BILL NUMBER: SB 837	AMENDED
	BILL TEXT

	AMENDED IN SENATE  APRIL 27, 2010
	AMENDED IN SENATE  APRIL 15, 2010
	AMENDED IN SENATE  MARCH 25, 2010

INTRODUCED BY   Senator Florez

                        JANUARY 5, 2010

   An act to amend Section 1985.3 of the Code of Civil Procedure, to
amend Section 1326.1 of the Penal Code, and to add Sections 589,
 779.3, 2750,   2750, and 2751,  and 8364.5
to, to add the heading of Chapter 4.5 (commencing with Section 2750)
to Part 2 of Division 1 of,  to add Chapter 10 (commencing
with Section 5600) to Division 2 of,  and to repeal the
heading of Chapter 4.5 (commencing with Section 2771) of Part 2 of
Division 1 of, the Public Utilities Code, relating to utility
service.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 837, as amended, Florez. Utility service: disconnection: smart
meters: privacy. 
   (1) Under existing law, the Public Utilities Commission (CPUC) has
regulatory authority over public utilities, including electrical
corporations and gas corporations, as defined. Existing law
authorizes the CPUC to fix the rates and charges for every public
utility, and requires that those rates and charges be just and
reasonable. Existing law requires certain notice be given before an
electrical, gas, heat, or water corporation may terminate residential
service for nonpayment of a delinquent account and prohibits
termination of service for nonpayment in certain circumstances.
 
   This bill would require the CPUC to impose certain requirements on
electrical corporations and gas corporations, and take other
specified actions, with respect to reducing service disconnections.
 
   (2) 
    (1)  The federal Energy Independence and Security Act of
2007 states that it is the policy of the United States to maintain a
reliable and secure electricity structure that achieves certain
objectives that characterize a smart grid. Existing federal law
requires each state regulatory authority, with respect to each
electric utility for which it has ratemaking authority, and each
nonregulated electric utility, to consider certain standards and to
determine whether or not it is appropriate to implement those
standards to carry out the purposes of the Public Utility Regulatory
Policies Act. The existing standards include time-based metering and
communications, consideration of smart grid investments, and
providing purchasers with smart grid information, as specified.

   Existing 
    Under existing law, the Public Utilities Commission (CPUC)
has regulatory authority over public utilities, including electrical
corporations and gas corporations, as defined. Existing  law
requires the CPUC, by July 1, 2010, and in consultation with the
State Energy Resources Conservation and Development Commission, the
Independent System Operator, and other key stakeholders, to determine
the requirements for a smart grid deployment plan consistent with
certain policies set forth in state and federal law. Existing law
requires that the smart grid improve overall efficiency, reliability,
and cost-effectiveness of electrical system operations, planning,
and maintenance. Existing law requires each electrical corporation,
by July 1, 2011, to develop and submit a smart grid deployment plan
to the commission for approval.
   This bill would require the CPUC to ensure that each smart grid
deployment plan  authorized by the CPUC after January 1, 2012,
 include testing and technology standards, as specified, and
ensure that each metering technology works properly in a field test
in a real home setting. 
   (3) 
    (2)  Existing law prescribes the circumstances under
which telephone and telegraph corporations may release information
regarding residential subscribers without their written consent.
Existing law relative to restructuring of the electrical industry
requires the commission to implement minimum standards relative to
maintaining the confidentiality of residential and small commercial
customer information by electric service providers. 
   This bill would provide that meter data collected by an electrical
corporation or gas corporation is the property of the customer,
regardless of whether the data is kept by the customer or retained
solely by the utility, and would require that individual customer
information, including energy usage, billing, and credit information,
remain confidential unless the customer expressly authorizes, in
writing, that the information may be released to a third party. The
bill would require each electrical corporation and gas corporation
that installs smart meters on customer residences to adopt and obtain
the CPUC's approval of a statement of privacy and security
principles for smart meter systems and a work plan to implement those
principles. The bill would require the commission to adopt rules to
ensure the safe transfer of electronic usage information and would
authorize the commission to adopt other rules that the commission
determines are necessary or useful to implement the bill's
requirements.  
   The bill would provide that energy usage data in the possession of
a 3rd-party demand response service provider, as defined, is the
property of the electrical end-use customer regardless of whether
that data is kept by the customer or retained solely by the service
provider. The bill would prohibit individual electrical end-use
customer information, as defined, in the custody of a 3rd-party
demand response service provider from being provided to any other
person or corporation by the service provider unless the customer
expressly authorizes, in writing, that the information may be
released to that person or corporation and that person or corporation
acknowledges, in writing, that the information is confidential and
may not be shared or utilized by any other person or corporation
without the express written consent of the customer. The bill would
require each 3rd-party demand response service provider to adopt a
statement of privacy and security principles for the data to which it
has access as a result of providing demand response services and a
work plan to implement those principles. The bill would authorize the
CPUC to adopt rules to ensure the privacy of individual electrical
end-use customer information and would authorize the CPUC to exercise
certain enforcement powers relative to these requirements and any
rules that it adopts.  
   This bill would prohibit an electrical corporation or gas
corporation from sharing, selling, disclosing, or otherwise making
accessible to any third party, without first obtaining the customer's
express written consent, any personally identifiable information
concerning a customer and, upon written request, to inform the
customer of the identity of each person or corporation to whom the
information has been released. The bill would make a violation of
these requirements grounds for a civil suit by the aggrieved customer
against the utility and its employees responsible for the violation.
The bill would require each electrical corporation and gas
corporation to adopt a statement of privacy and security principles
for the personally identifiable information of its customers and to
file that statement with the CPUC, to post the statement on the
utility's Internet Web site, to make the statement available to a
customer, upon request, at no charge, and to disseminate the
statement to customers. The bill would require that an electrical
corporation or gas corporation ensure that any person, other than the
customer or utility, including a contractor, equipment supplier, or
software supplier of the utility, that is permitted to have access to
customer information, is aware of the utility's statement of privacy
and security principles and agrees, pursuant to contract, to act in
a manner that is compatible with the statement of privacy and
security principles.  
