By Joe Hall, Bob Cattanach, and Brad Hammer
Dorsey & Whitney LLP
Energy, Cyber Security, and Privacy Practice
The integration of renewable energy and environmental policy has meant the power industry has had to rethink core assumptions about fuel sources, costs, reliability, and centralized planning. It has also had to reconsider the traditional utility-customer relationship. As distributed generation has grown around the country, energy monitoring and smart metering have increased to better meet power demands. But there is a fine line between monitoring and privacy.
One important conversation has far-reaching implications: the legal and regulatory treatment of customer energy usage data or CEUD. The ownership and treatment of CEUD touches legal issues that include customer privacy rights and a business’s ability to protect potential trade-secret operations. Is it fair game that your neighbors, local businesses, or even the government have access to data on how and when you use electricity or, in some cases, even where it comes from, such as natural gas, fossil fuels, or wind power?
In the absence of significant regulatory clarity in the near future, the current lack of guidance in this area may create significant and sometimes unforeseen risks for the industry. Utilities, regulators, and many consumers are strongly invested in discussions over what may become the next-generation utility model at the federal and state level.
Recent advances in metering technology have allowed a detailed exchange of data between a utility and its customers. Through the use of smart meters, this data can serve as an effective tool for more efficient energy pricing and billing by helping utilities better regulate and measure electricity use over time.
However, one concern is that the exchange of CEUD is not necessarily just between utilities and customers. A variety of stakeholders may seek this information for various business, political, and policy objectives such as:
- Target marketing. Businesses selling products and services aimed at increasing home or building efficiency could benefit from customer power-usage data.
- Regulatory enforcement. Local governments may need CEUD to support and enforce local ordinances that mandate energy use reduction in buildings within their borders.
- Conservation compliance. State agencies may seek to verify compliance with conservation, energy efficiency, and emissions reduction efforts (most state agencies may already have access to such data through mandated reporting, but may seek more granular and precise information).
- Efficiency mandates. Owners of apartments or large buildings could request tenant-specific power usage to monitor and encourage energy efficiency, or to ensure compliance with local ordinances.
- Environmental watchdogs. Energy or environmental “watchdog” groups may want power-usage data to enforce conservation, efficiency, or emission reduction requirements on utilities, or customers, or both.
Based on the steady trend over the last decade, the demand for CEUD is almost certain to increase. Privacy law is a relatively new consideration in the power industry, and few regulations exist to define the obligations and protections that apply to power-usage information. Most significantly, under current law, it’s not at all clear who actually owns CEUD – the utility or the customer.
In most jurisdictions, it’s also unclear whether there is any legal obligation to disclose or protect CEUD. This places utilities and their customers in a challenging position and raises a number of fundamental questions:
- Without a set legal mandate, does a utility have a duty to protect CEUD?
- In the absence of any specific formal requirements, can a utility’s customers (retail or industrial) seek redress if they are harmed by the disclosure, intentional or inadvertent, of CEUD?
- Is power-usage data sufficiently important to the “public interest” to warrant regulatory protection and provide regulators with the authority to act on CEUD?
- If protection is warranted, should it occur at the state or federal level?
In the absence of regulatory guidance, the rights and liabilities associated with the ownership and protection of CEUD and commercial information will default to bilateral agreements between negotiating parties (typically with a leverage imbalance), and potentially to common law through precedent-setting litigation.
Current regulations
While the National Institute of Standards and Technology has issued standards that provide specific guidance with regard to smart-grid cyber security, those standards provide an imprecise discussion with respect to power-usage and data privacy concerns.
To date, only a limited number of states have provided direction concerning ownership, protection, and disclosure of CEUD.
- In some states, such as California, the Legislature addressed the treatment of CEUD by statute.
- In other states, including Colorado and Minnesota, public-utility commissions are beginning to address CEUD based on their regulatory jurisdiction over the retail customer and utility relationship, or the power to promote efficiency and conservation.
- In those states addressing usage data, the trend has been to treat the CEUD as belonging to the customer even though it’s the utility that creates and collects the data. That means customers have the ultimate say over its disclosure, and the utility may only use the data to perform its regulated utility functions (e.g. providing service, billing, dispatching for repairs).
This balancing act between protecting data and the utility’s use of that data for legitimate purposes may shift if the information becomes “de-identified” through aggregation. Through the process of aggregation, information that could identify a specific customer is removed, and a larger set of customers is grouped into a set of CEUD (often based on geography).
For example, Colorado uses the fairly common “15/15” standard. In it, an aggregated set of CEUD must have at least 15 customers, and no one customer can account for more than 15% of energy use in a set. Although the individual energy-use data remains accessible, it’s non-specific to any one customer.
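The 15/15 test described above can be checked mechanically before an aggregated set is released. The following is an added example, not part of the original article and not any utility's or regulator's code; the group labels, customer IDs and kWh figures are constructed, and withholding the total for a failing set is an assumption about how such a set would be handled.

```python
from collections import defaultdict

MIN_CUSTOMERS = 15   # an aggregated set needs at least 15 customers
MAX_SHARE = 0.15     # no one customer may exceed 15% of the set's energy use


def aggregate_15_15(readings):
    """readings: iterable of (group, customer_id, kwh) tuples.

    Returns {group: result}; the total is withheld (None) when the set fails.
    """
    per_group = defaultdict(lambda: defaultdict(float))
    for group, customer, kwh in readings:
        per_group[group][customer] += kwh  # a customer may have several meters

    results = {}
    for group, usage in per_group.items():
        total = sum(usage.values())
        top_share = max(usage.values()) / total if total > 0 else 0.0
        reasons = []
        if len(usage) < MIN_CUSTOMERS:
            reasons.append("fewer than 15 customers")
        if top_share > MAX_SHARE:
            reasons.append("one customer exceeds 15% of usage")
        results[group] = {
            "customers": len(usage),
            "releasable": not reasons,
            "total_kwh": None if reasons else round(total, 1),
            "reasons": reasons,
        }
    return results


# Constructed sample data (assumption): three geographic groups.
SAMPLE = (
    [("ZIP-A", f"res-a{i}", 900.0) for i in range(20)]    # 20 similar homes
    + [("ZIP-B", f"res-b{i}", 900.0) for i in range(19)]  # 19 homes ...
    + [("ZIP-B", "plant-1", 40000.0)]                     # ... plus one large plant
    + [("ZIP-C", f"res-c{i}", 900.0) for i in range(8)]   # sparsely populated area
)

if __name__ == "__main__":
    for group, result in sorted(aggregate_15_15(SAMPLE).items()):
        print(group, result)
```

ZIP-B has enough customers but still fails because the single plant dominates the total, while ZIP-C fails on customer count alone.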
Aggregation, however, is not without its limits and critics. Some – especially large commercial or industrial customers – challenge the efficacy of aggregation. Why? Because certain characteristics of their energy use patterns are so unique that they’re impossible to securely mask without risk of exposure. A failure to secure the data effectively may expose such commercial and industrial customers to “corporate espionage” by those attempting to gain competitive intelligence about a particular entity’s commercial operations (such as the cost of production at a facility).
The challenges of protecting usage data extend beyond affirmative corporate espionage. For example, utilities sometimes struggle with competing obligations when disclosure of CEUD is required under federal or state laws addressing generator interconnections.
Competing objectives can create conflicting mandates from state PUCs where a utility is required to provide certain interconnection data through interconnection studies, but doing so could expose the CEUD that the PUC would otherwise treat as trade secret or proprietary information.
With increased interest in distributed generation or large remote generators, utilities are conducting studies for and providing interconnections to an expanding number of entities wishing to interconnect to sparsely populated areas of electric distribution systems. Even if this data is anonymized or aggregated, these studies may inadvertently result in an information release on large commercial or industrial customers.
The path forward
Without a federal standard, the appropriate treatment of CEUD in the power industry will likely find resolution on a state-by-state basis. Unfortunately, on some level this correlates to an inconsistent and potentially conflicting patchwork quilt of regulatory obligations. It also means regulatory guidance is not likely to happen anytime soon.
In the meantime, consumers and businesses will have to continue to try to find ways to protect their privacy and trade secret information. The proliferation of distributed generation may also force utilities to reconsider their CEUD policies and may even prompt tariff revisions as disparate stakeholders seek state PUC guidance.
Even the potential solution of aggregation has its limits, and the rapid evolution of metering technology is sure to complicate the challenge. While a few states have made efforts to formulate policies for CEUD, not enough time has passed to evaluate the best processes to date.
For now, one thing is certain: the inexorability and complexity of CEUD-related questions will not wait for the law to catch up, and industry participants will have to make decisions based on a variety of predictive indicators unique to their situation and jurisdiction.
For a digital copy of the entire October issue of Windpower Engineering & Development, click here.