With technology continually growing faster and more sophisticated, consumers and businesses are enjoying the benefits of new opportunities to gather, monitor, and control data. Yet those same opportunities introduce corresponding, unprecedented privacy and data security concerns. As technology outpaces legislation, and with privacy regulation very much in flux, there is considerable confusion, uncertainty, and risk associated with the rollout of many nascent data technologies.
There is perhaps no better example of the juxtaposition of these benefits and risks than Smart Grid technology. Smart Grid is rapidly transforming electric grids nationwide into intelligent, two-way energy and communication systems that enable consumers and utilities to monitor energy consumption in real time, with pinpoint accuracy. This allows consumers to decrease their monthly bills through improved efficiency, and helps utilities manage demand response. Manufacturers are creating “smart appliances” that will become fully integrated with the Smart Grid, providing consumers an extraordinary degree of control over their usage of devices such as heating and air conditioning systems, refrigerators, and washing/drying machines. Increasingly, utilities are asking consumers to grant them permission to remotely control use of devices, to address the need for conservation in times of peak demand. The benefits of widespread Smart Grid deployment are viewed as so significant that the federal government has allocated more than $3.4 billion to make it happen.
But there is a worrisome side associated with this development. While Smart Grid provides new opportunities for consumers and utilities to make energy use smarter, the technology also enables intelligence to be collected about consumers’ personal habits that raises potentially serious privacy concerns. In response to these concerns, federal and state regulators and legislators are grappling with possible solutions that attempt to balance the benefits and the risks.
Among the privacy concerns identified by the Department of Commerce’s National Institute of Standards and Technology (NIST), in a report issued last August, are the following:
Non-Grid Commercial Uses of Data – Personal energy consumption data storage may reveal lifestyle information that could be of value to many entities, including vendors of a wide range of products and services.
Determining Personal Behavior Patterns/Appliances Used – Access to data-use profiles can pinpoint times and locations of electricity use to specific areas of the home, which can indicate the types of activities the consumer is engaged in and/or the appliances being used.
Real-Time Remote Surveillance – Access to live energy use data can reveal information such as waking or sleeping patterns, whether people are in a facility or residence, exactly where they are in the structure, and how many people are in the structure at any given time.
Fraud – The Smart Grid could be manipulated to attribute energy consumption to another location or vehicle.
One can imagine benign or even beneficial uses of some of this information, but the risk of misuse by hackers or other malevolent actors also is apparent.
The federal government has issued some guidance on standards for Smart Grid providers to contend with the daunting privacy and data security challenges they face. NIST’s three-volume Guidelines for Smart Grid Cyber Security, released in August 2010, was the product of two formal public reviews and numerous workshops and teleconferences over the course of 17 months. The Department of Energy also published a report late last year entitled “Data Access and Privacy Issues Related to Smart Grid Technologies,” which concluded that Smart Grid is a “critical long-term component to a more interactive, robust, and efficient electricity generation, transmission and usage system,” but presents significant privacy issues.
With Smart Grid rollouts in select markets in the U.S., and many more to come, the clash between the technological benefits and the privacy concerns has come to a head.
The most recent state to wrestle with these issues is Maine. Central Maine Power Company (“CMP”) has begun installing more than 600,000 smart meters in the state, a $200 million project partially funded by a $96 million U.S. Department of Energy grant. The smart meters will report a home’s hourly electricity usage directly to CMP. The question before the Maine Public Utilities Commission is whether homeowners, who are worried about the security of their consumption data, can “opt-out” of the CMP smart meter program, and if so, whether they will be charged a fee for that privilege. CMP is opposed to the opt-out feature because it may reduce the effectiveness of the smart metering program, since the company will collect less data if too many customers decline to have meters installed.
Maine is not the only state embroiled in Smart Grid privacy debates. California, which was the first state to pass a statewide bill (in 2009) to develop an overarching plan for Smart Grid deployment, has faced increasing trouble with implementation. In January, the Marin County, California Board of Commissioners unanimously approved a one-year moratorium on installation of smart meters, citing privacy and health concerns. Although the ultimate authority rests with the California Public Utilities Commission, which has refused to cease installation of smart meters, this vote symbolizes growing opposition in the state. Similar debates have surfaced in other states, and we expect to see more throughout 2011 due to the uncertainty concerning how Smart Grid’s benefits and privacy concerns will be balanced.
What is certain is that electric utilities and Smart Grid technology providers have a great deal at stake in this debate. Some of the privacy and data security obligations under consideration by legislators and regulators have the potential to derail certain Smart Grid plans and technologies if their proponents are unprepared to meet compliance requirements. In anticipation of these challenges, some companies have embraced the “privacy by design” concept, developing security and authentication solutions to protect Smart Grid networks against energy theft, privacy breaches, and cyber attacks against the power grid. The best practices employed by these companies eventually may become mandatory by law.
We encourage you to contact any of the attorneys listed above to discuss regulatory developments and deployment risks, as well as potential funding opportunities related to Smart Grid.