Guest column: Balancing access to electricity data and privacy concerns

This column first appeared on the website of the Lexington Institute, where Constance Douris is a vice president.

IMG_0772

Two types of data involved with smart grid technologies are revealing: personally identifiable information and consumer-specific energy usage data (CEUD). Examples of personally identifiable information include an individual’s name, address, social security number, telephone number, and payment history. CEUD includes data related to an individual customer’s energy use, such as total electricity consumed at different times of the day.

CEUD could be used to identify and monitor behavior patterns inside a home or business. Electrical appliances such as refrigerators and air conditioners can be identified by their load signatures to perform legal and illegal real-time surveillance. For instance, electricity data has already been used by law enforcement in Texas and California to identify possible residential marijuana growing operations and to obtain a search warrant to access a home to search for evidence of marijuana production.

Studies conducted by utilities and consumer advocates have consistently shown that privacy issues are important. The U.S. Department of Energy views privacy and access of the smart grid as complementary values, not competing goals. The grid must encourage innovation, and make electricity usage available to customers while respecting consumers’ interests in personal privacy and security.

Because electricity data has the potential to violate consumer privacy, the DataGuard Energy Data Privacy Program was created by the Energy Department’s Office of Electricity Delivery and Energy Reliability and the Federal Smart Grid Task Force. This program serves as a voluntary code of conduct related to the privacy of customer energy usage data for utilities and third parties.

The program supports providing customers with notices about privacy policies and practices at the start of a service, on a regular basis thereafter, and upon the customer’s request. The notices should include the types of data collected and how that data will be used for a specific purpose. Customers ought to be able to access their usage information to identify inaccuracies and request corrections, and to approve third party access for energy products and services in which they may be interested in.

In July 2011, the California Public Utilities commission was the first to establish rules to protect the privacy and security of customer usage data generated by smart meters. These rules create a framework to balance protecting consumer privacy and creating a new market for third-party participants. California law requires electrical utilities to apply reasonable security procedures and practices in protecting a customer’s unencrypted electrical data from unauthorized access, destruction, use, modification, or disclosure.

Other states such Texas, Illinois, Connecticut, Maine, Maryland and North Carolina, have implemented policies for utilities to release energy data to third parties. However, more than half of U.S. states lack policy in place that permits utilities to release customer electricity usage data to customers or third parties.

Service providers should not share a customer’s social security number, state or federal identification number or other identifiable information. If such information is required, it should be provided directly by the customer.

CEUD should be protected against cyber threats and data must be preserved to ensure accuracy and protect against loss, unauthorized use, or dissemination. The number of cyber threats and security vulnerabilities today are too many for any one organization to handle by itself. The public and private sector need to collect and share data about emerging threats and software flaws, such as file hashes, domain names and Internet Protocol addresses, to protect the electric grid from cyber threats.

Check Point, Cisco, Fortinet, Intel Security, Palo Alto Networks and Symantec work together to protect their customers through threat intelligence sharing as members of the Cyber Threat Alliance. In addition, there are at least 27 programs in the Department of Energy, Department of Homeland Security and the Federal Energy Commission to protect the grid from cyber breaches.

The Department of Homeland Security is conducting a Cyber Incident Data Repository pilot to identify trends, mitigate threats and calculate risks for enterprise risk managers and cybersecurity insurance companies. The repository aims to identify top cyber risks, fashion controls, inform peer-to-peer benchmarking, and create forecasts and models. Perhaps storing information about cyber threats to the electric grid in such a manner could protect the electrical infrastructure.

Customer energy usage data enables utilities and third party providers to better manage electricity consumption, avoid expensive breakdowns, and create interactive devices to manage a household more efficiently. However, it is critical that customers’ personal information and energy usage is protected to maintain consumer privacy. More states should implement policies that allow access to electricity usage data that incorporates the Department of Energy’s voluntary code of conduct and strong cyber protections.