D1107056 Attachments A-E
Word Document PDF Document

Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission's own Motion to Actively Guide Policy in California's Development of a Smart Grid System.

Rulemaking 08-12-009

(Filed December 18, 2008)

Findings of Fact 130

Conclusions of Law 149

ORDER 163

1. Summary

2. Background: The Evolution of the Question of How to Promote Private, Secure, Useful and Timely Access to Electricity Usage Data

3. Commission's Authority over Smart Grid Issues Enhanced and Clarified by Recent Legislation

3.1. SB 1476 Seeks to Protect the Privacy of Usage Information

This bill would prohibit an electrical corporation or gas corporation from sharing, disclosing, or otherwise making accessible to any 3rd party a customer's electrical or gas consumption data, as defined, except as specified, and would require those utilities to use reasonable security procedures and practices to protect a customer's unencrypted electrical and gas consumption data from unauthorized access, destruction, use, modification, or disclosure.

The bill would prohibit an electrical corporation or gas corporation from selling a customer's electrical or gas consumption data or any other personally identifiable information for any purpose.

The bill would prohibit an electrical corporation or gas corporation from providing an incentive or discount to a customer for accessing the customer's electrical or gas consumption data without the prior consent of the customers.

The bill would require that an electrical or gas corporation that utilizes an advanced metering infrastructure that allows a customer to access the customer's electrical and gas consumption data to ensure that the customer has an option to access that data without being required to agree to the sharing of his or her personally identifiable information with a 3rd party.

The bill would provide that, if the electrical corporation or gas corporation contracts with a 3rd party for a service that allows a customer to monitor his or her electricity or gas usage, and the 3rd party uses the data for a secondary commercial purpose, the contract between the electrical or gas corporation and the 3rd party shall provide that the 3rd party prominently discloses that secondary commercial purpose to the customer.12

3.2. Are FIP Principles Consistent with SB 1476 and Other California Statutes?

1. Transparency - SB 1476, Pub. Util. Code § 8380(c) adopts requirements that make the use of a consumer's energy data transparent to the consumer. Section 8380(c) states: "If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity usage, and that third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer."

    CA Business and Professions Code § 22575 requires online posting of a privacy and third-party access policies of California businesses, including energy utilities.

2. Individual Participation - SB 1476, Pub. Util. Code § 8380(b)(1) anticipates the participation of individuals in protecting their own privacy by requiring a customer's consent before disclosure of information to a third party. Section 8380(b)(1) states: "An electrical corporation or gas corporation shall not share, disclose or otherwise make accessible to any third party a customer's electrical or gas consumption data, except as provided in subdivision (e) or upon the consent of the customer."

    CA Civil Code Section 1633.1 et seq. - authorizes the use of electronic transactions/signatures to satisfy laws requiring records to be in writing.

3. Purpose Specification - SB 1476, Pub. Util. Code § 8380(e)(2) designates certain purposes for which disclosure of usage information is expected and automatically approved. Section 8380(e)(2) states: "Nothing in this section shall preclude an electrical corporation or gas corporation from disclosing a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent."

4. Data Minimization - Although a principle of data minimization is not explicitly required in SB 1476, Commission actions frequently set requirements concerning the collection, retention and reporting of data. Commission rate cases, general regulation, and the Pub. Util. Code often state periods for data retention or reporting of data. For example, Pub. Util. Code § 6354(e), which states: "Energy utilities must report to municipalities the names and addresses of customers who transport gas or electricity, for the purposes of enforcing taxes and fees. Municipalities shall not disclose such customer information to third parties." Thus, even if policies of data minimization are not explicitly contained in SB 1476, data collection and retention, the key to a FIP of data minimization, certainly falls within the purview of the Commission.

5. Use Limitation - SB 1476, Pub. Util. Code § 8380(e) (2) - cited above, limits the use of electricity usage information. Specifically, § 8380(e) (2) prohibits the use of energy consumption data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent.

6. Data Quality and Integrity - Although a principle supporting data quality and integrity is not explicitly required in SB 1476, Commission regulation of utility operations and services requires the accuracy of underlying information. Most directly, it is clear that ensuring the accuracy of data is consistent with consumer protection initiatives in the Pub. Util. Code that require that rates and bills be reasonable.

7. Data Security - SB 1476, Pub. Util. Code § 8380(d) explicitly calls for keeping the information associated with the smart grid safe. Section 8380(d) states: "An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure."

3.3. Should the Commission Use FIP Principles to Develop Privacy and Security Regulations?

For the purposes of protecting personal information, a time-tested approach to policy development is to utilize the Principles of Fair Information Practices.21

TURN has reviewed a draft of the comments being submitted by the CDT/EFF and strongly supports their proposed rules that operationalize the Fair Information Practice Policies.22

We encourage the Commission to adopt rules that encompass the principles embodied in the well-accepted Fair Information Practice Principles, covering all collection, use, retention, and sharing of data.23

SDG&E agrees in principle with the efforts made by CDT & EFF in their proposal, but suggests that the scheme requires further analysis in order to achieve greater consistency in provisions and reasonably accommodation before the [Commission] considers establishing electric utility operational FIPs.26

At a minimum, SDG&E submits that a technical working group should be established to create a common "straw man proposal" or set of "use cases" to foster a better overall understanding of how the FIP's privacy principles may be implemented or applied to the electric IOUs.27

SoCalGas believes that current laws are sufficient and adequate enough to protect the customer's privacy. Overall, SoCalGas agrees with the Center for Democracy and Technology and Electronic Frontier Foundation proposal and the Fair Information Practice principles, however, the intentional vagueness of the proposal, although accommodating a myriad of circumstances, is not specific enough for implementation. SB 1476 is sufficient for the operation of the gas [Advanced Meter Infrastructure] network to be deployed by SoCalGas pursuant to D.10-04-027.28

SoCalGas does not believe that the Commission has yet provided a clear direction that the policies being considered in this proceeding should be expanded beyond the electric grid system. Conversely if the Commission wants to apply the FIP's standards to gas corporations, then SoCalGas would urge those issues be further discussed, analyzed or vetted within the gas service provider context.29

The Commission should focus on implementing SB 1476 as simply and as quickly as possible. No further restrictions or privacy protections are needed, especially in the CI&I sector.30

AT&T encourages the Commission to avoid the adoption of rigid, burdensome consumer privacy rules. Instead, the Commission should seek to adopt a simple framework based on the requirements of SB 1476.33

3.4. Discussion: FIP Principles are Consistent with Pub. Util. Code and Offer a Good Basis for Developing Privacy and Security Regulations

... we agree with CDT-EFF and Researchers that an assessment of privacy and grid security issues should be included as part of this baseline report.35

CDT-EFF suggests that this privacy assessment should be responsive to the principles outlined in the Fair Information Practices.36

4. Jurisdiction: What is the Extent of the Commission's Authority and Obligation to Protect Confidential Consumer Information?

1) What authority does the Commission have over entities that receive information on a consumer's energy usage from the utility? What actions, if any, can the Commission take in response to misuse of data by such an entity?

