Data Breach at New York Utility Prompts Enforcement Action and Industry-Wide Data Security Review

By Boris Segalis and Nihar Shah In January 2012, two consolidated New York state utilities, New York State Electric & Gas and Rochester Gas and Electric (collectively, “NYSEG”) experienced a data security incident that affected approximately 1.8 million utility customers.

According to the notification letter that NYSEG sent to customers, unauthorized access to NYSEG systems containing  customers' Social Security numbers, dates of birth, and, in some cases, financial account numbers was the result of a breach at one of NYSEG’s data processing service providers.  According to the the New York Public Service Commission's investigators, the incident occurred as a result of improper sharing of NYSEG system log-in credentials with unauthorized subcontractors by one of the service provider's employees.

Initial Response by the Public Service Commission

In response to the incident, the New York Public Service Commissioner issued statements criticizing NYSEG's data security standards as having failed to live up to industry standards and best practices for the protection of customer information.  The Commissioner subsequently directed the utility to update its computer billing and records system. Specifically, the Commissioner recommended that NYSEG:

• Minimize access to customers’ personally identifiable information (PII) to the type and amount required to fulfill relevant business functions;

• Conduct an annual incident response training exercise simulating a breach of PII;  

•  Establish a protocol for notifying regulators of a cyber incident (specifically, to notify the Department of Public Service within 48 hours of the determination that a breach has occurred); and

• Ensure the security of all PII stored on mobile or removable storage devices.

The Commissioner required NYSEG to report on its progress in implementing the recommended changes within 60 days.  In addition, to preclude NYSEG from recovering breach response costs from customers, the Commissioner required the utility to exclude the expenses from the utility’s requests for cost recovery.

Enforcement Order

The Commission subsequently issued an “Order Directing a Report on Implementation of Recommendations” that expanded on many of the recommendations in the Commissioner’s initial statements, and described in detail the ways in which the Commissioner found NYSEG to have failed to adequately protect its customers' PII.

The Commission conducted an exhaustive inquiry into NYSEG’s data security practices and found several instances in which the utility was not employing best practices and industry standards to protect PII.  The Order referred to the NIST (2010) Recommended Security Controls for Federal Information Systems and Organizations as well as best practices set forth in the Family Educational Rights and Privacy Act (FERPA) as the baseline for benchmarking NYSEG's relevant practices.  The Commission benchmarked NYSEG's data security practices in eight areas:

• Corporate Accountability (nature and extent of functional units within NYSEG responsible for protecting customer privacy);

• Policies, Procedures and Guidelines (the policies that govern data access, data transfer, data restriction, data retention, deletion and destruction, and other related matters);

• Training, Education and Outreach (programs in place to train employees and contractors regarding the protection of customer information);

• Credentialing (procedures in place to ensure the integrity of employees and subcontractors, as well as the identity of customers seeking their own information);

• PII Confidentiality Safeguards (how NYSEG categorizes, collects, retains, segregates and reviews its inventory for PII, including data destruction policies for PII that is no longer necessary to fulfill the business purposes for which the information was collected);

• Network Security (all common network security policies, practices and equipment utilization);

• Physical Security (physical safeguards for protecting customer data); and

• Incident Response (identification and adequacy of information security incident response plans).

Based on the review, the Commission staff found deficiencies in NYSEG PII handling polices, practices and procedures that it deemed critical.  First, the Commission found that NYSEG did not include requirements for adequate technical and physical safeguards in supplier contracts, specifically to ensure that employee training and PII safeguards extend to subcontractors.  Second, the staff found that NYSEG failed to formalize its policy limiting availability of customer PII to only authorized individuals within the company and authorized suppliers.  Third, the Commission found that NYSEG failed to have a process in place to identify and destroy PII that is no longer relevant for business use.  The Commission noted that this particular oversight resulted in the compromise of certain PII that should not have even been maintained on NYSEG's systems.  Fourth, the PII that was available on NYSEG systems was not adequately segregated based on sensitivity, such that SSNs had the same level of security as less sensitive PII.

Industry-Wide Data Security Review

As a result of the incident experienced by NYSEG, the New York regulator -- the Public Service Commission -- now plans to review the data security policies and procedures of every utility that operates in the state.  The Commissions has indicated that it has already reviewed and approved several utility data protection policies and procedures.

Lessons Learned

Public utility commissions that regulate utilities in their respective states are becoming increasingly sophisticated in the areas of personal data privacy and security.  Moved by the continued development of the Smart Grid and the vast amounts of personal information that the Smart Grid processes, utility regulators have considered and issued rules governing the handling customer data, including energy usage information.  In developing these rules, the regulators have also gained sophistication in the areas of "old school" data security breach notification requirements.  As a result, we should expect an uptick in privacy enforcement by state utility regulators.  At least some of the regulators are demanding to know more about past information security incidents and are considering implementing breach reporting requirements.  Utilities across the country are well-advised to review their information security programs (including vendor management requirements) and breach response processes to address their regulators' concerns.