Privacy Issues

Subscribe to Privacy Issues

The Citizens Utility Board (“CUB”) and the Environmental Defense Fund (“EDF”) recently filed a joint petition asking the Illinois Commerce Commission (“ICC” or “the Commission”) to initiate a proceeding to adopt the Illinois Open Data Access Framework (“Framework”). They hope the Framework will become the governing standards for access to customer usage data by customers, utilities and third parties. One interesting point about the proposed Framework is that the utilities are guardians of the data (sounds like a movie my son would like) but not owners of it. Below is the paragraph discussing ownership:

Customer is principal owner of retail electric consumption data. The customer has the ability to authorize third parties to access individual customer data, and the customer can revoke that access at the customer’s discretion. The utility serves as the guardian of retail electric consumption data, and must allow access to third parties where the customer has authorized it.

You can read CUB’s and EDF’s prefiled testimony and other pleadings by going to the ICC’s website. The case number is 14-0507. Com-Ed and Ameren Illinois have intervened in the case.

The U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability (“DOE OE”), in coordination with the Federal Smart Grid Task Force, will convene its third meeting in the Voluntary Code of Conduct (“VCC”) process on November 22, 2013. Developed in response to the DOE OE-hosted Smart Grid Privacy Workshop and White House report Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, the VCC workshops provide a forum for stakeholders including utilities and third parties to address privacy related to data enabled by smart grid technologies.

Draft VCC principles will be presented and discussed at the meeting. DOE believes broad industry/stakeholder participation is critical to the VCC’s success. The privacy workshop held last January saw participants representing 16 utilities, 15 third-party vendors and carriers, 12 consumer advocate organizations, 3 state commissions and 9 federal agencies. Given the importance of privacy and the need to inspire customer confidence, hopefully participation at the meeting on November 22, 2013 will be even greater. Participation is free but please register in advance. The meeting will also be available through a webcast.

Date: Friday, November 22, 2013
Time: 9:00 am to 3:30 pm (EST)
Location: Federal Communications Commission, 445 12th Street SW, Washington, DC 20554

Smart meters aside, customer privacy is not a new concept to utilities, including those in California. However, on October 5, 2013, Governor Edmund G. Brown, Jr. signed into law AB-1274, now known as Title 1.81.4. Privacy of Customer Electrical or Natural Gas Usage Data. This law is not aimed at utilities, but at third parties which may have access to customer data as a result of doing business directly with the customer. The home area network (“HAN”) function of the smart meter allows customers to monitor their household energy consumption in real-time through a wireless device placed inside their homes. The CPUC views the HAN as a key step in providing customers with timely, actionable information to enable them to optimally manage or reduce their energy consumption and save money. Privacy policies for utilities have long been implemented.

A variety of HAN devices are becoming available in the marketplace and customers in California are able to choose and buy their own device that communicates with their smart meter through a wireless link. As a result, third party vendors of the customers’ choosing will have access to electrical and gas consumption data. A great example provided in the Senate Energy, Utilities And Communications Report states, “…the use of a HAN can show that a refrigerator is an energy hog and would result in the HAN company selling that information to a refrigerator manufacturer which could then market its product directly to the customer.”

The new law does not prohibit the sale of the data, but requires customer consent and disclosure of the secondary purpose. Here are a few key provisions of the new law:

  • Unless otherwise required or authorized by federal or state law, a business shall not share, disclose, or otherwise make accessible to any third party a customer’s data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used.
  • A business that discloses data, with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure.
  • A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer data within its custody or control when the records are no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the data in those records to make it unreadable or undecipherable through any means.

To optimize smart meter customer benefits, mobility will be critical. For example, to communicate with customers regarding real-time pricing then to provide them with the ability to respond by interacting with appliances and other behind-the-meter devices, there will need to be “an app for that.” Leveraging tablets and smart phone technology has an essential role in energy efficiency advancement, or more accurately, the efficient use of energy. As utilities begin to offer and utilize apps, technology privacy must be addressed. This month our friends from Privacy by Design released a primer to assist smart grid app developers: Privacy by Design  Fundamentals for Smart Grid App Developers.

