New York Utilities Petition PSC To Confirm Business-to-Business "Process" For Data Security, Utilities' Authority To Deny Access To Entities (ESCOs) Not Signing Data Security Agreements
Central Hudson Gas & Electric Corporation, Consolidated Edison Company of New York, Inc.,
National Fuel Gas Distribution Corporation, New York State Electric & Gas Corporation,
Niagara Mohawk Power Corporation d/b/a National Grid, KeySpan Gas East Corporation
d/b/a National Grid and The Brooklyn Union Gas Company d/b/a National Grid NY,
Orange and Rockland Utilities, Inc., and Rochester Gas and Electric Corporation
(collectively and individually, the 'Joint Utilities') filed with the New York PSC a petition for approval
of the business to business process used to formulate a data security agreement, and an order
affirming the joint utilities’ authority to require and enforce execution of the data
security agreement by entities seeking access to utility customer data or utility
systems.
Specifically, the Joint Utilities ask the New York State
Public Service Commission ('Commission') to:
• Confirm that the business-to-business process among parties, the Joint Utilities,
New York State Department of Public Service ('Staff'), Energy Service Companies
('ESCOs'), Distributed Energy Resource Suppliers ('DERS'), Direct Customers,
and other entities, that was used to negotiate and develop a Data Security
Agreement ('DSA') and its accompanying Self-Attestation ('SA') to receive
customer data through the interconnection to utility system was appropriate for
development of the DSA;
• Authorize the amendment of the DSA going forward through the business to
business process which should include at a minimum, standard requirements that:
(1) specify compliance with the Uniform Business Practices ('UBP'), UBP DERS,
or other applicable Commission rules; (2) address the transfer of information; (3)
maintain the confidentiality of Joint Utilities and the ESCOs, DERS, Direct
Customers, and their applicable contractors (collectively, 'Energy Service Entities'
or 'ESEs') information, including the protection of customer data; (4) require the return and destruction of information; (5) address each Party’s responsibility and
liability for data security incidents; (6) require cyber security insurance; (7) define
minimum cyber security requirements; (8) address how to determine whether
ESEs have and maintain minimum levels of cyber security; and (9) require ESE
indemnification of the Joint Utilities; and
• Affirm the Joint Utilities’ authority to require ESEs to satisfactorily complete a DSA,
which will evolve in the future, and prohibit ESEs from electronic access to utility
information technology ('IT') systems as well as customer data without a DSA.
"[T]he Joint Utilities seek Commission approval of the business-to-business
process used to develop the DSA because some ESEs claim that a rulemaking
process must precede the Joint Utilities requiring that ESEs execute the DSA," the Joint Utilities said.
"The business-to-business process, however, was a lengthy and publicly noticed proceeding,
as described below, and provided a full opportunity for all parties to participate," the Joint Utilities said.
"The Joint Utilities emphasize that they are requesting that the Commission approve the
process that resulted in the document as well as the framework for the document, not
necessarily the specific underlying documents, as the Joint Utilities expect that the DSA
will need to be modified as technology and cyber security standards evolve," the Joint Utilities said.
"In addition, the Joint Utilities request that the Commission affirm their authority to
require the ESEs to execute a DSA and to prohibit ESEs that fail to do so from obtaining
data from or access to the applicable utility’s IT systems. Pursuant to the UBP and UBP
DERS, the Joint Utilities have authority to require ESEs to execute a DSA and have the
right to prohibit non-compliant ESEs from accessing customer data and utility IT systems.
The Joint Utilities would note that the ESEs should be treated as any other vendor, i.e.,
ESEs should be required to meet the Joint Utilities terms and conditions, which would
include cyber security terms, as the Joint Utilities have the right to set and negotiate
transactional terms and conditions independently," the Joint Utilities said.
"While many ESEs have executed the DSA, others refuse absent a
Commission determination. The Joint Utilities assert that they have the authority to
require execution of DSAs without Commission approval, but have submitted this petition
to confirm their right to do so," the Joint Utilities said.
Concerning the requirement for entities not using EDI to obtain utility data, the Joint Utilities stated that the PSC previously held that, until the Commission develops methods to regulate other methods and platforms of data sharing, "Rules governing behavior in and oversight of those
programs and transactions will appear within the program
rules, the utility tariff, or the procurement request or contract, though the Commission may consider standardization of such
rules into the UBP-DERS in the future."
"Based on this statement, a utility may require a DSA with DERS even if they are not
engaged in EDI transactions with a utility and subject to the UBP DERS. Moreover,
contrary to the assertions made by Mission:Data and others, nothing in the DERS UBPs
prohibits the Joint Utilities from imposing any requirements for third party access to Green
Button Connect. The fact that the UBP-DERs have a section establishing requirements
for DERs using EDI does not mean that DERs using other platforms can do so without
any requirements," the Joint Utilities said.
In summary, "the Joint Utilities request that the Commission: (1) approve the
continuing business-to-business process to develop and implement a DSA to protect
customer information and utility IT systems; (2) approve minimum standard requirements
in the DSA subject to the continuing evolution of the DSA; and (3) affirm the Joint Utilities’
existing authority to require ESEs to submit and execute a DSA and, if they fail to do so,
disconnect them from the utility’s IT systems and remove their access to customer
information in order to protect customers and utilities from a potential cyber security event."
Case 18-M-0376
February 5, 2019
Copyright 2010-19 EnergyChoiceMatters.com
Reporting by Paul Ring • ring@energychoicematters.com