Texas has enacted two new laws designed to bolster the security of its utilities and electric cooperatives against cyber threats. This comes on the heels of the United States Department of Energy’s May 2019 announcement that utilities operating in California and Utah experienced cybersecurity incidents in March that interrupted electrical system operations.
The first law, enacted late last week, creates an advisory group tasked with facilitating the creation, aggregation, coordination, and dissemination of best cybersecurity practices for the electric power industry.
The second law, enacted early this week, applies to “monitored utilities,” which include transmission and distribution utilities, corporations that sell electricity “at wholesale,” and some municipally owned utilities and electric cooperatives, among other organizations. The law requires the Texas Public Utility Commission and “independent organizations” that ensure the reliability and adequacy of the regional electrical network to contract with a Commission-selected Cybersecurity Monitor, which is to:
- Manage a comprehensive cybersecurity outreach program for monitored utilities.
- Meet regularly with monitored utilities to discuss emerging threats, best business practices, and training opportunities.
- Review self-assessments of cybersecurity efforts that are voluntarily disclosed by monitored utilities.
- Research and develop best business practices regarding cybersecurity.
- Report to the Commission on monitored utility cybersecurity preparedness.
Although neither law expressly enshrines cybersecurity best practices, Texas common law suggests that violations of the best practices to be promulgated under one or both laws could be evidence of negligence—and by extension, a basis for legal liability in future civil or regulatory proceedings.
In the coming months and years, utilities, electric cooperatives, and similarly situated organizations are urged to be on alert for continued developments in the energy cybersecurity space. Utilities, electric cooperatives, and the like should also be aware of existing data privacy and cybersecurity laws that apply to all organizations, both in and outside of the energy industry. These include but are not limited to laws governing data breach notification, data security and destruction, biometric information privacy, and cybersecurity litigation safe harbors.
Attorneys from McDonald Hopkins’ Data Privacy and Cybersecurity Practice Group and Energy Practice Group are available to advise on these important issues facing the energy industry.