Privacy Advisor

Getting to know a privacy pro

March 1, 2012

The Assistant General Counsel and Director of Data Privacy at Xcel Energy talks privacy, smart meters and New Year’s resolutions.

By Angelique Carson, CIPP/US

Megan Hertzler’s path to privacy was sort of an accident. Starting off at the Minnesota Attorney General’s Office as counsel to the Minnesota Public Utilities Commission (PUC), she advised the commission on matters relating to PUC regulation in the state, but, she says, there wasn’t a great emphasis on customer privacy back in 1997. After working in private practice for a time, Hertzler went to work for Xcel Energy in 2009 and, in response to significant data breaches being reported in the media, got down to work on privacy pretty quickly.

“My chief information officer at the time was walking the hallways of the law department at about 7 p.m., and I was the only attorney still working,” Hertzler remembers. “He came into my office and sat down and said, ‘We will not be the next TJX,’ (a retailer whose 2007 data breach resulted in the theft of 45.6 million credit and debit card numbers), and I had no idea what he meant. I thought, ‘I’ll Google it later.’ He told me that he was becoming more and more concerned about what we needed to do to be proactive around data security and privacy, and he wanted someone else to be up at night worrying about it, as he put it.”

When Hertzler focused in on the matter, she found that there was more to do than she originally imagined when it came to data protection.

“It wasn’t that we were noncompliant, but we certainly were not being proactive in identifying emerging privacy issues,” she said.

In 2010, Hertzler pitched to management that it create a position dedicated exclusively to privacy, one Hertzler has held ever since. Writing her own job description was somewhat difficult, she recalls, because there really wasn’t a model.

“It’s not usual for this type of stand-alone position to be a part of utilities’ standard operations,” she said. “I think that will change because, more and more, utilities have to be thinking about privacy and data security proactively in order to stay ahead of emerging data risks. And also, with the growing awareness of privacy issues for customer energy use information, utilities will have to respond to a growing number of questions from regulators and customers on their privacy practices. It is best if you have someone that is accountable for all of these issues.”

The Privacy Advisor caught up with Hertzler to ask about the key privacy challenges utilities are facing today—namely as they increasingly deploy smart meters capable of capturing granular data on consumer energy usage—to get her predictions on what 2012 will bring and to learn a bit more about the life of a privacy professional.

When it comes to privacy issues involving customer data, how should utilities get proactive?

Privacy discussions need to occur at all levels of the organization so that business need and customer expectations are both considered when developing internal policy. A good example of this for Xcel Energy was the effort we made in 2010 around customer information, including their energy usage information. We formed an internal task force made up of representatives from all the areas of the company where customer information was collected, maintained or used. It was a very broad and diverse group of individuals.

The task force was charged with developing Xcel Energy’s privacy principles for customer information. We spent 10 months identifying the privacy issues Xcel Energy was facing, including, for example, how the company was using customer information in providing service, how we would handle a request for the customer’s data and whether our response would be different if the request was directly from a customer or from an unrelated third party. By identifying these privacy issues and looking to the existing body of work around privacy, we developed principles that accommodated Xcel Energy’s use of the information to provide service, allowed us to process the data in a fair and transparent way, and maintain the trust our customers placed in us when they gave us the information. We then translated these privacy principles into our company policies and procedures. For example, we developed a data classification standard specific to customer information and a process for authorizing release of customer information to third parties, including identifying necessary informed consent requirements.

Our task force also considered the big picture issues, such as the role Xcel Energy should play within the utility industry in the area of customer privacy. When, prompted by the development of the Smart Grid, the Colorado PUC later issued proposed customer information privacy rules in December of 2010, our internal privacy work ensured that we were ready to provide the PUC with thoughtful, practical feedback, using our privacy principles as the basis for our comments in that rulemaking.

Should we really be concerned with the privacy implications of smart meter data? Or is it all hype?

It’s not hype. More granular energy data can reveal information on how energy is used in the home, which in turn could identify routines or practices by the individual user.

