Smart Grid Privacy Part 1: How to Keep Your Customer Data Protected — and Keep Your Customers

By Susan Lyon and John Roche

.

By now you have probably heard of growing concerns relating to Smart Grid privacy.  Big brother scenarios of your own house spying on you and watching your every move have been predicted.  Whether you think that scenario will play out or not, the reality is that the Smart Grid is like any other technological system and will not escape the watchful eyes of the regulators. 

Rules and regulations governing Smart Grid privacy are still in the nascent stage of development.  Proposals for regulations at the federal, state and local levels are being set forth and comments are being solicited and submitted.  Until these laws develop, what can you do if you are building Smart Grid systems, products and services today? 

Well, you could bury your head in the sand and pay the added cost of retrofitting later, or you could be proactive and consider doing a few things now to get ahead of the game.  The following in a nutshell are privacy tips you should consider sooner rather than later.

Give Them Control.  There is a lot more information about consumers in the Smart Grid world.  Consumers want to use that information and so do others.  Draft National Institute of Standards and Technology (NIST) guidelines currently under development reference Generally Accepted Privacy Principles (GAPP). GAPP and related principles form the basis of many of the multi-national and regional data protection laws throughout the world.  Under GAPP, control and choice are two main principles that have been generally accepted as privacy issues and should be considered. 

In practice this means giving users meaningful choices about how their information is used and shared.  When information is collected, give choices for any purposes customers may not expect.  For example, say you collect information about appliances a customer uses to provide services to monitor and lower energy use.  Your technology is smart enough to tell through energy patterns that their household has an outdated energy-draining dishwasher.  You may want to give customers a choice about whether you then share that fact with a big box retailer who wants to market another more efficient product to them.

Consumers in a Smart Grid environment will also want more control of their information not only so they can keep it private but also so they can more easily share it with others that can use that data to provide beneficial products and services.

Tell Them What You Are Doing.  Another GAPP principle is notice.  What data is being collected? How is it being used? With whom is it being shared? 

An obvious way to do this is in a privacy policy.  Privacy policies are not just for Web sites.  More and more technology products now have privacy policies to help explain their privacy-impacting features. 

Sometimes a privacy policy is not enough.  When information is particularly sensitive or harmful you may want to be clearer and give more prominent notice. Say you have an online community that allows customers to share and compare energy conservation tips.  When customers sign up with that community, you may want to disclose up front the fact that an hour-by-hour account of the temperature in that individual's home will be publicly displayed to other members. This information could potentially be used by thieves to figure out when someone is not at home. 

Design for Access.  Give people the ability to see what information you have about them.  Most people don't care to ask.  Others, however, do want to know.  You should consider something as simple as offering a point of contact such as an email address that customers can use to request their information.  Or something more elaborate like an online profile where customers can log in and change their information and contact preferences or perhaps delete their information altogether.

Keep Data Safe.  When you gather any personal data, particularly sensitive data, you should store it and move it securely.  With information you collect from customers on the Internet or wirelessly transmit to and from utilities, you should use encryption to safeguard the data from intrusion.  Although Federal Energy and Regulatory Commission (FERC) security standards may be adequate for infrastructure security for energy companies, you should follow the developing NIST guidelines when it comes to parts of your system that handle personal information.  For the basics on safeguarding information, the Federal Trade Commission also puts out great business tips and training at http://www.ftc.gov/infosecurity/.

Reduce Consumption.  Think about the data you need to perform the task and only collect or store what you need to have.  For example, don't collect full date of birth if you can get by with just the birth year and save your customers from added risk of fraud by exposing data often used to verify identity to open or access financial accounts.  If you need data for research or analysis but don't really don't need to know who the particular individuals are, make the data anonymous by stripping it of personally identifiable information.  If you no longer need information, securely get rid of it.

Susan Lyon, Of Counsel, and John Roche, Associate, are members of the Privacy and Data Security team of Perkins Coie LLP.

Stay tuned for Part 2 and more practical guidance on Smart Grid privacy.

. 

.

You might also be interested in …

. 

·         How Privacy (or Lack of it) Could Sabotage the Grid

·         Checklist for a Safe and Sane Smart Grid

. 

Related SGN channels …

. 

·         Smart Grid Policy & Regulation

·         Smart Grid Strategy

.