1. 1 Data Access and Privacy Related to Third Parties November 2010

2. 2 Data Access and Privacy Access to customer usage information has national attention and implications ENERGY INDEPENDENCE AND SECURITY ACT OF 2007 (EISA) TITLE XIIISMART GRID SEC. 1307. STATE CONSIDERATION OF SMART GRID. All electricity purchasers shall be provided direct access, in written or electronic machine-readable form as appropriate, to information from their electricity provider WHITE HOUSE OFFICE OF SCIENCE AND TECHNOLOGY POLICY (OSTP) RFI – Consumer Interface with the Smart Grid February 2010 Department of Energy (DOE) Data Access and Privacy Issues Related to Smart Grid Technologies October 2010 SGIP Cyber Security Working Group NISTIR 7628 Guidelines for Smart Grid Cyber Security Vol. 2 Privacy and the Smart Grid August 2010

3. 3 Data Access and Privacy - continued The Smart Grid potentially enables new parties access to additional customer information that could reveal things about their person, personal behavior, and personal communications The diversity of data access standards and regulatory rules throughout the nation presents a significant challenge to achieving interoperability and hinders the mass deployment of customer products. Utilities are required to protect customer usage information under existing laws and regulatory rules No rules currently apply to third parties who would offer customers energy services that utilize customer usage data Third party access is being addressed jurisdiction-by-jurisdiction »Texas – PUCT Substantive Rules »California - Privacy Rules related to Third Party Access »Illinois - Statewide Smart Grid Collaborative »Ontario – Privacy by Design

4. 4 Data Access and Privacy - continued The logical interface where customers and third parties are authorized to gain access to customer usage data Governs who is allowed access to customer usage data and what are the responsibilities for protection of customer privacy There are two facets to achieving interoperability with respect to access to customer usage data TechnicalPolicy Development of a standard interface is currently well under way NAESB REQ.21 Energy Services Provider Interface (ESPI) Currently under development with an expected completion by 2Q11 Requires adoption by state regulators for their distribution companies Includes SGIP CSWG NISTIR 7628 security requirements to protect the data at rest and in transit No standard best practices for third party access to customer usage data currently exists State PUCs will address third party access in lengthy projects and rulemakings

5. 5 Recommendation To achieve interoperability with respect to third party access to customer usage data, data access and privacy protection business practices should containing the following as recommended by NIST and DOE: Third parties should register with an authorizing agent (e.g. PUC, Utility, etc.) Include the following recommendations from DOE » Consumption data should be released only with the customers authorization » Authorized third parties should be required to protect the privacy and security of customer data and only use it for the purposes specified in the authorization » Define the circumstances, conditions, and data that may be release to third parties » Define and establish customer complaint procedures Include the following guidelines from the NISTIR 7628 Cyber Security Guidelines: Vol. 2, Privacy and the Smart Grid » Require a third party Privacy Impact Assessment (PIA) using the NISTIR model » Require the third party to have privacy policies and practices which include the following NISTIR recommended principles a.Management and Accountability b.Customer Notice and Purpose c.Choice and Consent d.Collection and Scope e.Use and Retention f.Individual Access g.Disclosure and limiting Use h.Security and Safeguards

6. 6 Summary A balance must be struck between maximizing innovation and customer choice, while ensuring privacy and a sufficiently standardized environment so that energy service providers can provide cost effective Smart Grid- enabled products that can be utilized by any customer in the nation.

7. 7 Appendix Sources NISTIR 7628 Guidelines for Smart Grid Cyber Security, Vol. 2 Privacy and the Smart Grid DOE Data Access and Privacy Issues Related to Smart Grid Technologies Texas PUCT Substantive Rules CPUC Privacy Rules related to Third Party Access to usage data and prices Illinois Statewide Smart Grid Collaborative Ontario Privacy by Design

8. 8 Sources NISTIR 7628 Guidelines for Smart Grid Cyber Security Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements Provides guidelines for 3 rd party interface data security http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf Vol. 2, Privacy and the Smart Grid Provides guidance to regulators/ policy makers for 3 rd party data access and includes an overview of current data protection laws and regulations with regard to privacy http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf DOE Data Access and Privacy Issues Related to Smart Grid Technologies –Provides overview of data access and privacy concerns, a summary of recommendations –http://www.gc.energy.gov/documents/Broadband_Report_Data_Privacy_10_5.pdfhttp://www.gc.energy.gov/documents/Broadband_Report_Data_Privacy_10_5.pdf Texas PUCT Substantive Rules Provides for 3 rd parties who are authorized by the customer read-only access to the customers advanced meter data on a day after basis http://www.puc.state.tx.us/rules/subrules/electric/25.130/25.130.doc CPUC Privacy Rules related to Third Party Access to usage data and prices –http://docs.cpuc.ca.gov/published/proceedings/R0812009.htmhttp://docs.cpuc.ca.gov/published/proceedings/R0812009.htm Illinois Statewide Smart Grid Collaborative report –http://www.ilgridplan.org/Shared%20Documents/ISSGC%20Collaborative%20Report.pdfhttp://www.ilgridplan.org/Shared%20Documents/ISSGC%20Collaborative%20Report.pdf Ontario – Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid –http://www.smartgridinformation.info/pdf/2818_doc_1.pdfhttp://www.smartgridinformation.info/pdf/2818_doc_1.pdf

