Yes, That Information Is at Risk: Pressure Rising for Oil and Gas Companies to Protect Data

Tyler Chase, Managing Director Energy and Utilities Industry Global Leader
Justin Turner, Associate Director Oil and Gas Cybersecurity and Data Privacy

Oil and gas companies collect, work with and store a wide range of sensitive business data in the course of everyday business. However, they don’t always consider just how much malicious hackers, company insiders, nation-states and other bad actors value that data. As a result, they either don’t prioritize developing a data protection program or create one that isn’t comprehensive enough.

Depending on the oil and gas sector — upstream, midstream or downstream — sensitive data can include plant maps, production trends, revenue forecasts, geophysical data and much more. Another type of sensitive data to protect, which oil and gas companies often overlook, is personally identifiable information (PII) related to employees, contractors, partners and others.

PII, which includes Social Security numbers (SSNs), bank account numbers, home addresses and much more, is valuable to adversaries because they can use it to facilitate identity theft and other fraud. And quite often, this information is at high risk of being compromised because it’s not contained and controlled in one system but distributed across many systems within the organization, and perhaps even shared with external third parties.

Here’s an example: An upstream oil and gas company that needs to send royalty checks to landowners who lease their land to the business typically collects an array of PII from the landowners, so it can send them not only payments but also tax statements. That information might be shared across various departments in the organization, and it also might be emailed to external parties, as well as printed. There’s also the PII contained in the actual contracts and lease documents, which could be circulated inside and outside of the company.

State-Level Measures Directly Impacting Many Oil and Gas Businesses

If oil and gas companies need more reasons to prioritize the protection of the consumer data they handle, they need only consider the changing regulatory landscape around data privacy and security. Strict mandates like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are creating pressure, including the potential for significant fines for noncompliance. So, too, are expanding breach notification statutes in U.S. states that are home to a significant portion of the oil and gas industry, such as:

  • Colorado: HB18-1128, which took effect in September 2018, outlines more stringent requirements regarding how businesses dispose of personal information. It also requires businesses that have suffered a breach to notify affected Colorado residents within 30 days of the date when the breach was determined to have occurred. Additionally, the new law requires notification of the Colorado attorney general if the breach involves 500 or more Colorado residents.
  • Texas: HB 4390, which went into effect on January 1, 2020, amended the state’s data breach notification law and created an advisory council tasked with studying and developing recommendations regarding data privacy legislation. The bill also requires notifying the Texas attorney general if a breach affects at least 250 Texas residents.

The impact of cyber crime on the bottom line of companies in the energy sector is also an alarm bell for action. Recent research found that the average annual cost of cyber crime for energy businesses, which includes oil and gas firms, is about US$14 million. That’s higher than the average for many other industries, including health, retail and consumer goods. (That figure includes cyber attacks against industrial control systems (ICS), which are also a prime target for cyber criminals — as well as nation-state actors.)

Understanding the Scope of Data to Protect: A Foundational Step to Improving Security

So, how can oil and gas companies improve their protection of consumer data? The starting point is to determine exactly what type of sensitive information they are managing in the normal course of business that could be at risk. Some examples include:

  • Government passport numbers
  • Military ID numbers
  • Biometric data
  • Human resources records
  • SSNs on vendor setup forms, contracts, tax statements and more

There is, of course, a wide range of other sensitive data that oil and gas companies will want to include in a comprehensive data protection program. That data will vary according to the nature of the business and the sector in which the company operates.

For instance, upstream firms may want controls on data such as seismic imaging and exploratory information, development drilling, and production profiles. Midstream companies may seek to protect information like pricing data and supply chain analytics. And downstream companies may want to protect certain details about their refining and production schedules and planned maintenance activities.

By first identifying precisely what consumer data the business must protect, from a regulatory compliance standpoint, a company can build a data protection program that is sustainable and can drive continuous improvement. Organizations continue to digitize more processes and put more devices in the field, so now is the time for oil and gas companies to take that foundational step.

Not all adversaries targeting the energy industry aim to compromise operational systems or siphon trade secrets. Many are aiming for smaller game: sensitive information about the people who work for a company and the people and entities that a company does business with. That data can be just as lucrative for a malicious actor to steal as it is damaging for a company to lose. And it’s very challenging for businesses to protect that data because of how fast and far it can proliferate.

The steps for enhancing data protection described above don’t constitute an insurance policy. Data breaches, in some form, are an inevitable part of modern business. But by understanding what data to protect and taking the appropriate measures to do so, oil and gas companies will be better positioned to avoid significant data loss or compromise. They also can use their data more confidently, as they seek to take advantage of emerging technologies such as robotic process automation (RPA), artificial intelligence (AI) and blockchain.
