The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

Something Seems A Little Fishy In North Carolina

See Article Here

In February 2018, Duke Energy was hit with a $10 million dollar fine from the North American Electric Reliability Corporation (NERC) for cybersecurity violations, this was the highest on record for a utility. Now it seeks to pass along their $137.4 million in capital investments to ratepayers for cybersecurity upgrades. A consumer watchdog association is screaming foul. Essentially the group doesn't think rate payers should have to pay for Duke’s ineptitude. I agree. I would understand it if Duke was seeking recovery after it implemented the program and can show proof of progress, but it appears, they want to recover the money spent without showing proof that anything has improved. Who could actually show proof of improvement after only two months? The procurement process for assets is longer than two months, I couldn’t buy a firewall in less than two months!

If you look at the reason for the fine, it was based on security violations from 2015-2018 regarding critical infrastructure assets. Yes, upgrading all of your critical infrastructure in mass could cost you about $137M. Or $127+$10M to cover the fine. But to try to pass along that cost to ratepayers before you even get the assets is a bold move! NERC should ask for receipts and have some folks do a site visit. It will be interesting to watch how Duke explains that capital investments for their cyber security program has nothing to do with their cyber security critical infrastructure violations. Critical infrastructure is normally a capital expense. Right?