In the spring of 2018, a major electronic data interchange (“EDI”) provider in the utility industry was hacked by outside parties. While the attack apparently did not impact the operations of physical power and natural gas infrastructure, nor was any confidential information obtained illegally, this breach rippled throughout the energy world, with the largest impact occurring in New York.
Because of this seemingly isolated incident, New York became a first mover in establishing cybersecurity rules and protocols for the energy sector. Unfortunately, while the entire industry agrees on the need to protect critical infrastructure and data, the rushed and hackneyed process in New York led to a suboptimal public policy outcome that may have impacts in other states as well.
This outcome included two documents, a Data Security Agreement and a Self Attestation Form (collectively the “Security Documents”), which market participants were required to sign by the end of August. Failure to sign meant participants risked being kicked out of the market. Despite the concessions made by the industry and the utilities, these documents likely will stymie the further development of the competitive retail energy market and increase costs to consumers. Additionally, the Security Documents create unnecessary hurdles to New York being able to achieve the state’s ambitious energy goals by creating new cost barriers to entry and by creating ambiguity and confusion as to the allowed uses of data gathered by the utilities and shared with energy providers. As discussed below, the process used to create a first-of-its-kind cybersecurity policy lacked appropriate regulatory oversight and failed to account for the various levels of risk associated with different market players.
Within weeks of the breach reported by the EDI provider, a New York utility issued to all energy service companies (ESCOs) operating in its territory a Data Security Agreement and a Vendor Risk Assessment. These documents were issued on a Monday with a note from the utility that if they were not executed and returned by that Friday, the utility would turn off the ESCOs’ access to its systems, effectively shutting off the market to any company unwilling to comply. The utility claimed it had this authority under Section 2.(f)(1)(a) of the Uniform Business Practices Act, which governs the competitive retail energy market in New York. Industry participants immediately and forcefully pushed back, claiming that this deadline gave them insufficient time to review the documents, that the utilities lacked the authority to require the execution of such documents, and that there were multiple substantive issues within the documents which needed to be addressed prior to their execution. As additional utilities followed suit, sending their own proposed Data Security Agreements and Vendor Risk Assessments, the forms varied slightly from utility to utility, creating additional risks and concerns for industry participants.
During the next six weeks, multiple discussions took place between market participants and the utilities, leading to the utilities in New York joining together and providing the industry with a single set of documents modeled on the Data Security Agreement previously approved by the New York Public Service Commission (“PSC”). Given the significant differences between the proposed Data Security Agreement and the one previously approved by the PSC, the utilities and the industry began collaborating through a business-to-business series of meetings and interactions between late May and late July.[1]
In mid-June, the PSC opened a formal proceeding and directed staff to monitor and file a report on the business-to-business process at the end of August. However, the report was to be limited in scope to ensuring that the cyber protections were adequate and to determining whether the insurance requirements contained in the proposed Security Documents were “an efficient and effective vehicle for mitigating any potential financial risks.”[2] During the course of the business-to-business negotiations, the parties agreed to reduce the required cyber insurance amount from $10 million to $5 million.
Failings of the Process
While the reduction of the required cyber insurance amount represents a significant compromise between the parties, it fails to address two critical issues:
- Who should be required to carry the insurance? Should it be the EDI providers who interact with the utility daily, the ESCO who only receives the data from the EDI provider, or both; and
- Should the insurance requirement be a flat amount across all market participants regardless of the potential impact a data breach could have? In other words, is it equitable to require a company with 2,000 customers to provide the same level of security as a company serving 100,000 meters? The obvious answer to this is “no,” as the company with the larger meter count creates more risk for the loss of confidential data.
Interestingly, despite explicit direction from the Commission, staff failed to address this critical cybersecurity insurance requirement in their report, noting only that there remained disagreement between the parties as to the amount of cybersecurity insurance that should be required. It is also worth noting that requiring cyber insurance will increase costs to New York consumers and decrease competition, as these additional costs will be embedded in the customer’s final bill.
Had the PSC instituted a more formal proceeding, engaged all stakeholders in this process, and addressed these critical issues, the likely outcome would have been a more reasoned policy that accounts for the risk posed by each market participant rather than a one-size-fits-all approach, and one that would have created fewer barriers to entry for the competitive market. However, this was not the route either staff or the PSC elected to take; instead, they gave the utilities more of a free hand and created the belief among market participants that whatever the utilities ultimately wanted, the PSC would ultimately give them.
A second major failing in the process lies in the failure to thoroughly flesh out critical sections of the Security Documents. This failure included creating definitions that were ambiguous and confusing, subjecting “Third Party Representatives” to the requirements of the Security Agreements without considering the risk posed by the data received by these parties, and giving the utilities the ability to limit an ESCO’s participation in the market if the utility determined in its sole discretion that a market participant is not in compliance with the requirements of the Security Documents. In comments filed in late September, multiple industry participants addressed these and other issues which were not resolved during the business-to-business process, and requested that the PSC stay implementation and enforcement of the requirements in the Security Documents until these issues have been addressed.[3]
Throughout this informal process, all parties agreed that protecting consumer information is of paramount importance. Multiple times throughout the process, industry participants considered seeking a more formal process to comprehensively address the issues raised by all parties in the proceeding. However, the utilities’ sense of urgency, whether real or manufactured, to put something in place was used as justification for not instituting a more formal proceeding. Given that data privacy and security are critical issues for individuals and businesses, New Yorkers are ultimately being done a disservice. While the breach of an EDI provider’s systems earlier this year led to some positive changes, such as requiring New York market participants to move to the latest version of EDI protocols, the desire to produce an outcome rather than the right policy will only result in higher costs for consumers and will afford little benefit in terms of heightened cybersecurity.
[1] Copies of the comments of the parties in this business-to-business proceeding can be found at: http://www3.dps.ny.gov/W/PSCWeb.nsf/ArticlesByTitle/4A24D0D51395B1F8852582A200
[2] NY PSC Case 18-M-0376, Order Instituting Proceeding, June 14, 2018, at 3.
[3] NY PSC Case 18-M-0376, Final Comments of the DSA Coalition Members on Proposed Data Security Agreement and Proposed Self Attestation, September 21, 2018.