- The New York Public Service Commission on Thursday adopted new security requirements for third-party energy suppliers in order to provide "a universal foundation of cybersecurity and data privacy protections" for customer data and related utility IT systems. But regulators nixed a proposed insurance requirement.
- The decision stems from a February request by a group of utilities that regulators confirm they have the authority to require and enforce Data Security Agreements (DSA) for entities seeking access to customer data or utility systems, such as energy service companies or distributed energy resource suppliers.
- The commission's decision will require utilities to cite more than just the lack of a DSA before discontinuing an ESCO's access. But regulators also determined utilities have little say over what a customer may do with their data — a win for stakeholders advocating standardized access to data.
The joint utility petition had requested the PSC affirm their authority to require energy serving entities (ESE) to execute a DSA, or risk being denied access to utility IT systems and possibly customer data.
Regulators said in order to disconnect an ESE from data systems, along with a missing DSA, utilities would need to make a claim that the entity's action or inaction "presents a specified risk to the utility's IT systems." But because the commission's decision also established minimum levels of cybersecurity and privacy protections that all ESEs must maintain, the disconnection process was unnecessary.
According to the order, "ESEs that fail to maintain these minimum levels of protections shall not have access to customer data, and/or the Utility IT systems. Disputes regarding whether an entity has complied with these requirements should be brought to Department Staff."
Utilities had proposed that the DSA include a provision requiring a $5 million cybersecurity insurance policy for entities that electronically receive or exchange customer data with the utility. Regulators nixed this idea.
The utilities "have not established that cybersecurity insurance would be an efficient and effective means of mitigating cybersecurity risks and financial costs associated with security breaches," the commission said. "Moreover, the insurance requirement would serve to act as little more than a market barrier to entry."
PSC officials said the decision sought middle ground, to enable the development of distributed generation while also securing the grid.
"The commission today directed the state's utilities and third-party energy suppliers to provide appropriate cybersecurity protections without erecting significant barriers to development of new energy markets," PSC Chairman John Rhodes said in a statement.
Rhodes said the PSC's new approach "will provide a universal foundation of cybersecurity and data privacy requirements that will encourage a vibrant energy marketplace." The commission's order also recognizes that data belongs to the customer, and that customers have a right to direct or consent to the use of that data.
The joint utilities petition had also proposed to limit an ESEs ability to create derivative data from customer data, except as specified under the DSA. Regulators balked at that.
"It is not up to the utility to decide what the customers data should be used for nor police these actions," the commission's order says. "The use of the customer data once it's out of the utility system should instead be decided between the ESE and the customer."
A group promoting standardized access to energy data called Mission:data had said utilities were trying to "exploit the current climate of fear surrounding cybersecurity risks in order to inappropriately seize certain powers over distributed energy resource suppliers."
The PSC's decision was "a big win for innovation," Mission:data said in a Thursday tweet.