can face lawsuits from consumers and shareholders, as well as regulatory fines and potential loss of clients and reputation. As the breach runs through its life cycle, litigation may arise—depending on factors such as the size of the breach, the company and consumers involved, and the nature and scope of what was taken or compromised.

In the event of litigation, an organisation will require an eDisclosure service, which enables it to efficiently manage the collection, processing and review of electronic documents and communications. An experienced eDisclosure service provider will use technology to perform automated searches on collected data to determine relevance to the case at hand. Utilising technology not only speeds up the eDisclosure process, but it also helps manage the cost of the exercise.
With the help of its service provider, the organisation will need to prove to the regulatory authorities that it had systems in place to minimise the risk of a breach in the first instance by demonstrating that it had established, well-communicated corporate policies as to data loss prevention and any associated auditing procedures. It will also need to show that it had no advance knowledge of potential threats and that it responded with timely and adequate notice post-breach.
Document review is integral to this process, involving in-depth evaluation of the relevant communications. In data breach litigation, this process can be exhaustive, with large bodies of documents needing to be reviewed for relevance by trained experts in very short periods of time. In this scenario, an outsourced solution for document review—with secure facilities, tested training methodologies and review workflows—is essential.
Recent rises in the volume of high-profile data breaches within the utility industry have put the threat of malicious hacking in the spotlight, raising fears of regulatory punishment and severe damage to corporate reputation. Organisations need to take control of the whole data breach cycle, working with information governance experts to take a more proactive approach to prevention and developing a more holistic, end-to-end response in the case of detection. As hackers become more sophisticated and less predictable, organisations are increasingly engaging with experts to counter the threat should it arise.