   (4) 
    (3)  This bill would require each  public
utility   electrical corporation and gas corporation
 , on or before March 1, 2012, and each March 1 thereafter, to
report to the Office of Privacy Protection, certain information
relative to requests for customer's utility records pursuant to
federal warrants, state warrants, grand jury subpoenas, civil
subpoenas, and administrative subpoenas. The bill would require that
the reports be made available to the public via the Internet.

   (5) 
    (4)  Existing law relative to civil discovery requires
that a subpoena duces tecum for personal records pertaining to a
consumer be served upon the consumer along with a specified
affidavit. Personal records are defined for this purpose to include
the records of a telephone corporation.
   This bill would expand the definition of personal records to
include records of an electrical corporation, gas corporation,
 publicly owned gas utility,  or local publicly
owned electric utility. 
   (6) 
    (5)  Existing law provides that a judge may order the
production of utility records, as defined, only if certain conditions
are met. Existing law does not preclude the holder of the utility
records from notifying a customer of the receipt of the order for
production unless a court orders otherwise.
   This bill would instead require a holder of utility records to
notify a customer of the receipt of the order for production unless a
court orders otherwise. 
   (7) 
    (6)  Under existing law, a violation of the Public
Utilities Act or any order, decision, rule, direction, demand, or
requirement of the commission is a crime.
   Because certain of the bill's provisions would be within the act
and because the bill would require action by the commission to
implement certain of its requirements, a violation of these
provisions would impose a state-mandated local program by creating a
new crime.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  (a) Information concerning a utility customer's energy
usage  belongs to the customer and  should be
treated as confidential by electrical corporations and gas
corporations, and the Legislature finds and declares that this right
of privacy needs further protection in light of the detailed
information on household energy usage that will be available to
electrical corporations and gas corporations after the statewide
deployment of smart meter technology. If electrical corporations
begin to provide other services over wholly owned medium, including
broadband over powerline service, privacy protections need to apply
to these services.
   (b) It is the intent of the Legislature that the protections added
by Section 2750 of the Public Utilities Code are in addition to
those protections afforded customers pursuant to Section 394.4 of the
Public Utilities Code.
   (c) It is the further intent of the Legislature to enact
additional protections to preserve the confidentiality of household
energy usage information and prevent its access and use by third
parties that provide equipment or software associated with deployment
and operation of the smart grid. A customer has a reasonable
expectation of privacy with respect to their occupancy, movement,
habits, or any other activity in their home that otherwise would not
be visible from outside. Smart appliance systems for the home should
protect a customer's reasonable expectation of privacy in his or her
activities and preferences, and the customer's right to control the
use of  energy usage  data collected from in-home smart
appliances, in-home sensors, or smart meters, should be protected by
limiting a utility's and other business processor's use of the 
energy usage  data, and limiting access and use by government
and private parties. 
   (d) The Legislature finds that granting the Public Utilities
Commission authority to adopt and enforce rules to ensure customer
privacy with respect to energy usage information collected as a
result of smart meter systems, and to adopt requirements for network
security, are cognate and germane to the commission's regulation of
electrical corporations and gas corporations.  
   (e) 
    (d)  Detailed and real-time consumption data held by, or
accessible to, electrical corporations, gas corporations, or third
parties should be available to law enforcement only with a warrant or
in those circumstances when a warrant is unnecessary to conduct a
search of a residence.
  SEC. 2.  Section 1985.3 of the Code of Civil Procedure is amended
to read:
   1985.3.  (a) For purposes of this section, the following
definitions apply:
   (1) "Personal records" means the original, any copy of books,
documents, other writings, or electronic data pertaining to a
consumer and which are maintained by any "witness" that is a
physician, dentist, ophthalmologist, optometrist, chiropractor,
physical therapist, acupuncturist, podiatrist, veterinarian,
veterinary hospital, veterinary clinic, pharmacist, pharmacy,
hospital, medical center, clinic, radiology or MRI center, clinical
or diagnostic laboratory, state or national bank, state or federal
association (as defined in Section 5102 of the Financial Code), state
or federal credit union, trust company, anyone authorized by this
state to make or arrange loans that are secured by real property,
security brokerage firm, insurance company, title insurance company,
underwritten title company, escrow agent licensed pursuant to
Division 6 (commencing with Section 17000) of the Financial Code or
exempt from licensure pursuant to Section 17006 of the Financial
Code, attorney, accountant, institution of the Farm Credit System, as
specified in Section 2002 of Title 12 of the United States Code, an
electrical corporation, gas corporation, or telephone corporation
that is a public utility, as defined in Section 216 of the Public
Utilities Code,  or a publicly owned gas utility, 
or a local publicly owned electric utility, as defined in Section
224.3 of the Public Utilities Code, or psychotherapist, as defined in
Section 1010 of the Evidence Code, or a private or public preschool,
elementary school, secondary school, or postsecondary school as
described in Section 76244 of the Education Code.
   (2) "Consumer" means any individual, partnership of five or fewer
persons, association, or trust which has transacted business with, or
has used the services of, the witness or for whom the witness has
acted as agent or fiduciary.
   (3) "Subpoenaing party" means the person or persons causing a
subpoena duces tecum to be issued or served in connection with any
civil action or proceeding pursuant to this code, but shall not
include the state or local agencies described in Section 7465 of the
Government Code, or any entity provided for under Article VI of the
California Constitution in any proceeding maintained before an
adjudicative body of that entity pursuant to Chapter 4 (commencing
with Section 6000) of Division 3 of the Business and Professions
Code.
   (4) "Deposition officer" means a person who meets the
qualifications specified in Section 2020.420.