The primer includes an appendix that provides a list of technical resources to aid in the protection of personal information when designing apps. A few of the tips offered for smart grid app developers include:

  • Proactive not Reactive; Preventative not Remedial
  • Privacy as the Default Setting
  • End-to-End Security – Full Lifecycle Protection

Smart meters are capable of delivering a wealth of information regarding a customer’s energy usage. This data holds the promise of current and future benefits, the most basic being that knowledge will affect change. The theory is the more customers understand the correlation between their behavior and energy spending, the more likely they will make adjustments that yield an overall positive impact on their wallets and the environment. (I have all kinds of information that does not always translate into action…like, um, my diet, but OK. That’s the theory.) Additionally, this data offers greater opportunities for optimizing energy efficiency programs. The inability for energy efficiency service providers (“EESPs”) to gain access to customers’ data because of legitimate privacy concerns creates a barrier to realizing many of the benefits from these services. Often, regulatory commissions confront two competing issues: (1) the need to facilitate access to customer data for energy efficiency purposes while (2) safeguarding customer privacy. The State and Local Energy Efficiency Action Network’s Customer Information and Behavior (CIB) Working Group has created a Regulator’s Privacy Guide to Third-Party Data Access for Energy Efficiency. Utilities and state regulators will find the report helpful. It discusses the issues and policy considerations related to providing access to customer information while supporting energy efficiency services and protecting customers’ privacy.

The report is filled with helpful information, like Figure ES-1 shown below. It provides an overview of some states’ approaches to standards for customer consent and identifies the types of non-utility entities that may want access to a customer’s energy usage data.

The State and Local Energy Efficiency Action Network (SEE Action) is a state and local-led effort facilitated by the U.S. Department of Energy and the U.S. Environmental Protection Agency to take energy efficiency to scale and achieve all cost-effective energy efficiency by 2020. Many will want to bookmark its website, as it offers a wealth of research, data sheets and policy papers that Utilities, Regulators, EESPs, Customer Advocates and Customers will find helpful.

After careful review of the available literature and studies, the Staff of the Michigan Public Service Commission believes that the health risk from the installation and operation of metering systems using radio transmitters is insignificant and the appropriate federal health and safety regulations provide assurance that smart meters represent a safe technology. The report discusses the fact that there are multiple sources of RF exposure in our everyday environment, including cellular phones, wireless devices – such as laptops and routers – microwave ovens, baby monitors, garage door openers, walkie talkies, computer monitors, fluorescent lighting, and electrical wires within the home, and that smart meters are a small contributor to the total environmental RF emissions to which the general public is exposed. Eliminating smart meters would result in a minimal reduction of total emissions.

The Staff also recommends regulators include the following fundamental concepts when addressing a smart grid privacy policy:

  • Definitions of various types of data collected (usage/billing, aggregate, customer identifiable)
  • Permitted usage of data types by utility (sales, contractor work, emergency)
  • Customer consent and third-party disclosure rules (notice, time frame, records)
  • Availability of usage information to customer (web portal, direct mail, email)
  • Privacy breach requirements (notification to customer/commission)

The report addresses additional safety concerns unrelated to RF emissions such as overheating of meters and cyber security. With links to excellent resources, it is a must read for utilities and regulators.

According to SDG&E, customer choice is a critical driver of its smart grid deployment plan. Many of SDG&E customers are adopting rooftop solar and PEVs at rates that are among the highest in the nation. These customers are seeking real-time information about their energy use and rates so that they can make informed decisions. With smart meters already deployed throughout most of its service territory, SDG&E is leveraging the skills of our Canadian friends at the Ontario Information and Privacy Commission to apply Privacy by Design to its Dynamic Pricing Project.

Privacy by Design, often referred to as PbD, is a concept developed by Commissioner Ann Cavoukian to address the effects of information and communication technologies. It has seven foundational principles:

  • Embedding privacy requirements into smart grid designs and overall project framework
  • Ensuring privacy is the default stance of all programs
  • Making privacy an essential design feature in smart grid systems and practices
  • Solidifying privacy as a core objective of all smart grid projects
  • Incorporating privacy end-to-end throughout the entire life cycle of any personal information
  • Bolstering visibility and transparency for smart grid efforts with consumers
  • Focusing on consumer privacy as a core foundational requirement

To successfully achieve the objectives surrounding the Smart Pricing Program, SDG&E established a Project Management Office (PMO) dedicated to the implementation of the Smart Pricing Program as part of its Customer Service Division under the leadership of the Chief Customer Privacy Officer. At the project level, a privacy team and privacy champions were established as essential organizational components to integrate privacy best practices.

