New York PSC Rejects Sought $5 Million Cybersecurity Insurance Requirement For ESCOs, In Modifying Utilities' Data Security Agreement
PSC Requires Energy Service Entities, "Seeking Access To Customer Data Through Utility IT Systems," To Sign Modified DSA
Self-Attestation Also Required
PSC Says Failure To Sign DSA Is Not A Significant Risk Or Condition That, Alone, Allows Utility To Cease Providing Service To An ESCO
PSC Maintains Indemnification Requirement
October 16, 2019. Copyright 2010-19 EnergyChoiceMatters.com
Reporting by Paul Ring
The New York PSC adopted an order establishing minimum cybersecurity and data privacy requirements for entities (such as ESCOs) that receive from, or exchange customer data with, the utilities on an electronic basis other than by email.
The PSC said that its approach, "will provide a universal foundation of cybersecurity and data privacy requirements, while the Commission will continue to develop such requirements and may modify or expand upon them in the future, as appropriate."
The PSC will require that "Energy Service Entities" (ESEs) that seek access to customer data through utility IT systems shall sign a modified Data Security Agreement (DSA) and provide a self-attestation. ESEs include Energy Service Companies (ESCOs), Distributed Energy Resource Suppliers (DERS), Direct Customers, and their applicable contractors. Special provisions discussed below will apply to certain Direct Customers and state agencies.
"Execution of a DSA by ESEs who electronically exchange data directly with the distribution utility, including EDI providers, is appropriate and necessary," the PSC said.
"However, also requiring third party representatives of ESEs, who have no direct link to the utility, to execute a DSA would create a burdensome and unnecessary process. This could also lead to a situation whereby numerous 'downstream' entities are required to abide by the terms of a DSA that does not adequately address the relationship between the entity and the utility, nor their use of customer data," the PSC said.
The PSC further said, "It is important to note that, in most instances, the utility may only share customer data with ESEs who have received the customer’s consent. ESEs who intend to, in turn, share that customer data with third party representatives need to obtain the proper customer consent to do so. Absent express consent from the customer to share their data with additional third parties, ESEs may only share customer data with a third party when it is necessary for the ESE to provide the service the customer signed up for."
"Third party representatives, as the term is defined in the DSA, shall not be required to execute the DSA or Exhibit B thereto. Instead, it is up to the ESE and the third party representative to determine the type of data security that is appropriate for their business relationship. However, any ESE utilizing a third party representative and/or contractor to provide service to customers will be responsible for the actions of their third party representatives. The ESE is responsible for ensuring that the third parties with whom it shares customer data properly safeguard that data," the PSC said.
The PSC did adopt the Self Attestation requirement for ESEs that seek access to customer data through utility IT systems, with one modification.
The Self Attestation presents a 16-point checklist of minimum cybersecurity protections that each ESE will be required to observe, and ESEs will have to attest that the protections are in place.
"The Self Attestation, which is Exhibit A to the DSA, provides a list of foundational cyber hygiene practices and protections. All entities that interface with utility IT systems and maintain customer data should observe these basic principles," the PSC said.
"The Commission rejects the comments of NEM, Logical Buildings, and the DSA Coalition which state that the Self Attestation creates extensive, burdensome, or robust requirements. The Commission adopts the protections required in the Self Attestation with the exception of one modification," the PSC said.
Specifically, with respect to the requirement that Confidential Customer Utility Information be encrypted in transit, "further refinement of this requirement is necessary so as to not impede normal business practices," the PSC said.
"Communicating via encrypted emails requires the sender and recipient to have a pre-existing relationship with software to encrypt and decrypt the content of emails. Additionally, many ESEs utilize email to communicate with their customers, a vast majority of which will not have the ability to encrypt emails or receive encrypted emails from their chosen ESE. The Joint Utilities exclude email from the electronic communications with ESEs that trigger the need for a DSA. That same exception should be applied to the encryption in transit requirement. Thus, encryption of Confidential Customer Utility Information will not be required for email communications. This modification will allow ESEs to effectively communicate with customers and other entities without first establishing a process for mutual encryption and decryption," the PSC said.
