NY PSC Secretary Grants Additional Time For Responses To Utilities' Petition Seeking Confirmation That Utilities May Cease Retail Access To ESCOs Not Signing Data Security Agreement
December 3, 2018 Email This Story Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • email@example.com
The following story is brought free of charge to readers byEC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
The Secretary of the New York PSC granted parties additional time to respond to a petition for a declaratory ruling, filed by the joint utilities, in which the utilities had asked that the PSC confirm the utilities’ right under the Uniform Business Practices (UBP) to discontinue an ESCO's access to the utilities' various systems, in their relevant retail access programs, if such ESCO fails to meet minimum data security standards, including the execution of a Data Security Agreement (DSA).
The DSA Coalition had also requested that the utilities' petition for a declaratory ruling be treated as a proposed rule, and therefore that the PSC publish notice of the proposed rule in the New York State Register and provide the public with a 60-day comment period
However, the Secretary said that, "it is beyond the authority of the Secretary to convert a request for a declaratory ruling into a proposed rulemaking."
"The Commission, in addressing the petition for a declaratory ruling, may convert the petition into a proposed rule and direct further process, should it decide to do so," the Secretary said
The National Energy Marketers Association on November 30 submitted comments on the joint utilities' (JU) petition.
NEM stated, "[T]he JU are effectively arguing that UBP Section 2.F.1.a. was intended to allow the JU to assume the role of the Commission in developing and adopting energy market policies, that in so doing the JU can flout the requirements of SAPA, and the JU have unilateral authority to enforce their self-established and self-adopted policy without first seeking Commission intervention to discontinue an ESCO that the utility deems to be non-compliant. It strains credulity to assert that the Commission would have adopted UBP Section 2.F.1.a. to have that meaning and intended effect. It is contrary to one of the primary missions of the Commission: to curb utility market power abuses. It is contrary to the Public Service Law that authorizes the Commission to promulgate rules and approve tariffs, not the utilities it regulates. It is contrary to SAPA, which requires potentially affected entities to receive proper notice and an opportunity to comment on proposed compliance obligations and that when those compliance obligations are finalized they be published so that current and potentially affected entities are apprised of the regulatory requirements they must follow. For these reasons, the JU Petition and relief requested should be denied by the Commission."
NEM stated in its comments that, "The JU are invoking the language under UBP Section 2.F.1.a. as the purported basis for their 'right' to discontinue ESCO service when an ESCO does not execute the DSA and SA [Self Attestation]. UBP Section 2.F.1.a. provides that a utility may discontinue an ESCO’s participation in its retail access program for '[f]ailure to act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility’s system, and the ESCO or Direct Customer failed to eliminate immediately the risk or condition upon verified receipt of a non-EDI notice.' Section 2.F.2. and 2.F.7. explains the process to be followed to initiate the discontinuance process, including the provision of notice and a cure period. In addition, Section 2.F.5. states that the utility 'may request permission from the Department to expedite the discontinuance process, upon a showing that it is necessary for safe and adequate service or in the public interest.'"
NEM stated in its comments that, "To NEM’s knowledge, Section 2.F.1.a. has not previously been invoked as the basis for an ESCO discontinuance. When Section 2.F. was originally adopted nearly two decades ago, cybersecurity risks were not in the realm of generally understood or anticipated system security risks. By its terms, Section 2.F.1.a. requires a showing that an ESCO’s conduct poses 'a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility’s system.' However, the type and extent of conduct to satisfy the Section 2.F.1.a. threshold has not heretofore been examined by the Commission. In the absence of such Commission guidance, the JU should not be permitted to exert unchecked discretion in making a determination that an ESCO should be discontinued under this Section."
NEM stated in its comments that, "The JU Petition wrongly and inappropriately construes an ESCO decision not to sign the agreements as incontrovertible evidence that the Section 2.F.1.a. standard has been met without any actual proof that an individual ESCO’s conduct and operations in fact constitute a 'significant risk' to the utility distribution system. Throughout the business-to-business process the utilities failed to explicate in quantifiable or verifiable terms the risks to be mitigated and how the requirements embedded in the DSA and SA were reasonably tailored to address those risks. NEM and its members support the development of reasonable cybersecurity standards for the retail marketplace. However, the utilities did not provide specific, actionable information about the risks posed by ESCO access to data. This is why the DSA and SA utilize an overly broad, blanket approach to the treatment of all ESCOs regardless of individual risk posed, rather than targeted solutions being identified and incorporated in the agreements. Indeed, an ESCO’s decision not to sign the DSA or the SA does not mean that the ESCO has not implemented robust cybersecurity measures to protect customer data that are appropriate to the size and scope of its individual business. The ESCO’s decision not to sign the DSA or SA could very well be related to the risks and costs associated with signing and implementing agreements that to date have not been subject to Commission scrutiny or received Commission approval."
NEM stated in its comments that, "While Section 2.F.7.a. allows the utility to 'discontinue participation as soon as practicable' for ESCO conduct posing 'a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility’s system,' UBP Section 2.F.5. clearly requires the utility to 'request permission from the Department to expedite the discontinuance process, upon a showing that it is necessary for safe and adequate service or in the public interest.' Read together these provisions reflect a clear understanding that Commission intervention in the process as an objective arbiter is a necessary and required check on the utilities’ ability to discontinue ESCO service. Staff’s Report in Case 18-M-0376 supports this – 'The UBP details the discontinuance process, including timeframes, and includes participation by Staff.'"
NEM stated in its comments that, "The JU are effectively requesting in the Petition that the Commission cede its oversight role, as expressed in UBP Section 2, to the utilities by permitting the JU to discontinue an ESCO without Commission intervention. NEM submits that Commission intervention is particularly vital here, where the Commission has not previously adopted cybersecurity policy for the retail marketplace, where precedent interpreting and applying UBP Section 2.F.1.a. has not been established, where the utility’s potential to abuse its market power is significant and where the consequences to the ESCO of discontinuance are severe and irreparable. Moreover, UBP Section 2.F.1.a. requires a case-specific inquiry into whether individual ESCO conduct is causing 'a significant risk' to the distribution utility system."
NEM stated in its comments that, "It would be an extreme and dangerous precedent to interpret Section 2.F.1.a. in the manner requested by the JU – to allow the utility to be the sole arbiter of a dispute to which it is also one of the parties and concerning agreements that it authored. Interpreting Section 2.F.1.a. to allow the JU to discontinue an ESCO that has not executed the agreements, agreements that are not Commission-approved and have not been filed in any Commission docket, and without Commission intervention, would compound the harmful precedent."
NEM further stated in its comments that, "The terms of the agreements being imposed by the JU, that stand as direct competitors in the retail marketplace with ESCOs and control ESCO access to the utility delivery system, are not balanced. The agreements provide the JU with unprecedented and far-reaching control over their ESCO competitors. The JU granted themselves audit rights over ESCO operations, restrict derivative data uses in a manner that could undermine DER product development, restrict locations for ESCO processing and storage of information, and impose a new $5 million cyberinsurance requirement, amongst others."