Data privacy has been an issue long before the smart grid became a commonly used term. With so much of our lives spent online and stored in clouds, data privacy is certainly something to be concerned about. Technology is a wonderful thing, yet it creates more data that needs to be managed and protected. There is a lot of talk about smart meter privacy issues. The data available from smart meters offers a wealth of opportunities for energy management and energy efficiency. Many tend to forget that utilities have always had to safeguard confidential customer account information. The sheer volume of data will no doubt present challenges for the utilities; however, with the introduction of Green Button, customers should also be reminded to safeguard their privacy.

Staysafeonline.org is promoting January 28, 2012 as Data Privacy Day. It is a great way to remind all of us to be responsible with our personal information. Several governors have promoted privacy by declaring January 28 Data Privacy Day in their states: Arizona, California, Ohio, West Virginia and Wisconsin. These states each have offices dedicated to privacy and/or Chief Privacy Officers. While not technically a privacy office, New York’s Consumer Protection Board provides consumers and businesses numerous privacy resources. Attorney Generals from many states also offer consumer-oriented privacy information on their web pages and lead privacy initiatives within their states.

For a lighter read but probably just as important, to celebrate Data Privacy Day author Matt Ivester is giving out free copies of his book lol…OMG! What Every Student Needs to Know About Online Reputation Management, Digital Citizenship and Cyberbullying, from January 27 -30, 2012. I plan to download a copy and read it with my 8th grader. You might also want to check out the recent post by Christine Hertzog of the Smart Grid Library Blog. She provides a fun test called Are You Smarter Than a 5th Grader About Your Electricity Data Privacy?

Here are some general privacy laws you might want to know about:

Happy Data Privacy Day!

Today my friend Commissioner Tim Simon provides us with insight regarding the California Public Utility Commission’s Smart Meter Privacy Order.

Evers: Commissioner Simon, California has long been an energy policy leader. Now with the popularity of the smart grid, the CPUC is often in the national spotlight. Regulators and industry participants nationwide follow your rulings. Recently you did it again, leading the nation with the release of your Privacy and Security of Customer Electricity Usage Data rules. Tell us why these rules are important and how they will help California residents.

Commissioner: The rules established in the recent CPUC Decision are important for a number of reasons. In brief, it protects customer privacy while making customer information available on the customer side of the meter. This will benefit home area networks and other demand response applications. The prudent use information should spawn market applications of customer usage data. When California returns to retail competitive markets this data will spawn innovation in retail ESP power products.

Evers: That is great. Commissioner, it is apparent the Department of Homeland Security’s Fair Information Practice (“FIP”) principles served as a guide to this Commission as you developed the rules. For those not familiar with FIP, please explain the relevance of these principles and how they were helpful to you.

Commissioner: The rules make California practices conform to the best national privacy and security practices. The FIP principles (Transparency; Individual Participation; Purpose Specification; Data Minimization; Use Limitation; Data Quality and Integrity; Security; and Accountability and Auditing) is a widely accepted framework that is at the core of the Privacy Act of 1974 and is mirrored in the laws of many U.S. states, as well as many foreign nations and international organizations. These principles are relevant because they ensure that the use of technology sustains privacy protections relating to the use, collection, and disclosure of personal information and that personal information is handled in full compliance with fair information practices as set out in the Privacy Act.

Evers: Very insightful. Now turning to everyone’s favorite topic, smart meters. Although this sector surely has generated the most passion about smart meters, I am sure you know smart meters are not just for electric companies. Quietly, gas and water companies have been installing smart meters without much fanfare. Why has the Commission declined to apply these important data protection rules to gas companies and other entities as this time?

Commissioner: I want to emphasize electricity use data are different than gas or water use data. While gas and water can be stored, electricity is produced instantly (except for pumped storage).  Naturally, the demand for gas and water does not vary as substantially as the demand for electricity. Additionally, two-way electric smart meters will be capable of feeding power back into the grid. It seems smart meters will provide a lot more personal information on personal electricity use than water or gas use. However, I am not advocating that customer data protection rules should not be applied to water and gas smart meters. Currently the Commission is looking into the electricity smart meters privacy only. Eventually we will have a system where smart meters for electricity, gas and water will be inter-connected with the smart grid.   

Evers: I know this is a bit off the subject but it will be a bonus for my readers…How is the smart meter opt-out going? 