2) What authority, if any, does the Commission have over entities that receive information on a consumer's energy usage from sources other than the utility (from a HAN device or from the customer, for example)? What actions, if any, can the Commission take in response to misuse of data by such an entity?38

4.1. Arguments of Parties in Briefs

Step 1: Pub. Util. Code Section 701 confers broad power on the Commission to regulate public utilities.42

Step 2: "In PG&E Corp v. Public Utilities Comm.,43 the court made clear that the Commission may enforce conditions against non-public utilities (in that particular case, utility holding companies) where such jurisdiction was not barred by statute and was essential to the Commission's assertion of regulatory authority over utilities. 118 Cal. App. 4th at 1199."44 This court decision established the "cognate and germane" criteria (discussed below) for determining the reach of Commission authority.

Step 3: The regulation of third parties interaction with customers over access to their energy usage data "is an exercise of authority that is cognate and germane to the Commission's regulation of IOUs [investor owned utilities] and therefore permissible under Public Utilities Code § 701."45 Therefore, the Commission has authority over any third party who obtains access to a customer's energy usage data.

... would provide that a customer's electric or gas consumption data shall be securely kept by the local publicly owned electric utility or electrical or gas corporation and shall not be accessible by a third party, unless a customer chooses to access his or her consumption data from a third party using a smart meter, after being given the option not to relinquish his or her data.47

...the recent enactment of Public Utilities Code Section 8380 by the California Legislature calls into question whether that reach extends to non-utilities even when they receive consumer energy usage information directly from a utility. Under the canon of statutory construction expressio unius est exclusio alterius, the fact that Section 8380 confers authority on the Commission to directly regulate utilities but not their non-utility agents and contractors, arguably would support a conclusion that the Legislature intends the Commission to only regulate utilities on these matters.60

... for nearly twenty years, [Commission]-jurisdictional utilities have implemented specific tariffs and other restrictions on access to customer-specific information under Commission rules and orders. To the extent these tariffs and underlying Commission rules and orders dictate the terms and conditions of non-utility access to consumer energy usage information, any breach of those access restrictions can be remedied by a Commission order enjoining a utility from continuing to provide such information to the non-utility.61

... legislation prohibits utilities to "share disclose or otherwise make accessible to any third party a customer's electrical or gas consumption data" absent a contractual requirement with the third party to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" and to "protect the personal information from unauthorized access, destruction, use, modification, or disclosure."66

4.2. Discussion: Jurisdiction Over Utilities and Their Contractors/Agents is Clear; Other Determinations Deferred

8380(b)

(1) An electrical corporation or gas corporation shall not share, disclose, or otherwise make accessible to any third party a customer's electrical or gas consumption data, except as provided in subdivision (e) or upon the consent of the customer.

(2) An electrical corporation or gas corporation shall not sell a customer's electrical or gas consumption data or any other personally identifiable information for any purpose.

(3) The electrical corporation or gas corporation or its contractors shall not provide an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer.73

8380(d) An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.74

8380(e)(2) Nothing in this section shall preclude an electrical corporation or gas corporation from disclosing a customer's electrical or gas consumption data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, provided that, for contracts entered into after January 1, 2011, the utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent.75

8380(c) If an electrical corporation or gas corporation contracts with a third party for a service that allows a customer to monitor his or her electricity or gas usage, and that third party uses the data for a secondary commercial purpose, the contract between the electrical corporation or gas corporation and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer.76

5. The CDT/EFF Recommendations Serve as a Starting Point for Consideration of Privacy and Security Rules to Protect Usage Data

Our revised rule continues to reflect the Commission's decision, and the parties' broad general consensus, to implement the FIP principles. The revisions we have made reflect useful and constructive feedback from workshop discussions, including comments from PG&E, DRA, TURN, and other parties. More generally, our revised rule continues to reflect the goals of the Commission and parties to protect customer usage data, to bring order to the welter of regulations covering various aspects of the Smart Grid environment, and to accommodate and support innovation in technology and business practices. Importantly, the proposed rule fills gaps in the present framework-especially those gaps created by the inadequate and outdated "notice-and-choice" model of privacy protection-by using the full set of FIPs and "operationalizing" them for easy implementation by Smart Grid entities.82

5.1. What Rules Should Determine Who is Covered, What Information is Covered, and Which Uses of Information are Primary?

1. DEFINITIONS

(a) Covered Entity. A "covered entity" is (1) any electric service provider, electrical corporation, gas corporation or community choice aggregator, or (2) any third party that collects, stores, uses, or discloses covered information [relating to __ or more households or residences].

(b) Covered Information. "Covered information" is any electrical or gas usage information when associated with any information that can reasonably be used to identify an individual, family, household, or residence, or non-residential customer, except that covered information does not include electrical or gas usage information from which identifying information has been removed such that an individual, family, household, or residence or non-residential customer cannot reasonably be identified or re-identified.

(c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

    (1) provide or bill for electrical power or natural gas,

    (2) fulfill other operational needs of the electrical or natural gas system or grid,

    (3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

    (4) implement demand response, energy management, or energy efficiency programs operated by, or on behalf of and under contract with, an electrical or gas corporation, electric service provider, or community choice aggregator.

(d) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

... the distinction between primary and secondary purposes (Sections 1(c) and 1(d)) must be clear and must be maintained ... Because primary purposes are excepted from the customer consent requirement, the Commission should take care not to enlarge this category to include any purposes that would leave customers vulnerable to unexpected or unknown collection, use, or disclosure of the highly revealing information that is covered by the rule. As such, uncontested ("primary") purposes must be tied directly to the provision of energy services and utility operations that have been approved by and subject to oversight by the Commission.86

5.1.1. Position of Parties

Customer. For purposes of this rule, a "customer" is any individual, household, residence or business receiving retail generation, distribution or transmission service from an investor-owned utility.88

The requirement that a specific purpose be indicated for each category of information collected and that the specific identity of third parties to which it is disclosed also be indicated suggests that relatively minor changes in services or products could trigger long notices that customer do not pay attention to, or repeated, annoying notice and consent requests to consumers. Requiring an entity to provide new notice every time it collaborates with another entity, for example, to provide an updated service or to begin to work with a new third party, even if the service to the customer is the same, appears unduly burdensome.89

Although SoCalGas was in fact ordered [to] participate in this proceeding, SoCalGas wanted to raise a question of whether CDT/EFF's proposed definition matches the scope of this proceeding which to date seems to only be addressing the electric grid system. This is a fundamental question that the Commission must clarify before weighing the merits of CDT/EFF's proposed privacy policies and procedures. SoCalGas does not believe that the Commission has yet provided a clear direction that the policies being considered in this proceeding should be expanded beyond the electric grid system.92

5.1.2. Discussion

The general scope of this proceeding is to consider further actions, if needed, to comply with the requirements of EISA [Energy Independence and Security Act] and also to consider policy and performance guidelines to enable the electric utilities to develop and implement a smart grid system in California.98

Because CASMU members are not pursuing an [Advanced Metering Infrastructure] AMI or other Smart Grid measures for their California territories, consideration of the applicability of the Privacy and Security Rules in these territories is not necessary or constructive at this time.100

1. DEFINITIONS

(a) Covered Entity. A "covered entity" is (1) any electrical corporation104 or any third party that provides services to an electrical corporation under contract, (2) any third party who accesses, stores, uses or discloses covered information pursuant to an order or resolution of the Commission, unless exempted by the Commission, or (3) any third party, when authorized by the customer, that accesses, stores, uses, or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation.105

(b) Covered Information. "Covered information" is any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify an individual, family, household, residence, or non-residential customer, except that covered information does not include usage information from which identifying information has been removed such that an individual, family, household or residence, or non-residential customer cannot reasonably be identified or re-identified. Covered information, however, does not include information provided to the Commission pursuant to its oversight responsibilities.

