Details for: PGE Reply to Protests of AL 5276-E.pdf


Click on the image for full size preview

Document data

Erik Jacobson
Director
Regulatory Relations

Pacific Gas and Electric Company
77 Beale St., Mail Code B13U
P.O. Box 770000
San Francisco, CA 94177
Fax: 415-973-3582

May 14, 2018

California Public Utilities Commission - Energy Division
Attention: Tariff Unit
505 Van Ness Avenue
San Francisco, CA 94102
Subject:

Pacific Gas and Electric Company’s Reply to the Protests of Advice
Letter 5276-E on Data Redaction Criteria Pursuant to D.18-02-004

Dear Energy Division Tariff Unit:
Pacific Gas and Electric Company (PG&E) hereby replies to protests dated May 7,
2018 from Sunrun, Inc. (Sunrun), Solar Energy Industries Association (SEIA), Interstate
Renewable Energy Council, Inc. (IREC), the Office of Ratepayer Advocates (ORA), and
Clean Coalition, to PG&E’s Advice 5276-E containing PG&E’s proposed criteria to
define security-sensitive, customer-related and other confidential data that should be
redacted from disclosure to ensure the physical and cyber security of the electric
system and reflect the customer privacy provisions established in D.14-05-016 as
required by Ordering Paragraph 2.g of D.18-02-004.
Although PG&E believes the protests misunderstand PG&E’s proposed redaction
criteria, PG&E appreciates the constructive, practical suggestions of the parties and
agrees with their recommendation that a workshop to work out the details of the
redaction criteria would be useful. PG&E responds to the protests in more detail below.
Response:
1) PG&E’s Case-by-Case Criteria for Redacting Confidential Data from Public
Disclosure
The protesting parties generally criticize PG&E’s case-by-case approach to
redacting confidential data for security or privacy reasons as too vague and
lacking in specifics. 1 At the same time, the protesting parties recognize the need
to balance the increased transparency and access to data by DER developers
with the legitimate needs of the utilities to protect the security and privacy of
utility system data. PG&E agrees with the need for this balance, and believes the
protesting parties may have misunderstood how PG&E intends to implement its
1

See, e.g., Sunrun Protest, p. 5; IREC Protest, p. 4; SEIA Protest, pp. 2- 3.





- Page 1 -

PG&E’s Reply to Protests of Advice Letter 5276-E -2- May 14, 2018 case-by-case approach. PG&E intends that its general, default disclosure of categories of data identified in Advice 5276-E will include no redaction other than standard aggregation and anonymization of customer-specific data. Where on a case-by-case basis PG&E determines that any specific data needs to be redacted for cyber security, physical security, market integrity, or other confidentiality reasons, it will be redacted from public disclosure but made available to qualified DER developers and providers for project-specific purposes, such as review of Distribution Deferral Opportunity Reports and Grid Needs Assessments as well as responses to formal Requests for Offers for DER distribution deferral projects, subject to an appropriate non-disclosure agreement and/or protective order as is routinely used in commercial transactions and CPUC regulatory proceedings such as the Distribution Planning Advisory Group. 2 The criteria for protection from public disclosure will follow the criteria applicable to other confidential information currently protected under commercial law and FERC and CPUC regulatory policies, such as the confidentiality of critical infrastructure information, intellectual property, trade secrets, customer privacy, and other categories of confidential information protected from public disclosure under, e.g. the California Public Records Act. At the time that PG&E determines that a particular data set should be kept confidential and subject to an appropriate NDA, PG&E would disclose the reasons for confidentiality to the DER developer or provider. If the DER developer or provider is unwilling to maintain the confidentiality of the data, the disagreement could be resolved by the Commission under its normal process for resolving discovery disputes in Commission proceedings. PG&E believes that its case-by-case approach strikes a good balance, by providing data to qualified DER developers and providers for evaluation of potential DER distribution deferral projects while at the same time by protecting confidential data from disclosure to the public for purposes unrelated to DER distribution deferral. 2) PG&E’s User-based Restrictions. Protesting parties also criticized as lacking in detail PG&E’s proposal to screen potential data users to ensure that the users and their intended uses of DRPrelated distribution data do not threaten cyber-security or physical security. 3 However, Sunrun noted that it “does not necessarily oppose user-based restrictions—and, indeed, this may be the most promising of the three 2 In rare circumstances, an NDA may be insufficient to protect highly-sensitive security-related information, in which case PG&E would offer access to the data in a secure date room behind PG&E’s firewall, or otherwise protect the data from any disclosure unless a high threshold of “need to know” is demonstrated. Any dispute regarding these data redactions could be subject to resolution by the CPUC under its normal dispute resolution procedures. 3 Sunrun Protest, p. 5.
- Page 2 -

PG&E’s Reply to Protests of Advice Letter 5276-E -3- May 14, 2018 approaches put forward by the three IOUS—provided companies like Sunrun have access to the data they need to develop cost-effective products.” 4 PG&E agrees with Sunrun – the sole intent of PG&E’s user screening process is to ensure that the users are in fact in good faith in their intended use of the data to develop DER distribution deferral products and service, and not “bad actors” masquerading as DER developers or providers in order to threaten or attack the security of PG&E’s grid. PG&E intends to implement this requirement by enabling advance generic approval of users by name and intended use, so that existing DER developers and providers will be able to access the data on a recurring, “self-serve” basis, including through the web portal. User based restrictions have positive impacts beyond protecting cybersecurity and physical security and helping IOUs ensure adherence to critical infrastructure and customer privacy requirements. While these and other requirements apply to utilities and non-utilities alike, disagreements over the implementation of the requirements can be resolved through the Commission’s normal dispute resolution process. 3) Access to Market Sensitive Data. PG&E agrees with protesting parties that access to market-sensitive data will be in compliance with the current criteria established in D.18-12-004, and any PG&E request to revise the access criteria for market-sensitive data would be subject to formal CPUC review consistent with D.18-12-004, including review of evidence of anti-competitive behavior or market manipulation in the DER nonwires alternative procurements. PG&E appreciates the input from the protesting parties on balancing the need for DER access to data and the need for PG&E to maintain the security and safety of the electric distribution grid for all customers. PG&E looks forward to further discussions on the data redaction criteria, including a workshop on the remaining issues if appropriate. Respectfully submitted, /S/ Erik Jacobson Director, Regulatory Relations cc: 4 Id. Tim Lindl, tlindl@keyesfox.com (Sunrun, Inc) Jeanne Armstrong, Jarmstrong@goodinmacbride.com (SEIA) Sky C. Stanton, stanfield@smwlaw.com (IREC) Chloe Lukins, chloe.lukins@cpuc.ca.gov, The Office of Ratepayer Advocates Kenneth Sahm White, sahm@clean-coalition.org, Clean Coalition Service Lists for R.14-08-013
- Page 3 -