Security and Resilience (Cyber and Physical)

Protecting customer trust: Ensuring data privacy

With high-profile, widespread data breaches affecting companies from Facebook to Equifax, people are beginning to recognize how much personal data companies collect, and they are losing trust in the ability of various organizations to protect it.

Big companies are not the only ones targeted.

“In small-town America, small businesses are getting hacked regularly. This isn’t just a large utility issue. This is across the board,” said Doug Westlund, senior vice president at AESI-US, Inc.

“A privacy breach is a whole bunch of hurt — you really want to avoid it at all costs,” said Westlund. “With public power, you establish yourself as a trusted energy services provider. Certainly, to be trusted, you absolutely need to be sure that [personal information] is properly protected.”

To maintain trust among customers and shield themselves from loss, public power utilities use a variety of processes and policies to protect data.

Know what data you have

Kenneth Carnes, chief information security officer at the New York Power Authority, acknowledged that utilities already recognize the importance of protecting data such as sensitive financial and customer information. However, he noted that the challenge for utility managers is understanding and conveying the true risk of data loss, and knowing how and where to implement the right level of protection and controls.

“Different utilities are going to have different risks,” said Carnes. “It’s not just the data itself — you have to be able to classify that data, have owners that understand and authorize access to that data, and you need to understand the retention of that data and the risk of retaining it longer than you need to.” 

Westlund advises utilities to start by identifying all personally identifiable information, or PII, kept across various systems in the utility’s purview. This includes any information identifying an individual that the utility holds or that third parties hold on its behalf.

“The utility needs to ensure that third party is protecting the PII, because the utility is held liable for that protection,” said Westlund.

“No one cares about your utility or your business more than you,” said Carnes. To ensure that vendors protect data in a way that is consistent with NYPA’s customer privacy expectations, Carnes said the utility specifies expectations with each vendor from the start. For example, when working with mobile app vendors, which might involve putting customer data in the cloud, NYPA specifies architecture requirements in the contract and teams complete risk assessments to ensure appropriate protections, such as two-factor authentication, get deployed. 

Carnes recommends having language in third-party contracts that protects the utility and its customers in the event the vendor experiences a breach. “If our customer data could be impacted, the vendor is required to let us know. If you don’t have that in the contracts, it is very difficult to get those answers,” he said.

Contracts should also focus on the long term. “What do they do once you’ve terminated the contract? Do they delete [data]? There’s a lot of language you can leverage that allows your organization protection to understand supplier and vendor data responsibilities,” said Carnes.

Concerning vendor relationships that are already in place, Carnes recommends that utilities make an effort to understand how the vendor is protecting data and make vendors and suppliers aware of the utility’s privacy expectations or policies.

Clean up data

Once a utility knows what data it has, then it can begin to review what it needs to keep and what it can properly discard. Carnes and Westlund offered a variety of questions a utility can ask about its data once it is mapped. One of the most important is whether there is a business need for the data that is collected or kept.

“There is always a tendency to try and get more information. [You should collect only what you] absolutely require for your business operations and customer service,” said Westlund. 

“If you have data in your system from 10 years ago, and it’s really only required for three, are you incurring greater risk because you’re not managing your data properly?” Carnes asked.

Carnes also recommends utilities make an effort to streamline their data so that it is easily transferable across different business needs. As an example, Carnes noted that across NYPA’s data sets, certain fields could be coded “NY,” whereas others will spell out “New York.” “You can’t make that functional,” he said. “Sometimes that’s an effort all in itself to sanitize data. It isn’t really data protection, but it gets you on the road you want to be on, to leverage automation and analytics.”

Know your risk

To customers, a breach is a breach, whether it impacted the utility or a third-party vendor. “It doesn’t matter how you lose it, it is that you lost it,” said Carnes. “Everyone plays a part in data protection. You have to make sure you communicate the value of your data to those that are helping to protect it.”

Having strong governance policies, risk management, and clear guidelines for escalation makes it easier for individuals across the utility to report any concerns about data use, said Carnes.

“Understanding what the risks are and how to properly mitigate and avoid the pitfalls of enabling privacy breaches is paramount,” said Westlund. He noted that cybersecurity should be akin to safety, in that staff should receive regular, continuous training.  

“Phishing is by far the most prevalent hacking technique for data privacy breaches,” said Westlund. “So, [the key is] understanding how to detect attacks and being sure you understand how not to get baited, and to notify the appropriate persons in the utility.”

Westlund said that teaching staff to take data privacy issues to heart is most effective through a variety of techniques, which can include in-person or web-based training. The frequency of training — quarterly, monthly, or semiannually — depends on the utility’s needs and size.

Westlund also said utilities should, once they have mapped out the personal customer data they have, consider what would happen if that data was breached, from thinking through the risks involved to knowing what steps would need to be taken. “Going through that thought process enables you to put up processes and procedures,” said Westlund.

Carnes agreed that thinking through the consequences can be helpful in prioritizing a response. “If [a utility] has point data for one sensor, and it is a one-off system that’s not critical, what’s the realistic risk that someone would compromise that data over a 24-hour or seven-day period? Are they able to do anything with it? If not, then why spend so much money and effort to protect that information instead of focusing resources where there is real impact and risk?” said Carnes.

Keep customers informed

“Utility customers are going to want to know that their information is secure, and therefore utilities are more proactively saying that they do have a privacy program, without disclosing all the details or nuances of it,” said Westlund.

He noted that utilities can inform customers about privacy practices through any means the utility uses to communicate with customers, including bill stuffers, websites, and reports at public meetings.

Carnes also noted that regulations specify how customers should be notified of any personal data collected, and that these regulations can vary widely from utility to utility.

“There are differences in what we have access to. Based on the size, based on if we’re tied to the municipality versus a separate entity — all of those things give different perspectives on data, and you have to be careful on some of the rules and regulations,” he said.

Carnes advised that utilities speak to both legal counsel and cyber staff to learn about which regulations and laws might affect data collection and protection.