(c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

    (1) provide or bill for electrical power or gas,

    (2) provide for system, grid, or operational needs,

    (3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

    (4) plan, implement, or evaluate demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission or as part of a Commission authorized program conducted by a governmental entity under the supervision of the Commission.

(d) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

5.2. What Rules Reasonably Promote the FIP Principle of Transparency?

2. TRANSPARENCY (NOTICE)

    (a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the collection, storage, use, and disclosure of covered information.

    (b) When Provided. Covered entities shall provide notice in their first paper or electronic correspondence with the customer, if any, and shall provide conspicuous posting of the notice or link to the notice on the home page of their website.

    (c) Form. The notice shall be labeled "Privacy Policy: Notice of Collection, Storage, Use and Disclosure of Energy Usage Information" and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

    (d) Content. The notice shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice,

    (3) the covered entity's process for altering the notice, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

5.2.1. Position of Parties on Recommended Rule to Promote Transparency

Under the California Uniform Electronic Transactions Act an authorization, acknowledgment, or consent should satisfy a requirement that it be "in writing" if made by an "electronic record" that includes either an "electronic signature" as these terms are defined in Civil Code Section 1633.1 or a "digital signature" as that term is defined in Civil Code Section 1633. Paper, which is antithetical to the environmental goals of the Smart Grid, should not be a requirement and TechNet urges the Commission to make it clear that an electronic signature will satisfy the requirements in the Proposed Rules.110

5.2.2. Discussion: With Modifications, the Recommended Transparency Rule is Reasonable and Consistent with the Law; Paper is Not Necessary

2. TRANSPARENCY (NOTICE)

    (a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

    (b) When Provided. Covered entities shall provide written or electronic notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide conspicuous posting of the notice and privacy policy or link to the notice and privacy policy on the home page of their website, and shall include a link to their notice and privacy policy in all electronic correspondence to customers.

    (c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information, and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

    (d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

5.3. What Rule Best Operationalizes the FIP Principle of Specifying the Purpose for Collecting or Disclosing Information?

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, and

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the identities of the third parties to which it is disclosed;

(b) the periods of time that covered information is retained by the covered entity;

(c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

5.3.1. Positions of Parties on Purpose Specification

The requirement that a specific purpose be indicated for each category of information collected and that the specific identity of third parties to which it is disclosed also be indicated suggests that relatively minor changes in services or products could trigger long notices that customer do not pay attention to, or repeated, annoying notice and consent requests to consumers. Requiring an entity to provide new notice every time it collaborates with another entity, for example, to provide an updated service or to begin to work with a new third party, even if the service to the customer is the same, appears unduly burdensome.119

5.3.2. Discussion: Recommended Rule with Revisions can Meet FIP Goal with Reduced Regulatory Burdens and Less Potential Consumer Confusion

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

(a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, and

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the number and categories of third parties to which it is disclosed; , and

    (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

(b) the approximate periods of time that covered information will be retained by the covered entity;

(c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

5.4. What Rules Reasonably Promote the FIP Principle of Individual Access and Control of Smart Meter Data?

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

    (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

    (2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

    (1) granting and revoking authorization for secondary uses of covered information,

    (2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

    (3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

    (1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

    (2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a demand for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

    (3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

    (4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, written and specific to the purpose and to the person or entity seeking the information.

    (5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

    (6) On an annual basis, covered entities shall report to the Commission the number of times that customer data has been sought pursuant to legal process without customer consent, and for each such instance, whether it was a civil or criminal case, whether the covered entity complied with the request as initially presented or as modified in form or scope, and how many customers' records were disclosed. The Commission may require the covered entity to make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

5.4.1. Position of Parties

For example, Section 588 of the Public Utilities Code allows the district attorney to access customer confidential information (except usage information) from public utilities in child abduction cases. Nothing in Section 588 prohibits an IOU from notifying the customer whose information is sought in advance of the mandatory disclosure; yet doing so may interfere with the district attorney's efforts to locate and recover an abducted child.124

4(c)(6) Upon request of the Commission, covered entities shall report to the Commission on disclosures of covered information made pursuant to legal process. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.126

5.4.2. Discussion: Recommended Rules Provide a Reasonable Approach to Providing Customer with Access and Control of Usage Data, but Modifications Are Warranted

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

    (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

    (2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

    (1) granting and revoking authorization for secondary uses of covered information,

    (2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

    (3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

    (1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

    (2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer seven (7) days to appear and contest the claim of the person or entity seeking disclosure.

    (3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

    (4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written form, and specific to the purpose and to the person or entity seeking the information.

    (5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

    (6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

5.5. What Rules Reasonably Promote the FIP Principle of Data Minimization?

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

... data minimization is a powerful tool for protecting against security and privacy threats. It is a basic security "best practice" that customers will and should be able to expect of any entity using revealing covered information. Moreover, in light of many recent high-profile breaches of sensitive consumer data, customer confidence that Smart Grid technologies and business practices employ sufficient privacy and security practices will be key to the growth and development of the Smart Grid marketplace.129

5.5.1. Positions of Parties on Data Minimization

PG&E agrees with the general goal of minimizing the scope and retention of covered information, but this goal should be balanced against the need by the Commission and utilities to maintain records and data for operational and policy purposes, such as resolution of customer billing disputes; energy policy planning and analysis; and cost of service review authorized by the Commission.130

... the potential for privacy to be compromised is minimized if the amount of personal and household information that is captured and retained by the utility and third-parties is limited. Data retention is an important subset of this issue. Personal information that is collected via Smart Grid systems should be retained only as long as needed for the purposes identified by the consumer.131

... the [proposed regulatory] scheme requires further analysis in order to achieve greater consistency in provisions and reasonably [sic] accommodation before the CPUC considers establishing electric utility operational FIPs. For example, SDG&E finds that the recommendation for implementation of the "Data Minimization Principle" requires further party and stakeholder discussion in order to fit the business needs of the electric utilities existing and potentially [sic] future operations. In addition, terminology used in the CDT & EFF proposal such as "shall" and "reasonable" is extremely vague, expression application is too broad, and the language may be subject to a variety of interpretations.132

The data retention requirements are both too limiting and too vague. It proposes energy usage information be kept "only for as long as necessary..." It is unclear under this standard whether a company that maintains Smart Grid data for 2 years could be liable for maintaining the data too long if its competitor maintains the same data for only 1 year. Moreover, it would seem to preclude Smart Grid applications that rely on several years of historical data.133

5.5.2. Discussion: Data Minimization Requirement is Reasonable

5.6. What Use and Disclosure Limitations Reasonably Protect Consumers Yet Permit the Authorized Use and Disclosure of Electricity Consumption Information?

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electric service provider, electrical corporation, gas corporation or community choice aggregator may collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

    (1) Initial Disclosure by a Covered Entity. A covered entity may disclose covered information to a third party without customer consent for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data, provided that the covered entity disclosing the data shall, by contract, require the third party to agree to collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule and, if the information is being disclosed for demand response, energy management or energy efficiency purposes, the disclosing entity permits customers to opt out of such disclosure.