With respect to the requirement to store data within the United States or Canada, the PSC said that "the Commission finds this to be a reasonable requirement."
"Even if an entity is using a cloud-based service there is the ability to choose the location for data storage. Currently, there is no certification or authorizing board that could provide validation of adequate cybersecurity and privacy protections for alternative locations," the PSC said.
The PSC will allow for an audit of ESE cybersecurity compliance. However, the audit should be done by an agreed upon third party and paid for by the utility, the PSC said. The audit shall not be conducted by the utility itself.
"Any disputes arising out of a 'failed' audit should utilize the dispute resolution processes in the UBP or be brought to Department of Public Service’s Office of Consumer Services Staff through the filing of a complaint, as appropriate. Additionally, the alternatives provided for in the DSA for independent audits obtained by the ESE shall remain an option for ESEs," the PSC said.
The PSC approved an indemnification clause contained in the DSA under which all ESEs shall indemnify the Joint Utilities for all damages caused by an ESE’s violation of the terms of the DSA.
"The Commission finds the indemnification clause contained in the DSA to be reasonable. With respect to the comments of RESA that there should be a causal relationship between the breach and the harm, the indemnification clause is already drafted in such a way. ESEs are only required to indemnify the distribution utility where they have breached or failed to comply with the DSA, and that breach or failure causes damage," the PSC said.
"Aside from general complaints regarding uncertainty surrounding the level of costs, no party offered any persuasive arguments as to why they should not be responsible for harm caused by their breach of or failure to comply with the terms of the DSA. Failure to hold ESEs responsible for their actions will lead to cost shifts to the distribution utilities and ratepayers, who may or may not participate in one or more of these markets," the PSC said.
The PSC, however, will not require ESEs to carry cybersecurity insurance. Utilities had been seeking a $5 million cybersecurity insurance requirement.
"The Joint Utilities have not established that cybersecurity insurance would be an efficient and effective means of mitigating cybersecurity risks and financial costs associated with security breaches. Several commenters oppose this requirement as not connected to any reasonable benchmark for the actual risk posed by the entity, or the actual costs of cyber incidents. Moreover, the insurance requirement would serve to act as little more than a market barrier to entry. The Commission recognizes the need to protect utility IT systems and customer data, but does not see a cybersecurity insurance requirement, which is mainly intended to address damages after an incident occurs, as the appropriate means of doing so. Thus, at this time, the Commission declines to adopt a generic cybersecurity insurance provision but may revisit this issue at a future date," the PSC said.
Turning generally to requests that the PSC adopt a fully risk-based approach to cybersecurity, the PSC said that, "the Commission concurs that there is a difference in the risk of compromise to the utility IT systems and the risk associated with a breach once the customer consented data is in the possession of the third party, and that the requirements should reflect that."
However, the PSC said that applicable frameworks for cybersecurity and data privacy need to be identified and further analyzed in order to implement a more detailed risk analysis approach for further consideration, with the potential of a fully risk-based assessment.
As such, "a fully risk-based approach will not be adopted at this time."
"However, the Commission clarifies that only entities that electronically receive or exchange customer information from a direct connection with the utilities’ IT systems, except by email, will need to adopt the cybersecurity requirements established in this Order. ESEs that have access to customer information but do not have a direct connection into the utility IT systems will need to implement the appropriate privacy protections to ensure customer data is protected from improper disclosure or misuse. Not requiring cybersecurity protections for ESEs who have access to customer data does not mean that the ESEs should not have adequate cybersecurity protections, only that the attestation of those protections will not be a requirement to do so. The Commission strongly urges all ESEs to implement and maintain adequate cybersecurity protections regardless of whether the ESE is connecting to the utility IT systems," the PSC said.
Addressing whether utilities may cease service to ESCOs which do not sign a DSA, the PSC said that failure to sign a DSA, in and of itself, would not constitute an act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility's system, which is the showing required for a utility to discontinue service to an ESCO. The utility would need to make a showing of risk in addition to the failure to sign the DSA.
The UBPs permit the utilities to cease service to an ESCO for an, "act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility's system."
