Privacy concerns have accompanied the rise of smart grid technologies as a means of helping utilities to efficiently deliver reliable, economic, and sustainable electricity services. As way of background, “smart grid” refers to the digital technology used to computerize and automate the traditional electric utility grid. This technology allows for two-way digital communication between a smart meter device installed at a consumer’s home and the electric utility’s network operations center regarding energy consumption for monitoring and billing purposes.
Advocates of the smart grid argue that this technology allows consumers to use energy resources more efficiently which saves them money on their utility bills. In 2009, Congress allocated $4.5 billion in the American Recovery and Reinvestment Act (Recovery Act) to the Department of Energy’s Office of Electricity Delivery and Energy Reliability for investment in smart grid activities. On June 13, 2011, the Department of Energy announced that more than five million smart meters have been installed in homes across the country as part of Recovery Act-funded efforts to accelerate modernization of the nation’s electric grid, and as of today, electric utilities in 51 US states and territories have been awarded smart grid grants.
However, these innovative technologies, which allow for an unprecedented flow of information between customers and their energy providers, have forced utilities regulators to revamp the laws that govern these utilities. California, Colorado, New York, and Ohio have been on the forefront of enacting these new regulatory changes aimed at maintaining the privacy and security of customer information.
On July 28, 2011, the California Public Utilities Commission (CPUC) in a unanimous decision approved data protection rules for the following smart grid providers: Pacific Gas and Electric Company, Southern California Edison, San Diego Gas and Electric Company, and the companies that assist them in utility operations, companies under contract with the utilities, and other companies that, after authorization by a customer or by the action of the CPUC, gain access to that customer’s usage data directly from the utility.
In addition to the rules protecting the privacy and security of customers’ energy consumption data generated by smart meters and transmitted by the smart grid, the CPUC’s decision adopted (1) reporting and audit requirements regarding the utilities’ data privacy and security practices, third-party access to customer usage information, and security breaches of customer usage information, and (2) policies to govern access to customer usage data by customers and by authorized third parties. For example, utilities are required to provide pricing, usage, and cost data to customers online, and the data must be updated at least on a daily basis and made available to customers by the next day.
On August 29, 2011, Administrative Law Judge G. Harris Adams issued a decision before the Colorado Public Utilities Commission (Commission) providing a list of smart grid privacy-related rule-changes to the state’s 4 Code of Colorado Regulations (CCR) 723-3. The purpose of the rule-making decision was to revise the current regulations applicable to smart grid data privacy and disclosure rules to provide more clarity on data privacy concerns and to protect customer information from unauthorized disclosure while allowing customer access to information.
Judge Adams’s recommended rule-changes modified the existing regulations in a number of ways. They provided clarity both on the definition of customer data as well as the types and manners in which such data is gathered and used, including how and at what cost it should be provided to the customer. The rule-changes also adjusted the customer consent form required by Rule 3028, which governs customer consent for utility disclosure to a third party by mandating that the utility must provide a “consent to disclose customer data form” that includes such information as customer rights, third-party business information, intended data uses, purpose, etc. Overall, the rules would require utilities to explain their data collection practices to customers, the frequency of the data collection, and the security measures that will be taken to ensure the privacy and security of customer data. A copy of the rules will be filed with the Office of the Secretary of State and will become effective 20 days after publication in the Colorado Register by the Office of the Secretary of State. Copies of the rules must be served on interested parties who have an opportunity to file exceptions to the rules. However, if no exceptions are filed within 20 days after service or within any extended period of time authorized, or unless the decision is stayed by the Commission, the rules become a decision of the Commission.
The New York State Public Service Commission (PSC) adopted a policy statement on August 18, 2011 that establishes regulatory policies and presents guidelines for utilities to follow pertaining to the development of smart grid systems. The formalization of the adopted guidelines gives utilities a better understanding of the rules required to develop smart grid systems. The statement was based on input from investor-owned utilities, technology companies, consumer representatives, nonprofit organizations, and governmental entities. The guidelines state that utilities must develop and maintain cyber security standards and bear the responsibility to ensure that cost-effective protection and preparedness measures are employed to deter, detect, and respond to cyber attacks. The policy statement also calls for utilities and third-party providers to take appropriate actions to protect customer privacy when proposing projects that involve the collection and use of consumer data, which should be made available in a timely manner to third parties who are authorized by the consumer.
The Public Utilities Commission of Ohio (PUCO) is in the midst of evaluating responses to an open docket, (11-0277-GE-UNC) which seeks to review customer privacy protection, customer data access and cyber security issues associated with smart grid and advanced metering programs.
These are not the only states looking to ensure that the transition to the smart grid goes smoothly and securely. Vermont and Oklahoma, among other states, have also begun the process of creating and enacting utilities regulations aimed at governing the flow of information from the smart grid. While there is no doubt that the deployment of smart grid technology will be key to the creation of a more energy efficient economy, maintaining privacy rights over the data created is going to be critical to the public’s acceptance of such technology and the success of the smart grid as a whole. It will be up to governments and utilities regulators over the next couple of years to enact sound policies that ensure the privacy and security of customer information without placing undue and restrictive burdens on smart grid and utility companies.
For more information on smart grid technology, click here.