Last week, the New York Public Service Commission (PSC) issued an important order setting the conditions for data-driven distributed energy resources (DERs) providers to access customer energy data held by utilities. Our first reaction to the order was: “Fortuitous timing.” We had just published a white paper about “Nth” parties, referring to the use of contractors in digital supply chains that access or process energy data on behalf of DER providers. Our recommendations regarding privacy and liability policies concerning the often-complex business relationships between DER providers and Nth parties were, in large part, adopted by the PSC. You can read “Beyond Third Parties: Promoting Innovation Through Energy Data Sharing With ‘Nth’ Parties,” co-authored with Klaar De Schepper of Flux Tailor, here. 

The PSC’s order has many important findings that resolve outstanding cybersecurity issues that had created serious uncertainty for DER providers operating in the state. These findings fall into two general categories: those pertaining to the hotly contested “business-to-business” process by which the 20-page Data Security Agreement (DSA) was created, and those pertaining to the terms of the DSA itself.

First, the process. In March 2018, the PSC instructed parties to hold “business-to-business” negotiations about how to prevent data breaches from occurring, given that an I.T. vendor to energy service companies (ESCOs) had lost customer information. The Joint Utilities eagerly took up the mantle of the resulting negotiations, drafting their preferred DSA that, not surprisingly, was very utility-friendly and DER-hostile. Particularly irksome to Mission:data (and RESA and many others) was how the Joint Utilities claimed to be good-faith participants in a “collaborative process” while simultaneously taking on the role of the Commission itself: the Joint Utilities received written comments from parties; issued new drafts; unilaterally declared a DSA draft “final”; and required all parties to sign the DSA. The Joint Utilities became judge, jury and executioner.

Good timing: The New York PSC affirmed several of the best practices identified in our report about 3rd parties, 4th parties and “Nth” parties that process customer energy information.

After the DSA was finalized, the Joint Utilities petitioned the PSC seeking a determination that the “business-to-business” process was “appropriate.” Presumably, the Joint Utilities sought the PSC’s bestowal of legitimacy on the process because of the outrage from many parties: Mission:data, for example, called the business-to-business process an “abdication” of the PSC’s responsibilities, and Utilisave called it “coercive and unfair.” If the business-to-business process were allowed to stand, it would have made a mockery of public utility regulation. The Joint Utilities could create virtually any term or condition they wanted, and those terms would be deemed “appropriate.” What is the Public Service Commission’s reason to exist if utilities are, in essence, allowed to regulate themselves?

Fortunately, the Commission declined to adopt the Joint Utilities’ position regarding the appropriateness of the process. The order does not deem the process inappropriate — after all, the Commission initiated the process by its own order — but neither does it grant the Joint Utilities’ petition. The order states, “Regardless of whether stakeholders participated in, or agreed with, the results of the business-to-business process, the Commission now acts in response to the Joint Utility Petition in compliance with the due process afforded under SAPA [State Administrative Procedure Act].” Essentially, the appropriateness of the business-to-business process was rendered moot by the remaining substance of the order. While Mission:data would have preferred a strong reprimand of the Joint Utilities’ power grab, we were pleased that the PSC asserted itself and did not allow the Joint Utilities to run roughshod over the PSC’s authority.

Next is the DSA itself. The Commission order modified the DSA to eliminate many of its most egregious elements. The order:

  • Eliminates the cybersecurity insurance requirement: "The Joint Utilities have not established that cybersecurity insurance would be an efficient and effective means of mitigating cybersecurity risks and financial costs associated with security breaches" (p. 58).

  • Protects due process rights: The utilities cannot unilaterally shut off access to a DER. Instead, a dispute process with DPS Staff must be followed: "With respect to DERS, Mission:data is correct that, while the UBP provides for discontinuance of an ESCO or Direct Customer, there is no analogous discontinuance provision found in the UBP-DERS....Disputes regarding whether an entity has complied with these [cybersecurity] requirements should be brought to Department Staff” (p. 42).

  • Permits DER providers to create “derivatives” of energy data: Most appalling in the original DSA was the prohibition on creating “derivatives” of energy data. A “derivation” could be anything from counting time-series energy usage records in a database, to calculating a usage/temperature regression model, to analyzing the energy efficiency potential of a home or business. Essentially, all of the digital activities of innovative DERs that New York policy has supported for years were in violation of the DSA. The prohibition on derivatives was a brazenly anti-competitive attempt to kneecap DERs and keep the profits from data analysis in the hands of the Joint Utilities. The order excised this prohibition, saying: “It is not up to the utility to decide what the customers data should be used for nor police these actions” (p. 60).

  • Declines to adopt the NIST Cybersecurity Framework: While required for EDI users, the Commission declines to require NIST Cybersecurity Framework compliance for DERs using Green Button Connect. This is very positive because the Cybersecurity Framework is a generic, high-level conceptual document, not an objectively measurable cybersecurity standard.

  • Allows cybersecurity audits of DER providers, but audits shall be paid for by the utility: "The audit [if required] should be done by an agreed upon third party and paid for by the utility. It is not the utilities’ business model to audit ESE [energy services entity] cybersecurity and privacy programs or to determine compliance" (p. 53).

Finally, regarding Nth parties, the order eliminates the requirement that vendors to DER providers sign the DSA. The PSC reasoned that implicating cloud hosting providers and data aggregators as parties to the DSA would create obstacles to DER adoption. The order states, “[R]equiring third party representatives of ESEs, who have no direct link to the utility, to execute a DSA would create a burdensome and unnecessary process” (p. 27).

Overall, last week’s ruling provides clarity on many of the issues that had blocked development of data-driven DERs over the past 18 months. Mission:data welcomes these first steps toward animating the market for DERs in New York.

Read the PSC order

Read the Data Security Agreement and related documents

Read UtilityDive coverage: New York adopts utility-ESCO cybersecurity standards, rejects insurance requirements