Article
Cybersecurity, Data Security and Privacy: Seven Questions E&P Company Boards Need to Ask
July 7, 2020
This article was originally published in World Oil. Any opinions in this article are not those of Winston & Strawn or its clients. The opinions in this article are the author’s opinions only.
One of the enduring legacies of the COVID-19 pandemic will be the shift to remote working, in an effort to reduce operating costs and employee health and safety risks. E&P companies will not be exempt from this development, both in terms of how they might change their own operations and in how they interact with business partners—such as oilfield service companies—that have already begun to move aggressively to remote working arrangements.
More remote working, however, means greater amounts of sensitive data moving digitally between many more devices, in many more locations, with less direct control by the company over how data are handled at the endpoints. This state of affairs tests not only an organization’s cybersecurity capabilities, but also the extent to which it has an integrated approach covering cybersecurity, data security and privacy.
While cybersecurity has been part of the board agenda at E&P companies for some time, directors now need to make their digital oversight broader and more holistic. Companies that suffer a major cyberattack that results in loss of operations, data theft, or public disclosure of proprietary information can expose themselves to significant legal, regulatory and reputational risk. And while it has yet to happen, boards should anticipate the possibility of a suit relying on Caremark that would attempt to hold directors legally liable for failing to establish adequate oversight of cybersecurity, data security and privacy measures.
In considering a company’s cybersecurity, data security and privacy, it is important to note that while all three concepts are closely related, they are distinct. Cybersecurity involves the protection of an organization’s electronic information systems from attack and unauthorized access. Data security covers the confidentiality, integrity and access of all data, including operational data, intellectual property, and employee records, whether or not those data are accessible in electronic or physical form. Privacy concerns itself specifically with the protection and use of personally identifiable data and the rights of individuals to those data. Because these areas are distinct, an E&P company with extensive cybersecurity capabilities may still have privacy vulnerabilities, for example.
Board oversight of this complex datasphere needs to be based on a clear understanding of the company’s vulnerabilities, the applicable regulations and legal liabilities, and a framework for asking management the right questions.
Read the full article by Sheryl Falk on World Oil here.