Legal Report: Greenpeace to Pay Oil Company $667 Million in Defamation Suit
Security Management’s Legal Report is a monthly column that highlights the instances where legal matters intersect with the security industry. Our team tracks court cases, new and developing legislation, and regulatory decisions or investigations that affect private organizations and security professionals worldwide.
To share a tip or notify Security Management about emerging legal issues, email Associate Editor Sara Mosqueda at [email protected].
Judicial Decisions
United States
Pipelines. A North Dakota jury ordered environmental advocacy organization Greenpeace to pay an oil company $667 million for defamation.
Energy Transfer, the oil company that operates the Dakota Access Pipeline, claimed that Greenpeace’s involvement in protests against the pipeline included encouraging violence that damaged the company’s reputation.
The protests against the construction and operation of the 1,200-mile-long pipeline drew much attention eight years ago, with demonstrations that lasted months.
Greenpeace, which maintains that it played a minor role in the demonstrations, could face bankruptcy in the wake of the verdict. “Major environmental groups have described the lawsuit as an intimidation tactic, intended to stifle free speech and their attempts to stop new oil and gas drilling,” according to The Washington Post. The group plans to appeal the decision.
The suit against Greenpeace claims that the group paid professional protesters, organized training for demonstrators, and provided them with equipment to bar or delay construction. Greenpeace is also accused of making false statements that claim Energy Transfer used aggressive tactics against protesters and desecrating burial grounds. (Energy Transfer LP v. Greenpeace International, North Dakota District Court for County of Morton, No. 2019-cv-00180, 2025)
Active shooter. Robert E. Crimo III pled guilty to killing seven people and injuring several more in a 2022 Independence Day parade in Highland Park, Illinois.
Crimo withdrew his earlier plea of not guilty, accepting the charges of 21 counts of first-degree murder (three counts for every fatality). Prosecutors dropped 48 charges of aggravated battery before jury selection began in late February.
Because of the change in his plea, there will be no trial and no further motions. Sentencing is scheduled for 23 April, and Crimo is expected to serve out the rest of his life in prison. Each murder charge has a maximum sentence of life. (People v. Crimo, Robert, E., III, 19th Circuit Court for Illinois, No. 22-CF-1130, 2025)
Legislation
Hungary
Mass gatherings. The Hungarian government can now ban public events hosted by LGBTQ+ communities, such as Pride parades.
Lawmakers claim that the new law, which was finally approved by the Hungarian parliament along party lines (140 for, 21 against), is helping protect children’s rights to moral, physical, and spiritual development. In recent years, the current government campaigned against LGBTQ+ communities, claiming that its policies concerning the protection of minors are necessary to guard against what it calls woke ideology.
Critics of the law see it as not only a way to curb the rights of those within the LGBTQ+ community, but also as another move that brings the government closer to authoritarianism. The law also empowers authorities to use facial recognition tools to identify anyone that attends banned events.
A separate aspect of the amended law is the government’s ability to temporarily suspend the citizenship of any Hungarian dual national if authorities determine the individual is a threat to the public or national security. The suspension could last for up to 10 years if the person is determined to present such a threat.
In recent months, Prime Minister Viktor Orbán’s government has taken steps to guard itself from alleged foreign entities that present a threat. Orbán has continued to target his critics, including media outlets and civil rights and anti-corruption groups, which the prime minister claims have received financial support from international donors.
U.S. States
Wildfires. Wyoming Governor Mark Gordon signed a bill into law limiting the liability for electric utility companies that are found guilty of causing wildfires.
House Bill 0192 aims to protect utility companies from increasing class-action lawsuits that target these companies for their role in massive wildfires, as well as subsequent increases in insurance costs. Several of these organizations are smaller, co-op utilities.
The new law requires power companies to create mitigation plans—identifying wildfire risk present around company infrastructure and how to mitigate that risk, for example through vegetation management and regular equipment inspections. Companies that develop these plans and have them approved by the state’s Public Services Commission will be able to claim that their planned mitigation efforts were reasonable and prudent.
Anyone seeking to claim and recover a loss from a utility company because of a wildfire will have to prove that the company failed to comply with the mitigation plan and that that failure was linked to the claimant’s loss; or that the company was grossly negligent, malicious, or had criminal intent in its actions that led to the plaintiff’s loss.
United States
Contractors. The U.S. House of Representatives passed a bill that would require government contractors to adhere to vulnerability disclosure policies. If the proposed legislation is enacted, it would close a loophole in federal cybersecurity standards.
The Federal Contractor Cybersecurity Vulnerability Reduction Act (HR 872) would have federal government contractors implement policies that are in line with guidelines from the National Institute of Standards and Technology.
The bill is still in its early days and must be passed by the U.S. Senate before landing on the president’s desk for approval or veto.
Regulations
Switzerland
Critical infrastructure. The Swiss National Cyber Security Centre (NCSC) enacted a new regulation ordering critical infrastructure operators to report cyberattacks within 24 hours of discovery.
As of 1 April 2025, owners and operators must report any cyberattacks that “endanger the functionality of the affected critical infrastructure, has led to manipulation or leakage of information, or is associated with blackmail, threats, or coercion,” according to the NCSC.
The new mandate, which amended the nation’s Information Security Act, affects owners and operators in sectors like drinking water suppliers, energy, finance, healthcare, telecommunications, and transportation. If an entity discovers a cyberattack, it can file a report on the NCSC’s Cyber Security Hub or via email using a form on the NCSC website.
If owners or operators can only provide incomplete information about the attack in the initial report submitted, they have 14 days to complete the report.
Those who fail to report a cyberattack can be fined. The Federal Council will implement legislation regarding the fines on 1 October, giving organizations six months to prepare and familiarize themselves with the reporting obligations before fines can be levied.
United States
Work travel. The Trump administration ordered enforcement of a rule that requires Canadians visiting the United States for more than 30 days to register with authorities.
The rule, which has not been consistently applied to Canadians before now, applies to all foreign nationals at least 14 years old who remain in the country for 30 days or longer during a single visit. Effective 11 April, such individuals must register with the U.S. Citizenship and Immigration Services.
Trump ordered full enforcement of the rule in Executive Order 14159, “Protecting the American People Against Invasion,” in January 2025.
