The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC.
For more detail, read our LawFlash.