Security and Privacy Requirements in the Public Utility Space

Data privacy and security are among the hottest topics at today's business meetings. The utility industry has invested heavily in keeping up with the demands of rapidly changing business technology. Automation has made work processes more efficient; however, it has also brought challenges by introducing new and more sophisticated ways of collecting and processing data.

Utility companies simply cannot operate without data collection. It is not only a crucial component of serving customers and processing payments, but also necessary for maintaining the system and managing outages. Your home address, name, and phone number are needed to create a monthly utility bill, and your credit card information is required to pay it. Collecting this kind of data is a huge responsibility: it is among the most sensitive data a business holds and thus among the most sought after by attackers. Considering the frequently cited estimate that a cyber attack happens every 39 seconds, you should take the privacy of your customers' Personally Identifiable Information (PII) seriously.

Strong security and privacy procedures have become essential ingredients for business success. Your customers’ trust depends on how well you present your security and privacy methods, and how you execute them.

But that's not all! There are data protection laws that require you to safeguard your customers' data. If your business covers Californian, Brazilian, or EU territory, you need to tailor your privacy policy to the GDPR, CCPA, CPRA, and LGPD requirements to comply with the law and ensure your data processes are legitimate in the eyes of your customers. In addition, as a utility company operating in Washington State you need to comply with RCW 19.29A and the other relevant Washington rules, laws, and regulations related to the collection, disclosure, and security of customer PII.

To save you the time and money you would otherwise spend tracking down the key security and privacy requirements and how to comply with them, we've put together a thorough guide that will help you do it quickly and successfully.

1. How does the Public Records Act affect public entities

Washington public utilities must comply with RCW 42.56, the Public Records Act. Because a public utility is a public agency, its records, including certain customer records, can be the subject of a public records request from any member of the public or from law enforcement. One common occasion is an investigation into an individual or organization suspected of committing a crime related to the utility, where the investigating party requests disclosure of the relevant records.

2. RCW 19.29A Utility Requirements

During the 2016 Washington State legislative session, two provisions important to data privacy were added: RCW 19.29A.100 and RCW 19.29A.110. These provisions regulate data collection in the utility sector. They set out consumer rights as well as a compliance deadline, which was October 2016.

The RCW 19.29A requirements address consumer rights in three areas: the release of personal data, the handling of customer complaints, and the sharing of data between an authorized company and a third party.

Here are the key RCW 19.29A requirements:

A) Consumer right to consent to release data

Under the statute, utility companies are forbidden to sell proprietary or private customer data. They are also not allowed to use, share, or disclose that data for marketing purposes or for a third party's own needs without the customer's consent. Before disclosing PII for such purposes, the utility must obtain consent; otherwise the disclosure is treated as data misuse.

However, in some cases customer consent is not required, for example when the PII is needed to complete essential business functions such as producing a monthly billing statement or having a third-party vendor perform a service on the utility's behalf. To be safe, define the conditions under which you will share sensitive information with a vendor. It is therefore advisable to separate data uses into two categories according to their purpose:

  • Primary purpose: This category covers essential business functions such as payment presentment, customer surveys, energy efficiency program validation, and dealings with an administering agency such as the Bonneville Power Administration (BPA). Before any data is handled, the third-party vendor must sign a contract governing data usage or a Confidentiality and Non-Disclosure Agreement. After receiving the confidential PII, the vendor is prohibited from sharing it with any additional parties who are not bound by the same contract or who have no connection to, or cooperation with, the utility's affiliates. These purposes do not require customer consent.
  • Secondary purpose: This category covers promotion of a product or the marketing needs of a third-party company that customers did not sign up for. Your staff must obtain the customer's permission before pursuing these aims.

B) Request to release data to a person:

A request for data disclosure can be made by a utility or by a person. A person is defined as any partnership, individual (i.e. a customer), corporation, LLC, or other organization or commercial entity other than the utility itself. When a person requests a disclosure for marketing purposes, customer consent is required before any data action proceeds. However, if the customer initiates the disclosure, no separate permission is needed. Utilities are not expected to enforce this clause of the RCW, only to be aware of it.

C) Resolution of customer complaint:

All utility companies are required to develop a policy that sets out procedures and methods for investigating and resolving customer complaints. They can follow the rules noted in the "Complaint Investigation Process," which describes the steps a customer takes to report an issue related to potential data misuse, such as the sale of their PII without consent.

D) Third party requirements:

While it is permissible to send personal information to a vendor for primary purposes, it is not acceptable for that vendor to sell the information, regardless of purpose. A company's data policy should therefore include contractual measures that restrict such actions.

3. Data Breach in the Utility Sector

Unfortunately, utility companies are frequent targets of cyber attacks because the information they collect is a valuable commodity on illicit markets. When a data breach occurs, companies that fall under the RCW requirements are obliged to notify affected customers as soon as they discover the breach or are notified of it by their vendor.

Here are a few more specifics about these notifications:

  • When there is reasonable evidence that the breach is not likely to harm the affected customers, breach notification is not required
  • The required notice can be delayed when a government or law enforcement agency determines that notification would impede a criminal investigation
  • The notification may be in written or electronic form
  • Other means that deliver the notification to the affected customers are also allowed

4. Selective Information

Utilities are advised (not required!) to develop internal policies that carefully document the methods, procedures, and concepts related to the protection of customer data. A thorough privacy policy should explain how the company handles data aggregation and transmission, which data counts as PII, and which technology will be used to handle that data.

5. Contract Management Best Practices

To deliver essential business services, utility companies are allowed to hire third parties to carry them out. This activity does not require customer consent, but the utility must ensure that the third party will protect its customer data. The best practice, as mentioned above, is to establish a Confidentiality and Non-Disclosure Agreement (CNDA), which gives the utility a legal basis for protecting its data operations. If the third party in turn engages a subcontractor, it must sign a new CNDA with that subcontractor. This is the only way to protect the whole data-processing chain from misuse and keep the utility's operations in line with the statute.

6. GDPR and LGPD compliance

The GDPR is the European data protection and privacy law that requires all companies operating in the EU, including utilities, to implement appropriate technical and organisational security measures and to give consumers more control over their data. The LGPD is Brazil's counterpart to the GDPR. It is described as a "version" because the two laws share the same goal of improving the safety of consumer data, and the LGPD was strongly influenced by the GDPR's requirements. There are differences, however, such as their fine structures. To learn more about these two data laws you can read our article "Why is customer data privacy important in your helpdesk software?"

7. CCPA and CPRA compliance

CCPA is the current privacy law of California that regulates how companies use customer data within the state. It gives consumers rights over their data, including the right to know what is collected, to opt out of its sale, and to limit its use. CPRA is the newer Californian privacy law, passed by ballot measure in November 2020; it amends the CCPA and further expands its protections, and its effects will become more visible as its provisions take effect and enforcement begins. We discuss these two laws in greater detail in the article "CCPA 2.0 has passed: Meet the California Privacy Rights Act (CPRA)."

8. How can support technology help you?

You already enjoy the many benefits of automation in managing your grid, disruptions, outages, and the overall delivery of electricity to homes and businesses. Why not enjoy the same benefits in your customer support department, especially in an area as delicate as data security and privacy, where human error must be kept to a minimum?

By adding secure, advanced customer support software to your company's assets, you are well on your way to ensuring a consistently high level of data protection and lasting business success.