   (b) Prior to the date called for in the subpoena duces tecum for
the production of personal records, the subpoenaing party shall serve
or cause to be served on the consumer whose records are being sought
a copy of the subpoena duces tecum, of the affidavit supporting the
issuance of the subpoena, if any, and of the notice described in
subdivision (e), and proof of service as indicated in paragraph (1)
of subdivision (c). This service shall be made as follows:
   (1) To the consumer personally, or at his or her last known
address, or in accordance with Chapter 5 (commencing with Section
1010) of Title 14 of Part 3, or, if he or she is a party, to his or
her attorney of record. If the consumer is a minor, service shall be
made on the minor's parent, guardian, conservator, or similar
fiduciary, or if one of them cannot be located with reasonable
diligence, then service shall be made on any person having the care
or control of the minor or with whom the minor resides or by whom the
minor is employed, and on the minor if the minor is at least 12
years of age.
   (2) Not less than 10 days prior to the date for production
specified in the subpoena duces tecum, plus the additional time
provided by Section 1013 if service is by mail.
   (3) At least five days prior to service upon the custodian of the
records, plus the additional time provided by Section 1013 if service
is by mail.
   (c) Prior to the production of the records, the subpoenaing party
shall do either of the following:
   (1) Serve or cause to be served upon the witness a proof of
personal service or of service by mail attesting to compliance with
subdivision (b).
   (2) Furnish the witness a written authorization to release the
records signed by the consumer or by his or her attorney of record.
The witness may presume that any attorney purporting to sign the
authorization on behalf of the consumer acted with the consent of the
consumer, and that any objection to release of records is waived.
   (d) A subpoena duces tecum for the production of personal records
shall be served in sufficient time to allow the witness a reasonable
time, as provided in Section 2020.410, to locate and produce the
records or copies thereof.
   (e) Every copy of the subpoena duces tecum and affidavit, if any,
served on a consumer or his or her attorney in accordance with
subdivision (b) shall be accompanied by a notice, in a typeface
designed to call attention to the notice, indicating that (1) records
about the consumer are being sought from the witness named on the
subpoena; (2) if the consumer objects to the witness furnishing the
records to the party seeking the records, the consumer must file
papers with the court or serve a written objection as provided in
subdivision (g) prior to the date specified for production on the
subpoena; and (3) if the party who is seeking the records will not
agree in writing to cancel or limit the subpoena, an attorney should
be consulted about the consumer's interest in protecting his or her
rights of privacy. If a notice of taking of deposition is also
served, that other notice may be set forth in a single document with
the notice required by this subdivision.
   (f) A subpoena duces tecum for personal records maintained by a
telephone corporation  which   that  is a
public utility, as defined in Section 216 of the Public Utilities
Code, shall not be valid or effective unless it includes a consent to
release, signed by the consumer whose records are requested, as
required by Section 2891 of the Public Utilities Code.
   (g) Any consumer whose personal records are sought by a subpoena
duces tecum and who is a party to the civil action in which this
subpoena duces tecum is served may, prior to the date for production,
bring a motion under Section 1987.1 to quash or modify the subpoena
duces tecum. Notice of the bringing of that motion shall be given to
the witness and deposition officer at least five days prior to
production. The failure to provide notice to the deposition officer
shall not invalidate the motion to quash or modify the subpoena duces
tecum but may be raised by the deposition officer as an affirmative
defense in any action for liability for improper release of records.
   Any other consumer or nonparty whose personal records are sought
by a subpoena duces tecum may, prior to the date of production, serve
on the subpoenaing party, the witness, and the deposition officer, a
written objection that cites the specific grounds on which
production of the personal records should be prohibited.
   A witness or deposition officer shall not be required to produce
personal records after receipt of notice that the motion has been
brought by a consumer, or after receipt of a written objection from a
nonparty consumer, except upon order of the court in which the
action is pending or by agreement of the parties, witnesses, and
consumers affected.
   The party requesting a consumer's personal records may bring a
motion under Section 1987.1 to enforce the subpoena within 20 days of
service of the written objection. The motion shall be accompanied by
a declaration showing a reasonable and good faith attempt at
informal resolution of the dispute between the party requesting the
personal records and the consumer or the consumer's attorney.
   (h) Upon good cause shown and provided that the rights of
witnesses and consumers are preserved, a subpoenaing party shall be
entitled to obtain an order shortening the time for service of a
subpoena duces tecum or waiving the requirements of subdivision (b)
where due diligence by the subpoenaing party has been shown.
   (i) This section shall not be construed to apply to any subpoena
duces tecum that does not request the records of any particular
consumer or consumers and that requires a custodian of records to
delete all information that would in any way identify any consumer
whose records are to be produced.
   (j) This section shall not apply to proceedings conducted under
Division 1 (commencing with Section 50), Division 4 (commencing with
Section 3200), Division 4.5 (commencing with Section 6100), or
Division 4.7 (commencing with Section 6200), of the Labor Code.
   (k) Failure to comply with this section shall be sufficient basis
for the witness to refuse to produce the personal records sought by a
subpoena duces tecum.
   (l) If the subpoenaing party is the consumer, and the consumer is
the only subject of the subpoenaed records, notice to the consumer,
and delivery of the other documents specified in subdivision (b) to
the consumer, is not required under this section.
  SEC. 3.  Section 1326.1 of the Penal Code is amended to read:
   1326.1.  (a) An order for the production of utility records in
whatever form and however stored shall be issued by a judge only upon
a written ex parte application by a peace officer showing specific
and articulable facts that there are reasonable grounds to believe
that the records or information sought are relevant and material to
an ongoing investigation of a felony violation of Section 186.10 or
of any felony subject to the enhancement set forth in Section 186.11.
