BreachExchange mailing list archives

Data Breach at New York Utility Prompts Enforcement Action and Industry-Wide Data Security Review


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 27 Aug 2012 14:22:13 -0400

http://www.infolawgroup.com/2012/08/articles/data-privacy-law-or-regulation/data-breach-at-new-york-utility-prompts-enforcement-action-and-industrywide-data-security-review

In January 2012, two consolidated New York state utilities, New York
State Electric & Gas and Rochester Gas and Electric (collectively,
“NYSEG”) experienced a data security incident that affected
approximately 1.8 million utility customers.

According to the notification letter that NYSEG sent to customers,
unauthorized access to NYSEG systems containing customers' Social
Security numbers, dates of birth, and, in some cases, financial
account numbers was the result of a breach at one of NYSEG’s data
processing service providers.  According to the New York Public
Service Commission's investigators, the incident occurred as a result
of improper sharing of NYSEG system log-in credentials with
unauthorized subcontractors by one of the service provider's
employees.

Initial Response by the Public Service Commission

In response to the incident, the New York Public Service Commissioner
issued statements criticizing NYSEG's data security standards as
having failed to live up to industry standards and best practices for
the protection of customer information.  The Commissioner subsequently
directed the utility to update its computer billing and records
system. Specifically, the Commissioner recommended that NYSEG:

Minimize access to customers’ personally identifiable information
(PII) to the type and amount required to fulfill relevant business
functions;

Conduct an annual incident response training exercise simulating a
breach of PII;

Establish a protocol for notifying regulators of a cyber incident
(specifically, to notify the Department of Public Service within 48
hours of the determination that a breach has occurred); and

Ensure the security of all PII stored on mobile or removable storage devices.

The Commissioner required NYSEG to report on its progress in
implementing the recommended changes within 60 days.  In addition, to
preclude NYSEG from recovering breach response costs from shareholders
and customers, the Commissioner required the utility to exclude the
expenses from the utility’s requests for cost recovery.

Enforcement Order

The Commission subsequently issued an “Order Directing a Report on
Implementation of Recommendations” that expanded on many of the
recommendations in the Commissioner’s initial statements, and
described in detail the ways in which the Commissioner found NYSEG to
have failed to adequately protect its customers' PII.

The Commission conducted an exhaustive inquiry into NYSEG’s data
security practices and found several instances in which the utility
was not employing best practices and industry standards to protect
PII.  The Order referred to the NIST (2010) Recommended Security
Controls for Federal Information Systems and Organizations as well as
best practices set forth in the Family Educational Rights and Privacy
Act (FERPA) as the baseline for benchmarking NYSEG's relevant
practices.  The Commission benchmarked NYSEG's data security practices
in eight areas:

Corporate Accountability (nature and extent of functional units within
NYSEG responsible for protecting customer privacy);

Policies, Procedures and Guidelines (the policies that govern data
access, data transfer, data restriction, data retention, deletion and
destruction, and other related matters);

Training, Education and Outreach (programs in place to train employees
and contractors regarding the protection of customer information);

Credentialing (procedures in place to ensure the integrity of
employees and subcontractors, as well as the identity of customers
seeking their own information);

PII Confidentiality Safeguards (how NYSEG categorizes, collects,
retains, segregates and reviews its inventory for PII, including data
destruction policies for PII that is no longer necessary to fulfill
the business purposes for which the information was collected);

Network Security (all common network security policies, practices and
equipment utilization);

Physical Security (physical safeguards for protecting customer data); and

Incident Response (identification and adequacy of information security
incident response plans).

Based on the review, the Commission staff found deficiencies in NYSEG
PII handling policies, practices and procedures that it deemed
critical.  First, the Commission found that NYSEG did not include
requirements for adequate technical and physical safeguards in
supplier contracts, specifically to ensure that employee training and
PII safeguards extend to subcontractors.  Second, the staff found that
NYSEG failed to formalize its policy limiting availability of customer
PII to only authorized individuals within the company and authorized
suppliers.  Third, the Commission found that NYSEG failed to have a
process in place to identify and destroy PII that is no longer
relevant for business use.  The Commission noted that this particular
oversight resulted in the compromise of certain PII that should not
have even been maintained on NYSEG's systems.  Fourth, the PII that
was available on NYSEG systems was not adequately segregated based on
sensitivity, such that SSNs had the same level of security as less
sensitive PII.

Industry-Wide Data Security Review

As a result of the incident experienced by NYSEG, the New York
regulator -- the Public Service Commission -- now plans to review the
data security policies and procedures of every utility that operates
in the state.  The Commission has indicated that it has already
reviewed and approved several utility data protection policies and
procedures.

Lessons Learned

Public utility commissions that regulate utilities in their respective
states are becoming increasingly sophisticated in the areas of
personal data privacy and security.  Moved by the continued
development of the Smart Grid and the vast amounts of personal
information that the Smart Grid processes, utility regulators have
considered and issued rules governing the handling of customer data,
including energy usage information.  In developing these rules, the
regulators have also gained sophistication in the areas of "old
school" data security breach notification requirements.  As a result,
we should expect an uptick in privacy enforcement by state utility
regulators.  At least some of the regulators are demanding to know
more about past information security incidents and are considering
implementing breach reporting requirements.  Utilities across the
country are well-advised to review their information security programs
(including vendor management requirements) and breach response
processes to address their regulators' concerns.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
