Xcel Energy: Building privacy into the smart grid
By Jay Cline, CIPP
Smart grids are on their way to becoming mainstream, but what does that mean for consumers, whose detailed household energy data will be aggregated and potentially shared in ways previously unimagined? Should retailers, marketers, defense attorneys and law enforcement have access to the data? While nations and utilities across the globe invest millions, billions even, in the development of smart grids, that is a question being examined on a global scale. In this story, author Jay Cline outlines how one company is working to assure its customers that their privacy will be protected.
(Editor's note: For a primer on the smart grid and what it means for digital privacy, read "Smart grids are the future of power, but what does that mean for the future of privacy?" from the July issue of the IAPP Privacy Advisor member newsletter. Member login required.)
If you live in Boulder, CO, you also now reside in Smart Grid City. Half of this college town's 45,000 households now boast a smart meter in what Xcel Energy calls the first fully functioning smart grid-enabled city in the world. Xcel Energy's response to the new privacy issues associated with its Boulder initiative and to ongoing municipal requests for consumer data is a case study in how a privacy program can enable business objectives.
In public comments filed with the U.S. Department of Energy in July, Megan Hertzler, Xcel Energy's director of privacy, wrote, "[W]ithout strong protections of customer energy usage data, our customers would be reluctant to embrace smart grid and other new technologies."
What is the smart grid? In a snapshot, it's the first overhaul of power grids in more than 100 years. Digital wireless meters at home will transmit information to the power company to allow it to avert power outages and optimize energy use. It will also enable homeowners to pre-program their own energy use through Web-based accounts. Privacy concerns have followed each stage of the smart grid evolution, prompting the Department of Energy to request public comments on the topic.
To understand how a utility company found itself at the forefront of a cutting-edge social issue, some background on the firm is needed. Headquartered in Minneapolis, MN, Xcel Energy and its 12,000 employees annually generate $9.6 billion in revenues by serving 3.4 million electric consumers and 1.9 natural gas consumers across eight western states.
The company traces its founding to 1881, when Henry Byllesby left his employment with Thomas Edison to start a series of power ventures. In 1909, Byllesby formed Minnesota-based Washington County Light & Power Company and Northern States Power (NSP). NSP emerged as the parent, and its 2000 merger with Denver-based New Century Energies resulted in Xcel Energy. The states assigned to Xcel Energy by the state utility-regulatory commissions include Colorado, Michigan, Minnesota, New Mexico, North Dakota, South Dakota, Texas and Wisconsin.
Among U.S. utilities, Xcel Energy is known for thinking ahead. The company ranked first in wind power generation and fifth in solar power, for example, before its foray into the nascent smart grid technology. This progressive mindset has also placed privacy at its doorstep.
According to Hertzler--who joined Xcel Energy in 2002 as assistant general counsel and shifted full-time to privacy earlier this year--privacy issues were already surfacing before the advent of the smart grid project. Its storage of consumer Social Security numbers made it subject to state laws on security breach notification, and its extension of credit to some consumers required the utility to develop an ID theft red flags program.
"Our CIO told me we can't be the next TJX," Hertzler told Inside 1to1: Privacy, referring to the now-famous 2007 data breach at the Massachusetts-based retailer.
But it was a series of ongoing requests by governments, reporters, municipalities and researchers for consumer data that was the catalyst for Xcel Energy to formalize a privacy program. Cities seeking to meet energy conservation goals and researchers testing energy conservation ideas knew they had a friend in the utility and began asking the utility for detailed data sets.
"We were seeing an escalated level of requests for information," Hertzler said.
In one example, Hertzler said a city wanted to know the energy consumption levels of all of its residents so that it could post signs in the yards of those with the lowest use. In another case, a researcher wanted energy use details to the nine-digit ZIP Code level.
But there was "not a lot of legal guidance" for how utilities should respond to these requests, she elaborated, and substantial variation across the laws of the eight states the company serves.
In response, Xcel Energy formed a cross-functional Customer Data Taskforce. It also launched an enterprise data-inventorying and mapping exercise and deployed a vendor-assurance process to incorporate security protections in its service provider contracts. Hertzler also spearheaded the implementation of a data-incident response plan and role-based training for data privacy.
A crowning achievement of the privacy program will occur at year end, she said, when Xcel Energy includes a set of privacy principles with its tariff. A tariff is a document that proposes what services a utility will provide, what rates it will charge and what rules it will follow. Once regulators approve the tariff, the utility is bound by it. Hertzler believes her employer will be one of the first utilities to include privacy principles in its tariff.
Hertzler said the company's public comment submission to the Department of Energy indicates the principles Xcel Energy will advocate. One section of the submission reads as follows:
"Utilities should not be required to release information that could allow for the identification of individual consumers to any third party not assisting the utility with the provision of service..."
When the tariff gets approved, Xcel Energy customers will have additional assurance that their energy provider will be a strong link in the smart grid chain.
"We have long-standing relationships with our customers," Hertzler explained. "Trust is an important part of that."
Jay Cline is President of Minnesota Privacy Consultants.
Editor's note: The National Institute of Standards and Technology released a report last week making recommendations for privacy within the smart grid, including that privacy be protected "by law or other means."