The ex parte application shall specify with particularity the
records to be produced, which shall be only those of the individual
or individuals who are the subject of the criminal investigation. The
ex parte application and any subsequent judicial order shall be open
to the public as a judicial record unless ordered sealed by the
court, for a period of 60 days. The sealing of these records may be
extended for 60-day periods upon a showing to the court that it is
necessary for the continuance of the investigation. Sixty-day
extensions may continue for up to one year or until termination of
the investigation of the individual or individuals, whichever is
sooner. The records ordered to be produced shall be returned to the
peace officer applicant or his or her designee within a reasonable
time period after service of the order upon the holder of the utility
records.
   (b) As used in subdivision (a), "utility records" include, but are
not limited to, subscriber information, telephone or pager number
information, toll call records, call detail records, automated
message accounting records, billing statements, payment records, and
applications for service in the custody of companies engaged in the
business of providing telephone, pager, electric, gas, propane,
water, or other like services. "Utility records" do not include the
installation of, or the data collected from the installation of pen
registers or trap-tracers, nor the contents of a wire or electronic
communication.
   (c) The holder of the utility records shall notify a customer of
the receipt of the order for production of records unless a court
orders the holder of the utility records to withhold notification to
the customer upon a finding that this notice would impede the
investigation. Where a court has made an order to withhold
notification to the customer under this subdivision, the order shall
include a statement of the facts as to why providing notice would
impede the investigation and the peace officer or law enforcement
agency who obtained the utility records shall notify the customer by
delivering a copy of the ex parte order to the customer within 10
days of the termination of the investigation.
   (d) A holder of utility records, or an officer, employee, or agent
thereof, shall not be liable to any person for  (A)
  (1)  disclosing information in response to an
order pursuant to this section, or  (B)   (2)
 complying with an order under this section not to disclose to
the customer, the order or the dissemination of information pursuant
to the order.
   (e) This section shall not preclude the holder of the utility
records from voluntarily disclosing information or providing records
to law enforcement upon request.
   (f) Utility records released pursuant to this section shall be
used only for the purpose of criminal investigations and
prosecutions.
  SEC. 4.  Section 589 is added to the Public Utilities Code, to
read:
   589.  (a) On or before March 1, 2012, and each March 1 thereafter,
each  public utility   electrical corporation
and gas corporation  shall report all of the following to the
Office of Privacy Protection created pursuant to Section 11549.5 of
the Government Code:
   (1) The number of federal warrants, state warrants, grand jury
subpoenas, civil subpoenas, and administrative subpoenas received by
the utility during the prior calendar year for information pertaining
to a California consumer of the utility's services.
   (2) The number and types of actions taken by the utility in
response to each category of information request listed in paragraph
(1).
   (3) The number of customers whose utility records were produced in
response to each category of information request listed in paragraph
(1).
   (4) The type of information disclosed about the utility's
customers in response to each category of information request listed
in paragraph (1).
   (5) The total amount of money received by the utility to respond
to each category of information request in paragraph (1).
   (b) Information need not be disclosed pursuant to subdivision (a)
where prohibited by some other law. If the utility does not disclose
information pursuant to this subdivision, it shall include a
statement in the report as to the basis for the withholding of that
information.
   (c) On or before June 1, 2012, and each June 1 thereafter, each
public utility shall make the report prepared pursuant to subdivision
(a) available on the utility's Internet Web site and shall provide
an electronic version of the report to the Office of Privacy
Protection.
   (d) On or before July 1, 2012, and each July 1 thereafter, the
Office of Privacy Protection shall make a copy of each utility report
furnished to the office pursuant to this section available on the
office's Internet Web site in a manner that will allow the public to
conduct online searches for information contained in the reports.

  SEC. 5.    Section 779.3 is added to the Public
Utilities Code, to read:
   779.3.  (a) The Legislature finds and declares all of the
following:
   (1) The Division of Ratepayer Advocates is an independent
organization within the Public Utilities Commission that represents
consumers' interests on utility matters, with the statutory mission
to obtain the lowest possible rates for utility services consistent
with safe and reliable service levels.
   (2) In November 2009, the division released its report entitled
"Status of Energy Utility Service Disconnections in California,"
which evaluated energy utility disconnection data comparing the 12
months of September 2008 through August 2009, to prior years, back to
January 2006, and compared California trends to national trends.
   (3) That data evaluated by the division showed the following:
   (A) Disconnections of low-income customers during the period
September 2008 through August 2009 were 19 percent higher than the
past year, with the largest increase for Pacific Gas and Electric
Company's customers.
   (B) Disconnections of non-low-income customers have decreased,
except in Pacific Gas and Electric Company's service territory.
   (C) While low-income customers have traditionally suffered more
disconnections than non-low-income customers, the recent disparity is
the worst in three years.
   (D) A large number of customers, particularly low-income
customers, go through the disconnect-reconnect cycle.
   (E) Energy utility workforce constraints have limited
disconnections to a fraction of those customers failing to pay after
receiving final disconnect notices, but the remote disconnection
functionality of smart meters will lift this constraint.
   (4) Increasing service disconnections during the current economic
downturn exacerbate the hardship that likely led to the service
disconnection in the first place, and since most disconnected
customers, within hours or days of disconnection, pay their utility
bills in order to be reconnected, the division questions whether
those disconnections are preventable.
   (5) It is the intent of the Legislature to enact legislation
implementing the recommendations of the Division of Ratepayer
Advocates to reduce those disconnections that are preventable along
with additional protective measures.
   (b) The commission shall require electrical corporations and gas
corporations to implement specific strategies that compel customer
payment prior to, rather than after service disconnection, with the
goal of eliminating all avoidable disconnections. In implementing
this requirement, the commission shall consider requiring electrical
and gas corporations to do all of the following:
   (1) Offer autopay to all customers, and provide incentives for
signing up for autopay or for fulfilling commitments to payment
plans.
   (2) Offer customers the ability to receive disconnect notices via
a preferred method that is most likely to get their attention,
including telephone calls, e-mails, text messaging, a home
electricity monitoring device or other network device, and
third-party notification.
