HD7 - HB 2332 Data Access and Privacy (Chapter 399, 2019)
During the 2019 Virginia General Assembly session, the General Assembly approved HB 2332, which was signed by the Governor and required the State Corporation Commission (SCC) to convene a stakeholder process to obtain recommendations for nine (9) identified areas related to electricity data access and privacy and provide a report to the State Corporation Commission by April 1, 2020.
The SCC, using an independent facilitator, organized a stakeholder group of 73 individuals representing 46 different organizations, including Virginia electric utilities and electric cooperatives, energy efficiency organizations, housing organizations, gas and water utilities, and public policy organizations. Between October 1, 2019 and March 31, 2020, the group was able to meet three times. The stakeholders conducted the majority of its work between the meeting dates as sub-groups, which divided the nine topic areas into three sub-group committees.
STAKEHOLDER GROUP FINDINGS
The stakeholder group was not able to reach consensus on a set of recommendations due to the complexity of issues addressed in the legislation and the compressed timeframe of the process. The stakeholder group generated three (3) core principles that should be centrally supported by any legislation, policy, or rulemaking. These are:
1) Protection of customer data privacy is imperative.
2) Sharing of customer data, which identifies a specific customer, must be done securely and with prior customer authorization. If data is to be shared on an aggregated basis, customers should be provided with an easy process to opt-out of aggregated data.
3) Any process established for sharing of customer data should be designed to mitigate and minimize and if possible, eliminate, risk to the utility, its physical and cybersecurity, or its infrastructure and systems.
The stakeholder group acknowledges more time is needed for the group to deliberate and generate recommendations that address the complexity of utility data access, sharing, and privacy in the Commonwealth. As a result of (i) these timing constraints; (ii) the lack of clear stakeholder consensus; and (iii) the complexity of the issues, it may be premature for any legislative directives; more study and time in the stakeholder process may be needed. It is strongly suggested by the stakeholder group and the independent facilitator that additional work is necessary to address the needs of the broad range of stakeholders prior to the enactment, by either the SCC or the General Assembly, of any requirements for new processes or rules.
The initial work conducted by the stakeholder group can be further acted upon to provide recommendations that will be effective, efficient, and cover the needs of the range of stakeholders.
What is presented in the report are the findings of each sub-group organized into “considerations." These considerations should not be considered recommendations or statements reflective of a group consensus. The considerations are organized by the nine Legislative Bullets.
LEGISLATIVE BULLET #1: CUSTOMER PRIVACY CONSIDERATIONS
1. Customer privacy considerations, including the establishment of the definitions for, and the protection of, personally identifiable information and energy usage data resulting from the deployment of advanced metering infrastructure by the electric utility.
• Use the Term “Covered Information" Instead of Personally Identifiable Information – The term “personally identifiable information" is too limiting to define the totality of protected customer information. Covered information represents all information about customers that is protected by utilities.
• Define Primary Purpose vs. Secondary Purpose of Data Sharing - Data sharing may take on different purposes, therefore, it is important that a distinction be made whereby the primary purpose of data sharing is for the delivery of a regulated utility service, or Commission-approved program, and secondary purpose, which is any other reason for data sharing. Depending on the purpose, different privacy and security treatments of customer data should apply.
• Define Eligibility Criteria for Third Party Recipients of Individual Customer Data - A key component of protecting privacy is determining who should be eligible to receive customer data. The General Assembly should consider that in defining third party eligibility requirements, third parties must be an adoptee of the U.S. Department of Energy’s DataGuard code of conduct, which requires processes that allow the customer to control access to his or her data for secondary purposes (i.e., to authorize differential access to multiple Third Parties, limit the duration of access, keep a record of data releases, rescind authorizations, and dispose or de-identify data once authorization or the need for the data has expired).
• Define Enforcement Policy Against “Bad Actors" - The General Assembly and the Commission should establish a clear enforcement pathway against a third party who has violated the law or a customer’s privacy. In other jurisdictions, the approach to enforcement varies depending upon the Commission’s jurisdiction over third parties. There was no discussion or conclusions by stakeholders about what jurisdiction the SCC may have over third parties in Virginia.
LEGISLATIVE BULLET #2 – DATA SECURITY
2. The impact of data sharing on the physical and cybersecurity of utility infrastructure and systems.
• More Time is Needed to Research and Understand the Physical and Security Impact of Data Sharing on Infrastructure and Systems - Each regulated utility (investor-owned and cooperative) has unique physical infrastructure that they will need to review dependent upon changing Federal and state mandates.
• The General Assembly and Commission Do Not Need to Regulate Physical and Cyber Security Standards - Virginia’s utilities are already governed by a comprehensive suite of Federal and state laws related to cyber and physical security. If the Commission is to regulate a data access standard and third-parties’ use of and access to that data, it should do so without intruding on the subject matter of cyber and physical security.
LEGISLATIVE BULLET #3 – AGGREGATING ANONYMIZED DATA
3. Aggregating anonymized energy usage data.
• More Time is Needed to Define the Terms and Use of Anonymized and Aggregated Data – Each term is generally understood, but to ensure customer privacy, if data is to be shared with a third party, more discussion is needed to determine thresholds of aggregation that sufficiently maintain individual privacy, the different parameters needed for use of customer data compared to energy usage data, and the impact of data aggregation on rural cooperatives.
LEGISLATIVE BULLET #4 – CUSTOMER AND USER-FRIENDLY FORMAT
4. The format for data access that is customer-friendly and computer-friendly.
• Aggregate data should be provided in a modern, timely, and systematic manner – To include streamlined data access (single unique identifier); secure, quick and convenient data transfer with capability to download in multiple formats; and calendarized data that is aligned with management and planning practices of commercial and residential customers.
