BILL ANALYSIS

AB 1274
Page 1

Date of Hearing: May 7, 2013

ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair

AB 1274 (Bradford) - As Amended: April 18, 2013

SUBJECT : Privacy: Public Utilities

KEY ISSUE : Should the network provider that receives data from a "smart meter" be prohibited from disclosing or selling a customer's electrical or gas consumption data to third parties without the customer's consent, and otherwise be required to keep the data secure?

FISCAL EFFECT : As currently in print this bill is keyed non-fiscal.

SYNOPSIS

In recent years California has encouraged the use of "smart meters" by public gas and electric utility companies. These devices can send a customer's usage data over the Internet to the public utility in real time, thereby obviating the need for a utility company employee to come to the customer's residence or commercial property to read a meter. But smart meters do more than just send data directly to the utility company; they also allow consumers to monitor their energy consumption patterns and by doing so, the reasoning goes, figure out ways to be more efficient in their energy use. These devices also make it easier for utility companies to monitor peak times of energy and thereby better allocate energy sources to different sectors within an energy grid. However, along with its benefits, some argue that these devices pose threats to privacy, especially when a customer's consumption patterns can be shared widely and rapidly across the Internet, potentially along with other personal information.

Three years ago this Committee heard AB 1476 (Chapter 497, Stats. of 2010). That legislation requires gas and electric utilities that use smart meters to protect consumers' energy usage data from unauthorized access or disclosure.
It generally prohibits the utilities from sharing, selling, or otherwise disclosing a customer's consumption patterns to third parties without the customer's consent, and it requires those utilities to use reasonable security procedures, including encryption.

This author-sponsored bill would extend many of these same prohibitions to the "customer premises network provider" - that is, the customer's Internet service provider that receives data from the smart meter and transmits it to the gas or electric utility. This bill would also allow a customer who suffers damages as a result of a violation of the bill's provision to bring a court action to recover specified relief. There is no opposition to this bill.

SUMMARY : Prohibits a "customer premises network provider," as defined, from sharing, disclosing, selling, or otherwise making a customer's electrical and gas consumption data accessible to a third party, except as specified. Specifically, this bill :

1) Defines a "customer premises network provider" [network provider] to mean a company that provides home area network connectivity or commercial area network connectivity if the network device receives electrical or gas consumption data from a utility advanced metering system. Specifies that "customer premises network provider" does not include an electrical or gas corporation or publicly owned utility merely furnishing connectivity from the network devices within the customer premises to its utility advanced metering system.

2) Prohibits a network provider from sharing, disclosing, or otherwise making accessible to a third party a customer's electrical or gas consumption data, except upon the express consent of the customer or as required under state or federal law.

3) Prohibits a network provider from selling a customer's electrical or gas consumption data or any other personally identifiable information for any purpose.
4) Prohibits a network provider and its contractors from providing an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the express consent of the customers.

5) Requires the network provider and its contractors to maintain compliance with national or state standards for maintaining energy data security in a manner that prevents negligent or willful release of identity or personal information of one or more utility customers.

6) Provides that if a network provider or its contractor provides a service that allows a customer to monitor his or her electricity or gas usage, and uses the data for a purpose other than that specified in the agreement between the customer and the network, the network must disclose this purpose to the customer and secure the customer's consent prior to use.

7) Requires a network provider to use generally accepted principles and practices for securing a customer's unencrypted data from unauthorized access, destruction, use, modification, or disclosure.

8) If the customer chooses to disclose consumption data to a third party that is neither affiliated with nor has any business relationship with the network provider, the network provider will not be responsible for the security, use, or misuse of that data.

9) Permits a customer who suffers damages as a result of a violation of the provisions of this bill to bring an action and be entitled to remedies, as specified.

EXISTING LAW :

1) Prohibits an electrical corporation or gas corporation, and a local publicly-owned utility, from sharing, disclosing, or otherwise making accessible to a third party a customer's electric or gas usage that is made available as part of an advanced metering system. (Public Utilities Code Section 8380.)
2) Requires a gas or electrical corporation, and a local publicly-owned utility, to use reasonable security procedures and practices to protect a consumer's unencrypted data from unauthorized access, destruction, use, modification, or disclosure. (Public Utilities Code Section 8381.)

3) Requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect the consumer information from unauthorized access. (Civil Code Section 1798.81.5.)

4) Requires a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party to require by contract that the third party implement and maintain reasonable security measures to prevent unauthorized access to the personal information. (Civil Code Section 1798.81.5 (c).)

COMMENTS : In the old days, a "meter reader" came to our homes and places of business and read our gas and electric meters in order to determine our usage and bill us accordingly. But today public utilities have the ability to send that information over the Internet through so-called "smart meters." These devices, however, do more than just send data to the public utility in real time; they also allow consumers to monitor their energy consumption patterns and, one hopes, use it to figure out ways to be more efficient.

Almost three years ago this Committee heard AB 1476 (Chapter 497, Stats. of 2010). That bill required an investor-owned utility (IOU) or publicly owned utility (POU) using advanced metering (smart meters) to protect consumers' energy usage data from unauthorized access or disclosure. It generally prohibited the utilities from sharing or otherwise disclosing a customer's consumption data and patterns to third parties without the customer's consent, and it required those utilities to use reasonable security procedures, including encryption.
Existing law also prohibits gas and electric utilities from selling a customer's usage data or any personal information or otherwise sharing that data without the customer's consent. Existing law also requires the utility to maintain reasonable security measures to protect the customer's consumer data.

This author-sponsored bill would extend many of the same prohibitions and requirements that now apply to gas and electrical utilities to the "customer premises network provider" - that is, the customer's Internet service provider that receives data from the smart meter and transmits it to the gas or electric utility. This bill would also allow a customer who suffers damages as a result of a violation of the bill's provision to bring an action in a court of appropriate jurisdiction to recover specified relief, including both money damages and injunctive relief.

ARGUMENTS IN SUPPORT : The author describes the purpose of this bill as follows:

"As technology becomes available to provide services to Californians that will allow them, in real time, to manage their energy use it is important to ensure that privacy safeguards are in place so that customers can be confident that these new service providers will protect this information and not misuse or sell it without consent. Important legislation has been enacted to protect the security of the energy grid. But we need to make sure that the privacy of utility customers is also protected so that this information is not available to be used by those who might wish to cause harm to those customers. This bill will ensure that 3rd party providers of services that access customer utility data will follow similar rules that electric and gas utilities are already required to follow."

REGISTERED SUPPORT / OPPOSITION :

Support

None on file

Opposition

None on file

Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334