S.C. Code Regs. § § 103-823.2

Current through Register Vol. 48, No. 10, October 25, 2024
Section 103-823.2 - Protection of Customer Data
A. Definitions of Key Terms.
(1) Aggregated Data. The term "aggregated data" means customer data, alone or in combination with non-customer data, resulting from processing (e.g., average of a group of customers) or the compilation of customer data from which all unique identifiers have been removed.
(2) Commission. The term "Commission" means the Public Service Commission of South Carolina.
(3) Customer Data. For purposes of this section, "customer data" means data about a current or former customer's electric, natural gas, water, or wastewater usage; information that is obtained as part of an advanced metering infrastructure; and personal identifying information, as defined in S.C. Code Ann. Section 39-1-90(D)(3) and S.C. Code Ann. Section 16-13-510(D), as may be amended, including the name, account number, billing history, address of the customer, email address, telephone number, and fax number, in the possession of electric, natural gas, water or wastewater public utilities.

Also, "customer data" means non-public retail customer-specific data or information that has been obtained or compiled by a public utility in connection with the supplying of Commission-regulated electric, natural gas, waste, or wastewater services. Customer data includes data or information that is:

(a) collected from the meter, by the public utility, and stored in its data systems for billing purposes;
(b) customer-specific usage information for regulated public utility service;
(c) about the customer's participation in regulated public utility programs, such as renewable energy, demand-side management, load management, or energy efficiency programs; or
(d) any other non-public information specific to a customer that is related to electricity consumption, load profile, or billing history.
(4) Non-Public Utility Operations. The term "non-public utility operations" means all business enterprises engaged in by a public utility that are not regulated by the Commission or otherwise subject to public utility regulation at the state or federal level.
(5) Primary Purpose. The term "primary purpose" means the acquisition, storage or maintenance of customer data by a public utility, as defined by Title 58 of the South Carolina Code, which provides services pursuant to state law, federal law, or Order of the Commission.
(6) Secondary Commercial Purpose. The term "secondary commercial purpose" means any purpose that is not a primary purpose.
(7) Third Party. The term "third party" means a person who is not the customer, nor any of the following:
(i) an agent of the customer designated by the customer with the public utility to act on the customer's behalf;
(ii) a regulated public utility serving the customer; or
(iii) a contracted agent of the public utility. For purposes of this regulation, "third party" includes any non-public utility operations or affiliate of the public utility.
(8) Unique Identifier. The term "unique identifier" means a customer's name, account number, meter number, mailing address, telephone number, or email address.
B. Aggregated data which has been aggregated to a degree that individual customer information is not identifiable shall not be considered "customer data."
C. Customer Consent.
(1) A public utility shall not share, disclose, or otherwise make accessible to any third party a customer's data, except as provided in subsection (F) or upon the consent of the customer.
(2) A public utility shall not sell a customer's data for any purpose without the consent of the customer.
(3) The public utility or its contractors shall not provide an incentive or discount to the customer for accessing the customer's data without the prior consent of the customer.
(4) Before requesting a customer's consent for disclosure of customer data, a public utility shall be required to make a full disclosure to the customer of the nature and scope of the data proposed to be disclosed, the identity of the proposed recipient and the intended use of the data by the proposed recipient.
D. If a public utility contracts with a third party for a service that allows a customer to monitor the customer's usage, and that third party uses the data for a secondary commercial purpose, the contract between the public utility and the third party shall provide that the third party prominently discloses that secondary commercial purpose to the customer and secures the customer's consent to the use of his or her data for that secondary commercial purpose prior to the use of the data.
E. A public utility shall use reasonable security procedures and practices to protect a customer's unencrypted consumption data from unauthorized access, destruction, use, modification, disclosure, and to prohibit the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent.
F. Exceptions to Sections A through E.
(1) This section shall not preclude a public utility from disclosing aggregated data for analysis, reporting, or program management.
(2) This section shall not preclude a public utility from disclosing customer data to a third party for system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs, or for fraud prevention purposes, provided that the public utility has required by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal identifying information contained in the customer data from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's prior consent to that use.
(3) This section shall not preclude a public utility from disclosing customer data in the course of its operations:
(a) Where necessary to provide safe and reliable service;
(b) As required or permitted under state or federal law or regulation or by an Order of the Commission;
(c) Including disclosures pursuant to and permitted by the Fair Credit Reporting Act Section 1681 et seq., Title 15 of the United States Code including for purposes of furnishing account and payment history information to and procuring consumer reports from a consumer reporting agency as defined by 15 U.S.C. Section 1681;
(d) Upon valid request from law enforcement;
(e) To respond to an emergency;
(f) To respond to service interruption reports or service quality issues;
(g) To restore power after a storm or other disruption;
(h) To respond to customers' requests for line locations, installation or repair of streetlights, support for construction or tree trimming/removal by customer, or other service orders or requests;
(i) To inform customers as to tree trimming/vegetation control plans and schedules;
(j) To respond to claims for property damage by the customer resulting from tree trimming/vegetation control or public utility construction;
(k) To respond to customer complaints;
(l) To protect the health or welfare of the customer or to prevent damage to the customer's property;
(m) To assist the customer in obtaining assistance from social services, community action, or charitable agencies;
(n) To perform credit checks or review payment history where customer deposits might otherwise be required or retained;
(o) Where circumstances require prompt disclosure of specific information to protect customers' interests or meet customers' reasonable customer service expectations; or
(p) This section shall not preclude a public utility from, in its provision of regulated public utility service, disclosing customer data to a third party, consistent with the public utility's most recently approved Code of Conduct, to the extent necessary for the third party to provide goods or services to the public utility and upon written agreement by that third party to protect the confidentiality of such customer data.
(4) Nothing in this section precludes the utility from advising a municipality when service is disconnected.
G. If a customer discloses or authorizes the utility to disclose his or her customer data to a third party, the public utility shall not be responsible for the security of that data, or its use or misuse.
H. Public Utility Guidelines.
(1) Each electrical, natural gas, water or wastewater public utility shall develop and seek Commission approval of guidelines for implementation of this section.
(2) The electrical, natural gas, water or wastewater public utility shall file its initial guidelines within 180 days of the effective date of this regulation for Commission approval. The guidelines should, at minimum, address the following:
(a) Customer Notice and Awareness - practices to explain policies and procedures to customers.
(b) Customer Choice and Consent - processes that allow the customer to control access to customer data including processes for customers to monitor, correct or limit the use of customer data.
(c) Customer Data Access - procedures for use of customer data, purpose for collection, limitations of use of customer data and processes for customer non-standard requests.
(d) Data Quality and Security Procedures and Measures - procedures for security and methods to aggregate or anonymize data.
(e) Public Utility Accountability and Auditing - reporting of unauthorized disclosures, training protocol for employees, periodic evaluations, self-enforcement procedures, and penalties.
(f) Frequency of Notice to Customers - practices and procedures to provide initial and annual notification of its privacy policy to customers.
(g) Due Diligence Exercised by Utility When Sharing Customer Data with Third Parties - practices, policies, and procedures when selecting the third party with whom the utility will share data so as to minimize unauthorized or inadvertent disclosure of customer data.
I. No Private Right of Action. This regulation shall be enforced by regulatory enforcement actions only. No private right of action for damages is created hereby.
J. Penalties. Failure to comply with this section is subject to any authority granted to the Commission by statute or regulation.

S.C. Code Regs. § 103-823.2

Added by State Register Volume 45, Issue No. 05, eff. 5/28/2021.