I had the pleasure of attending a two-day seminar on Managing SCADA Network Security Risks. One of the most interesting seminars was Data Access and Privacy Issues Related to Smart Grid Technologies by Megan Hertzler, Assistant General Counsel with Xcel Energy. She said that when the meter reader used to come to the house and record your electrical usage, it was aggregate data. There were no privacy issues and the electric company owned the data. Now with Smart Meters the electric company can:
- Detect how many people live at your house by watching the number of cycles of your hot water heater (not accounting for bad hygiene);
- Know when you’re home by the energy cycle of the TV;
- Know when you’re awake by the energy signature of the coffee pot or the toaster; and
- Know whether you’ve got a hydroponics ‘project’ in the house (you know what I’m talking about).
This data is considered granular data and can be used to track what you do and where you are. Once data becomes granular, the ‘Pandora’s box’ of data privacy is opened up. Questions such as data ownership, data usage and data protection become new challenges for utility companies.
Several states’ public utility commissions have begun to tackle these issues and implement laws. California (Docket No: 08-12-009), Oklahoma (H.B. 1079, 59 Leg., 1st Sess. Okla. 2011), and Colorado (Docket No. 10R-799E) have implemented similar but slightly different laws. For instance, in business-friendly Oklahoma the law stipulates that the utility owns usage data and that the utility may provide access to third parties and charge a fee.
Colorado and California say the utility owns the data but can’t use it without customer consent and must secure the data. Oddly, what’s missing from all these state laws is any penalty for data breaches and any definition of what constitutes a data breach. Ms. Hertzler went on to say that she expects that is coming. It isn’t like the utilities don’t know they have to protect the data or how to do it. They have to protect SSNs and credit card data collected for online and auto-pay options. Where there seems to be some agreement over these issues is that the data needs to be protected; that it’s owned by the utility but customers should have full access; that responsibility for security of the data should be extended to third parties that are given access; that utilities can use the data for their own business purposes without customer consent; and that utilities can recover their costs for providing access. I’ll bet a shiny new nickel that the state PUCs will want to regulate what the utilities charge for providing third parties access. All the other privacy issues are still being played out at various levels of state, local, and federal governments.
This is a case where utilities will actually welcome the federal government stepping in and passing a single privacy standard for this kind of data. For utilities that operate in many states, adhering to all the state regulations with their nuanced differences will be far too onerous.