   (3) Provide additional messages in late payment and disconnect
notices that constructively alert customers of the options the
utilities may offer and provide the list of costs, both direct and
indirect, the customers may face when service is disconnected.
   (4) Engage in proactive offers regarding the variety of assistance
programs before disconnection takes place.
   (5) Increase in-person contacts before disconnection.
   (6) Create an arrearage management program.
   (7) Give priority installation of programmable communicating
thermostats to customers who are at risk for disconnection so that
they can better manage their usage and load.
   (c) The commission shall require electrical corporations and gas
corporations to reduce the disconnection rates for low-income
customers, including customers participating in the California
Alternate Rates for Energy program, so that they are in line with the
disconnection rates of those customers that are not low-income
customers.
   (d) The commission shall ensure that electric and gas service
disconnections remain at, or below, historical levels regardless of
whether remote disconnections utilizing Advanced Metering
Infrastructure technology, known as AMI or smart meters, are
implemented. In implementing this requirement, the commission shall
consider requiring electrical corporations and gas corporations to do
all of the following:
   (1) Benchmark disconnection rates in order to facilitate the
program.
   (2) Randomly survey customers eligible for disconnection during
customer interactions to identify the most effective means of helping
them avoid future disconnections.
   (3) Share best practices on an ongoing basis.
   (4) Maintain the personal contact associated with in-person
disconnections for a transition period until all of the following
occur:
   (A) Any initial problems with smart meters are addressed.
   (B) Status reports are filed with the commission that identify
smart meter remote disconnection issues and present solutions used to
mitigate these issues.
   (C) Ratepayers have been informed about new disconnection
processes.
   (D) Alternatives that can be deployed to the in-person service
associated with disconnections are created, including disconnection
hotlines with live agents available to respond to customer problems
associated with disconnections, and increasing the number of local
payment centers.
   (e) The commission shall require safeguards to protect against
negative health and public safety consequences of remote
disconnections of electric and gas service once smart meters are
installed. In implementing this requirement, the commission shall
consider requiring electrical corporations and gas corporations to do
both of the following:
   (1) Add a process that enables consumers to obtain temporary
service reinstatements for 10 days once they initiate an
investigation or request for repayment assistance, to be available
only once a year to avoid abuse.
   (2) Provide additional notice regarding the procedure for service
reinstatement, including notice regarding temporary reinstatement.
 
  SEC. 6.    Section 2750 is added to the Public
Utilities Code, to read:
   2750.  (a) For purposes of this section, an authorization,
acknowledgment, or consent is written or in writing if made by an
"electronic record" that includes a "digital signature," as those
terms are defined in Section 1633 of the Civil Code.
   (b) The meter data collected by an electrical corporation or gas
corporation is the property of the customer, regardless of whether
the data is kept by the customer or retained solely by the utility.
   (c) Individual customer information shall remain confidential. For
purposes of this section, "individual customer information" includes
both of the following:
   (1) Energy usage information about an individual, family,
household, or residence.
   (2) Billing and credit information about an individual, family,
household, or residence.
   (d) (1) Individual customer information in the custody of an
electrical corporation or gas corporation shall not be shared, sold,
disclosed, or otherwise made accessible to a third party unless the
customer expressly authorizes, in writing, the release of that
information to that third party and the third party acknowledges, in
writing, that the information is confidential and shall not be
shared, sold, disclosed, made accessible, or utilized by any other
person, corporation, or other entity without the express written
consent of the customer.
   (2) A customer may authorize the release of prior bills or usage
records by the utility, but the customer or the third party shall pay
any reasonable administrative cost incurred by the utility in
complying with the release.
   (3) A written authorization by a customer for the release of
confidential information shall automatically terminate after the
passage of three years from the date of the written authorization and
any renewal shall be in writing.
   (4) An electrical corporation, gas corporation, or third party
shall not offer or provide any incentive, discount, or other
inducement with a monetary value, to a customer to obtain the
customer's authorization to release information pursuant to this
subdivision.
   (e) (1) Each electrical corporation and gas
corporation implementing smart meter technology, by July 1, 2011, or
within six months of the installation of smart meters on customer
residences, shall adopt a statement of privacy and security
principles for smart meter systems. Each electrical corporation and
gas corporation implementing smart meter technology shall file the
statement of principles with the commission. The commission shall
approve, or modify and approve, the statement of principles. The
statement of principles shall include the following elements:
   (A) A customer has a right to transparency in information
gathering and use. The utility shall provide customers with
meaningful, clear, and full notice regarding the collection, use,
dissemination, and maintenance of individual customer information
gathered as a result of the smart meter system.
   (B) A customer has a right to participate in what and how
information about the customer is collected and used. The utility
shall employ a process when using individual customer information
gathered as a result of the smart meter system that seeks the
customer's consent for the collection, use, dissemination, and
maintenance of the information. The utility shall provide mechanisms
for customers to access, correct, and seek redress regarding their
individual customer information gathered as a result of the smart
meter system.
   (C) A customer has a right to know each reason information is
being gathered. The utility shall articulate and communicate with
specificity to the customer each purpose for which individual
customer information is being gathered through use of the smart meter
system.
   (D) Maintenance of information shall be minimized. The utility
shall collect or retain only that individual customer information
that is directly relevant and necessary to accomplish a purpose
specified in subparagraph (C). Individual customer information shall
only be retained for as long as necessary to fulfill the specified
purpose.
   (E) Information shall be used only for the purposes for which it
was gathered. Individual customer information shall be used solely
for the purposes for which it was collected and may be shared only
for purposes that are compatible with the purposes for which it was
gathered.
   (F) The utility shall maintain the quality and integrity of
information. The utility, to the extent practicable, shall ensure
that all individual customer information is accurate, relevant,
timely, and complete. The utility shall provide a mechanism for
customers to easily and confidentially access and view their
information and a means to report errors. The utility shall correct
erroneous information that is challenged by the consumer.
