By Rebecca Herold (The Privacy Professor) CIPP, CISSP, CISM, CISA, FLMI
I’ve had about half a dozen folks ask me how things are going with the work I’m doing with the NIST Smart Grid privacy group, and if I could provide an update since my last couple of posts on the topic here and here.
The time is going by much too quickly, and I am getting a bit nervous as we get closer to when we need to have the next draft of the NISTIR ready, tentatively set for December 31; there is so much more to do in this VOLUNTEER group effort…
Here is a quick laundry list overview for some of the activities I’ve been doing within the group:
Smart Grid Privacy Concerns
In October through our excellent Smart Grid privacy group meeting discussions I expanded the possible smart grid privacy concerns list to 15. See my updated PDF, “Smart Grid Privacy Concerns: October 2009”.
Smart Grid Privacy Standards
We’ve been discussing and addressing the need to create some actual privacy standards for the organizations that are part of the smart grid to follow.
NIST indicates they’ve been working with the ISO/IEC folks to create some privacy standards, but since those are not yet publicly available, and I’ve not been able to see them, I created the following first DRAFT proposed privacy standards for organizations that are part of the smart grid (and beyond) based upon long-established privacy principles (from the OECD and then subsequently another draft from AICPA/CICA), as well as existing data protection laws and regulations as I’ve documented within the NIST smart grid privacy group working spreadsheet:
- Consent & Choice: The organization must describe the choices available to individuals and obtain explicit consent if possible, or implied consent when this is not feasible, with respect to the collection, use and disclosure of their personal information.
- Notice & Purpose Specification: The organizations must provide a clearly worded notice, at or before the time of collection, describing the purpose for the collection, use, retention, and sharing of personal information, along with listing the items that are collected.
- Individual Participation & Access: Organizations must provide a process for individuals and households to allow them to ask to see their corresponding personal information. Organizations must also provide a process to allow individuals and households to request the correction of perceived inaccuracies within the corresponding personal information provided by each organization. Individuals and households must also be informed about all the other parties with whom their corresponding personal information has been shared.
- Data Quality/Integrity/Accuracy: Organizations must make every effort, using documented policies, procedures, standards and ongoing training and awareness communications, to ensure that personal information and other data collected from smart meters is accurate, complete and relevant for the purposes identified in the notice, and remains accurate throughout the life of the information within the control of the organization. Policies and procedures must be in place to notify all other entities when corrections to personal information are made so that they can appropriately correct the corresponding information for which they are the custodians.
- Use Limitation: Information within the smart grid networks and systems should only be used or disclosed for the purpose for which it was collected and should only be divulged to those parties authorized to receive it. Personal information should be aggregated or anonymized wherever possible to limit the potential for computer matching and data mining the records.
- Retention & Disposal Policies/Practices: Smart meter information and corresponding personal information should only be kept as long as is necessary to fulfill the purposes for which it was collected. When it is no longer needed for the stated purposes for which it was collected, it should be irreversibly deleted/destroyed using a disposal method which, at a minimum, meets NIST disposal standards.
- Transparency & Openness: Documented privacy policies must be made available to individuals and households that are part of the smart grid systems and networks. Individuals and households must be given the ability and process to challenge an organization’s compliance with their stated privacy policies as well as their actual privacy practices.
- Collection Limitation: Only information that is required to fulfill the stated purpose(s) should be collected from individuals and from households. Organizations collecting information must follow fair information processing practices. Personal information must be collected directly from each individual or household, their corresponding smart meter, or an approved mobile smart meter data collection device, unless there are approved and documented reasons why this is not possible.
- Security/Safeguards: Organizations that are part of the smart meter network must protect personal information, in all forms, from loss and theft, and must prevent unauthorized access, disclosure, copying, use or modification.
- Accountability & Management: Each organization must formally appoint a position, team, department or individual to ensure that information security and privacy policies and practices exist and are followed. Documented requirements for regular training and ongoing awareness activities must exist and be consistently followed.
- Disclosure and Limiting Sharing: Personal information must be used only for the purposes for which it was collected. Personal information must not be disclosed to any other parties except for those identified in the notice, or with the explicit consent of the corresponding individual or appropriate household representative.
- Monitoring & Enforcement: Each organization that is part of the smart grid network and systems must monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes. Audit functions must be present to monitor all smart grid data and personal information uses, sharing and modifications.
Proposed certification recommendations
Wouldn’t it be a good idea to have privacy certifications not only for the organizations that are part of the large smart grid, but also for the smart meters, to help ensure they are appropriately addressing privacy and providing households with informed decision-making capabilities for how the information collected from their homes through these devices is used?
I think so. If you don’t, please let me know why. I believe the following would be two beneficial types of certifications to require for entities that make up the smart grid:
Organization privacy self-certification (for smart grid, but could be a way to “certify” any organization in any industry; follows along the concept of the EU Safe Harbor program):
With wording similar to the following: “We strongly recommend the energy industry follow the lead of the U.S. government agencies who perform annual privacy impact assessments (PIAs) and require each organization that participates in the smart grid network and systems, as well as each organization that performs activities for such organizations, to:
- Perform an annual PIA, provide it to each state’s energy commissioner office to review, and
- Perform a PIA on each new system, network, or smart grid application and provide it to each state’s energy commissioner office to review.
The state energy commissioner office will:
- Either acknowledge the PIA is appropriate and send approval to the organization, after which the organization will post it on their website, or
- Notify the organization and communicate the privacy deficiencies identified within the PIA and ask them to correct them. While the correction is being made, a notice containing an executive summary of the PIA findings must be posted on the organization’s website, along with a high-level description of the corrective actions being performed and corresponding target dates for completion.”
Smart Meter device privacy certification:
With wording similar to the following: “We strongly recommend that the energy industry require each smart grid meter be reviewed prior to its use and implementation, and be certified as appropriately providing privacy choices and having proper privacy protections.”
We’re working on creating definitions for the privacy portion of the NISTIR for terms such as “personal information,” “personally identifiable information,” “multi-part personal information” and so on.
Laws, regulations and standards that may cover the smart grid activities and data
The short, and incomplete, list includes some of the most far-reaching laws/regs/standards:
- OECD Privacy Principles (http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html)
- AICPA Generally Accepted Privacy Principles (http://infotech.aicpa.org/NR/rdonlyres/0AB737BF-55D1-459B-ADD5-179A270E863C/14379/GAPP_PRAC_0909.pdf)
- FTC Marketing Guidelines (February 2009) (http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf)
- Canada’s PIPEDA (http://laws.justice.gc.ca/en/showdoc/cs/P-8.6/sc:1/en#anchorsc:1)
- EU Data Protection Directive (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML)
- HIPAA (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf)
- GLBA (http://www.ftc.gov/privacy/glbact/glbsub1.htm#6802)
We probably don’t need an exhaustive list, but these are significant. We are identifying other significant ones to add that are important for the purposes of the next draft of the NISTIR.
State Level Activities
We are considering the activities and information from each of the states for what their energy and utilities commissions have done to date with regard to researching and/or addressing the privacy issues within the smart grid components.
We will hopefully be getting information from the NARUC conference that we can add to the NISTIR.
It is important to point out that the above are just suggestions and ideas being discussed within our NIST smart grid privacy group, and are not necessarily going to be included in the next draft of the NISTIR. They should also NOT be considered as being the viewpoints of NIST!
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com