Commissioner: The Commission is in the process of reviewing additional detail and analyses provided by the utilities regarding smart-meter opt-out. We had a workshop on September 14, 2011, to address the following issues:

  • Are the costs/opt-out fees reasonable?
  • What additional procedures, if any, should be adopted for residents in multi-unit apartments who wish to opt-out of a utility’s Smart Meter program?
  • What level of assistance should be provided to low income ratepayers?
  • What provisions are there for ratepayers who wish to delay installation of a Smart Meter at this time?
  • And does it address all the radio frequency concerns?

The proceeding is expected to conclude by the end of this year. I do not expect all parties will be satisfied, but I do anticipate a balanced, cost effective opt-out policy.

Evers: Thank you Commissioner Simon for taking time to provide your insight on these important issues.

On February 23, 2011, from 8:00 am to 5:00 pm at ERCOT Austin, 7620 Metro Center Drive, Austin, TX, the NIST Smart Grid Cyber Security Working Group (“CSWG) Outreach Team will be available to answer questions regarding the lengthy NIST Interagency Report, Guidelines for Smart Grid Cyber Security 7628. This report will guide the industry  through the many layers of Smart Grid Cyber Security issues. In addition to discussing technical issues, such as Security Architecture and Cryptography, the hot topic of Smart Grid Privacy will also be touched upon as part of the day’s agenda.

The CSWG privacy subgroup performed a Privacy Impact Assessment (PIA) for the consumer-to-utility aspect of the Smart Grid. The following questions navigated the process of performing the consumer-to-utility PIA:

  1. What personal information may be generated, stored, transmitted, or maintained by components and entities of the Smart Grid?
  2. How is this personal information new or unique compared with personal information in other types of systems and networks?
  3. How is the use of personal information within the Smart Grid new or different from the uses of the information in other types of systems and networks?
  4. What are the new and unique types of privacy risks that may be created by Smart Grid components and entities?
  5. What is the potential that existing laws, regulations, and standards apply to the personal information collected by, created within, and flowing through the Smart Grid components?
  6. What could suggested standardized privacy practices look like for all entities using the Smart Grid so that following them could help to protect privacy and reduce associated risks?

Although not exhaustive, Table 5- 2 from the report provides a snapshot of some of the concerns. With only your imagination as the limit, there are many potential uses for granular energy data when it is combined with personal information. This applies to businesses as well as residential customers.

Table 5-2 Potential Privacy Concerns and Description

Privacy Concern

Discussion

Categorization

Fraud

Attributing energy consumption to another location or vehicle (in the case of PEVs).

Type II: While fraud is an existing concern, the current system of reading consumer meters (either manual recording or electronically via “drive-by” remote meter reading systems) may allow less opportunity for data manipulation without collusion with the personnel collecting the data.

Determine Personal Behavior Patterns / Appliances Used

Smart meter and home automation network data may track the use of specific appliances. Access to data-use profiles that can reveal specific times and locations of electricity use in specific areas of the home can also indicate the types of activities and/or appliances used. Possible uses for this information include: Appliance manufacturers could use this information for product reliability and warranty purposes; Other entities could use this data to do targeted marketing.

Type I: The type of data made available by Smart Grid implementation may be both more granular and available on a broader scale.

Perform Real- Time Remote Surveillance

Access to live energy use data can reveal such things as if people are in a facility or residence, what they are doing, waking and sleeping patterns, where they are in the structure, and how many are in the structure.

Type II: Many methods of real-time surveillance currently exist. The availability of computerized real-time or near-real-time energy usage data would create another way in which such surveillance could be conducted.

Non-Grid Commercial Uses of Data

Personal energy consumption data storage may reveal lifestyle information that could be of value to many entities, including vendors of a wide range of products and services. Vendors may purchase attribute lists for targeted sales and marketing campaigns that may not be welcomed by those targets. Universities might purchase information to study student attributes and target a new student profile with simple application question profiling. Such profiling could extend to other types of profiling on employment selection, rental applications, and other situations that may not be welcomed by those targets.

Type II: Under the existing metering and billing systems, meter data is not sufficiently granular in most cases to reveal any detail about activities. However, smart meters, time of use and demand rates, and direct load control of equipment may create detailed data that could be sold and used for energy management analyses and peer comparisons. While this information has beneficial value to third parties, consumer education about protecting that data has considerable positive outcomes.