    (2) Subsequent Disclosures. Any entity that receives covered information derived initially from a gas or electrical corporation, electric service provider or community choice aggregator may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the gas or electrical corporation, electric service provider or community choice aggregator from which the covered information was initially derived itself operates as required by this rule.

    (3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When an entity discloses covered information to any other entity under this subsection 6(c), it shall specify by contract that it shall be considered a material breach if the receiving entity engages in a pattern or practice of storing, using or disclosing the covered information in violation of the receiving entity's commitment to handle the covered information under policies no less protective than those under which the gas or electrical corporation, electric service provider or community choice aggregator from which the covered information was initially derived itself operates in compliance with this rule. If an entity disclosing covered information finds that an entity to which it disclosed covered information is engaged in a pattern or practice of storing, using or disclosing covered information in violation of the receiving entity's privacy and data security commitments related to handling covered information, the disclosing entity shall cease disclosing covered information to such receiving entity.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each such purpose, provided that authorization is not required when information is-

    (1) provided to a law enforcement agency in response to lawful process;

    (2) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

    (1) Authorization. Separate authorization by each customer must be obtained for each secondary purpose.

    (2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization.

    (3) Expiration. Customer consent shall be deemed to expire after two years, after which time customers will need to reauthorize any secondary purposes.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

5.6.1. Positions of Parties

... as a matter of public policy and practical implementation, PG&E does not recommend that utilities or their third party contractors or agents be required to enforce these privacy principles through the indirect means of commercial lawsuits or civil action for breach of contract. PG&E also does not recommend that such parties be required to directly register or be certified by the Commission because the benefit of such third party certification is likely to be offset by the deterrence of third parties from developing and providing new products and services to customers using covered information in a manner consistent with privacy rules already applicable to all entities under general law.144

Customers who have signed up for a service and continue to expect to receive it face potential interruption of service if they do not provide consent. Companies will face significant costs to keep track of, notify and obtain consent from a constantly evolving customer database. Even for a large company, this is burdensome and costly. For a small company, this is an onerous expense, potentially diverting resources away from research and development.147

Consumer expect that the choices they make regarding their data use preferences remain in effect until and unless they change them, and they should have the option to make changes at any time they choose. However, requiring an arbitrary expiration of consumer consent after a two-year period is neither beneficial or convenient to consumers and should not be adopted.148

5.6.2. Discussion: Enforcement Critical to Privacy Rules

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

    (1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

      a. when explicitly ordered to do so by the Commission; or

      b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data;

    provided that the electrical corporation disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

    (2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

    (3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection 6(c), it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

    (4) Liability. Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when: i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of purpose. This authorization is not required when information is-

    (1) provided pursuant to a legal process as described in 4(c) above;

    (2) provided in situations of imminent threat to life or property as described in 4(d) above; or

    (3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

    (1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

    (2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization.

    (3) Opportunity to Revoke. The consent of a customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

5.7. What Rules Reasonably Ensure the Quality and Integrity of Data and Protect its Security?

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. Upon request by the Commission, covered entities shall notify the Commission of security breaches of covered information.

5.7.1. Position of Parties

5.7.2. Discussion: Modified Rules Can Promote the Quality and Security of Data

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information.

(c) Annual Report of Breaches. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

5.8. What Rules Reasonably Assure the Accountability of Entities for Complying with Privacy Policies?

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit-

    (1) the privacy notices that they provide to customers,

    (2) their internal privacy and data security policies,

    (3) the identities of agents, contractors and other third parties to which they disclose covered information, the purposes for which that information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose, and

    (4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each covered entity shall conduct an independent audit of its data privacy and security practices periodically as required by the Commission to monitor compliance with its data privacy and security commitments, and shall report the findings to the Commission.

(e) Disclosures. On an annual basis, covered entities shall disclose to the Commission-

    (1) the number of authorized third parties accessing covered information,

    (2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the covered entities or authorized third parties, and the number of customers affected by such non-compliances.

Without robust and predictable accountability and auditing requirements, including regular disclosures of relevant practices to the Commission and meaningful customer redress mechanisms, there can be no oversight or enforcement, rendering the customer privacy protections fundamental to the rule ineffective. For this reason, accountability and enforcement are crucial to implementing the overall FIPs [Fair Information Practices] framework.162

5.8.1. Positions of Parties

TURN continues to be extremely troubled by the potential lack of enforcement and lack of potential penalties to deter violations.... TURN strongly recommends the adoption of a set fine as a deterrent. We also suggest a registration process, and violations should lead to suspension, similarly to the provision for deregistering an ESP [energy service provider] under PUC Section 394.1.164

5.8.2. Discussion: The Accounting and Auditing Rule Permits the Monitoring and Enforcement of Compliance with Privacy Policies

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit-

(1) the privacy notices that they provide to customers,

    (2) their internal privacy and data security policies,

    (3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.),, and

    (4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8.b, the following information:

    (1) the number of authorized third parties accessing covered information,

    (2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

5.9. Should We Adopt Rules Now or is Further Study Needed?

5.9.1. Position of Parties

...[It] proposes that the Commission consider adopting a new or revised General Order or policy statement on customer privacy consistent with these comments. The General Order or policy statement would reaffirm and codify the Commission's existing standards and orders on customer privacy, and would also implement the customer privacy standards enacted in SB 1476.170

5.9.2. Discussion: It is Reasonable to Adopt Rules Now

6. Should Utilities Provide Price Information to Customers? What Price Information Should they Provide?

(B) Information

Information provided under this section, to the extent practicable, shall include:

    (i) Prices. Purchasers and other interested persons shall be provided with information on-

    (I) time-based electricity prices in the wholesale electricity market; and

    (II) time-based electricity retail prices or rates that are available to the purchasers.

6.1. Positions of Parties

6.2. Discussion: PG&E, SCE, and SDG&E Should Provide Retail Price Information and Make Wholesale Price Information Available

7. What Access to Covered Data Should Utilities Provide and When Should they Provide it?

7.1. Position of Parties

This phased approach will allow SCE to be best prepared to provide customers and their authorized third parties with access to usage data in timely manner once the final standard and rules are adopted by the Commission.

... SCE recommends that the Commission order the IOUs to file applications in early 2011, detailing their respective plans to implement ESPI functionality, forecast costs and proposed recovery of implementation costs. Neither ESPI nor any comparable functionality was proposed in the Edison SmartConnect Application or in any other proceeding.215

The backhaul data is collected without any customer input, and the data is available only because the utilities installed the new communicating interval meters on the premises of residential and small commercial customers. These customers had no choice in the collection of the consumption data. For this reason, any dissemination of backhaul data should be highly protected through the rules proposed by CDT/EFF.219

... a customer can choose to voluntarily install "bolt-on technologies" to their meter and obtain real-time meter wireless output signal data to their own HAN Systems...[t]he customer chooses to obtain this data irrespective of any action by the utility, and should thus have complete control over the disposition of the data.221

EnerNOC believes that customers, and their authorized agents, should have access to data on a real-time basis at the meter through Zigbee227-enabled devices using Smart Energy Profile (SEP) protocol228 as soon as possible. Customers, or their agents, should be able to access all data recorded by the meter on as granular a basis as is possible. While not all customers may want or need this capability, the smart meters should be able to provide a choice of data interval and SEP is available today (version 1.0).229

7.2. Discussion

8. Conclusion

9. Comments on Proposed Decision

9.1. Who Is Covered by the Privacy Rules?

9.2. Should the Proposed Privacy Rules Be Adopted or Rejected?

9.3. Should the Proposed Privacy Rules Be Further Modified?

9.4. Other Issues

Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

9.5. Subsequent Filings and Rollouts of Information Services

10. Assignment of Proceeding

(1) provide or bill for electrical power,

(2) fulfill other operational needs of the electrical system or grid,

(3) provide services as required by state or federal law or specifically authorized by an order of the Commission, or

(4) implement demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission, or as part of a Commission authorized program conducted by a governmental entity under supervision of the Commission.

