It’s difficult to imagine life without electricity.  Our lives and lifestyles are so thoroughly intertwined with electricity that any disruptions in power can rapidly transform from minor inconveniences into life-threatening situations.  Thus the need for grid modernization – the Smart Grid – is vital to ensure that we continue to enjoy safe, reliable, and affordable electricity.

Modernizing the grid into a Smart Grid means that we’ll have bidirectional flows of electricity AND information.  (For a complete definition of the Smart Grid, see the Smart Grid Dictionary.)  Some of that information includes data communicated by smart meters about electricity consumption in homes and businesses.  Much of this behavioral data is new because it is readily available in a granular form.  Electric meters that can’t communicate this information still collect it, but it is typically read on a monthly basis as a difference in kilowatthours (kWh) from the past month’s reading to the present reading.  Other data is new because advances in wireless sensor technologies can give a cost-effective “voice” to previously uncommunicative devices like refrigerators, hot water heaters, and heating and air conditioning equipment.  We may also see new data made available from upgraded meters for gas and water too.

How this data is used has very interesting implications for consumers. Imagine a dishwasher manufacturer sending a text or email reminder to you to clean filters – all based on data from sensors that indicated this task had been forgotten for a while.  Perhaps kWh data collected by a utility is analyzed by a third party to determine energy efficiency program recommendations for your home or business.  These could be helpful services that save us money and time, but we need to have clearly given permission for data to be used in these ways.  We also need to understand the “chain of custody” – including who has access to that data, why they have access to that data, and how they protect that data.  And the biggest challenge of all is to develop awareness about the value that electricity consumption data – behavioral data about us – can have to us and other entities.

In 2007 the USA enacted the Energy Independence and Security Act (EISA 2007), and it has an outsized role in fashioning key Smart Grid policies, including energy data privacy.  As part of the act, the National Institute of Standards and Technology (NIST) was mandated to develop recommendations for cyber security standards.  NIST formed the Smart Grid Interoperability Panel (SGIP), which in turn begat the Cyber-Security Working Group (CSWG) to focus on the recommendations for cyber security standards.  An important subset of these cyber security recommendations covers data privacy, and I led a team of dedicated volunteers drawn from the CSWG privacy subgroup that recently completed a draft of recommendations for utilities and regulators.  The recommendations are based on examination of a select number of use cases that cover the electricity supply chain – generation, transmission, distribution, and consumption.  Our draft recommendations were mapped to ten generally accepted privacy principles published by the American Institute of Certified Public Accountants (AICPA) that are in use across a number of business sectors.  The principles are available in this downloadable document.  The entire CSWG privacy group will review the draft recommendations, and their feedback will be incorporated into a final set of recommendations that will be publicly available.

These recommendations were written with utilities in mind, but the content will be useful to many businesses in the Smart Grid sector that offer hardware, software and services that have any contact with personal or behavioral data.  The recommendations will help educate utilities, regulators, and vendors to build safeguards that protect data privacy into products, services, policies, and procedures.   The information will also be helpful to encourage discussion about data privacy guidelines for the Internet of Things.  And ultimately, these ongoing activities and recommendations help protect consumers dealing with an increasingly data-rich world.