Utilities around the world are increasingly deploying smart meters to customer households as regions shift their energy infrastructure to digital smart grids, a move that will revolutionize the way utilities and consumers measure and monitor electricity usage. But the shift creates space for potential dangers as well as opportunities when it comes to privacy and security, and though much progress has been made in the last year or so, questions remain—especially when it comes to the granular customer data that smart meters will provide and what may or may not be done with that data.
The smart grid—which has seen major investments from governments including the U.S., UK, Canada, Australia, New Zealand, parts of Asia, Denmark and the Netherlands, among others—will communicate with smart meters on a household’s electrical use down to the appliance level. Consumers will be able to fine-tune their energy consumption to get the best rates, and utilities will be able to more effectively manage power distribution and identify and resolve problems remotely. Additionally—in the not-so-distant future—smart appliances such as toasters, refrigerators and washing machines may communicate with household smart meters. A washing machine may start its wash cycle at off-peak energy hours, for example, or a refrigerator may make ice at 3 a.m. rather than at noon in order to save energy and money.
But the granular information the meters may provide on household energy consumption opens up a world of possibilities for other uses of the information. Megan Hertzler, assistant general counsel and director of data privacy for Xcel Energy, which operates in eight states and serves more than five million customers, recognizes that this data has the potential to deliver value for the utility, but also cautions that protecting the individual’s privacy is an important part of turning this potential into reality. Privacy advocates have raised concerns about utilities’ access to such granular data. Hertzler understands those concerns, but says “we use customer data to deliver safe, reliable service to our customers; we do not foresee a need to further mine the data for personal information.”
As part of its regulated operations, Hertzler explains that Xcel Energy “is interested in energy usage patterns to forecast demand and improve reliability, and to a more limited extent, to assist customers in making smart consumption choices and promote conservation.” Hertzler does not foresee behavioral information being all that important beyond the uses described above. In addition, she says, “the more detailed information you gather from the smart meter, the more it’s going to cost you in overhead.” While smart meters may be capable of gathering more detailed information, “cost concerns will necessarily limit what is collected to what the utility needs for its operations.”
But in a world where data is currency, who would care about that data? Marketers, for one, would surely enjoy access to such intimate details of consumers’ lives. After all, tracking consumers’ habits in the online world represents a $30 billion economy, according to the Direct Marketing Association. Surely the details on the ground would be at least as appealing.
In addition, third parties such as law enforcement, insurance investigators or divorce attorneys could find value in the surveillance opportunities possible by looking at a comprehensive report of a household’s habits. Targeted theft is also a concern; energy data could potentially reveal at what times occupants leave and return each day, and therefore at what time the home is vacant.
Hertzler says Xcel Energy frequently fields requests for consumer energy data and these requests are not limited to data from its approximately 20,000 installed smart meters. The utility often receives subpoenas for customer account data from law firms, researchers and municipalities. It once received a subpoena for the account data of 200,000 possible customers related to another corporation’s collection efforts.
Though legal guidance on how a utility should respond to such requests can be sparse, Xcel Energy’s policy takes a commonsense approach, according to Hertzler. “We treat customer data the way we would want our own data to be treated,” Hertzler says. “It’s a key concept and why we base our privacy controls on the principles of transparency, notice and informed consent.”
Developing privacy policies on customer data and third-party access is something that utilities worldwide are grappling with now, says Chet Geschickter, a smart grid senior analyst at Greentech Media research. And the rules aren’t hard and fast. In the U.S., each state has its own public utility commission regulations and state laws to abide by.
“It’s not clean,” Geschickter says, adding this is where the National Institute for Science and Technology (NIST) “comes into play and the California Public Utilities Commission (PUC) comes into play. They kind of set the bar in terms of what they think are the appropriate data privacy policies and procedures, and hopefully, those are really good standards and most of the other states follow suit.”
The California PUC’s policy—based on Fair Information Practices—that utilities have a right to collect and use customer data in order to provide services—but that the same rules do not apply for sharing that data with non-utility third parties without customer consent—looks to be the way states are moving, according to Geschickter.
Rebecca Herold, CIPP, has led NIST’s Smart Grid privacy subgroup since June 2009 and co-authored the NIST report on smart grid privacy. As NIST’s privacy group prepares to release another version of its privacy report, Herold says there has been great progress in the last year on the importance of privacy awareness and safeguards when it comes to the smart grid.
NIST presently has several teams zooming in on smart grid privacy concerns, including teams on utility-to-consumer communication; third-party data protection practices; electric vehicles plugged into the grid; the impact of the National Strategy for Trusted Identities in Cyberspace initiative, and operational and administrative aspects.
Boris Segalis, partner at the law firm InfoLawGroup LLP, who focuses on privacy and information management, says the concerns about what the utility will do with consumer data are misguided. The focus should instead be on the use of the granular data by third parties that receive the information from utilities, with or without consumers’ consent.
“This is a new space in the information marketplace that is unregulated,” Segalis says. “This is very powerful information that can be used to build precise consumer profiles and has virtually unlimited marketing, consumer reporting and other analytical applications. The utilities, at this stage, are not interested in leveraging this information for profit. Instead, they are seeking guidance on how to handle and disclose the data, including to third parties and law enforcement agencies.”
In Europe, the European Commission has asked that member states produce action plans for smart grid implementation and for smart meters by 2012. The commission said in April that data protection safeguards must be developed before implementation of the smart grid and smart meters.
Utilities are also working to make consumers’ energy data available to them, Geschickter says, so that, as the owners of their individual data sets, they can make informed decisions and assign rights of access to third parties.
“There’s this chain of custody,” he says, “so I say that I want you, my utility, to share my data with Google, and then Google can now house my data but can’t in turn resell it to third parties because it actually belongs to me, and I’ve just given access rights to Google.”
Herold says she’s seen a general increase in awareness among U.S. utility companies—some of which have voluntarily joined NIST’s privacy subgroup—on the need to develop privacy policies, if not create a designated position for a privacy officer.
“I see that they are seeing the need to have that more and more and be more responsive to consumers and able to answer consumers’ questions,” Herold said. “Because I think early on that was something that most utilities really had never had to think about.”
Meanwhile, Hertzler says her position at Xcel is not yet the norm but that utilities need to proactively address information governance.
“If you don’t have someone who is responsible for how privacy principles interact with the business function, it’s going to be very hard to assure consistent compliance and accountability for protecting personal information. You need to be proactive,” she says. “And I think many times it’s about making that business case for why it makes sense to have someone who is focused exclusively on privacy.”
But Segalis points out that while utilities’ use of personal information generated by the smart grid will likely be heavily regulated by public utilities commissions in the U.S., the PUCs will not have power to regulate the use of the information by third parties. That responsibility likely will fall on the Federal Trade Commission. Thus, Segalis suggests, the FTC likely will be heavily involved in setting a smart grid privacy framework, and the commission’s extensive work in the privacy field should serve as a rough guide to businesses entering the space.