   (G) The utility shall maintain the security of the information
gathering system. The utility shall protect individual customer
information through appropriate security safeguards against risks of
loss, unauthorized access or use, destruction, modification, or
unintended or inappropriate disclosure, and the smart grid technology
employed by the utility shall be capable of implementing these
security safeguards.
   (H) The utility shall undertake reasonable auditing to verify
compliance with the utility's statement of principles. The utility
shall be responsible for ensuring compliance with its statement of
privacy and security principles for smart meter systems and, to that
end, shall undertake appropriate training of its employees and
contractors and audit the individual customer information being
gathered and maintained and the dissemination of that information.
   (2) No later than six months following the commission's approval
of the statement of privacy and security principles for smart meter
systems, the electrical corporation or gas corporation shall adopt a
work plan for implementation of the statement of principles. The
electrical corporation or gas corporation shall file the work plan
with the commission. The commission shall approve, or modify and
approve, the work plan. Information in the work plan that might be
detrimental to the security of the smart meter system shall be filed
in a manner that preserves the confidentiality of the information.
   (3) Upon approval of the statement of privacy and security
principles for smart meter systems and the work plan, the utility
shall make the statement of principles and the work plan available on
the utility's Internet Web site. Information that might be
detrimental to the security of the smart meter system shall be
omitted from the information made available on the Internet Web site.
The utility's Internet Web site shall provide a mechanism for
customers to make inquiries about, or comment upon, the statement of
principles and work plan.
   (4) An electrical corporation or gas corporation shall ensure that
any person, other than the customer, or corporation that is
permitted to have access to the smart grid system, including a
contractor, equipment supplier, or software supplier of the utility,
is aware of the utility's statement of privacy and security
principles for smart meter systems and the work plan, and agrees to
follow the requirements of the work plan and act in a manner that is
compatible with the statement of principles.
   (5) An electrical corporation or gas corporation shall promptly
notify the commission of any violation of the work plan by any
employee of the utility or any person or corporation that is
permitted to have access to the smart grid system.
   (6) The commission may exercise its authority pursuant to Sections
2111 and 2113 to enforce the requirements of the work plan with
respect to any person or corporation that is not an electrical
corporation or gas corporation.
   (f) The commission shall adopt rules to ensure the safe transfer
of electronic usage information and may adopt other rules that the
commission determines are necessary or useful to implement the
requirements of this section. The commission shall approve a
reasonable charge that may be collected by an electrical corporation
or gas corporation for providing historical information pursuant to
paragraph (2) of subdivision (c).
   (g) This section does not limit the ability of a customer to
directly and voluntarily provide confidential information to a third
party. An electrical corporation or gas corporation shall provide a
customer, the customer's electric service provider, the customer's
third-party demand response service provider, or other third-party
entity authorized by the customer, with read-only access to the
customers' smart meter data, including meter data used to calculate
charges for electric service and historical load data. The access
shall be convenient and secure, and the data shall be made available
no later than the next day of service. An authorization shall be made
in writing.
   (h) (1) This section does not limit the authority of the
commission, subject to Section 583, or the Energy Commission, to
require an electrical corporation or gas corporation to provide, for
authorized purposes, composite statistical information derived from
individual customer information that does not disclose individual
customer data.
   (2) The commission may approve the sharing of information with a
third-party demand response service provider pursuant to subdivision
(f) of Section 5601.
   (3) The commission may authorize the sharing of information with
academic or other researchers retained to evaluate system
reliability, vulnerability, security, or other authorized research
topics, provided that the results of the research publicly disclose
only composite statistical information derived from individual
customer information that does not disclose individual customer data.
The commission may condition the sharing of information by an
electrical corporation or gas corporation upon the removal of
individual identifying information and characteristics. The
commission shall ensure that academic or other researchers have
obtained approval from their institutional review board to use the
requested data. The commission shall require each electrical
corporation and gas corporation to adopt a mechanism for academic or
other researchers to confidentially report suspected system
vulnerabilities that they have found in their research and testing.
The commission shall require each electrical corporation and gas
corporation to adopt a mechanism for members of the public to
anonymously report system vulnerabilities.
   (i) The commission may exercise its enforcement authority pursuant
to Chapter 11 (commencing with section 2100) of Part 1 with respect
to an electrical corporation or gas corporation to enforce the
requirements of this section. 
   SEC. 5.    Section 2750 is added to the
Public Utilities Code, to read:
   2750.  (a) An electrical corporation or gas corporation shall not
share, sell, disclose, or otherwise make accessible to any third
party, without first obtaining the customer's express written
consent, any personally identifiable information concerning a
customer including, but not limited to, the following:
   (1) The customer's personal billing or credit information, or
electrical or gas usage data.
   (2) The customer's credit or other personal financial information,
except when the corporation is ordered by the commission to provide
this information.
   (3) The services that the customer purchases, enrolls in, or
subscribes to, from the utility or from independent services that use
the electrical or gas consumption data to provide a related service
to the customer.
   (4) Demographic information about individual customers, or
aggregate information from which individual identities and
characteristics have not been removed.
   (b) A customer who gives his or her written consent for the
release of one or more of the categories of personally identifiable
information in subdivision (a) shall be informed by the electrical
corporation or gas corporation of the identity of each person or
corporation to whom the information has been released, upon written
request.
   (c) (1) A customer who, pursuant to subdivision (b), has given
written consent for the release of one or more of the categories of
personally identifiable information in subdivision (a), may rescind
this consent upon submission of a written notice to the electrical
corporation or gas corporation.
   (2) An electrical corporation or gas corporation shall cease to
make available any personal information about the customer, within 30
days following receipt of notice pursuant to paragraph (1).
   (3) If a customer voluntarily terminates service with an
electrical corporation or gas corporation, any prior consent for the
release of personally identifiable information shall also terminate.