9. 9 NISTIR Vol. 2, Privacy and the Smart Grid What is privacy? Privacy of personal information Covered by data protection laws and regulations Privacy also includes privacy of the person, personal behavior, and personal communications These should be considered because of the new types of energy use data that can be created and communicated The Smart Grid enables other parties to have access to this data and creates many new uses for this collected data NISTIR 7628 Vol.2 provides guidance on options for protecting the privacy and avoiding the misuse of personal information Conclusions Smart Grid technologies and associated new types of information may create privacy risks and challenges may or may not be mitigated by existing laws and regulations Smart Grid technologies may create new privacy risks and concerns that may not be addressed adequately by the existing business policies and practices of utilities and third-party Smart Grid providers Utilities and third-party Smart Grid providers need to follow standard privacy and information security practices to effectively and consistently safeguard the privacy of customer personal information. Recommendations 1.Conduct a Privacy Impact Assessment (PIA) Initially to identify existing privacy risks and establish a baseline privacy posture measurement Additional privacy impact assessments should be conducted following significant organizational, systems, applications, or legal changesand particularly, following privacy breaches and information security incidents involving personal information, as an alternative, or in addition, to an independent audit. NISTIR 7628 includes a PIA model

10. 10 NISTIR Vol. 2, Privacy and the Smart Grid, continued Recommendations, continued 2.Develop and document privacy policies and practices according to the following principles a.Management and Accountability i.Appoint designated security personnel ii.Provide regular privacy training for all workers who have access to personal smart grid information b.Customer Notice and Purpose i. Provide notice of all purposes for which the customer data will be used, how long the data will be maintained, and which third parties the data will be shared with c.Choice and Consent To the extent practicable, obtain explicit approval for the collection and use of personnel information Customers should have the option to forgo data collection and services that are not related to the core services provided d.Collection and Scope Only personal information that is required to fulfill the stated purpose should be collected e.Use and Retention Information should be used or disclosed only for the purpose for which it was collected and divulged only to those parties authorized to receive it Information should be aggregated and anonymity preserved wherever possible Information should be kept only as long as is necessary to fulfill the purposes for which it was collected f.Individual Access A process should be available whereby an individual may ask to see their personal information and correct inaccuracies Individuals should be informed about parties with whom their personal information has been shared g.Disclosure and limiting Use Seek individual approval for disclosure of consumer data to third parties h.Security and Safeguards Personal information should be protected from loss, theft, unauthorized access, inappropriate disclosure, copying, use, or modification

11. 11 DOE Data Access and Privacy Issues Summary of potential best practices Consumption data should be released only with the customer authorization, which includes the purposes for which the 3 rd party is authorized to use the data the term of authorization the means for withdrawing an authorization Authorized 3 rd parties should be required to protect the privacy and security of customer data and only use it for the purposes specified in the authorization States should define the circumstances, conditions, and data that utilities should release to 3 rd parties Issues How customers should authorize 3 rd party access Utility limits of liability Complaint procedures once a 3 rd party has been authorized What data the utility should be required to release Utility fees for 3 rd party data access Whether 3 rd parties should be required to obtain further informed consent before disclosing the data State certification requirements for third parties

12. 12 Texas PUCT Substantive Rules Substantive Rule § 25.130 Advanced Metering, effective May 30, 2007 »§25.130 (j)(1) An electric utility shall provide a customer, the customers REP, and other entities authorized by the customer read-only access to the customers advanced meter data, including meter data used to calculate charges for service, historical load data, and any other proprietary customer information. The access shall be convenient and secure, and the data shall be made available no later than the day after it was created. »Smart Meter Texas portal provides the technical interface for third parties to gain access to customer usage data (note: this functionality has not yet been turned on)

13. 13 CPUC Privacy Rules related to Third Party Access to usage data and prices CPUC requirements SCE, PG&E, and SDG&E are to provide consumers and 3rd parties approved by consumers with usage data by the end of 2010 Policy goal of providing consumers with access to electricity price information by end of 2010 Rule making schedule October 15, 2010 responses filed 1.Current utility practices for providing customers and 3 rd parties access to usage and pricing information and steps taken to protect the information and the privacy of individuals 2.Proposals for providing customers access to usage and pricing information while protecting the security of the data and the privacy of customers October 25-26, 2010 workshop November 1, 2010 replies due Positions Existing laws are good enough Existing laws are the best tools by which privacy issues in the Smart Grid can be addressed, obviating the imposition of extraordinary, industry-centric requirements that might chill innovation, delay roll-out of promising technologies and divert limited resources away from innovation Avoid creating overlapping or duplicative regulations. Overly burdensome policies that restrict the ability of consumers to access their information and partner with service providers (including utilities) may serve to stifle innovation without bringing significant new privacy protections. CPUC should require that utilities and 3 rd parties provide consumers with policy statements that define the collection, use and protection of sensitive and private information. Customers should provide consent through electronic means for utility to release their information to a 3 rd party and indemnify the utility. Customers should be able to limit the scope and duration of 3 rd party access and terminate at any time Utilities should not be required to monitor or enforce 3 rd party compliance with privacy laws. 3 rd parties should be held responsible for complying with applicable state and federal privacy laws

