SGCC Peer Connect: Data Privacy January 23, 2013


Page 1: SGCC Peer Connect: Data Privacysmartenergycc.org/wp-content/uploads/2013/01/Peer-Connect-Data-… · 1. Build a risk-aware culture and management system 2. Manage security incidents

SGCC Peer Connect: Data Privacy

January 23, 2013

Page 2

Today’s Presenters

Jules Polonetsky, Co-Chair and Director, Future of Privacy Forum

Andy Bochman, Worldwide Energy Security Leader, IBM

Page 3

Housekeeping

• You will receive a copy of the slides

– To the email you used to register

• You can ask questions as we go along

– Simply type into the question box; we will explain or raise questions during the Q&A

• We will answer all the questions submitted

– If we are unable to get to all the questions, they will be answered individually after the presentation

Page 4

Questions & Audio

If this is what you see, click on the orange arrow to expand your dashboard.

In order to ask questions over the phone, please log in with your Audio PIN.

Click on the + sign to open up the questions box.

Use the Questions box at any time to type questions.

We will answer questions during a Q&A near the end of the call.

Yes, you will receive the slides after the webinar.

Page 5

Agenda

1. SGCC Data Privacy Education Efforts

• Fact sheet and future video

2. FPF Smart Grid Consumer Privacy Seal

• Introduction to privacy

• Regulatory efforts

• Application of the privacy seal

3. IBM Perspective on Data Security and Privacy

• Information governance

• Foundations for privacy

• Essential practices

Page 6

SGCC – Data Privacy Fact Sheet

Page 7

SGCC – 2013 Education Initiatives

Education Committee Initiatives:

– Consumer-Facing Website

– One-Minute Consumer Videos

Page 8

Speaker #1

Name: Jules Polonetsky, Co-Chair and Director – Future of Privacy Forum

Background:

• Chief Privacy Officer and SVP for Consumer Advocacy at America Online Inc.

• Vice President of Integrity Assurance at America Online Inc.

• Chief Privacy Officer and Special Counsel at DoubleClick

• Served on the boards of a number of privacy and consumer protection organizations including the International Association of Privacy Professionals, TRUSTe, and the Better Business Bureau (NY Region)

Page 9

Future of Privacy Forum Smart Grid Consumer Privacy Seal

Jules Polonetsky

Page 10

A Charged Atmosphere

Page 11

Page 12

Page 13

“Privacy in the eye of the beholder”

Page 14

Would you share this with your boss?

Now you can choose

Page 15

Altimeter, elevation, perspiration, temperature, humidity, excitement, mood…

Page 16

Overview of Regulatory Efforts

FTC Section 5 Enforcement

Mobile & Apps

Children's Online Privacy Protection Act

Investigating Data Brokers

Page 17

Overview of Regulatory Efforts (cont.)

White House “Consumer Privacy Bill of Rights”

– Announced February 2012

– Lays out a proposed framework for comprehensive data privacy protection in the U.S.

– Takes a two-pronged approach:

• A set of baseline privacy principles, the “bill of rights”

• A set of codes of conduct backed by enforcement

Page 18

Overview of Regulatory Efforts (cont.)

Multistakeholder Process

Department of Commerce/NTIA

– Developing codes of conduct for mobile apps

– Short form notice

Department of Energy

– Third party codes of conduct for energy data

More to come!

Page 19

Overview of Regulatory Efforts (cont.)

Congress

States

– National Association of Attorneys General

– CA Attorney General: focus on mobile and apps

Public Utility Commissions – Smart Grid

Page 20

Self-Regulatory Efforts

Platform Terms of Service

Trade Group Self-regulatory efforts

– DAA

– NAI

– MMA and GSMA

Smart Grid Standards/Guidelines

– NIST, NAESB and more

Page 21

What is FPF?

DC-based think tank that seeks to advance responsible data practices.

Industry supported

Co-chairs: Jules Polonetsky and Christopher Wolf

Advisory board of industry, academics, and privacy advocates

Focus on Consumers, Data, and Technology

Online data, mobile, apps, social media – and smart grid

Page 22

The Need for a Consumer Privacy Seal

Third party access to consumer energy data enables a wide range of benefits, but also raises legitimate concerns.