LEGISLATIVE BULLET #5 – NATIONALLY RECOGNIZED STANDARDS
5. Ensuring that standards and practices for access to data adhere to nationally recognized standards and best practices.
• Further Explore Recognized Standards and Best Practices and How They May Be Adopted by Virginia – The stakeholder group did not reach consensus on specific standards. National standards should be reviewed and adapted specifically to Virginia with a potential starting point being the Green Button Connect My Data standard, which provides a set of standards for allowing secure, interoperable transfers of energy-usage and billing information between utilities and authorized third parties. The Green Button standard has been ratified by the North American Energy Standards Board (NAESB).
LEGISLATIVE BULLET #6 – CUSTOMER OPT-IN/OPT-OUT
6. Opt-in/opt-out conditions for access to customers' utility usage data by the electric utility, a contracted agent, and a third party.
• Further Discussion is Needed to Define Customer Opt-In and Opt-Out Conditions – The stakeholder group suggested, if data is to be shared:
• Individual Data should be consent-based when it is being shared with a third party. The customer should be able to opt-in and opt-out easily.
• Aggregated Data assumes customer data is not re-identifiable and the customer can choose to opt-out as data aggregation thresholds and definitions of “covered information" and “unshareable" data are deemed sufficient to protect customer privacy.
• Anonymized Data should be defined through a transparent process that allows appropriate input from the customer community.
• Third party and eligibility definitions are needed.
LEGISLATIVE BULLET #7 – CURRENT DATA ACCESS PROVISIONS
7. Current data access and sharing provisions resulting from the deployment of advanced metering infrastructure implemented by other utilities in the Commonwealth.
• A Portion of Future Provisions May Apply Regardless of Metering Technology - Within provisions for data access and sharing, defining the specific data type(s) for access and sharing should be considered. Consideration should be focused on energy usage data for billing (kW, kWh, etc.). In future legislation, policy or rulemaking, developers will need to also consider:
• Provisions for recovery of incremental cost to provide customer data outside of standard availability
• Further analyses of related rules and regulations (i.e. Privacy, Retail Access, etc.)
LEGISLATIVE BULLET #8 – COST RECOVERY
8. Costs of and cost recovery mechanisms for changes to electric utility infrastructure needed to implement regulations.
• Cost Recovery Will Need to Be Adaptable to Different Utility Models -
• Cost Recovery for Data Access for Consumers of Investor-Owned Electric Utilities - Costs undertaken by utilities to comply with data access laws and regulations should be recoverable through Virginia’s current regulatory process . To the extent such costs are for additional infrastructure (i.e., customer information system upgrades and cyber security), utilities may elect to recover those costs as part of a grid transformation project through its rates for generation and distribution services, and/or a customer credit reinvestment offset. The costs of fulfilling any special request are borne by the customer and should be based on the specifics of the data request and the associated costs of developing, processing, and transmitting the requested data.
• Cost Recovery for Data Access for Consumers of Cooperative Electric Utilities - Costs undertaken by utilities to comply with data access laws and regulations should be recoverable. The costs of fulfilling any special request are borne by the customer and should be based on the specifics of the data request and the associated costs of developing, processing, and transmitting the requested data. Cost recovery for any program would be through base rates through Virginia’s current regulatory process.
LEGISLATIVE BULLET #9 – CUSTOMER DATA USAGE NOTIFICATION REQUIREMENTS
9. Notice requirements by utilities to customers regarding the types of energy usage data being collected, how that data is used by the utility to provide the utility service, how customers can access their data, how the customer can manage and direct what specific information from their energy usage data can be shared, with whom this data can be shared outside the utility, and when the data can be shared.
• Use Best Practices from Other Jurisdictions - Best practices from the Federal government and other states should be considered in Virginia. As an example, the Federal Fair Information Practices (FIPs) include:
• Notice/awareness: Customers should be given notice of a utility’s information practices
• Choice/consent: Choice and consent in an online context means giving customers options to control how their data is used.
• Access/participation: Customers should be able to view the data collected about them and be able to verify and or contest its accuracy.
• Integrity/security: Utilities should ensure that data collected is accurate and protected against unauthorized access.
• Enforcement/redress: There must be some enforcement mechanism(s) for consumers to seek a remedy from violators (see “Enforcement" above).
The FIPs have been incorporated into the U.S. Department of Energy’s DataGuard Energy Data Privacy Program, as well as other state commission’s policies, including California, Colorado, and Michigan.
The stakeholder group wanted to convey the following five points to the General Assembly as it considers next steps.
1. The Process Should Result in a Flexible Solution to Accommodate Different Stakeholder Needs - Any policy developed cannot be a one-size-fits-all approach but should allow for some variation to address different stakeholder needs.
2. Data access and privacy, as a concept to research and address, is complex, requires multiple perspectives to be considered, and needs additional time than was provided by the Legislation, to develop more specific recommendations.
3. Customer Focus is Paramount to Success - The stakeholders repeatedly noted the importance of protecting customer data and ensuring clarity on how energy-related data will be used, i.e. identifying that a critical driver between access and privacy is customer consent, and educating customers on data collection, use, and disclosure, will be critical.
4. Contextual Issues Must Be Considered - Any policy or legislation that might be proposed needs to include provisions that enable flexibility to adjust and adapt in an agile and feasible manner to changing conditions.
5. The Stakeholder Process Should Continue – So far, the Virginia stakeholder process has allowed stakeholders dedicated to energy efficiency and appropriate energy data use to provide a wide range of perspectives, share different models and approaches, and have deep discussions about the issues associated with data access, sharing and privacy. It is important that the stakeholders and the Commission Staff maintain a role in the development of potential legislation, policy, and implementation guidance to best inform the General Assembly and the SCC in their deliberations.