2. TRANSPARENCY (NOTICE)

    (a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

    (b) When Provided. Covered entities shall provide written notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide a conspicuous link to the notice on the home page of their website, and shall include a link to their notice in all electronic correspondence to customers.

    (c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

    (d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

    (a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed,

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and

    (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

    (b) the approximate period of time that covered information will be retained by the covered entity;

    (c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

    (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

    (2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

    (1) granting and revoking authorization for secondary uses of covered information,

    (2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

    (3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

    (1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

    (2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

    (3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

    (4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written form, and specific to the purpose and to the person or entity seeking the information.

    (5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

    (6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

    (1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency orenergy effiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

      a. when explicitly ordered to do so by the Commission, or

      b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data,

      provided that the covered entity disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

    (2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

    (3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection, it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

    (4) Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of secondary purpose. This authorization is not required when information is-

    (1) provided pursuant to a legal process as described in 4(c) above;

    (2) provided in situations of imminent threat to life or property as described in 4(d) above; or

    (3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

    (1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

    (2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization. Non-residential customers shall have the same right to revoke, unless specified otherwise in a contract of finite duration.

    (3) Opportunity to Revoke. The consent of a residential customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract..

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information.

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information.

(c) Annual Report of Breaches. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit-

(1) the privacy notices that they provide to customers,

    (2) their internal privacy and data security policies,

    (3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.), and

    (4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8(b), the following information:

    (1) the number of authorized third parties accessing covered information,

    (2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

1. DEFINITIONS

    (a) Covered Entity. A "covered entity" is (1) any electrical corporation,293 or any third party that provides services to an electrical corporation under contract, (2) any third party who accesses, collects, stores, uses or discloses covered information pursuant to an order or resolution of the Commission, unless specifically exempted, who obtains this information from an electrical corporation, or (3) any third party, when authorized by the customer, that accesses, collects, stores, uses, or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation.294

    (b) Covered Information. "Covered information" is any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify an individual, family, household, residence, or non-residential customer, except that covered information does not include usage information from which identifying information has been removed such that an individual, family, household or residence, or non-residential customer cannot reasonably be identified or re-identified. Covered information, however, does not include information provided to the Commission pursuant to its oversight responsibilities.

    (c) Primary Purposes. The "primary purposes" for the collection, storage, use or disclosure of covered information are to-

(1) provide or bill for electrical power or gas,

(2) provide for system, grid, or operational needs,

(3) provide services as required by state or federal law or as specifically authorized by an order of the Commission, or

(4) plan, implement, or evaluate demand response, energy management, or energy efficiency programs under contract with an electrical corporation, under contract with the Commission or as part of a Commission authorized program conducted by a governmental entity under the supervision of the Commission.

    (e) Secondary Purpose. "Secondary purpose" means any purpose that is not a primary purpose.

2. TRANSPARENCY (NOTICE)

    (a) Generally. Covered entities shall provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the accessing, collection, storage, use, and disclosure of covered information. Provided, however, that covered entities using covered data solely for a primary purpose on behalf of and under contract with utilities are not required to provide notice separate from that provided by the utility.

    (b) When Provided. Covered entities shall provide written notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity's notice regarding the accessing, collection, storage, use, and disclosure of covered information, and shall provide a conspicuous link to the notice on the home page of their website, and shall include a link to their notice in all electronic correspondence to customers.

    (c) Form. The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information and shall-

    (1) be written in easily understandable language, and

    (2) be no longer than is necessary to convey the requisite information.

    (d) Content. The notice and the posted privacy policy shall state clearly-

    (1) the identity of the covered entity,

    (2) the effective date of the notice or posted privacy policy,

    (3) the covered entity's process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and

    (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of covered information.

3. PURPOSE SPECIFICATION

The notice required under section 2 shall provide-

    (a) an explicit description of-

    (1) each category of covered information collected, used, stored or disclosed by the covered entity, and, for each category of covered information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed,

    (2) each category of covered information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and

    (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed;

    (b) the approximate period of time that covered information will be retained by the covered entity;

    (c) a description of-

    (1) the means by which customers may view, inquire about, or dispute their covered information, and

    (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of covered information and the consequences to customers if they exercise such limits.

4. INDIVIDUAL PARTICIPATION (ACCESS AND CONTROL)

(a) Access. Covered entities shall provide to customers upon request convenient and secure access to their covered information-

    (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

    (2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.

(b) Control. Covered entities shall provide customers with convenient mechanisms for-

    (1) granting and revoking authorization for secondary uses of covered information,

    (2) disputing the accuracy or completeness of covered information that the covered entity is storing or distributing for any primary or secondary purpose, and

    (3) requesting corrections or amendments to covered information that the covered entity is collecting, storing, using, or distributing for any primary or secondary purpose.

(c) Disclosure Pursuant to Legal Process.

    (1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose covered information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to covered information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

    (2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of covered information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.

    (3) Nothing in this rule prevents a person or entity seeking covered information from demanding such information from the customer under any applicable legal procedure or authority.

    (4) Nothing in this section prohibits a covered entity from disclosing covered information with the consent of the customer, where the consent is express, in written or electronic form, and specific to the purpose and to the person or entity seeking the information.

    (5) Nothing in this rule prevents a covered entity from disclosing, in response to a subpoena, the name, address and other contact information regarding a customer.

    (6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

(d) Disclosure of Information in Situations of Imminent Threat to Life or Property. These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

5. DATA MINIMIZATION

(a) Generally. Covered entities shall collect, store, use, and disclose only as much covered information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(b) Data Retention. Covered entities shall maintain covered information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

(c) Data Disclosure. Covered entities shall not disclose to any third party more covered information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific primary purpose identified in the notice required under section 2 or for a specific secondary purpose authorized by the customer.

6. USE AND DISCLOSURE LIMITATION

(a) Generally. Covered information shall be used solely for the purposes specified by the covered entity in accordance with section 3.

(b) Primary Purposes. An electrical corporation, a third party acting under contract with the Commission to provide energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission, or a governmental entity providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission may access, collect, store and use covered information for primary purposes without customer consent. Other covered entities may collect, store and use covered information only with prior customer consent, except as otherwise provided here.

(c) Disclosures to Third Parties.

