Walmart ESCO Seeks Exception To NY Data Security Requirements, Noting Only Data Is Its Own Customer Information
August 28, 2018 Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
Texas Retail Energy (TRE), a subsidiary of Walmart Inc. and a registered ESCO which self-supplies Walmart, requested that the New York PSC grant it an exception to the new Data Security Agreement (DSA) being required by the utilities, noting that, with service limited to self-supply, the data ostensibly being protected is Walmart's own customer information.
TRE said in its request that, "TRE’s business operations are limited to providing electric service to Walmart facilities and TRE currently serves 103 facilities across 5 utility service territories (Orange & Rockland Utilities, Inc.; Central Hudson Gas & Electric Corporation; New York State Electric & Gas Corporation; Rochester Gas and Electric Corporation; and Niagara Mohawk Power Corporation d/b/a National Grid [the 'Joint Utilities'])."
TRE said in its request that, "Over the past several months, the Joint Utilities, Department of Public Service Staff and energy service entities have conducted 'business-to-business' discussions which, according to the Public Service Commission, are being conducted in conformance with the Uniform Business Practices. As part of these business-to-business discussions, the Joint Utilities requested that all energy services entities, including TRE, complete a Self-Attestation of Information Security Controls ('Self-Attestation') and sign a Data Security Agreement ('DSA')."
TRE said in its request that, "TRE recognizes the importance of data security and supports the development of industrywide cybersecurity practices and processes pertaining to the safe and secure transmission, processing, storage, and disposal of confidential customer data that avoid the occurrence of data breaches. TRE has submitted comments in this proceeding on two occasions since it commenced in June 2018 and has participated in business-to-business discussions with the Joint Utilities. During these discussions, TRE requested that the Joint Utilities recognize an exception to any adopted data security requirements for ESCOs, such as TRE, that only provide services to their own parents and affiliates. These ESCOs are uniquely situated because all of the information provided to the utility is their own customer information. It would make little sense then to require such companies to sign burdensome data security agreements and obtain cyber liability insurance to protect against the disclosure of their own information. As a result, TRE requested that it be excluded from the proposed data security requirements, including the request to complete a Self-Attestation. TRE, through its parent Walmart, already self-insures against data security breaches. Requiring TRE to obtain cyber liability insurance would simply expose the company to unnecessary and duplicative costs."
TRE said in its request that, "Walmart is continually seeking new ways to manage its energy consumption and associated costs. Purchasing energy for its stores through TRE is one such example. By taking wasteful energy and costs out of its operations, Walmart can do more to save its customers money. Subjecting TRE to unnecessary costs as a result of this proceeding significantly hampers Walmart’s energy management and cost containment goals."
TRE said in its request that, "The revised DSA, circulated by the Joint Utilities on August 16, 2018, fails to adequately address TRE’s concerns. Although the parties discussed the need to recognize TRE’s unique position during the in-person meetings on the DSA, the latest version still imposes the same requirements upon TRE as the rest of ESCOs and the Joint Utilities have indicated that this is the final version of the DSA."
TRE said in its request that, "Although the Commission admittedly supports the business-to-business process, to date it has remained a bystander to the business-to-business discussions. These discussions have now broken down and the parties appear to be at an impasse as to the applicability of the DSA to TRE. The Commission should now intercede and not allow the Joint Utilities to impose onerous and completely unnecessary requirements on providers such as TRE when all of the accounts it serves, and information it possesses, belong to itself and its parent Walmart."
TRE said in its request that, "Before TRE completes the Self-Attestation or signs the DSA, it respectfully requests that the Commission intervene and adopt TRE’s request for an exception to the DSA."
TRE further requested that the Commission clarify, or direct the Joint Utilities to clarify, the following:
• Whether cybersecurity insurance requirement of $5 million applies equally across the utilities or whether a separate policy must be obtained for each utility;
• Whether self-insurance, parental guarantees, or letters of credits are acceptable alternatives to the cybersecurity insurance requirement;
• Whether offsite backups at a non-company owned data center are an acceptable form of Replication of Confidential Utility Information; and
• What are the industry best practices in the Self-Attestation for encryption methods.
TRE said in its request that, "As stated above, TRE recognizes the importance of data security and supports the development of industrywide cybersecurity practices and processes. TRE is willing to continue to work with Staff and the Joint Utilities to develop and ultimately adopt such practices provided, however, that any such practices take into consideration unique circumstances of industry participants, such as TRE."