Current through Register Vol. 48, No. 3, March 22, 2024
A. Definitions of Key Terms.
(1) Aggregated Data. The term "aggregated data" means customer data, alone or
in combination with non-customer data, resulting from processing (e.g., average
of a group of customers) or the compilation of customer data from which all
unique identifiers have been removed.
(2) Commission. The term "Commission" means the Public Service Commission of
South Carolina.
(3) Customer Data. For purposes of this section, "customer data" means data
about a current or former customer's electric, natural gas, water, or
wastewater usage; information that is obtained as part of an advanced metering
infrastructure; and personal identifying information, as defined in S.C. Code
Ann. Section 39-1-90(D)(3) and S.C. Code Ann. Section 16-13-510(D), as may be
amended, including the name, account number, billing history, address of the
customer, email address, telephone number, and fax number, in the possession of
electric, natural gas, water or wastewater public utilities.
Also, "customer data" means non-public retail customer-specific
data or information that has been obtained or compiled by a public utility in
connection with the supplying of Commission-regulated electric, natural gas,
waste, or wastewater services. Customer data includes data or information that
is:
(a) collected from the meter, by
the public utility, and stored in its data systems for billing purposes;
(b) customer-specific usage
information for regulated public utility service;
(c) about the customer's participation in
regulated public utility programs, such as renewable energy, demand-side
management, load management, or energy efficiency programs; or
(d) any other non-public information specific
to a customer that is related to electricity consumption, load profile, or
billing history.
(4) Non-Public Utility Operations. The term "non-public utility operations"
means all business enterprises engaged in by a public utility that are not
regulated by the Commission or otherwise subject to public utility regulation
at the state or federal level.
(5) Primary Purpose. The term "primary purpose" means the acquisition, storage
or maintenance of customer data by a public utility, as defined by Title 58 of
the South Carolina Code, which provides services pursuant to state law, federal
law, or Order of the Commission.
(6) Secondary Commercial Purpose. The term
"secondary commercial purpose" means any purpose that is not a primary
purpose.
(7) Third Party. The term
"third party" means a person who is not the customer, nor any of the following:
(i) an agent of the customer designated by
the customer with the public utility to act on the customer's behalf;
(ii) a regulated public utility
serving the customer; or
(iii) a contracted agent of the public utility. For purposes of this
regulation, "third party" includes any non-public utility operations or
affiliate of the public utility.
(8) Unique Identifier. The term "unique identifier" means a customer's name,
account number, meter number, mailing address, telephone number, or email
address.
B. Aggregated data which
has been aggregated to a degree that individual customer information is not
identifiable shall not be considered "customer data."
C. Customer Consent.
(1) A public utility shall not share,
disclose, or otherwise make accessible to any third party a customer's data,
except as provided in subsection (F) or upon the consent of the
customer.
(2) A public utility
shall not sell a customer's data for any purpose without the consent of the
customer.
(3) The public utility or
its contractors shall not provide an incentive or discount to the customer for
accessing the customer's data without the prior consent of the
customer.
(4) Before requesting a
customer's consent for disclosure of customer data, a public utility shall be
required to make a full disclosure to the customer of the nature and scope of
the data proposed to be disclosed, the identity of the proposed recipient and
the intended use of the data by the proposed recipient.
D. If a public utility contracts with a third
party for a service that allows a customer to monitor the customer's usage, and
that third party uses the data for a secondary commercial purpose, the contract
between the public utility and the third party shall provide that the third
party prominently discloses that secondary commercial purpose to the customer
and secures the customer's consent to the use of his or her data for that
secondary commercial purpose prior to the use of the data.
E. A public utility shall use reasonable
security procedures and practices to protect a customer's unencrypted
consumption data from unauthorized access, destruction, use, modification,
disclosure, and to prohibit the use of the data for a secondary commercial
purpose not related to the primary purpose of the contract without the
customer's consent.
F. Exceptions to Sections A through E.
(1) This section
shall not preclude a public utility from disclosing aggregated data for
analysis, reporting, or program management.
