By Eric Bukstein
As energy companies across the country are gearing up to start providing electrical service through “Smart Grids,” California is one of the first jurisdictions to begin creating a regulatory framework for the operation of a Smart Grid. On May 21, 2010, the California Public Utilities Commission (“CPUC”) issued a proposed decision, authored by Commissioner Nancy Ryan, providing California energy companies with details on what information must be included in any Smart Grid deployment plans submitted to the CPUC by a July 1, 2011 deadline. The CPUC currently is taking comments on the decision, which will be considered and finalized by the entire commission. While the proposed decision addresses some privacy and data security issues, the CPUC stated that further proceedings will focus more specifically on information access and privacy protections.
Smart Grids provide for a two-way flow of information and electricity, allowing both customers and utilities more control over energy consumption and costs, increasing the reliability of the energy grid, and allowing for a more efficient delivery of energy. Utilities’ use of smart grids raises privacy concerns because of the possibility of linking personal information to granular details about energy use. For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.
CPUC’s proceeding started after the California legislature passed a law in September of 2009 requiring the CPUC “to determine the requirements for a Smart Grid deployment plan” by July 1, 2010. This decision was the result of a year of proceedings in which the CPUC received comments from stakeholders as to how to best implement this law and move toward the deployment of a Smart Grid.
The CPUC’s proposed decision addresses many issues beyond privacy, laying down an outline, by way of eight topics which need to be addressed, for a utility company’s Smart Grid deployment plan. The CPUC specifically added Grid Security and Cyber Security Strategy to a list of topics, which were initially suggested by utility companies, that should be addressed in each utility company’s deployment plans. The full list of categories is as follows:
1. Smart Grid Vision Statement;
2. Deployment Baseline;
3. Smart Grid Strategy;
4. Grid Security and Cyber Security Strategy;
5. Smart Grid Roadmap;
6. Cost Estimates;
7. Benefits Estimates; and
Regarding privacy and data security, the proposed decision asks utility companies to assess these issues in two areas. First, as part of a privacy impact assessment to be included in a baseline report (item 2 above), which analyzes current practices, the utility company must address the following questions:
- What data is the utility now collecting?
- For what purpose is the data being collected?
- With whom will the utility currently share the data?
- How long will the utility currently keep the data?
- What confidence does the utility have that the data will [sic] is accurate and reliable enough for the purposes for which the data is used?
- How does the utility protect the data against loss or misuse?
- How do individuals have access to the data about themselves?
- What audit, oversight and enforcement mechanism does the utility have in place to ensure that the utility is following their own rules?
Second, in a section of the proposed decision devoted to information security, the CPUC requires a utility company to describe “security strategies” that “address physical, cyber and human threats for grid operations with implementation of Smart Grid technologies.” Each Smart Grid deployment plan needs to discuss how it will incorporate National Institute of Standards and Technology (“NIST”) requirements and guidelines into the security program of the utility. The CPUC declined to adopt specific Smart Grid security standards at this time, but recommends that utility companies consult documents, prepared by NIST and the Department of Homeland Security, for guidance when preparing security plans. The CPUC also directed that each deployment plan should contain a systematic risk assessment, including a “security audit based on industry best practices.” This assessment should address:
"The prevention of, preparation for, protection against, mitigation of, response to, and recovery from security threats for the utilities’ advanced meter and communications infrastructure, distribution grid management, and distribution grid management with implementation of other Smart Grid technologies and infrastructure, including all major subsystems and utility storage of customer information."
Additionally, the CPUC orders that each deployment plan discuss the following questions:
· What types of information about customers are or will be collected via the smart meters, and what are the purposes of the information collection? Could the information collection be minimized without diminishing the specified purposes?
· Does the utility have or expect to have other types of devices, such as programmable communicating thermostats (PCTs), which can collect information about customers? If so, what types of information is collected, and what are the purposes of the information collection? Could the information collection be minimized without interfering with the specified purposes?
· What types of information, if any, does the utility plan to collect from the smart meter and HAN gateway?
· How frequently will the utility take readings from the smart meter? Is this frequency subject to change? Will customers control this frequency?
· For each type of information identified above, for what purposes will the information be used? The purposes should be articulated with specificity, e.g., “targeted marketing” instead of “promoting energy efficiency.”
· For each type of information collected, for how long will the information be retained, and what is the purpose of the retention? Could the retention period be shortened without diminishing the specified purpose?
· What measures are or will be employed by the utility to protect the security of customer information?
· Has the utility audited or will it audit its security and privacy practices, both internally and by independent outside entities? If so, how often will there be audits? What are the audit results to date, if any?
The CPUC recognizes that these questions are substantially similar to the questions asked in the deployment baseline section. However, the CPUC intends for the deployment baseline answers to address current utility practices and for the cyber security section to emphasize utility plans.
While the CPUC has issued these preliminary guidelines for what needs to be included in a deployment plan, the CPUC declined to develop the “full host of regulatory requirements and protections” in their decision. The CPUC states that further proceedings will focus on information access and privacy protections.
This decision is an important step in California’s move to regulate Smart Grids. As noted in the decision, the CPUC and other regulatory and legislative bodies will continue to refine the regulatory requirements for Smart Grid operators. However, this decision begins to outline the issues that utility companies will need to address as they plan for and deploy Smart Grids throughout California.