The PSC said that, "Regarding comments which assert that the failure to execute a DSA does not necessarily constitute a significant risk that compromises system security, the Commission supports such an assertion. Failure to execute a DSA by itself does not establish that an ESCO 'is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility's system. . .'"
"As Commenters point out, there may be numerous reasons why an ESCO might not sign a DSA, but still have robust cybersecurity protections. A distribution utility seeking to discontinue an ESCO or Direct Customer would need to assert that, in addition to not executing a DSA, the ESCO or Direct Customer’s action or inaction presents a specified risk to the utility’s IT systems," the PSC said.
The PSC adopted a broad definition of Confidential Utility Information (renamed Confidential Customer Utility Information) as proposed by the utilities, as specifically listed below. "The proposed definition of Confidential Utility Information appropriately extends protection to all customer data transferred by the distribution utility to an ESE. The Joint Utilities are charged with maintaining customer data and based upon the sensitivity of the specific data points, keeping it confidential. ESEs who, in turn, receive customer data from the utility must only use the data for the purposes the customer consented to," the PSC said.
Confidential Customer Utility Information shall mean, "information that Utility is: (A) required by the UBP at Section 4: Customer Information (C)(2), (3) or UBP DERS at Section 2C: Customer Data, to provide to ESCO, Direct Customer or DERS or (B) any other information provided to ESE by Utility and marked confidential by the Utility at the time of disclosure, but excludes (i) information which is or becomes generally available to the public other than as a result of a disclosure by Receiving Party or its Representatives; (ii) information which was already known to Receiving Party on a non-confidential basis prior to being furnished to Receiving Party by Disclosing Party; (iii) information which becomes available to Receiving Party on a non-confidential basis from a source other than Disclosing Party or a representative of Disclosing Party if such source was not subject to any prohibition against transmitting the information to Receiving Party and was not bound by a confidentiality agreement with Disclosing Party; (iv) information which was independently developed by the Receiving Party or its Representatives without reference to, or consideration of, the Confidential Information; or (v) information provided by the customer with customer consent where the customer expressly agrees that the information is public."
The PSC approved the utilities' proposal that they be afforded discretion as to how cyber events will be handled.
"While the Data Security Incident provision provides the Joint Utilities with some discretion as to how cyber events will be handled, no party has provided a basis as to why such discretion would be inappropriate in light of the serious consequences that could arise out of a major cybersecurity breach. Moreover, actions taken pursuant to this provision are subject to the dispute resolution, appeal, or complaint processes before the Department of Public Service or the Commission, as applicable," the PSC said.
As noted above, unique cybersecurity provisions apply to Direct Customers and state agencies.
"Due to the fact that Direct Customers are accessing their own data, they do not present the same data security concerns of other ESEs who maintain other customer’s confidential data. However, in most instances, they do present similar security risks to distribution utility IT systems. The Commission adopts the modification presented by the Joint Utilities in their reply comments which forgoes the need to sign a DSA in the event a Direct Customer does not communicate electronically with utility IT systems, but instead uses a third party who has executed a DSA for such communication," the PSC said.
However, the PSC said, "a Direct Customer who directly exchanges data electronically with the utility, through EDI for example, presents a similar IT system security risk as an ESCO and should be required to execute a DSA. Although these entities are end use customers, they interface with the utility differently than a typical customer, and thus present a different risk to the Joint Utilities’ IT systems."
"With respect to State Entities, as NYPA points out, some of the DSA provisions may conflict with Federal, State, and local laws, tariffs, rules, and regulations. The unique circumstances presented by State Entities foreclose making a generic determination as to the applicability of cybersecurity protections. The Joint Utilities are directed to work with each applicable State Entity to develop a customized DSA to address each State Entity’s unique situation," the PSC said.
"Similar to the process recently adopted for the New York State Energy Research and Development Authority (NYSERDA) in the Commission’s Order Regarding New York State Energy Research and Development Authority Data Access and Legacy Reporting, the Joint Utilities and each State Entity shall jointly file a revised DSA within 60 days of the effective date of this Order," the PSC said.