(2) This section shall not preclude a public
utility from disclosing customer data to a third party for system, grid, or
operational needs, or the implementation of demand response, energy management,
or energy efficiency programs, or for fraud prevention purposes, provided that
the public utility has required by contract that the third party implement and
maintain reasonable security procedures and practices appropriate to the nature
of the information, to protect the personal identifying information contained
in the customer data from unauthorized access, destruction, use, modification,
or disclosure, and prohibits the use of the data for a secondary commercial
purpose not related to the primary purpose of the contract without the
customer's prior consent to that use.
(3) This section shall not preclude a public
utility from disclosing customer data in the course of its operations:
(a) Where necessary to provide safe and
reliable service;
(b) As required
or permitted under state or federal law or regulation or by an Order of the
Commission;
(c) Including disclosures pursuant to and permitted by the Fair Credit
Reporting Act Section 1681 et seq., Title 15 of the United States Code
including for purposes of furnishing account and payment history information to
and procuring consumer reports from a consumer reporting agency as defined by
15 U.S.C. Section 1681;
(d) Upon valid request from law
enforcement;
(e) To respond to an
emergency;
(f) To respond to
service interruption reports or service quality issues;
(g) To restore power after a storm or other
disruption;
(h) To respond to
customers' requests for line locations, installation or repair of streetlights,
support for construction or tree trimming/removal by customer, or other service
orders or requests;
(i) To inform
customers as to tree trimming/vegetation control plans and schedules;
(j) To respond to claims for property damage
by the customer resulting from tree trimming/vegetation control or public
utility construction;
(k) To
respond to customer complaints;
(l) To protect the health or welfare of the customer or to prevent damage to
the customer's property;
(m) To assist
the customer in obtaining assistance from social services, community action, or
charitable agencies;
(n) To perform
credit checks or review payment history where customer deposits might otherwise
be required or retained;
(o) Where
circumstances require prompt disclosure of specific information to protect
customers' interests or meet customers' reasonable customer service
expectations; or
(p) This section
shall not preclude a public utility from, in its provision of regulated public
utility service, disclosing customer data to a third party, consistent with the
public utility's most recently approved Code of Conduct, to the extent
necessary for the third party to provide goods or services to the public
utility and upon written agreement by that third party to protect the
confidentiality of such customer data.
(4) Nothing in this section precludes the
utility from advising a municipality when service is disconnected.
G. If a customer discloses or
authorizes the utility to disclose his or her customer data to a third party,
the public utility shall not be responsible for the security of that data, or
its use or misuse.
H. Public Utility Guidelines.
(1) Each electrical,
natural gas, water or wastewater public utility shall develop and seek
Commission approval of guidelines for implementation of this section.
(2) The electrical, natural gas, water or
wastewater public utility shall file its initial guidelines within 180 days of
the effective date of this regulation for Commission approval. The guidelines
should, at minimum, address the following:
(a) Customer Notice and Awareness - practices to explain policies and
procedures to customers.
(b) Customer Choice and
Consent - processes that allow the customer to control access to customer data
including processes for customers to monitor, correct or limit the use of
customer data.
(c) Customer Data
Access - procedures for use of customer data, purpose for collection,
limitations of use of customer data and processes for customer non-standard
requests.
(d) Data Quality and
Security Procedures and Measures - procedures for security and methods to
aggregate or anonymize data.
(e) Public Utility Accountability and Auditing - reporting of unauthorized
disclosures, training protocol for employees, periodic evaluations,
self-enforcement procedures, and penalties.
(f) Frequency of Notice to Customers -
practices and procedures to provide initial and annual notification of its
privacy policy to customers.
(g) Due Diligence Exercised by Utility When Sharing Customer Data with Third
Parties - practices, policies, and procedures when selecting the third party
with whom the utility will share data so as to minimize unauthorized or
inadvertent disclosure of customer data.
I. No Private Right of Action. This
regulation shall be enforced by regulatory enforcement actions only. No private
right of action for damages is created hereby.
J. Penalties. Failure to comply with this
section is subject to any authority granted to the Commission by statute or
regulation.