IAPP-GDPR Web Banners-300x250-FINAL

By Jay Cline, CIPP

Smart grids are on their way to becoming mainstream, but what does that mean for consumers, whose detailed household energy data will be aggregated and potentially shared in ways previously unimagined? Should retailers, marketers, defense attorneys and law enforcement have access to the data? While nations and utilities across the globe invest millions, billions even, in the development of smart grids, that is a question being examined on a global scale. In this story, author Jay Cline outlines how one company is working to assure its customers that their privacy will be protected.
(Editor's note: For a primer on the smart grid and what it means for digital privacy, read "Smart grids are the future of power, but what does that mean for the future of privacy?" from the July issue of the IAPP Privacy Advisor member newsletter. Member login required.)

If you live in Boulder, CO, you also now reside in Smart Grid City. Half of this college town's 45,000 households now boast a smart meter in what Xcel Energy calls the first fully functioning smart grid-enabled city in the world. Xcel Energy's response to the new privacy issues associated with its Boulder initiative and to ongoing municipal requests for consumer data is a case study in how a privacy program can enable business objectives.

In public comments filed with the U.S. Department of Energy in July, Megan Hertzler, Xcel Energy's director of privacy, wrote, "[W]ithout strong protections of customer energy usage data, our customers would be reluctant to embrace smart grid and other new technologies."

What is the smart grid? In a snapshot, it's the first overhaul of power grids in more than 100 years. Digital wireless meters at home will transmit information to the power company to allow it to avert power outages and optimize energy use. It will also enable homeowners to pre-program their own energy use through Web-based accounts. Privacy concerns have followed each stage of the smart grid evolution, prompting the Department of Energy to request public comments on the topic.

To understand how a utility company found itself at the forefront of a cutting-edge social issue, some background on the firm is needed. Headquartered in Minneapolis, MN, Xcel Energy and its 12,000 employees annually generate $9.6 billion in revenues by serving 3.4 million electric consumers and 1.9 natural gas consumers across eight western states.

The company traces its founding to 1881, when Henry Byllesby left his employment with Thomas Edison to start a series of power ventures. In 1909, Byllesby formed Minnesota-based Washington County Light & Power Company and Northern States Power (NSP). NSP emerged as the parent, and its 2000 merger with Denver-based New Century Energies resulted in Xcel Energy. The states assigned to Xcel Energy by the state utility-regulatory commissions include Colorado, Michigan, Minnesota, New Mexico, North Dakota, South Dakota, Texas and Wisconsin.

Among U.S. utilities, Xcel Energy is known for thinking ahead. The company ranked first in wind power generation and fifth in solar power, for example, before its foray into the nascent smart grid technology. This progressive mindset has also placed privacy at its doorstep.

According to Hertzler--who joined Xcel Energy in 2002 as assistant general counsel and shifted full-time to privacy earlier this year--privacy issues were already surfacing before the advent of the smart grid project. Its storage of consumer Social Security numbers made it subject to state laws on security breach notification, and its extension of credit to some consumers required the utility to develop an ID theft red flags program.

"Our CIO told me we can't be the next TJX," Hertzler told Inside 1to1: Privacy, referring to the now-famous 2007 data breach at the Massachusetts-based retailer.

But it was a series of ongoing requests by governments, reporters, municipalities and researchers for consumer data that were the catalyst for Xcel Energy to formalize a privacy program. Cities seeking to meet energy conversation goals and researchers testing energy conservation ideas knew they had a friend in the utility and began asking the utility for detailed data sets.

"We were seeing an escalated level of requests for information," Hertzler said.

In one example, Hertzler said a city wanted to know the energy consumption levels of all of its residents so that it could post signs in the yards of those with the lowest use. In another case, a researcher wanted energy use details to the nine-digit ZIP Code level.

But there was "not a lot of legal guidance" for how utilities should respond to these requests, she elaborated, and substantial variation across the laws of the eight states the company serves.

In response, Xcel Energy formed a cross-functional Customer Data Taskforce. It also launched an enterprise data-inventorying and mapping exercise and deployed a vendor-assurance process to incorporate security protections in its service provider contracts. Hertzler also spearheaded the implementation of a data-incident response plan and role-based training for data privacy.

A crowning achievement of the privacy program will occur at year end, she said, when Xcel Energy includes a set of privacy principles with its tariff. A tariff is a document that proposes what services a utility will provide, what rates it will charge and what rules it will follow. Once regulators approve the tariff, the utility is bound by them. Hertzler believes her employer will be one of the first utilities to include privacy principles in its tariff

Hertzler said the company's public comment submission to the Department of Energy indicates the principles Xcel Energy will advocate. One section of the submission reads as follows:

"Utilities should not be required to release information that could allow for the identification of individual consumers to any third party not assisting the utility with the provision of service..."

When the tariff gets approved, Xcel Energy customers will have additional assurance that their energy provider will be a strong link in the smart grid chain.

"We have long-standing relationships with our customers," Hertzler explained. "Trust is an important part of that."

Jay Cline is President of Minnesota Privacy Consultants

Editor's note: The National Institute of Standards and Technology released a report last week making recommendations for privacy within the smart grid, including that privacy be protected "by law or other means."


If you want to comment on this post, you need to login.


Related Posts


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»