

The Assistant General Counsel and Director of Data Privacy at Xcel Energy talks privacy, smart meters and New Year’s resolutions.

Megan Hertzler’s path to privacy was sort of an accident. Starting off at the Minnesota Attorney General’s Office as counsel to the Minnesota Public Utilities Commission (PUC), she advised the commission on matters relating to PUC regulation in the state, but, she says, there wasn’t a great emphasis on customer privacy back in 1997. After working in private practice for a time, Hertzler went to work for Xcel Energy in 2009 and, in response to significant data breaches being reported in the media, got down to work on privacy pretty quickly.

“My chief information officer at the time was walking the hallways of the law department at about 7 p.m., and I was the only attorney still working,” Hertzler remembers. “He came into my office and sat down and said, ‘We will not be the next TJX,’ (a retailer whose 2007 data breach resulted in the theft of 45.6 million credit and debit card numbers), and I had no idea what he meant. I thought, ‘I’ll Google it later.’ He told me that he was becoming more and more concerned about what we needed to do to be proactive around data security and privacy, and he wanted someone else to be up at night worrying about it, as he put it.”

When Hertzler focused in on the matter, she found that there was more to do than she originally imagined when it came to data protection.

“It wasn’t that we were noncompliant, but we certainly were not being proactive in identifying emerging privacy issues,” she said.

In 2010, Hertzler pitched to management that it create a position dedicated exclusively to privacy, one Hertzler has held ever since. Writing her own job description was somewhat difficult, she recalls, because there really wasn’t a model.

“It’s not usual for this type of stand-alone position to be a part of utilities’ standard operations,” she said. “I think that will change because, more and more, utilities have to be thinking about privacy and data security proactively in order to stay ahead of emerging data risks. And also, with the growing awareness of privacy issues for customer energy use information, utilities will have to respond to a growing number of questions from regulators and customers on their privacy practices. It is best if you have someone that is accountable for all of these issues.”

The Privacy Advisor caught up with Hertzler to ask about the key privacy challenges utilities are facing today—namely as they increasingly deploy smart meters capable of capturing granular data on consumer energy usage—to get her predictions on what 2012 will bring and to learn a bit more about the life of a privacy professional.

When it comes to privacy issues involving customer data, how should utilities get proactive?

Privacy discussions need to occur at all levels of the organization so that business need and customer expectations are both considered when developing internal policy. A good example of this for Xcel Energy was the effort we made in 2010 around customer information, including their energy usage information. We formed an internal task force made up of representatives from all the areas of the company where customer information was collected, maintained or used. It was a very broad and diverse group of individuals.

The task force was charged with developing Xcel Energy’s privacy principles for customer information. We spent 10 months identifying the privacy issues Xcel Energy was facing, including, for example, how the company was using customer information in providing service, how we would handle a request for the customer’s data and whether our response would be different if the request was directly from a customer or from an unrelated third party. By identifying these privacy issues and looking to the existing body of work around privacy, we developed principles that accommodated Xcel Energy’s use of the information to provide service, allowed us to process the data in a fair and transparent way, and maintain the trust our customers placed in us when they gave us the information. We then translated these privacy principles into our company policies and procedures. For example, we developed a data classification standard specific to customer information and a process for authorizing release of customer information to third parties, including identifying necessary informed consent requirements.

Our task force also considered the big picture issues, such as the role Xcel Energy should play within the utility industry in the area of customer privacy. When, prompted by the development of the Smart Grid, the Colorado PUC later issued proposed customer information privacy rules in December of 2010, our internal privacy work ensured that we were ready to provide the PUC with thoughtful, practical feedback, using our privacy principles as the basis for our comments in that rulemaking.

Should we really be concerned with the privacy implications of smart meter data? Or is it all hype?

It’s not hype. More granular energy data can reveal information on how energy is used in the home, which in turn could identify routines or practices by the individual user.

