TRANSCRIPT
SGCC Peer Connect: Data Privacy
January 23, 2013
Today’s Presenters
Jules Polonetsky, Co-Chair and Director, Future of Privacy Forum
Andy Bochman, Worldwide Energy Security Leader, IBM
Housekeeping
• You will receive a copy of the slides
– To the email you used to register
• You can ask questions as we go along
– Simply type into the question box, as we will explain or raise questions during the Q&A
• We will answer all the questions submitted
– If we are unable to get to all the questions, they will be answered individually after the presentation
Questions & Audio
If this is what you see – Click on the orange arrow to expand your dashboard.
In order to ask questions over the phone, please log in with your Audio Pin.
Click on the + sign to open up the questions box.
Use the Questions box at any time to type questions.
We will answer questions during a Q&A near the end of the call.
Yes, you will receive the slides after the webinar.
Agenda
1. SGCC Data Privacy Education Efforts
• Fact sheet and future video
2. FPF Smart Grid Consumer Privacy Seal
• Introduction to privacy
• Regulatory efforts
• Application of the privacy seal
3. IBM Perspective on Data Security and Privacy
• Information governance
• Foundations for privacy
• Essential practices
SGCC – Data Privacy Fact Sheet
SGCC – 2013 Education Initiatives
Education Committee Initiatives:
– Consumer-Facing Website
– One-Minute Consumer Videos
Speaker #1
Jules Polonetsky – Co-Chair and Director, Future of Privacy Forum
• Chief Privacy Officer and SVP for Consumer Advocacy at America Online Inc.
• Vice President of Integrity Assurance at America Online Inc.
• Chief Privacy Officer and Special Counsel at DoubleClick
• Served on the boards of a number of privacy and consumer protection organizations including the International Association of Privacy Professionals, TRUSTe, and the Better Business Bureau (NY Region)
Future of Privacy Forum Smart Grid Consumer Privacy Seal
Jules Polonetsky
A Charged Atmosphere
“Privacy in the eye of the beholder”
Would you share this with your boss?
Now you can choose
Altimeter, elevation, perspiration, temperature, humidity, excitement, mood…
Overview of Regulatory Efforts
• FTC Section 5 Enforcement
• Mobile & Apps
• Children's Online Privacy Protection Act
• Investigating Data Brokers
White House “Consumer Privacy Bill of Rights”
– Announced February 2012
– Lays out proposed framework for comprehensive data privacy protection in the U.S.
– Takes two-pronged approach:
• A set of baseline privacy principles—“bill of rights”
• A set of codes of conduct backed by enforcement
Overview of Regulatory Efforts (cont.)
Multistakeholder Process
Department of Commerce/NTIA
Developing codes of conduct for mobile apps
Short form notice
Department of Energy
Third party codes of conduct for energy data
More to come!
Overview of Regulatory Efforts (cont.)
Congress
States
National Association of Attorneys General
CA Attorney General
Focus on mobile and apps
Public Utility Commissions – Smart Grid
Overview of Regulatory Efforts (cont.)
Self-Regulatory Efforts
Platforms Terms of Service
Trade Group Self-regulatory efforts
DAA
NAI
MMA and GSMA
Smart Grid Standards/Guidelines
NIST, NAESB and more
What is FPF?
• DC-based think tank that seeks to advance responsible data practices.
• Industry supported
• Co-chairs: Jules Polonetsky and Christopher Wolf
• Advisory board of industry, academics, and privacy advocates
• Focus on Consumers, Data, and Technology
• Online data, mobile, apps, social media – and smart grid
The Need for a Consumer Privacy Seal
Third party access to consumer energy data enables a wide range of benefits, but also raises legitimate concerns.
Responsible companies that provide exciting new products and services such as home security, smart appliances and remote home management will generate positive consumer interest and help advance consumer engagement with energy management, demand response and smart meters.
It is essential that a flexible framework exists that ensures consumer privacy protections are in place and that responsible businesses can responsibly access the data needed to serve consumers.
• Risk to utilities and consumers if the process for obtaining consumer permission is inadequate
• Risk to consumer engagement and innovation if the consent process is burdensome and ineffective
The Need for a Consumer Privacy Seal (cont.)
Utilities must be confident that third parties that access consumer energy data directly from utilities or via smart meters do so with the permission of consumers and in accord with responsible privacy standards. Regulatory requirements and vendor due diligence will play a lead role, but are unlikely to suffice to provide oversight for the wide range of services that consumers will be seeking to enable.
A third party privacy seal program can play an essential role in this ecosystem by vetting the privacy standards of third parties and by providing assurance to utilities, regulators and consumers that companies are in compliance with responsible standards. A third party seal can also provide consumers with an avenue for complaint handling and resolution and provide regulators with a supplement to their efforts to ensure consumers are protected.
Benefit to Utilities
• Takes utilities out of the process of reviewing and vetting third parties.
• Takes utilities out of the process of managing consents.
• Consistent standards across states.
• Alternative location for consumer complaints.
• Provides an early warning system to eliminate bad actors.
• Ensures third parties (not utilities) are responsible for the actions of third parties.
• Ensures that the FTC is able to effectively enforce against third parties.
What is the FPF Smart Grid Seal?
Privacy seal based on best practices. Covers:
• Data collected directly from consumers by smart devices (e.g. home security systems, smart appliances, etc.).
• Data collected by third parties a) directly from a smart meter, b) provided to a third party by a utility or c) utility data provided by a consumer to a third party.
Goals:
• Ensure consumer trust in smart devices
• Assist utilities in vetting 3rd parties
• Allow for a standard consent process to be used across many states
What the Seal does NOT Cover
• Is not a standard for utilities
• Does not cover utility collection or use of data for billing, operations, demand response, etc.
Participating Companies to Date
ADT
AT&T
Comcast
Ecofactor
IBM
Intel
Motorola
Neustar
Opower
Tendril
TRUSTe
Verizon
TRUSTe
Currently provides seals or certifications for ads, cloud services, data collection, downloads, emails, compliance with certain laws, mobile privacy, and websites.
TRUSTe will check privacy policies, scan for potential privacy threats, review the consumer consent process, conduct business and technical assessments, ensure compliance with seal requirements, and help resolve disputes.
Provides services for over 4,000 web services.
Going Forward
• Officially launched in October 2012
• SDG&E is one of the first utilities to include access to third party services; they will promote the seal and will display the seal logo in their portal alongside the companies that have it.
• We will be releasing a paper with Ann Cavoukian, “Privacy by Design and Third Party Access to Customer Energy Usage Data,” at DistribuTECH on January 29th.
• For information: [email protected]
• www.futureofprivacy.org • Facebook.com/futureofprivacy • @julespolonetsky
Jules Polonetsky, Executive Director and Co-Chair [email protected]
Visit our site: http://www.futureofprivacy.org
Speaker #2
Andy Bochman – Worldwide Energy Security Leader, IBM
• Contributor to industry and national security working groups on energy security and cyber security issues, including:
– DOE RMP and ES-C2M2 SME Advisor
– NBISE Cyber Workforce Project
– NIST CSWG
– DOD/DHS Software Assurance Forum and Working Groups
• Founder and editor of:
– The Smart Grid Security Blog
– The DOD Energy Blog
IBM Energy & Utilities
© 2013 IBM Corporation
Organizing for Data Security and Privacy
© 2012 IBM Corporation Energy & Utilities (E&U) 33
Privacy + Security = Information Governance
Information Governance challenges
Information users’ expectations regarding information have changed:
– Quality (correct or not?)
– Timeliness/accessibility (mobile & internet means "now" for most people)
– Control over the security/privacy of data collected
Utilities have experienced:
– Huge growth in data collected by smart meter/smart grid devices
– Regulatory mandates/incentives to make the data available to customers online and via mobile devices (while ensuring that sensitive information is secured and monitored)
– SLAs that require data to be available on the same or next day
– Business case drivers that effectively require more sophisticated use of data (what if pricing, preferences, etc.)
Data Risk Questions to Ponder
Information Lifecycle – how do we think about governance of Information at every point of its life cycle: first - identification and definition, then design, deploy, create, use, move, archive, backup and destroy
Information Security and Privacy – What do we do to ensure the confidentiality, integrity, availability of our information assets?
Classification – How do we properly identify our information assets (so we can apply the appropriate controls)?
Audit, Logging, Reporting, Assessments, Alerts – How do we demonstrate that our policies are in place and that our risk is being properly addressed?
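The consent-gated third party access described in the FPF section and the classification, control and audit questions raised here fit together in one mechanism: classify each field, derive the release controls from the classification, and log every decision. The following is an added example (not code from the SGCC, FPF or IBM presentations) that does exactly that for a smart-meter record; the classification scheme, role names, key and sample record are all constructed for the example.

```python
# Added example, not from the presentations: classification-driven release of
# customer energy data with a consent check and an audit trail.
# All names, keys and records below are constructed for illustration.
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed classification scheme (assumption: four classes).
PUBLIC = "public"                             # no restriction
INTERNAL = "internal"                         # utility staff only
CUSTOMER_IDENTIFIER = "customer_identifier"   # identifies a person or premises
CUSTOMER_USAGE = "customer_usage"             # interval data; reveals occupancy

FIELD_CLASSIFICATION = {
    "utility": PUBLIC,
    "tariff": INTERNAL,
    "meter_id": CUSTOMER_IDENTIFIER,
    "customer_name": CUSTOMER_IDENTIFIER,
    "service_address": CUSTOMER_IDENTIFIER,
    "interval_kwh": CUSTOMER_USAGE,
}

# Constructed key; in practice it lives in a key store, never in source.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(meter_id: str) -> str:
    """Stable keyed token so a third party can correlate one meter over time
    without learning the real id. HMAC rather than a plain hash: the token
    cannot be recomputed from a guessed meter id without the key."""
    return hmac.new(PSEUDONYM_KEY, meter_id.encode(), hashlib.sha256).hexdigest()[:16]


class ConsentRegistry:
    """Records which third party a customer has authorised for which meter."""

    def __init__(self):
        self._grants = set()

    def grant(self, meter_id: str, third_party: str) -> None:
        self._grants.add((meter_id, third_party))

    def revoke(self, meter_id: str, third_party: str) -> None:
        self._grants.discard((meter_id, third_party))

    def has_consent(self, meter_id: str, third_party: str) -> bool:
        return (meter_id, third_party) in self._grants


class DataAccessGateway:
    """Applies per-classification controls and audit-logs every request."""

    def __init__(self, consents: ConsentRegistry):
        self.consents = consents
        self.audit_log = []  # append-only list of decision records

    def _log(self, requester, role, meter_id, decision, fields=(), reason=""):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "requester": requester, "role": role, "meter_id": meter_id,
            "decision": decision, "fields": sorted(fields), "reason": reason,
        })

    def release(self, record: dict, requester: str, role: str):
        """role is 'utility_internal'; any other role is treated as a third
        party. Returns the filtered record, or None when the request is denied."""
        meter_id = record["meter_id"]
        internal = role == "utility_internal"
        if not internal and not self.consents.has_consent(meter_id, requester):
            self._log(requester, role, meter_id, "DENIED", reason="no customer consent")
            return None
        out = {}
        for field, value in record.items():
            # Unknown fields default to the most restrictive class.
            cls = FIELD_CLASSIFICATION.get(field, CUSTOMER_IDENTIFIER)
            if internal or cls == PUBLIC or cls == CUSTOMER_USAGE:
                out[field] = value              # usage: consent checked above
            elif field == "meter_id":
                out[field] = pseudonymize(value)
            # INTERNAL fields and other direct identifiers are dropped.
        self._log(requester, role, meter_id, "ALLOWED", fields=out.keys())
        return out


# Constructed sample meter record.
SAMPLE_RECORD = {
    "utility": "Example Electric", "tariff": "TOU-D", "meter_id": "M-1001",
    "customer_name": "A. Customer", "service_address": "1 Example St",
    "interval_kwh": [0.42, 0.38, 1.91, 2.10],
}


def demo():
    consents = ConsentRegistry()
    gateway = DataAccessGateway(consents)
    before = gateway.release(SAMPLE_RECORD, "acme-thermostat", "third_party")
    consents.grant("M-1001", "acme-thermostat")
    after = gateway.release(SAMPLE_RECORD, "acme-thermostat", "third_party")
    internal = gateway.release(SAMPLE_RECORD, "billing-batch", "utility_internal")
    return before, after, internal, gateway.audit_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the structure is that the control follows from the classification, not from the requester's goodwill: a third party never sees name or address, sees only a keyed token for the meter, and sees interval data only after a recorded consent, while the denied request is still in the audit log for the "how do we demonstrate our policies are in place" question.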
Security foundation for Privacy
IBM Security Systems – Unified Security Framework
• Unified approach to Security ~ People, Process, and Technology best practice and methodologies
• $1.8B investment in Innovative Technologies
• 7K+ security engineers and consultants
• Award-winning X-Force® research with Largest vulnerability database
• Analyst recognized Leadership in every segment
Data Security – Portfolio Overview
Enterprise-wide solutions for assuring the privacy and integrity of trusted information and sensitive data
Data Security Strategy and Assessment
• Comprehensive assessment of data protection capabilities and vulnerabilities through interviews, on-site workshops and market-leading data discovery tools
• Gain insight to sensitive data and where it resides
Data Loss Prevention
• Create a framework and tailored solution to prevent leakage of sensitive data (network and endpoint)
• Monitor sensitive data usage at the endpoint
• Identify sensitive data traveling through network
Encryption
• Secure hard drives on portable computing devices
• Prevent loss of data on laptop or USB thumb drives if lost or stolen
• Facilitate sharing of sensitive data with reduced risk
Database Activity Monitoring (pilot)
• Mitigate the risk of database attacks
• Monitor and block privileged users
• Reporting for audit and compliance readiness
What we practice is what we preach
10 Essential Practices – Maturity based approach
[Figure: the ten practices plotted on a maturity grid with axes Reactive → Proactive and Manual → Automated]
1. Build a risk-aware culture and management system
2. Manage security incidents with greater intelligence
3. Defend the mobile and social workplace
4. Security-rich services, by design
5. Automate security “hygiene”
6. Control network access and help assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third-party security compliance
9. Better secure data and protect privacy
10. Manage the identity lifecycle
Essential practice 8: Manage third-party security compliance
Are your security policies and safeguards compliant today?
An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. Security, like excellence, should be infused in the entire partner ecosystem. Numerous cases have shown how the carelessness of one company can have a deleterious effect on many.
Actions to help get you there:
• Integrate security as a part of mergers and acquisitions.
• Assess vendors’ security and risk policies and practices, and educate them on compliance.
• Assess conformance with the process and data protection requirements of industry requirements and regulations.
• Manage the vendor risk life cycle.
Essential practice 9: Better secure data and protect privacy
How can you improve the protection of your critical data?
Every company has critical information, perhaps its scientific and technical data, or maybe its documents regarding possible mergers and acquisitions, or clients’ non-public financial information. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked and encrypted as if the company’s survival hinged on it. In some cases, that may be the case.
Actions to help get you there:
• Identify the value of your confidential data and the business impact of loss.
• Assess gaps and define a data protection strategy that manages data loss risk and meets governmental and customer requirements.
• Design a robust data management architecture that protects your sensitive or confidential information.
• Deploy and manage leading data protection technologies.
Takeaways & Questions
Thank you! You will receive a copy of the slides to the email
address you used to register.
Links to Resources:
• FPF’s Smart Grid Consumer Privacy Seal: http://www.futureofprivacy.org/smart-grid-consumer-privacy-seal/
• IBM's Energy and utilities insights: http://www-935.ibm.com/industries/energy/
Jules Polonetsky, Co-Chair and Director, Future of Privacy Forum – [email protected]
Andy Bochman, Worldwide Energy Security Leader, IBM