1

Insert Cover Page Karen Made

2

Why is Privacy an Issue with Smart Grid?

Smart Grid presents new privacy threats through its enhanced collection and transmission of more detailed energy usage data than traditionally collected.

Privacy concerns exist wherever personal identifiable information is collected and stored.

Data wants to be free – once information is released, it is practically impossible to retract.

The Voice of Consumers, Making a Difference!

3

How Data Changes with Smart Grid

Quantity and type of data:► Data from smart meters is highly granular.

In California, data collection increments range between 15 minutes to 1 hour.

► Entirely new types of revealing data is collected: Identifiable appliances. Location information of plug-in electric vehicles. Temperature inside the home.

Data flow shifting away from traditional consumer-to-utility relationship.

Patchwork of existing laws doesn’t cover a Smart Grid environment.

Must find a balanced solution that allows data to flow and be used, but also protects customer privacy.

The Voice of Consumers, Making a Difference!

4

Highlights – Data Usage

Data may have important uses for energy conservation, for those customers with the ability to load shift.

Data has possible value to utility business enterprises.

Data can also be compiled for various discriminatory, anti-competitive, and/or illegal uses.

Privacy protections have been circumvented by user error, disgruntled employees, and hackers.

The Voice of Consumers, Making a Difference!

5

Privacy Concerns Regarding Data Usage

Customer energy usage data may disclose intimate personal details related to:

► Customer’s presence in, or absence from, the home.

► Purchasing preferences.

► Health.

► Co-habitation arrangements.

The Voice of Consumers, Making a Difference!

6

Examples of Private Information Revealed by Energy Usage Data

Scant energy usage may allow third parties, and potentially criminals, to determine which homes are empty.

Hackers have used poorly secured networks to:

► Pass their utility charges to other customers.

► Disconnect customers from the grid.

► Steal customer identification information.

The Voice of Consumers, Making a Difference!

7

Examples of Private Information Revealed by Energy Usage Data

Law enforcement agencies in Texas have mined thousands of customers’ energy usage information – without their consent – to identify and target

potential marijuana operations, raising Fourth Amendment concerns.

Landlords may be able to determine how many people live in a home, perhaps in violation of a leasing agreement.

Disclosure of occupant’s prescription data to third parties:► In-home devices may allow two-way communication and facilitate the reading of

Radio Frequency Identification (RFID) tags.

If data is stored at the meter, and it is not de-energized when one tenant leaves, the next tenant could have access to that data.

The Voice of Consumers, Making a Difference!

8

Examples of Privacy Concerns About Energy Usage Data Collection

There is a greater risk of compromising customer privacy if data leaves the home to be processed.

Data sent over wireless devices is easily intercepted by drive-by data collectors and must be securely encrypted to prevent interception.

► All smart meters have home area network (HAN) functionality.

► Once activated, they enable wireless transmission of data with consequent risks.

Entities with access to usage data may gain a competitive edge over other market players.

If unregulated third parties obtain customer data, they may: ► Sell the data.

► Use it for advertising purposes.

► Barrage customers with unwanted or even nefarious advertisements and promotions.

The Voice of Consumers, Making a Difference!

9

Fair Information Practice Principles (FIPPs)

Transparency – Provide clear, meaningful notice about collection, uses, and disclosure.

Individual Participation – Consent to collect, use, and/or disclose data, required any time changes are made, and revocable at any time.

Purpose Specification – Articulate specific purpose(s) for which data will be used.

Data Minimization – Collect only data necessary to fulfill specific purpose(s) and keep only as long as needed.

Use Limitation – Use data only for specified purpose(s).

Data Quality and Integrity – Ensure data is accurate, relevant, timely, and complete and provide tools to correct mistakes or challenge errors.

Data Security – Must protect customer data with appropriate security safeguards.

Accountability and Auditing – Must comply, audit for compliance, and provide employee and contractor training.

The Voice of Consumers, Making a Difference!

10

Privacy and Smart Grid in California The California Public Utilities Commission (CPUC) opened a Rulemaking to

consider and evaluate policies related to Smart Grid in December 2008 (R.08-12-009).

In December 2009, the CPUC adopted a decision that set as policy objectives:

► Ensure all information is secure and a customer’s privacy is protected.► Require that utilities have operations in place by the end of 2010 allowing

customers to access their information through an agreement with a third party (delayed).

In June 2010, the CPUC adopted a decision that established FIPPs as the appropriate framework for privacy rules, with those rules to be determined later.

California was the first state to pass a bill directly related to energy usage data:

► Senate Bill 1476 (Padilla) was passed and codified as Public Utilities Code Section 8380 (December 2010).

► While being touted as a “landmark privacy bill,” it does little to protect consumers and does not adequately address data sharing with third parties.

The Voice of Consumers, Making a Difference!

11

Current Status of Privacy Rules for Smart Grid in California

Center for Democracy and Technology and the Electronic Frontier Foundation developed a very specific set of polices and procedures that translated FIPPs into practical and useable rules:

► Submitted to the CPUC in October 2010.

DRA provided input to the proposed rules and supported them with a couple amendments:

► Limit appropriate uses of data to those purposes specifically related to fulfilling energy policy goals and operational needs.

► The rules should follow the data, regardless of what entity accesses the data.

The CPUC issued a proposed decision adopting privacy rules for California's three large investor owned utilities on May 6, 2011. 

► Parties will submit comments on that proposed decision on May 26, 2011.

The Voice of Consumers, Making a Difference!

12

Thank You

Contact Information:

Karin HietaSmart Grid Project Lead(415) 703-4253kar@cpuc.ca.gov

California Public Utilities CommissionDivision of Ratepayer AdvocatesFourth Floor505 Van Ness AvenueSan Francisco, CA 94102

The Voice of Consumers, Making a Difference!