Energy Choice
                            

Matters

New York Utilities Petition PSC To Confirm Business-to-Business "Process" For Data Security, Utilities' Authority To Deny Access To Entities (ESCOs) Not Signing Data Security Agreements

February 5, 2019

Email This Story
Copyright 2010-19 EnergyChoiceMatters.com
Reporting by Paul Ring • ring@energychoicematters.com

The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com

Central Hudson Gas & Electric Corporation, Consolidated Edison Company of New York, Inc., National Fuel Gas Distribution Corporation, New York State Electric & Gas Corporation, Niagara Mohawk Power Corporation d/b/a National Grid, KeySpan Gas East Corporation d/b/a National Grid and The Brooklyn Union Gas Company d/b/a National Grid NY, Orange and Rockland Utilities, Inc., and Rochester Gas and Electric Corporation (collectively and individually, the 'Joint Utilities') filed with the New York PSC a petition for approval of the business to business process used to formulate a data security agreement, and an order affirming the joint utilities’ authority to require and enforce execution of the data security agreement by entities seeking access to utility customer data or utility systems.

Specifically, the Joint Utilities ask the New York State Public Service Commission ('Commission') to:

• Confirm that the business-to-business process among parties, the Joint Utilities, New York State Department of Public Service ('Staff'), Energy Service Companies ('ESCOs'), Distributed Energy Resource Suppliers ('DERS'), Direct Customers, and other entities, that was used to negotiate and develop a Data Security Agreement ('DSA') and its accompanying Self-Attestation ('SA') to receive customer data through the interconnection to utility system was appropriate for development of the DSA;

• Authorize the amendment of the DSA going forward through the business to business process which should include at a minimum, standard requirements that: (1) specify compliance with the Uniform Business Practices ('UBP'), UBP DERS, or other applicable Commission rules; (2) address the transfer of information; (3) maintain the confidentiality of Joint Utilities and the ESCOs, DERS, Direct Customers, and their applicable contractors (collectively, 'Energy Service Entities' or 'ESEs') information, including the protection of customer data; (4) requiring the return and destruction of information; (5) address each Party’s responsibility and liability for data security incidents; (6) require cyber security insurance; (7) define minimum cyber security requirements; (8) address how to determine whether ESEs have and maintain minimum levels of cyber security; and (9) require ESE indemnification of the Joint Utilities; and

• Affirm the Joint Utilities’ authority to require ESEs to satisfactorily complete a DSA, which will evolve in the future, and prohibit ESEs from electronic access to utility information technology ('IT') systems as well as customer data without a DSA.

"[T]he Joint Utilities seek Commission approval of the business-to-business process used to develop the DSA because some ESEs claim that a rulemaking process must precede the Joint Utilities requiring that ESEs execute the DSA," the Joint Utilities said

"The business-to-business process, however, was a lengthy and publicly noticed proceeding, as described below, and provided a full opportunity for all parties to participate," the Joint Utilities said

"The Joint Utilities emphasize that they are requesting that the Commission approve the process that resulted in the document as well as the framework for the document, not necessarily the specific underlying documents, as the Joint Utilities expect that the DSA will need to be modified as technology and cyber security standards evolve," the Joint Utilities said

"In addition, the Joint Utilities request that the Commission affirm their authority to require the ESEs to execute a DSA and to prohibit ESEs that fail to do so from obtaining data from or access to the applicable utility’s IT systems. Pursuant to the UBP and UBP DERS, the Joint Utilities have authority to require ESEs to execute a DSA and have the right to prohibit non-compliant ESEs from accessing customer data and utility IT systems. The Joint Utilities would note that the ESEs should be treated as any other vendor, i.e., ESEs should be required to meet the Joint Utilities terms and conditions, which would include cyber security terms, as the Joint Utilities have the right to set and negotiate transactional terms and conditions independently," the Joint Utilities said

"While many ESEs have executed the DSA, others refuse absent a Commission determination. The Joint Utilities assert that they have the authority to require execution of DSAs without Commission approval, but have submitted this petition to confirm their right to do so," the Joint Utilities said

Concerning the requirement for entities not using EDI to obtain utility data, the Joint Utilities stated that the PSC previously held that, until the Commission develops methods to regulate other methods and platforms of data sharing, "Rules governing behavior in and oversight of those programs and transactions will appear within the program rules, the utility tariff, or the procurement request or contract, though the Commission may consider standardization of such rules into the UBP-DERS in the future."

"Based on this statement, a utility may require a DSA with DERS even if they are not engaged in EDI transactions with a utility and subject to the UBP DERS. Moreover, contrary to the assertions made by Mission:Data and others, nothing in the DERS UBPs prohibits the Joint Utilities from imposing any requirements for third party access to Green Button Connect. The fact that the UBP-DERs have a section establishing requirements for DERs using EDI does not mean that DERs using other platforms can do so without any requirements," the Joint Utilities said

In summary, "the Joint Utilities request that the Commission: (1) approve the continuing business-to-business process to develop and implement a DSA to protect customer information and utility IT systems; (2) approve minimum standard requirements in the DSA subject to the continuing evolution of the DSA; and (3) affirm the Joint Utilities’ existing authority to require ESEs to submit and execute a DSA and, if they fail to do so, disconnect them from the utility’s IT systems and remove their access to customer information in order to protect customers and utilities from a potential cyber security event."

Case 18-M-0376

ADVERTISEMENT
NEW Jobs on RetailEnergyJobs.com:
• NEW! -- Chief Operating Officer -- Retail Supplier
• NEW! -- Retail Energy Channel Manager -- Retail Supplier
• NEW! -- Energy Sales Broker
• Business Development Manager -- Retail Supplier -- Houston
• Business Development Manager
• Regulatory & Compliance Analyst -- Retail Supplier
• Sales Quality & Training Manager -- Retail Energy