    (1) Initial Disclosure by an Electrical Corporation. An electrical corporation may disclose covered information without customer consent to a third party acting under contract with the Commission for the purpose of providing energy efficiency or energy efficiency evaluation services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose covered information to a third party without customer consent

      a. when explicitly ordered to do so by the Commission, or

      b. for a primary purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data,

      provided that the covered entity disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

    (2) Subsequent Disclosures. Any entity that receives covered information derived initially from a covered entity may disclose such covered information to another entity without customer consent for a primary purpose, provided that the entity disclosing the covered information shall, by contract, require the entity receiving the covered information to use the covered information only for such primary purpose and to agree to store, use, and disclose the covered information under policies, practices and notification requirements no less protective than those under which the covered entity from which the covered information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

    (3) Terminating Disclosures to Entities Failing to Comply With Their Privacy Assurances. When a covered entity discloses covered information to a third party under this subsection 6(c), it shall specify by contract, unless otherwise directed by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the covered information in violation of the third party's contractual obligations to handle the covered information under policies no less protective than those under which the covered entity from which the covered information was initially derived operates in compliance with this rule.

    · If a covered entity disclosing covered information for a primary purpose being carried out under contract with and on behalf of the entity disclosing the data finds that a third party contractor to which it disclosed covered information is engaged in a pattern or practice of accessing, storing, using or disclosing covered information in violation of the third party's contractual obligations related to handling covered information, the disclosing entity shall promptly cease disclosing covered information to such third party.

    · If a covered entity disclosing covered information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party's misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission's direction, promptly cease disclosing that customer's information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

(4) Nothing in this section shall be construed to impose any liability on an electrical corporation relating to disclosures of information by a third party when i) the Commission orders the provision of covered data to a third party; or ii) a customer authorizes or discloses covered data to a third party entity that is unaffiliated with and has no other business relationship with the electrical corporation. After a secure transfer, the electrical corporation shall not be responsible for the security of the covered data or its use or misuse by such third party. This limitation on liability does not apply when a utility has acted recklessly.

(d) Secondary Purposes. No covered entity shall use or disclose covered information for any secondary purpose without obtaining the customer's prior, express, written authorization for each type of secondary purpose. This authorization is not required when information is-

    (1) provided pursuant to a legal process as described in 4(c) above;

    (2) provided in situations of imminent threat to life or property as described in 4(d) above; or

    (3) authorized by the Commission pursuant to its jurisdiction and control.

(e) Customer Authorization.

    (1) Authorization. Separate authorization by each customer must be obtained for all disclosures of covered information except as otherwise provided for herein.

    (2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization. Non-residential customers shall have the same right to revoke, unless specified otherwise in a contract of finite duration.

    (3) Opportunity to Revoke. The consent of a residential customer shall continue without expiration, but an entity receiving information pursuant to a residential customer's authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, unless specified otherwise in a contract of finite duration, but an entity receiving information pursuant to a non-residential customer's authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

(f) Parity. Covered entities shall permit customers to cancel authorization for any secondary purpose of their covered information by the same mechanism initially used to grant authorization.

(g) Availability of Aggregated Usage Data. Covered entities shall permit the use of aggregated usage data that is removed of all personally-identifiable information to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific customer information because of the size of the group, rate classification, or nature of the information..

7. DATA QUALITY AND INTEGRITY

Covered entities shall ensure that covered information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

8. DATA SECURITY

(a) Generally. Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) Notification of Breach. A covered third party shall notify the covered electrical corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical corporation or by a covered third party, the covered electrical corporation shall notify the Commission's Executive Director of security breaches of covered information within two weeks of the detection of a breach or within one week of notification by a covered third party of such a breach. Upon request by the Commission, electrical corporations shall notify the Commission's Executive Director of security breaches of covered information. In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting covered information, whether by the covered electrical corporation or by a third party.

    As a tariff condition, the Commission can require compliance with privacy rules by third parties who obtain usage information from utilities via the internet (also knows as "the backhaul").

9. ACCOUNTABILITY AND AUDITING

(a) Generally. Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit-

(1) the privacy notices that they provide to customers,

    (2) their internal privacy and data security policies,

    (3) the categories of agents, contractors and other third parties to which they disclose covered information for a primary purpose, the identities of agents, contractors and other third parties to which they disclose covered information for a secondary purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a primary purpose or a secondary purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received covered information from the covered entity.),, and

    (4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

(b) Customer Complaints. Covered entities shall provide customers with a process for reasonable access to covered information, for correction of inaccurate covered information, and for addressing customer complaints regarding covered information under these rules.

(c) Training. Covered entities shall provide reasonable training to all employees and contractors who use, store or process covered information.

(d) Audits. Each electrical corporation shall conduct an independent audit of its data privacy and security practices in conjunction with general rate case proceedings following 2012 and at other times as required by order of the Commission. The audit shall monitor compliance with data privacy and security commitments, and the electrical corporation shall report the findings to the Commission as part of the utility's general rate case filing.

(e) Reporting Requirements. On an annual basis, each electrical corporation shall disclose to the Commission as part of an annual report required by Rule 8.b, the following information:

    (1) the number of authorized third parties accessing covered information,

    (2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

1 SDG&E currently has a tariff for providing third party access to usage data. The SDG&E application will therefore differ from that filed by PG&E and SCE. The SDG&E application shall propose any changes needed to comply with the privacy protections adopted in this decision, to provide a common data format, and to facilitate Commission oversight of third parties obtaining data.

2 Chapter 497, Statutes of 2010.

3 SB 1476 was signed by the Governor and chaptered on September 29, 2010.

4 The focus on the specific usage data generated by the Smart Meters and its concrete uses is the analytic approach adopted in this decision. At every point, the decision seeks to avoid discussion of abstractions and instead focuses on actions needed to protect usage and personal data.

5 SB 1476 is appended to this decision as Attachment A.

6 Verizon consists of a group of licensed utilities in California consisting of California RSA No. 4 Limited Partnership, Cellco Partnership, Fresno MSA Limited Partnership, GTE Mobilnet of California Limited Partnership, GTE Mobilnet of Santa Barbara Limited Partnership, Los Angeles SMSA Limited Partnership, MCI Communications Services Inc., Modoc RSA Limited Partnership, Sacramento Valley Limited Partnership, Verizon California Inc., Verizon Wireless (VAW) LLC and WWC License L.L.C.

7 All references to Opening Comments in this document will refer to the responses filed on October 15, 2010, unless otherwise noted.

8 PG&E's review of applicable statutes and Commission decisions is included as Attachment B to this decision for reference purposes.

9 Throughout this document, unless otherwise noted, Reply Comments will refer to the reply comments filed on November 8, 2010.

10 Chapter 327, Statutes of 2009.

11 16 U.S.C. § 2621(d).

12 SB 1476, Chapter 497 of Statutes of 2010 at 1-2.

13 Joint Comments of the Center for Democracy & Technology and the Electronic Frontier Foundation on Proposed Policies and Finding Pertaining to the Smart Grid, March 9, 2010 at 15.

14 Id.

15 Proposed Smart Grid Privacy Policies and Procedures: Opening Response of the Center for Democracy & Technology and the Electronic Frontier Foundation to Assigned Commissioner's Ruling of September 27, 2010, at Appendix A at 1-4.

16 Opening Responses of Pacific Gas and Electric Company to Assigned Commissioner's Ruling on Customer Privacy and Security Issues, October 15, 2010, Appendix A: List of Current Statutes, Regulations, Decisions and Protocols Related to Customer Privacy Applicable to California Energy Utilities. We have included this as Attachment B to this decision.

