1 NAESB Data Privacy Task Force February 16, 2011

2 NAESB Data Privacy TF The Smart Grid potentially enables new parties access to additional customer information that could reveal things about their person, personal behavior, and personal communications The diversity of data access standards and regulatory rules throughout the nation presents a significant challenge to achieving interoperability and hinders the mass deployment of customer products. There are two facets to achieving interoperability with respect to 3 rd Party access to customer usage data Technical - the logical interface where customers and third parties are authorized to gain access to customer usage data NAESB Energy Services Provider Interface Task Force Policy – the policy which governs who is allowed access to customer usage data and what are the responsibilities for protection of customer privacy interface where customers and third parties are authorized to gain access to customer usage data NAESB REQ Data Privacy Task Force

3 NAESB Data Privacy TF A balance must be struck between maximizing innovation and customer choice, while ensuring privacy and a sufficiently standardized environment so that energy service providers can provide cost effective Smart Grid- enabled products that can be utilized by any customer in the nation.

4 Research Documents 1. NISTIR 7628 Guidelines for Smart Grid Cyber Security, Vol. 2 Privacy and the Smart Grid NISTIR 7628 Guidelines for Smart Grid Cyber Security, Vol. 2 Privacy and the Smart Grid 2. DOE Data Access and Privacy Issues Related to Smart Grid Technologies DOE Data Access and Privacy Issues Related to Smart Grid Technologies 3. Illinois Statewide Smart Grid Collaborative Report Illinois Statewide Smart Grid Collaborative Report 4. Ontario Privacy by Design; Achieving the Gold Standard in Data Protection for the Smart Grid Ontario Privacy by Design; Achieving the Gold Standard in Data Protection for the Smart Grid 5. CPUC Privacy Rules related to Third Party Access to usage data and prices CPUC Privacy Rules related to Third Party Access to usage data and prices 6. National Research Institute: Smart Grid Data: Must there be Conflict Between Energy Management and Consumer Privacy? National Research Institute: Smart Grid Data: Must there be Conflict Between Energy Management and Consumer Privacy? 7. Department of Commerce Internet Policy Task Force: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework Department of Commerce Internet Policy Task Force: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework 8. Federal Trade Commission: Protecting Consumer Privacy in an Era of Rapid Change Federal Trade Commission: Protecting Consumer Privacy in an Era of Rapid Change

5 Document Summaries DOE recommendations Consumption data should be released only with the customers authorization Authorized third parties should be required to protect the privacy and security of customer data and only use it for the purposes specified in the authorization Define the circumstances, conditions, and data that may be release to third parties Define and establish customer complaint procedures

6 Document Summaries, continued Illinois Statewide Collaborative report had 13 policy recommendations 1.Customers should be able to retrieve usage data in near-real time from the meter and through in- premises devices. 2.Customers should have access to historical usage and billing data via a utility-provided web portal. 3.Customer authorization should be required for third party access to customer-specific meter data 4.Third parties should disclose in plain language the scope, duration, use, and purpose(s) of the requested access to customer usage data and customer complaints should be subject to the Commission complaint process. 5.The utility should provide electronic access to billing and usage data to customer-authorized third parties within a reasonable period of time from receipt of authorization; any fees to provide this service should be outlined in the tariff and reflected in regulated revenue. 6.Service and supply agreements with customers should explicitly authorize the retail electric supplier to access and use usage and billing data for billing purposes. Any authorization not directly related to billing and collection should be explicitly stated. 7.Utilities and customer-authorized third parties should be responsible for protecting all meter data in their possession from unauthorized release. 8.The utility should be allowed to use customer-specific meter data to support operation of utility systems and the electricity transmission and distribution network, or as required by State and federal authorities.

7 Document Summaries, continued Illinois Statewide Collaborative has 13 policy recommendations, continued 9.The utility should be allowed to use customer-specific meter data to solicit participation in Commission-approved demand response and energy efficiency programs. 10.Stakeholders agree that the utility should only be allowed to make use of the Meter Data and Customer Data for offering a competitive service to the extent allowed by applicable laws, rules and orders. 11.Governmental units should not have unauthorized access to customer-specific data except insofar as some customer-specific data is already shared with government entities by the utility under existing law, policies and agreements. 12.Customers should be educated and informed about what it means to allow access to AMI-derived data. 13.If a utility provides a third party with aggregated AMI meter data, it must take reasonable measures to protect the identity of individual customers.

8 Document Summaries, continued Ontario Privacy by Design foundational principles 1.Proactive not Reactive; Preventative not Remedial »Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs, in order to prevent privacy-invasive events from occurring 2.Privacy as the Default »If an individual does nothing, their privacy still remains intact. »No action is required on the part of the individual to protect their privacy it is built into the system, by default. 3.Privacy embedded into design »Privacy must be a core functionality in the design and architecture of new Smart Grid systems and practices. 4.Full Functionality – positive-sum, not zero-sum »Embed privacy without any loss of functionality of Smart Grid related goals 5.End-to-End lifecycle protection »Ensure that the people, processes and technology involved in Smart Grid projects consider privacy at every stage, including at the final point of the secure destruction of personal information. 6.Visibility and Transparency »Ensure all component parts and operations remain visible and transparent, to users and providers alike, and that each business practice or technology is operating according to the stated promises and objectives, subject to independent verification. 7.Respect for User Privacy »Architects and operators must keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options

9 Document Summaries, continued National Regulatory Research Institute 1.Define the information utilities will collect »Determine with whom and for what purposes »Assess the need to protect the data 2.Ensure that customers understand what data will be shared and under what terms and conditions 3.Require yearly privacy training programs »Require certification that training has taken place 4.Enforce and revise »report policy breaches, correct errors, review and evaluate Department of Commerce Internet Policy Task Force recommendations 1.Adopt a baseline commercial data privacy framework built on an expanded set of Fair Information Practice Principles (FIPPS) 2.Encourage greater detail in purpose specifications and use limitations, and foster the development of verifiable evaluation and accountability programs 3.Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups 4.Establish a Privacy Policy Office (PPO) to serve as a center of commercial data privacy policy expertise. 5.The FTC should remain the lead consumer privacy enforcement agency for the U.S. government 6.Encourage global interoperability 7.Ensure nationally consistent security breach notification rules

10 Document Summaries, continued Federal Trade Commission proposed framework 1.Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services. 2.Companies should simplify consumer choice Companies do not need to provide choice before collecting and using consumers data for commonly accepted practices, such as product fulfillment For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data 3.Companies should increase the transparency of their data practices Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected All stakeholders should work to educate consumers about commercial data privacy practices