Historically, utilities have typically afforded some level of privacy to the customer’s energy usage information. What the implementation of smart meters and other advanced meter technology has changed is that the data has more uses and is perceived to be more valuable to a broader group of interests. Once upon a time, no one would have asked for energy usage information except to understand their own energy bill. Now, because the data is much more granular, it has many more potential uses. We get quite a few requests from a variety of non-customers for both individual and aggregated usage data to understand things like carbon footprints, the success of energy efficiency programs or even possible criminal activity. Before releasing the data, we have to consider who is making the request, what their relationship is to the customer, whether they have a legal authority to compel the data and whether the possibility of that request is even transparent to our customers. Five years ago, we weren’t even thinking about these issues because we were not getting these types of requests.

We have seen a lot of interest from our customers in our privacy practices based on the ongoing dialog around these issues. YouTube has hundreds of videos on privacy and health issues for smart meters, including discussions on whether these meters act as illegal surveillance devices on what people do in their home. What a scary idea. I respond to many of these customer inquiries by providing assurances that we will only use the data to service, and that we will not release this information to others except in limited circumstances, such as when we are legally required or with the customer’s knowledge and consent.

One thing to keep in mind is that utilities “get” the importance of maintaining trust with their customers. Electricity is an essential service. It is also a highly regulated service, with considerable oversight by state and federal agencies. This puts us in a very different posture from some other industries. We collect and use customer information to provide electric service. We are not collecting data so that we can sell it to others for their business purposes. Instead, our focus is to implement privacy controls (such as transparency and consent) that we believe provide appropriate privacy protections and make the release of data for non-utility purposes subject to law or the customer’s choice.  

Will 2012 be the year that utilities really get it right when it comes to smart meter privacy?

We are going to hear a lot more about this issue in 2012. For example, the National Association of Regulatory Utility Commissioners (NARUC) issued a statement last summer recommending that all state regulatory commissions consider privacy in the context of information collected from smart meters and advanced metering technology. I believe that this recommendation has started a domino effect that we will start to realize in 2012. Prior to NARUC’s announcement, a handful of states, such as California and Colorado, were already proactively looking at the privacy implication of smart meter deployment. But the NARUC announcement really put this topic on the map. I would expect that in 2012 you will see even more dialogue around smart meter deployment and privacy among federal agencies, state regulatory commissions, regulated utilities and other stakeholders. In fact, the recent IAPP web conference on smart grid privacy in which I participated was part of the dialogue. Each state will make a determination as to what the outcome of this dialogue will be, but the hope is for a fairly uniform approach to privacy and smart meter deployment issues across state lines.

Okay, enough about smart meters. If you weren’t working in privacy, what would you do for work?

I would try and talk myself onto Anthony Bourdain’s “The Layover” so I could go around the world, eat, drink and talk about how great—or not—the particular local cuisine was. I think his honest, unfiltered assessment of the food he tries on the show is refreshing. I also like his wicked sense of humor.

Are you big on privacy in real life?

While I deal with social media issues at work, in my personal life I am not on Facebook or Twitter, and I still mail my bills. My family and friends have offered to set up a Facebook or a LinkedIn account for me, thinking that my absence from social media is a time issue rather than a deliberate avoidance in my personal life. Their conclusion that I don’t have time probably has a lot of merit. My life is full. In other words, this choice of mine may not be so much a principle as a survival mechanism.

Have you had good mentors within your career?

I’ve had fantastic mentors in my career, including with my present employer. I don’t think you can advance in a career without the benefit of having people invest in you and share with you their wisdom, and so I’ve been really fortunate. I would say early on in my career, when I was a law student, I had a woman attorney who mentored me at a time when I really needed someone to provide me with perspective on my career, and that experience was incredibly valuable to me. Once I graduated, we moved on to a less formal mentor relationship, to more of a friendship role. She said, “You need to mentor others. That is all I am asking you to do in recognition of what I’ve done for you.” I’ve mentored law students and non-lawyers throughout my career to give back, and found the process extremely rewarding.

Any New Year’s resolutions?

It’s sort of a developmental goal for me this year: I am signed up for CIPP certification, even though I had promised myself after taking the bar exam that I would never take another test again. My goal is to pass the exam with a solid score. Wish me luck!