14. 14 Illinois Statewide Smart Grid Collaborative Established by the ICC in September 2008 Collaborative report issued October 1, 2010 includes numerous recommendations which will be considered in an ICC Smart Grid Policy Docket The Collaborative makes thirteen policy recommendations related to data privacy and data access 1.AMI systems should be designed so that customers can securely retrieve usage data directly and in near real time from the meter securely through in-premises devices. 2.Customers should have access to collected historical usage and billing data for a reasonable period of time, via a utility-provided web portal. 3.Customer authorization should continue to be required for access to any customer-specific meter data by a third party, and its use should be disclosed by the third party to the customer. 4.Third parties should fully disclose in plain language the scope, duration, and purpose(s) of the requested access to customer-specific meter data. In addition, customer complaints regarding access to or use of data should be subject to the Commission complaint process. 5.The utility should provide electronic access to billing and usage data to customer-authorized third parties within a reasonable period of time from receipt of authorization; any fees to provide this service should be outlined in the tariff and reflected in regulated revenue. 6.A service and supply agreement with a customer should explicitly authorize an Alternate Retail Electric Supplier (ARES) to access and use usage and billing data for billing purposes. Any authorization to access historical data or other information not directly related to billing and collection should be explicitly stated in such an agreement. Authorization to provide usage information to an ISO should be included, if necessary. Cancellation or expiration of the supply agreement should also revoke a suppliers access rights to the customers data. A utility should not be required to customize or disaggregate data.

15. 15 Illinois Statewide Smart Grid Collaborative, continued Policy recommendations. continued 7.Utilities and customer-authorized third parties should be responsible for protecting all meter data in their possession from unauthorized release. 8.The utility should be allowed to use customer-specific meter data to support operation of utility systems and the electricity transmission and distribution network, or as required by State and federal authorities. 9.The utility should be allowed to use customer-specific meter data to solicit participation in Commission-approved demand response and energy efficiency programs. 10.Stakeholders agree that the utility should only be allowed to make use of the Meter Data and Customer Data for offering a competitive service or share such information with any affiliated or unaffiliated entity to the extent allowed by, and consistent with all applicable laws, ICC rules and orders. Some stakeholders further believe that if a utility or its affiliate offers competitive services, they should not, under any circumstances, be allowed to use customer Meter Data in offering those services without affirmative customer authorization and application of third party disclosure requirements. 11.Governmental units should not have unauthorized access to customer-specific data except insofar as some customer-specific data (such as regarding outages, disconnections, and other information potentially affecting public health and safety) is already shared with government by the utility under existing law, policies and agreements. [See e.g., 220 ILCS 5/8-202(b)] The utility should adopt policies and procedures that comply with state and federal law to respond appropriately to law enforcement requests for AMI-derived data. 12.Customers should be educated and informed about what it means to allow access to AMI-derived data. 13.If a utility provides a third party with aggregated AMI meter data, it must take reasonable measures to protect the identity of individual customers. Where individual customer data privacy cannot reasonably be assured, the third party should obtain authorization from the customer for access to identifiable customer data prior to its release by the utility.

16. 16 Ontario – Privacy by Design Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid - June 2010 Personal Information defined as recorded information about an identifiable individual. 7 Foundation Principles of Privacy by Design 1.Proactive not Reactive; Preventative not Remedial »Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs, in order to prevent privacy-invasive events from occurring 2.Privacy as the Default »If an individual does nothing, their privacy still remains intact. »No action is required on the part of the individual to protect their privacy it is built into the system, by default. 3.Privacy embedded into design »Privacy must be a core functionality in the design and architecture of new Smart Grid systems and practices. 4.Full Functionality – positive-sum, not zero-sum »Embed privacy without any loss of functionality of Smart Grid related goals 5.End-to-End lifecycle protection »Ensure that the people, processes and technology involved in Smart Grid projects consider privacy at every stage, including at the final point of the secure destruction of personal information. 6.Visibility and Transparency »Ensure all component parts and operations remain visible and transparent, to users and providers alike, and that each business practice or technology is operating according to the stated promises and objectives, subject to independent verification. 7.Respect for User Privacy »Architects and operators must keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options

17. 17 Ontario – Privacy by Design, continued Canadas Model Code for the Protection of Personal Information 1. Accountability »An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organizations compliance with the following principles. 2. Identifying Purposes »The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. 3. Consent »The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. 4. Limiting Collection »The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. 5. Limiting Use, Disclosure, and Retention »Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

18. 18 Ontario – Privacy by Design, continued 6. Accuracy »Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. 7. Safeguards »Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. Openness »An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. 9. Individual Access »Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 10. Challenging »An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organizations compliance.