In the first installment of this two-part series on Smart Grid privacy issues, the authors made several recommendations on keeping your customers' information protected, including how to best communicate what information you collect and how you're using it. But there's more you need to know about handling Smart Grid privacy, as this second installment points out.
By Susan Lyon and John Roche
Handle Sensitive Data with Care. A Smart Grid system that is smart enough to identify a medical device, such as a sleep apnea machine, so that it can send backup power during blackouts may also be smart enough to know that your customer has a sleeping condition. Design your systems, if you can, to not collect details that can reveal sensitive information such as health, financial information, Social Security number, driver's license number, sex life, religious or philosophical beliefs, political opinions or racial or ethnic origin. If you do collect it, make it optional if possible and take extra care with the data principles described here.

Make Promises You Can Keep. It may be tempting to make statements about the level of security you have in place, or the privacy practices you use to protect information about customers on the Smart Grid, to market your product and promote adoption and use. Those same statements, if proven to be false or deceptive, can also be one of the easiest ways to get in trouble with regulators. Sometimes promises you intend to keep get broken through no fault of your own. Can you really anticipate everything a hacker can do to get around your systems? Probably not. So don't say you keep information 100% secure. Do you really invest enough money to always have the best and newest security the moment it comes out? Probably not. So don't say that your security is "state of the art." In general, avoid making absolute promises about security or promises that are practically impossible to keep.

Mind Your Agents. Don't forget privacy and security provisions in contracts with vendors that have access to or process information on your behalf. Consider an onsite audit or other due diligence to make sure their privacy and security practices are at least as good as yours. Make them report any breaches or incidents immediately.
Remember, anything your service providers do with personal information will likely be treated as if you did it yourself.

Know When to Say "No" and "Yes" to Information Requests. Detailed information collected in Smart Grid data systems can be highly useful for government investigators and officials and others seeking information for seemingly legal purposes. Know that responding, or failing to respond, to information requests is a double-edged sword. Failure to respond can land you in trouble, but so can giving up information under certain circumstances. For example, if your service provides users the ability to send and receive messages, you could be an electronic communication service provider for purposes of a federal law that prohibits you from sharing information about those messages, in certain circumstances even with government officials. You should also consider where you store information. Outsourced storage to certain countries could trigger different obligations that could impact you and your customers. Seek good legal advice when you get information requests and when you decide to store information in places where the laws may be different from your own.

Put Yourself in the Shoes of the Customer. Try to see things from the perspective of the individuals whose data you collect and hold. By doing this, you can anticipate and avoid many privacy issues. A consumer may not mind the collection of data by individual devices and appliances to help make electrical products run more efficiently or help monitor energy consumption. Collecting and sharing information about each of these activities independently may not warrant a very high level of consent and notice experience to make consumers feel comfortable. If you decide to combine this information, however, consider the rising creepiness factor a consumer may feel if these data elements are brought together in a way that creates a minute-by-minute account of what she is doing throughout the day.
An electric car can tell how far she drove and, with GPS, where she drove; when it is plugged in at the garage, it can tell whether she is at home or not. Smart appliances can reveal when she is cooking and watching TV. A power draw on the hot water heater can reveal when she is taking a shower. Lights out can tell when she is sleeping.

There are many other issues to consider when developing devices and systems that handle and reveal personal information in the Smart Grid environment. We have only skimmed the surface of the few presented here. Rest assured that the privacy issues that emerge with the development of Smart Grid systems will be as complex and interesting as the Smart Grid itself.

Susan Lyon, Of Counsel, and John Roche, Associate, are members of the Privacy and Data Security team of Perkins Coie LLP.
© 2012 SmartGridNews