17 This information was contained in a power point presentation made by PG&E at the workshop. The presentation was titled "Consumer Privacy Policy" and was made available to all parties through posting on the Commission's website. As of February 3, 2011, the presentation was available at http://www.cpuc.ca.gov/NR/rdonlyres/9B3563D4-5C59-4FD7-8DC4-24422AB6EFE2/0/PrivacyWorkshop_Oct2520103.pdf.

18 CDT Reply Comments at 1.

19 DRA Reply Comments at 1.

20 Id.

21 UCAN Opening Comments at 5.

22 TURN Opening Comments at 5.

23 Future of Privacy Forum Reply Comments at 2.

24 PG&E Reply Comments at 1.

25 SCE Reply Comments at 2.

26 SDG&E Reply Comments at 5.

27 Id. The terms "investor owned utility" (IOU) and "utility" are used interchangeably in this decision.

28 SoCalGas Reply Comments at 3.

29 Id. at 5.

30 EnerNOC Reply Comments at 8.

31 CEERT Reply Comments at 2.

32 Id. at 6.

33 AT&T Reply Comments at 2.

34 Verizon Reply Comments at 9.

35 D.10-06-047 at 41.

36 Id.

37 SoCalGas Reply Comments at 3.

38 ALJ Ruling, October 29, 2010, at 2.

39 Customer Representatives Opening Brief at 3.

40 Id. at 5.

41 Id. at 3.

42 Id. at 5.

43 PG&E Corp. v. Public Utilities Com. (2004) 118 Cal. App. 4th at 1174.

44 Customer Representatives Opening Brief at 5.

45 Id. at 8.

46 Id.

47 Id. at 11, quoting from Excerpts from Bill Analysis of Senate Judiciary Committee, SB 1476 (Padilla), 2009-2010 Regular Session, available at http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1451-1500/sb_1476_cfa_20100412_120118_sen_comm.html .

48 Id. at 12.

49 Id. at 15.

50 CFC Opening Brief at 7.

51 SCE Opening Brief at 2.

52 Id.

53 Id.

54 Id.

55 Id.

56 Id.

57 Hillsboro Properties v. Public Utilities Com. (2003) 108 Cal. App. 4th at 246.

58 PG&E Corp. v. Public Utilities Com. (2004) 118 Cal. App. 4th at 1174.

59 PG&E Opening Brief at 3.

60 Id. at 4, footnote omitted.

61 Id. at 6.

62 Id. at 8.

63 Id. at 8.

64 The Energy Detective (TED) device is a home energy monitor that enables the owner to see energy usage in real time. The TED device is currently commercially available.

65 Sempra Opening Brief at 9.

66 Telephone Companies Opening Brief at 6.

67 Id. at 6.

68 Id. at 8.

69 Technology Companies Opening Brief at 6.

70 Id. at 10.

71 Customer Representatives Reply Brief at 5.

72 The findings of Commission jurisdictional authority over third-party demand response providers (DRPs) as discussed in D.10-12-060 are not superseded by any jurisdictional designations herein.

73 Section 8380(b).

74 Section 8380(d).

75 Section 8380(e)(2), emphasis added.

76 Section 8380(c).

77 A non-utility HAN-enabled device must be authorized by the utility in order to enable the direct transfer of data from the Smart Meter. The process of authorization requires that the device be "registered" by the particular smart meter. A utility will provide this registration service to the consumer who either buys a device or subscribes to a service that uses the device.

78 There is a national effort to adopt standards for data exchange with the utility (a process called OpenADE - Open Automatic Data Exchange) and with the Smart Meter (a process called Smart Energy Profile) that will provide standardized and secure information. The Commission will consider via a regulatory proceeding whether to require California utilities to conform with these national standards when adopted.

79 It is important to note that the privacy requirements adopted here do not apply to the Commission and its agents, including but not limited to contractors and consultants. SB 1476 creates obligations applicable to "electrical or gas corporation[s]." The Commission and its agents are subject to separate statutory provisions pertaining to the protection of data. These requirements are not the subject of this decision.

80 Although SDG&E currently provides this data via tariff, this decision also requires an application from SDG&E to ensure that its program to provide this information eventually shares a common structure with that of SCE and PG&E.

81 We clarify that our action does not absolve a utility of liability in situations where the utility is reckless in sharing the data with the third party.

82 CDT Reply Comments at 3.

83 CDT Reply Comments at 11.

84 Id.

85 Id.

86 Id. at 4-5.

87 Id. at 4.

88 SCE Reply Comments at 3.

89 TechNet and the State Privacy and Security Coalition Reply Comments at 6-7.

90 TURN Reply Comments at 6.

91 Id.

92 SoCalGas Reply Comments at 4-5.

93 DRA Opening Comments on PD at 11.

94 Id.

95 CEERT Opening Comments on PD at 10-11.

96 PG&E Opening Comments on PD at 4.

97 SDG&E Opening Comments on PD at 6.

98 R.08-12-009 at 13, emphasis added.

99 These utilities do not propose to install Smart Meters at this time.

100 CASMU Comments on PD at 2.

101 CDT/EFF Opening Comments on PD at 4-8.

102 SDG&E Opening Comments on PD at 12-13.

103 SDG&E Comments on PD at 6.

104 At this time "any electrical corporation" includes only PG&E, SCE, and SDG&E. Phase 2 of this proceeding will determine whether these rules should apply to gas corporations and other electrical corporations.

105 The Commission and its agents, including but not limited to contractors and consultants, are not "covered entities" subject to these rules because the Commission and its agents are subject to separate statutory provisions pertaining to data. In addition, these rules do not apply at this time to gas corporations, other electrical corporations, community choice aggregators, or electric service providers. Phase 2 of this proceeding will make that determination.

106 This conclusion is based on a review of PG&E's Reply Comments at Appendix A at 6. PG&E recommends no revisions to the wording proposed by CDT.