   (d) This section does not apply to any of the following:
   (1) General information regarding the usage, load shape, or other
characteristics of a group or rate classification, unless the release
of that information would reveal customer specific information
because of the size of the group, rate classification, or nature of
the information.
   (2) Information provided under supervision of the commission to a
collection agency by the electrical corporation or gas corporation
exclusively for the collection of unpaid debts.
   (3) Information provided to an emergency service agency responding
to a 911 telephone call or any other call communicating an imminent
threat to life or property.
   (4) Information provided to a law enforcement agency in response
to lawful process.
   (5) Information that is required by the commission pursuant to its
jurisdiction and control over electrical corporations and gas
corporations.
   (6) Information required to be provided by the electrical
corporation or gas corporation pursuant to rules and orders of the
commission or the Federal Energy Regulatory Commission.
   (7) The name and address of the customers of an electrical
corporation or gas corporation who are enrolled in the California
Alternative Rates for Energy or CARE program provided by that utility
for the sole purpose of low-income ratepayer assistance outreach
efforts.
   (8) Information provided in response to a request pursuant to
subdivision (a) of Section 530.8 of the Penal Code.
   (e) An electrical corporation or gas corporation shall not offer
or provide any incentive, discount, or other inducement with a
monetary value, to a customer to obtain the customer's authorization
to release information pursuant to this section.
   (f) For purposes of this section, an authorization,
acknowledgment, or consent is written or in writing if made by an
"electronic record" that includes a "digital signature," as those
terms are defined in Section 1633 of the Civil Code.
   (g) Each violation of this section is grounds for a civil suit by
the aggrieved customer against the electrical corporation or gas
corporation and its employees responsible for the violation. 
   SEC. 6.    Section 2751 is added to the
Public Utilities Code, to read:
   2751.  (a) On or before July 1, 2011, each electrical corporation
and gas corporation shall adopt a statement of privacy and security
principles for the personally identifiable information of its
customers which shall be filed with the commission, posted on the
utility's Internet Web site, made available to a customer upon
request at no charge, and disseminated to customers. The statement of
privacy and security principles shall provide customers with
meaningful, clear, and full notice regarding the collection, use,
dissemination, and maintenance of the personally identifiable
information of its customers.
   (b) The statement of privacy and security principles shall
incorporate each of the following principles of the Fair Information
Practice Principles adopted by the Federal Trade Commission:
   (1) Notice/Awareness.
   (2) Choice/Consent.
   (3) Access/Participation.
   (4) Integrity/Security.
   (5) Enforcement/Redress.
   (c) An electrical corporation or gas corporation shall ensure that
any person, other than the customer or corporation, including a
contractor, equipment supplier, or software supplier of the utility,
that is permitted to have access to customer information pursuant to
Section 2750, is aware of the utility's statement of privacy and
security principles and agrees, pursuant to contract, to act in a
manner that is compatible with the statement of privacy and security
principles. 
  SEC. 7.  The heading of Chapter 4.5 (commencing with Section 2750)
is added to Part 2 of Division 1 of the Public Utilities Code, to
read:
      CHAPTER 4.5.  ELECTRICAL CORPORATIONS AND GAS
CORPORATIONS


  SEC. 8.  The heading of Chapter 4.5 (commencing with Section 2771)
of Part 2 of Division 1 of the Public Utilities Code is repealed.

  SEC. 9.    Chapter 10 (commencing with Section
5600) is added to Division 2 of the Public Utilities Code, to read:
      CHAPTER 10.  THIRD-PARTY DEMAND RESPONSE SERVICE PROVIDERS


   5600.  (a) For purposes of this chapter, "third-party demand
response service provider" means a person or corporation that is not
an electrical corporation who collects customer energy usage data or
collects that data and provides equipment, software, or services that
enable end-use electrical customers to reduce their electricity
usage in a given time period, or shift that usage to another time
period, in response to a price signal, a financial incentive, an
environmental condition, or a reliability signal.
   (b) For purposes of this chapter, an authorization,
acknowledgment, or consent is written or in writing if made by an
"electronic record" that includes a "digital signature" as those
terms are defined in Section 1633 of the Civil Code.
   5601.  (a) Energy usage data is the property of the electrical
end-use customer, regardless of whether the data is kept by the
customer or retained solely by a third-party demand response service
provider.
   (b) Individual electrical end-use customer information shall
remain confidential. For purposes of this section, "individual
electrical end-use customer information" includes both of the
following:
   (1) Electrical usage information about an individual, family,
household, or residence.
   (2) Billing and credit information about an individual, family,
household, or residence.
   (c) (1) Individual electrical end-use customer information in the
custody of a third-party demand response service provider shall not
be shared, sold, disclosed, or otherwise made accessible to any other
person or corporation by a third-party demand response service
provider unless the customer expressly authorizes, in writing, the
release of that information to that person or corporation and that
person or corporation acknowledges, in writing, that the information
is confidential and shall not be shared, sold, disclosed, made
accessible, or utilized by any other person or corporation without
the express written consent of the customer.
   (2) A written authorization by an electrical end-use customer for
the release of confidential information shall automatically terminate
three years from the date of the written authorization, and any
renewal shall be in writing.
   (3) No third-party demand response service provider shall offer or
provide any incentive, discount, or other inducement with a monetary
value, to a customer to obtain the customer's authorization to
release information pursuant to this subdivision.
   (d) (1) Each third-party demand response service provider, before
providing demand response service on customer residences, shall adopt
a statement of privacy and security principles for smart meter
systems. The statement of principles shall include the following
elements:
   (A) A customer has a right to transparency in information
gathering and use. The third-party demand response service provider
shall provide customers with meaningful, clear, and full notice
regarding the collection, use, dissemination, and maintenance of
individual customer information gathered as a result of the demand
response services.
