ALBANY — The New York State Public Service Commission (Commission) today adopted new cybersecurity and data privacy requirements for third-party energy suppliers and companies that electronically receive and exchange utility housed customer data with the utilities’ information technology (IT) systems. The new requirements provide a universal foundation of cybersecurity and data privacy protections which will ensure the privacy of customer data and protect the utility IT systems while enabling and encouraging data access.

“The Commission today directed the state’s utilities and third-party energy suppliers to provide appropriate cybersecurity protections without erecting significant barriers to development of new energy markets as envisioned by REV,” said Commission Chair John B. Rhodes. “Our new approach will provide a universal foundation of cybersecurity and data privacy requirements that will encourage a vibrant energy marketplace.”

The Commission’s decision creates critically needed standards to ensure customer data remains protected and secured. The changes are designed to provide protections against a potential cyber incident, while maintaining the confidentiality of customer data, and instilling customer confidence in retail and energy markets which would otherwise suffer reputational harm in the wake of a major cyber event.

Maintaining the security of customer data and the distribution utilities’ IT systems is of paramount importance. The Commission is cognizant of potential benefit of data and information to underpin the provision of valuable offers and services to customers, and to enable smart deployment of distributed and clean resources that provide value to the energy system, and hence to customers.

Importantly, the Commission’s order recognizes that the data is the customer’s data and that customers have a right to direct or consent to the use of that data. Therefore, a balance must be struck between protecting utility IT systems and the privacy of customer data in a way that distributes the risks and responsibility amongst those entities electronically exchanging, receiving and/or collecting customer data with the utilities and facilitating the dissemination of customer information with customer consent to companies. Ultimately, a market where all parties observe cybersecurity and privacy protections will reduce the risks associated with electronic communications of customer data between distribution utilities and companies, instilling customer confidence and promoting market development.

Today’s decision may be obtained by going to the Commission Documents section of the Commission’s Web site at www.dps.ny.gov and entering Case Number 18-M-0376 in the input box labeled "Search for Case/Matter Number". Many libraries offer free Internet access. Commission documents may also be obtained from the Commission’s Files Office, 14th floor, Three Empire State Plaza, Albany, NY 12223 (518-474-2500). If you have difficulty understanding English, please call us at 1-800-342-3377 for free language assistance services regarding this press release.