Responsible companies that provide exciting new products and services such as home security, smart appliances and remote home management will generate positive consumer interest and help advance consumer engagement with energy management, demand response and smart meters.

It is essential that a flexible framework exists that ensures consumer privacy protections are in place and that responsible businesses can access the data needed to serve consumers.

Risk to utilities and consumers if the process for obtaining consumer permission is inadequate.

Risk to consumer engagement and innovation if the consent process is burdensome and ineffective.

Page 23

The Need for a Consumer Privacy Seal (continued)

Utilities must be confident that third parties that access consumer energy data directly from utilities or via smart meters do so with the permission of consumers and in accord with responsible privacy standards. Regulatory requirements and vendor due diligence will play a lead role, but are unlikely to suffice to provide oversight for the wide range of services that consumers will be seeking to enable.

A third party privacy seal program can play an essential role in this ecosystem by vetting the privacy standards of third parties and by providing assurance to utilities, regulators and consumers that companies are in compliance with responsible standards. A third party seal can also provide consumers with an avenue for complaint handling and resolution, and provide regulators with a supplement to their efforts to ensure consumers are protected.

Page 24

Benefit to Utilities

Takes utilities out of the process of reviewing and vetting third parties.

Takes utilities out of the process of managing consents.

Consistent standards across states.

Alternative location for consumer complaints.

Provides an early warning system to eliminate bad actors.

Ensures third parties (not utilities) are responsible for the actions of third parties.

Ensures that the FTC is able to effectively enforce against third parties.

Page 25

What is the FPF Smart Grid Seal?

Privacy seal based on best practices. Covers:

– Data collected directly from consumers by smart devices (e.g. home security systems, smart appliances, etc.).

– Data collected by third parties a) directly from a smart meter, b) provided to a third party by a utility, or c) utility data provided by a consumer to a third party.

Goals:

– Ensure consumer trust in smart devices

– Assist utilities in vetting 3rd parties

– Allow for a standard consent process to be used across many states

Page 26

What the Seal does NOT Cover

Is not a standard for utilities.

Does not cover utility collection or use of data for billing, operations, demand response, etc.

Page 27

Participating Companies to Date

ADT

AT&T

Comcast

Ecofactor

IBM

Intel

Motorola

Neustar

Opower

Tendril

TRUSTe

Verizon

Page 28

TRUSTe

Currently provides seals or certifications for ads, cloud services, data collection, downloads, emails, compliance with certain laws, mobile privacy, and websites.

TRUSTe will check privacy policies, scan for potential privacy threats, review the consumer consent process, conduct business and technical assessment, ensure compliance with seal requirements, and help resolve disputes.

Provides services for over 4,000 web services.

Page 29

Going Forward

Officially launched in October 2012.

SDG&E is one of the first utilities to include access to third party services; they will promote the seal and will display the seal logo in their portal alongside the companies that have it.

We will be releasing a paper with Ann Cavoukian, “Privacy by Design and Third Party Access to Customer Energy Usage Data,” at DistribuTECH on January 29th.

For information: [email protected]

Page 30

• www.futureofprivacy.org

• Facebook.com/futureofprivacy

• @julespolonetsky

Jules Polonetsky, Executive Director and Co-Chair [email protected]

Visit our site: http://www.futureofprivacy.org

Page 31

Speaker #2

Name: Andy Bochman, Worldwide Energy Security Leader – IBM

Background:

• Contributor to industry and national security working groups on energy security and cyber security issues, including:

– DOE RMP and ES-C2M2 SME Advisor

– NBISE Cyber Workforce Project

– NIST CSWG

– DOD/DHS Software Assurance Forum and Working Groups

• Founder and editor of:

– The Smart Grid Security Blog

– The DOD Energy Blog

Page 32

IBM Energy & Utilities

© 2013 IBM Corporation

Organizing for Data Security and Privacy

Page 33

© 2012 IBM Corporation Energy & Utilities (E&U) 33

Privacy + Security = Information Governance

Page 34


Information Governance challenges

Information users’ expectations regarding information have changed:

– Quality (correct or not?)

