Wednesday is Data Privacy Day in the USA, and it should receive heightened awareness after the recent Sony Pictures cyberattack. While media attention focused on cybersecurity weaknesses, privacy is the natural consequence of good cybersecurity. Security – cyber and physical – is a strategy that ensures a privacy outcome.
Unfortunately, determined cyberattackers or the deliberate or careless actions of current or former employees can defeat the best cybersecurity and physical security systems. Mandatory privacy policies and protections minimize the risks that sensitive data will be exposed – whatever that data might be. Sensitive data such as social security numbers, bank account information, and personal health records are managed to protect privacy. Utilities already manage sensitive data too, but need to prepare for significant increases in privacy risks.
Sensors are gathering more and/or new types of data. Inexpensive data transmission and storage make it possible to handle new volumes, varieties, and velocities of data. Smart Grid technologies can deliver new granularity in time-stamped data about consumer use of electricity, gas or water. More M2M technologies can generate location-based data that accurately maps activity over the course of a day.
All these converging technologies increase data privacy risks, and make the publication of Data Privacy for the Smart Grid* very timely. It’s a key reason I helped write it. The Smart Grid delivers a myriad of benefits to utilities and consumers, but it also creates new risks and new concerns about data privacy. Energy usage data is invaluable to help intelligently manage energy and reduce utility operational costs and consumer costs. Privacy risks emerge in questions of how that energy usage data is used, shared, stored and otherwise accessed.
Utilities have prominent roles in the collection of energy usage data, but they may not be the only entities gathering, receiving, storing, or using that data. In the future it is very likely that businesses other than utilities may manage generation assets or water conservation equipment, sell electricity, or collect energy usage data directly from consumers. The variety of potential players coupled with new services and technologies can easily confuse everyone with blurry responsibilities for privacy protection and more exposure risks. Will consumers always know the “chain of data custody” for their energy usage data? The answer is no, and that has serious policy, process, and training implications for utility executives and vendors of solutions capable of gathering, transmitting, and using this data.
This is definitely a situation where what you don’t know about privacy risks can hurt you – in the forms of criminal or civil litigation and financial penalties, bad publicity, lost goodwill, and reputation damage. What steps should utilities and vendors take to protect the privacy of their customers’ energy usage data and avoid the fallout of failure? The answers are the focus of next week’s article.
* Published by Taylor and Francis Group. Co-authors: Christine Hertzog and Rebecca Herold. ISBN: 978-1-46-657337-6. Available for pre-sale now.