   (B) A customer has a right to participate in what and how
information about the customer is collected and used. The third-party
demand response service provider shall employ a process when using
individual customer information gathered as a result of providing
demand response services that, seeks the customer's consent for the
collection, use, dissemination, and maintenance of the information.
The third-party demand response service provider shall provide
mechanisms for customers to access, correct, and seek redress
regarding their individual customer information gathered as a result
of providing demand response services.
   (C) A customer has a right to know the reason information is being
gathered. The third-party demand response service provider shall
articulate and communicate to the customer the purposes for which
individual customer information is being gathered as a result of
providing demand response services.
   (D) Maintenance of information shall be minimized. The third-party
demand response service provider shall collect or retain only that
individual customer information that is directly relevant and
necessary to accomplish a purpose specified in subparagraph (C).
Individual customer information shall only be retained for as long as
necessary to fulfill the specified purpose.
   (E) Information shall be used only for the purposes for which it
was gathered. Individual customer information shall be used solely
for the purposes for which it was collected and may be shared only
for purposes that are compatible with the purposes for which it was
gathered.
   (F) The third-party demand response service provider shall
maintain the quality and integrity of information. The third-party
demand response service provider, to the extent practicable, shall
ensure that all individual customer information is accurate,
relevant, timely, and complete. The third-party demand response
service provider shall correct erroneous information that is
challenged by the consumer.
   (G) The third-party demand response service provider shall
maintain the security of the information gathering system. The
third-party demand response service provider shall protect individual
customer information through appropriate security safeguards against
risks of loss, unauthorized access or use, destruction,
modification, or unintended or inappropriate disclosure, and the
demand response technology employed by the third-party demand
response service provider shall be capable of implementing these
security safeguards.
   (H) (1) The third-party demand response service provider shall
undertake reasonable auditing to verify compliance with the
third-party demand response service provider's statement of
principles. The third-party demand response service provider shall be
responsible for ensuring compliance with its statement of privacy
and security principles for the demand response technologies utilized
by the third-party demand response service provider and, to that
end, shall undertake appropriate training of its employees and
contractors and audit the individual customer information being
gathered and maintained and the dissemination of that information.
   (2) After adopting privacy and security principles and before
commencing to provide demand response service on customer residences,
the third-party demand response service provider shall adopt a work
plan for implementation of the statement of principles. Information
in the work plan that might be detrimental to the security of the
demand response technology utilized by the third-party demand
response service provider shall be handled in a manner that preserves
the confidentiality of the information.
   (3) Upon adoption of the statement of privacy, security
principles, and the work plan, the third-party demand response
service provider shall make the statement of principles and the work
plan available on the third-party demand response service provider's
Internet Web site or supply it to customers in writing or as an
electronic record, as defined in Section 1633 of the Civil Code.
Information that might be detrimental to the security of the demand
response technology utilized by the third-party demand response
service provider shall be omitted from the information made available
on the Internet Web site or directly supplied to customers. The
third-party demand response service provider shall provide a
mechanism for customers to make inquiries about, or comment upon, the
statement of principles and work plan.
   (4) A third-party demand response service provider shall ensure
that any person, other than the customer, or corporation that is
permitted to have access to the demand response technology utilized
by the third-party demand response service provider, including a
contractor, equipment supplier, or software supplier of the
third-party demand response service provider, is aware of the
third-party demand response service provider's statement of privacy,
security principles, and the work plan, and agrees to follow the
requirements of the work plan and act in a manner that is compatible
with the statement of principles.
   (5) A third-party demand response service provider shall promptly
investigate and take corrective action to prevent any violation of
the work plan by any employee of the third-party demand response
service provider or any person or corporation that is
permitted to have access to the demand
response technology utilized by the third-party demand response
service provider.
   (e) The commission may adopt rules to ensure the privacy of
electrical end-use customer information and may adopt other rules
that the commission determines are necessary or useful to implement
the requirements of this chapter.
   (f) This section does not limit the ability of the electrical
end-use customer to directly and voluntarily provide confidential
information to any person or corporation.
   (g) This section does not limit the authority of the commission to
adopt rules authorizing the sharing of information between a
third-party demand response service provider and an electrical
corporation when this sharing is in the interest of the electrical
end-use customer, provided the requirements of this section are
applicable to any information provided to the third-party demand
response service provider and the requirements of Section 2750 are
applicable to any information provided to the electrical corporation.

   5602.  The commission may exercise its authority pursuant to
Sections 2111 and 2113 to enforce the requirements of this chapter or
any rule adopted by the commission. 
   SEC. 10.   SEC. 9.   Section 8364.5 is
added to the Public Utilities Code, to read:
   8364.5.  (a) The commission shall ensure that each smart grid
deployment plan authorized by the commission after January 1,
2012, includes testing and technology standards.
   (b) Testing standards shall include all of the following:
   (1) A requirement that the smart metering technology have a
comprehensive security audit. The security auditing plan and the
results of the security audit shall be made publicly available upon
approval by the commission.
   (2) A requirement that the manufacturer disclose whether it
created a cryptographic protocol for data encryption and specify the
protocol used.
   (3) A requirement that the manufacturer submit security audit
results as part of a direct access meter project self-certification
program.
   (c) Technology standards shall do both of the following:
   (1) Ensure that the particular smart metering technology is
compatible with other smart technologies.
   (2) Ensure that the particular smart metering technology is
compatible with the electrical corporation's energy usage
data collection and billing system.
   (d) The commission shall ensure that each metering technology
works properly in a field test in a real home setting.
   SEC. 11.   SEC. 10.   No reimbursement
is required by this act pursuant to Section 6 of Article XIII B of
the California Constitution because the only costs that may be
incurred by a local agency or school district will be incurred
because this act creates a new crime or infraction, eliminates a
crime or infraction, or changes the penalty for a crime or
infraction, within the meaning of Section 17556 of the Government
Code, or changes the definition of a crime within the meaning of
Section 6 of Article XIII B of the California Constitution.