California Proposes Smart Grid Data Privacy Standards

The California Public Utilities Commission (PUC) has released a proposed decision that would specify security and privacy requirements for all data collected and stored by smart meters.

Its 143-page proposal is open for public comment until May 26. In early June, the proposal will be considered by the commission, at which point it may adopt all, some, or none of it.

With experts warning that smart grids too often lack appropriate security controls, California's efforts could serve as a template for how other states work with power providers to improve smart meter and smart grid security.

"The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention," said attorney Timothy Tobin, an associate at law firm Hogan Lovells, in a blog post. Notably, "the European Union's Article 29 Working Party issued smart meter guidelines last month."

The commission said that smart meters are essential for reducing and streamlining energy consumption. But it also said that based on its investigations, "access to detailed, disaggregated data on energy consumption can reveal some information that people may consider private."

Accordingly, the proposed decision opts to use Fair Information Practices. In particular, the commission wants to require smart meter operators to minimize the data they collect, use it only for the intended purpose--namely, to calculate a consumer's energy bill--unless they obtain permission from the consumer to do otherwise, ensure that the data remains accurate to ensure proper billing, and use "reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, distribution, use, modification, or disclosure."

The state's requirements would apply to smart meters deployed by Pacific Gas and Electric Company (PG&E), Southern California Edison Company (SCE), and San Diego Gas & Electric Company (SDG&E), all of which are investor-owned electric utilities. But it would also apply to numerous other organizations that work with the utilities.

"A third party would have to comply with the PUC rules when it obtains access to customer's usage data via Home Area Network (HAN)-enabled devices that are 'locked' to automatically transfer usage data to the third party," according to a summary of the proposed directive released by the Future of Privacy Forum, an advocacy group.

"In addition, the proposed rules would require utilities to provide third parties with access to usage data that customers authorize if the third parties comply with the privacy and security rules," it said. "The PUC rejected suggestions that third parties should be required to register for certification to offer services that require access to customer energy consumption data."

The new rules won't also apply to other electrical operators or gas providers, although the commission said that it's also exploring that possibility.

Yes, you can stay safe in the cloud. In this Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes, and controls. Download the report now. (Free with registration.)