On October 17, the New York State Public Service Commission (PSC) adopted new cybersecurity and data privacy requirements for third-party energy suppliers and companies that electronically receive and exchange utility-housed customer data with the utilities’ IT systems.
In a press release, Commission Chair John B. Rhodes observed, “The Commission today directed the state’s utilities and third-party energy suppliers to provide appropriate cybersecurity protections without erecting significant barriers to development of new energy markets as envisioned by REV [Reforming the Energy Vision]. Our new approach will provide a universal foundation of cybersecurity and data privacy requirements that will encourage a vibrant energy marketplace.”
The Commission’s decision creates critically needed standards to ensure customer data remains protected and secured. The changes are designed to provide protections against a potential cyber incident, while maintaining the confidentiality of customer data, and instilling customer confidence in retail and energy markets.
The Commission’s order recognizes that the data is the customer’s data and that customers have a right to direct or consent to the use of that data. As the PSC underscored, a market where all parties observe cybersecurity and privacy protections will reduce the risks associated with electronic communications of customer data between distribution utilities and companies, instilling customer confidence and promoting market development.
Per the order, a fully risk-based approach will not be adopted at this time. However, the Commission clarifies that only entities that electronically receive or exchange customer information from a direct connection with the utilities’ IT systems, except by email, will need to adopt the cybersecurity requirements established in this Order. Energy Service Entities that have access to customer information but do not have a direct connection into the utility IT systems will need to implement the appropriate privacy protections to ensure customer data is protected from improper disclosure or misuse.
Within 60 days from the date of this order, NY public utilities are required to file a revised Data Security Agreement and Self Attestation consistent with the discussion and conclusions in the October 17 order. Energy Service Entities seeking access to customer data through utility IT systems shall be required to execute a Data Security Agreement and Self Attestation.
To access this order, enter Case Number 18-M-0376NY in the PSC Documents portal.