Historically, utilities have typically afforded some level of privacy to the customer’s energy usage information. What the implementation of smart meters and other advanced meter technology has changed is that the data has more uses and is perceived to be more valuable to a broader group of interests. Once upon a time, no one would have asked for energy usage information except to understand their own energy bill. Now, because the data is much more granular, it has many more potential uses. We get quite a few requests from a variety of non-customers for both individual and aggregated usage data to understand things like carbon footprints, the success of energy efficiency programs or even possible criminal activity. Before releasing the data, we have to consider who is making the request, what their relationship is to the customer, whether they have a legal authority to compel the data and whether the possibility of that request is even transparent to our customers. Five years ago, we weren’t even thinking about these issues because we were not getting these types of requests.

We have seen a lot of interest from our customers in our privacy practices based on the ongoing dialog around these issues. YouTube has hundreds of videos on privacy and health issues for smart meters, including discussions on whether these meters act as illegal surveillance devices on what people do in their home. What a scary idea. I respond to many of these customer inquiries by providing assurances that we will only use the data to service, and that we will not release this information to others except in limited circumstances, such as when we are legally required or with the customer’s knowledge and consent.

One thing to keep in mind is that utilities “get” the importance of maintaining trust with their customers. Electricity is an essential service. It is also a highly regulated service, with considerable oversight by state and federal agencies. This puts us in a very different posture from some other industries. We collect and use customer information to provide electric service. We are not collecting data so that we can sell it to others for their business purposes. Instead, our focus is to implement privacy controls (such as transparency and consent) that we believe provide appropriate privacy protections and make the release of data for non-utility purposes subject to law or the customer’s choice.

Will 2012 be the year that utilities really get it right when it comes to smart meter privacy?

We are going to hear a lot more about this issue in 2012. For example, the National Association of Regulatory Utility Commissioners (NARUC) issued a statement last summer recommending that all state regulatory commissions consider privacy in the context of information collected from smart meters and advanced metering technology. I believe that this recommendation has started a domino effect that we will start to realize in 2012. Prior to NARUC’s announcement, a handful of states, such as California and Colorado, were already proactively looking at the privacy implication of smart meter deployment. But the NARUC announcement really put this topic on the map. I would expect that in 2012 you will see even more dialogue around smart meter deployment and privacy among federal agencies, state regulatory commissions, regulated utilities and other stakeholders. In fact, the recent IAPP web conference on smart grid privacy in which I participated was part of the dialogue. Each state will make a determination as to what the outcome of this dialogue will be, but the hope is for a fairly uniform approach to privacy and smart meter deployment issues across state lines.

Okay, enough about smart meters. If you weren’t working in privacy, what would you do for work?

I would try and talk myself onto Anthony Bourdain’s “The Layover” so I could go around the world, eat, drink and talk about how great—or not—the particular local cuisine was. I think his honest, unfiltered assessment of the food he tries on the show is refreshing. I also like his wicked sense of humor.

Are you big on privacy in real life?

While I deal with social media issues at work, in my personal life I am not on Facebook or Twitter, and I still mail my bills. My family and friends have offered to set up a Facebook or a LinkedIn account for me, thinking that my absence from social media is a time issue rather than a deliberate avoidance in my personal life. Their conclusion that I don’t have time probably has a lot of merit. My life is full. In other words, this choice of mine may not be so much a principle as a survival mechanism.

Have you had good mentors within your career?

I’ve had fantastic mentors in my career, including with my present employer. I don’t think you can advance in a career without the benefit of having people invest in you and share with you their wisdom, and so I’ve been really fortunate. I would say early on in my career, when I was a law student, I had a woman attorney who mentored me at a time when I really needed someone to provide me with perspective on my career, and that experience was incredibly valuable to me. Once I graduated, we moved on to a less formal mentor relationship, to more of a friendship role. She said, “You need to mentor others. That is all I am asking you to do in recognition of what I’ve done for you.” I’ve mentored law students and non-lawyers throughout my career to give back, and found the process extremely rewarding.

Any New Year’s resolutions?

It’s sort of a developmental goal for me this year: I am signed up for CIPP certification, even though I had promised myself after taking the bar exam that I would never take another test again. My goal is to pass the exam with a solid score. Wish me luck!

Written By

Angelique Carson, CIPP/US