– Timeliness/accessibility (mobile & internet means "now" for most people)

– Control over the security/privacy of data collected

Utilities have experienced:

– Huge growth in data collected by smart meter/smart grid devices

– Regulatory mandates/incentives to make the data available to customers online and via mobile devices (while ensuring that sensitive information is secured and monitored)

– SLAs that require data to be available on the same or next day

– Business case drivers that effectively require more sophisticated use of data (what if pricing, preferences, etc.)

Page 35


Data Risk Questions to Ponder

Information Lifecycle – How do we think about governance of information at every point of its life cycle: first identification and definition, then design, deploy, create, use, move, archive, backup and destroy?

Information Security and Privacy – What do we do to ensure the confidentiality, integrity, availability of our information assets?

Classification – How do we properly identify our information assets (so we can apply the appropriate controls)?

Audit, Logging, Reporting, Assessments, Alerts – How do we demonstrate that our policies are in place and that our risk is being properly addressed?

Page 36


Security foundation for Privacy

IBM Security Systems – Unified Security Framework

Unified approach to Security ~ People, Process, and Technology best practice and methodologies

$1.8B investment in Innovative Technologies

7K+ security engineers and consultants

Award-winning X-Force® research with largest vulnerability database

Analyst recognized Leadership in every segment

Page 37


Data Security

Enterprise-wide solutions for assuring the privacy and integrity of trusted information and sensitive data

Portfolio Overview

Data Security Strategy and Assessment

• Comprehensive assessment of data protection capabilities and vulnerabilities through interviews, on-site workshops and market-leading data discovery tools

• Gain insight to sensitive data and where it resides

Data Loss Prevention

• Create a framework and tailored solution to prevent leakage of sensitive data (network and endpoint)

• Monitor sensitive data usage at the endpoint

• Identify sensitive data traveling through network

Encryption

• Secure hard drives on portable computing devices

• Prevent loss of data on laptop or USB thumb drives if lost or stolen

• Facilitate sharing of sensitive data with reduced risk

Database Activity Monitoring (pilot)

• Mitigate the risk of database attacks

• Monitor and block privileged users

• Reporting for audit and compliance readiness

Page 38


What we practice is what we preach

10 Essential Practices – Maturity based approach

1. Build a risk-aware culture and management system

2. Manage security incidents with greater intelligence

3. Defend the mobile and social workplace

4. Security-rich services, by design

5. Automate security “hygiene”

6. Control network access and help assure resilience

7. Address new complexity of cloud and virtualization

8. Manage third-party security compliance

9. Better secure data and protect privacy

10. Manage the identity lifecycle

(Chart axes: Proactive to Reactive; Automated to Manual)

Page 39


Essential practice 8: Manage third-party security compliance

Are your security policies and safeguards compliant today?

An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. Security, like excellence, should be infused in the entire partner ecosystem. Numerous cases have shown how the carelessness of one company can have a deleterious effect on many.

Actions to help get you there:

– Integrate security as a part of mergers and acquisitions.

– Assess vendors’ security and risk policies and practices, and educate them on compliance.

– Assess conformance with the process and data protection requirements of industry standards and regulations.

– Manage the vendor risk life cycle.

Page 40


Essential practice 9: Better secure data and protect privacy

How can you improve the protection of your critical data?

Every company has critical information: perhaps its scientific and technical data, or maybe its documents regarding possible mergers and acquisitions, or clients’ non-public financial information. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked and encrypted as if the company’s survival hinged on it. In some cases, that may be the case.

Actions to help get you there:

– Identify the value of your confidential data and the business impact of loss.

– Assess gaps and define a data protection strategy that manages data loss risk and meets governmental and customer requirements.

– Design a robust data management architecture that protects your sensitive or confidential information.

– Deploy and manage leading data protection technologies.

Page 41

Takeaways & Questions