107 SCE Comments at 4.

108 CDT/EFF Comments on PD at 8.

109 CDT/EFF Comments on PD at 9.

110 TechNet, Comments on PD at 14.

111 PG&E Comments on PD at 2-3.

112 Verizon Reply Comments at 4.

113 Id. at 4.

114 Id. at 5.

115 CDT Reply Comments at 5-6.

116 PG&E Reply Comments at 6.

117 Id.

118 SCE Reply Comments at 5.

119 TechNet and the State Privacy and Security Coalition Reply Comments as 6-7.

120 Verizon Reply Comments at 4.

121 CDT/EFF Comments on PD at 10-11.

122 Verizon Coments on PD at 11.

123 SCE Reply Comments at 6.

124 Id.

125 Id. at 7.

126 Id.

127 CDT/EFF Comments on PD at 12, footnote omitted.

128 Section 2891(d)(5).

129 CDT Reply Comments at 7, footnotes omitted.

130 PG&E Reply Comments at 8.

131 UCAN Reply Comments at 5.

132 SDG&E Reply Comments at 5.

133 AT&T Reply Comments at 1.

134 TechNet and the State Privacy and Security Coalition Reply Comments at 7.

135 Id. at 8.

136 CDT/EFF Comments on PD at 13-14

137 Ontario Comments on PD at 5.

138 TechNet and the State Privacy Coalition Reply Comments at 8-9.

139 CDT Reply Comments at 15-16.

140 Id.

141 Id.

142 Id. at 16.

143 Id. at 18.

144 PG&E Reply Comments at 10.

145 DRA Comments on PD at 2.

146 SDG&E Comments on PD at 15.

147 TechNet and the State Privacy and Security Coalition Reply Comments at 9.

148 Verizon Reply Comments at 5.

149 AT&T Reply Comments at 1.

150 Id. at 2.

151 Id. at 2.

152 EnerNOC Reply Comments at 5.

153 Id.

154 SCE Comments on PD at 16.

155 TURN Reply Comments.

156 DRA Reply Comments at 9.

157 Id. at 10.

158 Pub. Util. Code § 8380(e)(1).

159 PG&E Reply Comments at 10.

160 Id. at 10.

161 CFC Reply Comments at 12.

162 CDT Reply Comments at 8.

163 SCE Reply Comments at 10.

164 TURN Reply Comments at 9.

165 PG&E Comments on PD at 7.

166 SDG&E Reply Comments at 2, footnote omitted.

167 SDG&E Reply Comments at 5.

168 Id.

169 TURN Reply Comments at 5.

170 PG&E Opening Comments at 6.

171 SCE Reply Comments at 2.

172 Verizon Reply at 2.

173 D.09-12-046 at 3.

174 Id.

175 PG&E Reply Comments at 2.

176 Id. at 3.

177 Id.

178 SCE Opening Comments at A-5.

179 Id.

180 SCE Reply Comments at 13.

181 Id.

182 Id. at 14.

183 Id. at 15.

184 Id.

185 Id.

186 SCE Opening Comments at A-5 to A-6.

187 SDG&E Opening Comments at 11.

188 Id.

189 ISO Reply Comments at 2.

190 Id.

191 DRA Reply Comments at 3.

192 Id.

193 Id.

194 Id. at 4.

195 DRA Comments on PD at 15.

196 DRA Comments on PD at 16-20.

197 CAISO Comments on PD at 3-4.

198 TURN Reply Comments at 3.

199 Id. at 4.

200 Id.

201 Id.

202 Id.

203 Id. at 5.

204 UCAN Comments at 2.

205 D.09-12-046 at 11 citing 16 U.S.C. § 2621(d)(19).

206 The Commission is aware of many activities going on at the national level to create standardized formats around what data to provide and the means to provide customers with information through such initiatives as the OpenADE initiative. Such initiatives provide for interoperability, which is a central tenet of this Commission, the State and national and Federal Smart Grid policy-making efforts.

207 PG&E Opening Comments at 2.

208 SCE Opening Comments at A-2 to A-3.

209 SDG&E Opening Comments at 4-5.

210 PG&E Reply Comments at 4.

211 PG&E Comments on PD at 2.

212 Id. at 8.

213 SCE Reply Comments at 11-12.

214 Id. at 12.

215 Id.

216 SCE Comments on PD at 22-23.

217 Id. at 23.

218 SDG&E Opening Comments at 12.

219 TURN Reply Comments at 11-12.

220 TURN Comments on PD at 11-12.

221 Id. at 12.

222 UCAN Reply Comments at 3.

223 SoCalGas Reply Comments at 3.

224 SDG&E Reply Comments at 6.

225 DRA Comments on PD at 5.

226 Id. at 13-14.

227 Zigbee is a specification for a suite of high level communication protocols using small, low-power digital radios for low-data-rate wireless personal area networks.

228 Smart Energy Profile (SEP) is a particular protocol in the Zigbee series. SEP 1.0 is currently available and SEP 2.0 is under development.

229 EnerNOC Opening Comments at 10-11.

230 SEP 2.0 is anticipated to provide better security features, among other features, than is available in SEP 1.0.

231 Control4 Reply Comments at 2.

232 Tendril Opening Comments at 9, footnote omitted.

233 DRSG Comments on PD at 2.

234 Id. at 5.

235 Id. at 8.

236 DRSG Comments at 7.

237 DRA Comments on PD at 21.

238 UCAN Comments on PD at 7.

239 TURN Comments on PD at 12.

240 Id. at 13.

241 SDG&E, Advice Letter 2100-E (July 31, 2009) at 2.

242 DRA Comments on PD at 21 notes that D.07-07-042 FOF 4 authorized recovery of funds for SCE and D.09-03-026 authorized recovery of HAN-related funding for PG&E. For SDG&E, D.07-04-043 at 13 also authorized recovery of HAN-related funding.

243 CFC Opening Comments on PD at 3-6.

244 DRA Opening Comments on PD at 8.

245 UCAN Opening Comments on PD at 3.

246 EDF Opening Comments on PD at 4.

247 EDF Opening Comments on PD at 5.

248 CCTA Opening Comments on PD at 2.

249 CEA Opening Comments on PD at 2.

250 TURN Opening Comments on PD at 4.

251 SCE Opening Comments on PD at 11.

252 DRSG Opening Comments on PD at 12.

253 CEERT Opening Comments on PD at 1.

254 DRA Opening Comments on PD at 5.

255 TechNet Opening Comments on PD at 6.

256 SDG&E Opening Comments on PD at 6.

257 UCAN Opening Comments on PD at 3.

258 EDF Opening Comments on PD at 9.

259 DRSG Opening Comments on PD at 6.

260 CEERT Opening Comments on PD at 9.

261 Verizon Opening Comments on PD at 2-3.

262 AT&T Comments on PD at 1.

263 FPF Comments on PD at 2.

264 CTIA Reply Comments on PD at 1-2.

265 CCTA Reply Comments at 3.

266 UCAN Comments on PD at 1.

267 SDG&E Comments on PD at 3.

268 TURN Comments on PD at 2.

269 SCE Comments on PD at 1.

270 CDT/EFF Comments on PD at 1.

271 DRA Comments on PD at 1.

272 CAISO Comments on PD at 1.

273 Walmart Comments on PD at 1.

274 PG&E Comments on PD at 1.

275 OPOWER Comments on PD at 3.

276 CEERT Comments on PD at 10.

277 CCTA Reply Comment on PD at 5.

278 CEERT Comments on PD at 10.

279 PG&E Reply Comments on PD at 3.

280 AT&T Comments on PD at 8.

281 Verizon Comments on PD at 9-10.

282 Verison Comments on PD at 12.

283 Verizon Comments on PD at 13.

284 AT&T Comments on PD at 11-12.

285 CDT/EFF Reply Comments on PD at 4, citing from Foothill Federal Credit Union v. Superior Court (2007).

286 Verizon Comments on PD at 16.

287 Verizion Comments on PD at 18-19.

288 PG&E Comments on PD at 6.

289 TURN Comments on PD at 7.

290 LGSEC Comments on PD at 4.

291 Id. at 2.

292 Id.

293 At this time "any electrical corporation" includes only PG&E, SCE, and SDG&E. Phase 2 of this proceeding will determine how rules should apply to gas corporations and to PacifiCorp, the Sierra Pacific Power, Bear Valley Electric Service and Mountain Utilities.

294 The Commission and its agents, including but not limited to contractors and consultants, are not "covered entities" subject to these rules because the Commission and its agents are subject to separate statutory provisions pertaining to data. In addition, these rules do not apply at this time to gas corporations, other electrical corporations, community choice aggregators, or electric service providers. Phase 2 of this proceeding will make that determination.

Top Of PageGo To First Page