Read our recent LawFlash detailing the key takeaways for energy companies from the Coronavirus Aid, Relief, and Economic Security Act signed into law on March 27. Although the act does not expressly provide relief for energy companies, many of its provisions impact energy sector companies.
The US Nuclear Regulatory Commission (NRC) on March 11 issued a Notice of Violation to Avera St. Luke’s Hospital stemming from findings during an inspection of its Aberdeen, South Dakota facility in July 2019. During the inspection, NRC identified three apparent violations in the following areas:
- Monitoring occupational exposure of workers from various sources of radiation
- Developing and implementing a robust radiation protection program
- Reporting an occupational exposure in excess of the annual limits in 10 CFR 20.1201
Nuclear Power Corporation of India Limited (NPCIL) announced on October 30 that the malware “Dtrack” had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP) in early September 2019. KKNPP is the largest nuclear power plant in India, equipped with two Russian-designed VVER pressurized water reactors, each with a capacity of 1,000 megawatts. Both reactor units feed southern India’s power grid.
On November 4, KKNPP issued a press release stating that its reactors are operating normally and emphasizing that all critical systems for KKNPP and other NPCIL plants are “air-gapped and impossible to hack.” The term “air-gapped” is often used in the cybersecurity context to describe isolated control processing technologies or systems that are not connected to the internet or external networks, and are therefore considered safe from cyberthreats.
As noted in this article by Morgan Lewis antitrust lawyers, the role of antitrust laws in labor markets, including in the energy field, remains a key area of focus by enforcers, including the Antitrust Division of the US Department of Justice and the Federal Trade Commission. At a public workshop on competition in labor markets in September 2019, Assistant Attorney General Makan Delrahim reaffirmed “that criminal prosecution of naked no-poach and wage-fixing agreements remains a high priority for the Antitrust Division.”
The Nuclear Regulatory Commission’s (NRC’s) Assistant Inspector General for Audits issued a memorandum on August 20 on the status of recommendations based on the Office of Inspector General’s (OIG’s) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13). As previously reported on Up & Atom, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures for licensees to use to demonstrate sustained program effectiveness. Based on the NRC’s July 3, 2019, response, OIG has issued this status of recommendations.
Following the July 12, 2019, release of “Power Reactor Cyber Security Program Assessment,” the Nuclear Regulatory Commission’s (NRC’s) Director of Physical and Cyber Security Policy in the Office of Nuclear Security and Incident Response issued a memorandum to NRC Staff on August 6, 2019.
The memorandum provides guidance to Staff on next steps, but also cautions that when initiating changes to the Cyber Security Program they keep several points in mind. Specifically, the Director asks Staff to ensure that changes do not adversely impact other areas of the program; that guidance revisions are consistent and incorporated throughout all documents; that, where necessary, a backfit analysis is performed; and that no changes constitute an unreasonable risk to public health and safety.
The memorandum reminds Staff that their next step, per the assessment, is to present a draft action plan by September 20, 2019. The action plan should identify enhancements to the Cyber Security Program that promote regulatory efficiency and effectiveness, while continuing to provide for reasonable assurance of public health and safety and promote common defense and security. The memorandum also praises NRC Staff for its efforts in conducting the assessment.
We will continue to monitor developments for cybersecurity at the NRC.
On July 25, 2019, the United States Government Accountability Office (GAO) released GAO-19-384, a report to congressional requesters analyzing the cybersecurity risk management of 23 civilian agencies—including the Nuclear Regulatory Commission (NRC). Using key elements such as risk tolerance and risk mitigation strategies, GAO examined the extent to which all agencies established a cybersecurity risk management program; what challenges, if any, agencies identified in developing and implementing such programs; and what steps the Office of Management and Budget (OMB) and the US Department of Homeland Security (DHS) have taken to meet their risk management responsibilities to address any challenges agencies face in this area. In its analysis, GAO compared policies and procedures from the 23 civilian agencies to key federal cybersecurity risk management practices, attained the agencies’ own views on challenges they faced, identified and analyzed actions taken by the OMB and DHS to determine whether such actions address agency challenges, and interviewed responsible agency officials.
The Ohio House of Representatives approved HB 6 on July 23, providing up to $150 million in financial support for the two operating nuclear plants in the state. A version of the House bill was passed by the Ohio Senate last week, and Governor Mike DeWine signed the bill into law shortly after the legislation passed the House.
On June 24, the US Supreme Court issued its opinion in Food Marketing Institute v. Argus Leader Media, expanding the scope of information protected under Exemption 4 of the Freedom of Information Act (FOIA). FOIA establishes an expansive right for the public to access records from executive agencies to hold the government accountable. Limiting that broad right, FOIA includes several broadly worded exceptions whereby the release of certain information may not be compelled under FOIA. One such exemption, Exemption 4, states that “trade secrets and commercial or financial information obtained from a person” that are “privileged or confidential” are protected from mandatory public disclosure. The statute does not define “confidential,” so the question of what “commercial or financial information” is protected from disclosure has resulted in much litigation.
Justice Gorsuch’s majority opinion held that commercial or financial information that is both customarily and actually treated as private by its owner—and that is provided to the government under an assurance of privacy—is exempt from disclosure under FOIA. This holding has significant implications for all businesses that turn any information over to the US government. No longer may courts require proof that the information, if disclosed, would “cause substantial harm” to the company’s competitive position. Mere confidentiality, plus agency representations that the information will remain confidential, is enough.
The Environmental Protection Agency (EPA) issued three rules on June 19, granting additional powers to states to determine their projected energy resource mixes, including nuclear energy. In response to the rules, utilities should be prepared for possible changes to state policies defining what constitutes “clean” energy and supporting reliability. The rules are intended to go into effect 30 days from their issuance. However, the implementation timeline for the rules is not certain because several states and organizations have stated they intend to challenge the rules in the federal courts.