California 2009-2010 Regular Session

California Senate Bill SB837 Amended / Bill

Filed 03/25/2010

BILL NUMBER: SB 837

AMENDED BILL TEXT

AMENDED IN SENATE MARCH 25, 2010

INTRODUCED BY Senator Florez

JANUARY 5, 2010

An act to relating to electricity.   An act to amend Section 1798.3 of the Civil Code, to amend Section 1985.3 of the Code of Civil Procedure, to amend Section 1326.1 of the Penal Code, and to add Sections 589, 779.3, 2750, and 8364.5 to, to add the heading of Chapter 4.5 (commencing with Section 2750) to Part 2 of Division 1 of, to add Chapter 10 (commencing with Section 5600) to Division 2 of, and to repeal the heading of Chapter 4.5 (commencing with Section 2771) of Part 2 of Division 1 of, the Public Utilities Code, relating to utility service.

LEGISLATIVE COUNSEL'S DIGEST

SB 837, as amended, Florez.  Electricity: smart meters.   Utility service: disconnection: smart meters: privacy.

(1) Under existing law, the Public Utilities Commission (CPUC) has regulatory authority over public utilities, including electrical corporations and gas corporations, as defined. Existing law authorizes the CPUC to fix the rates and charges for every public utility, and requires that those rates and charges be just and reasonable. Existing law requires certain notice be given before an electrical, gas, heat, or water corporation may terminate residential service for nonpayment of a delinquent account and prohibits termination of service for nonpayment in certain circumstances.   This bill would require the CPUC to impose certain requirements on electrical corporations and gas corporations, and take other specified actions, with respect to reducing service disconnections.   The   (2)     The  federal Energy Independence and Security Act of 2007 states that it is the policy of the United States to maintain a reliable and secure electricity structure that achieves certain objectives that characterize a  Smart Grid   smart grid  . 
Existing federal law requires each state regulatory authority, with respect to each electric utility for which it has ratemaking authority, and each nonregulated electric utility, to consider certain standards and to determine whether or not it is appropriate to implement those standards to carry out the purposes of the Public Utility Regulatory Policies Act. The existing standards include time-based metering and communications, consideration of smart grid investments, and providing purchasers with smart grid information, as specified.  Existing law requires the CPUC, by July 1, 2010, and in consultation with the State Energy Resources Conservation and Development Commission, the Independent System Operator, and other key stakeholders, to determine the requirements for a smart grid deployment plan consistent with certain policies set forth in state and federal law. Existing law requires that the smart grid improve overall efficiency, reliability, and cost-effectiveness of electrical system operations, planning, and maintenance. Existing law requires each electrical corporation, by July 1, 2011, to develop and submit a smart grid deployment plan to the commission for approval.   This bill would require the CPUC to ensure that each smart grid deployment plan include testing and technology standards, as specified, and ensure that each metering technology works properly in a field test in a real home setting.   (3) Existing law prescribes the circumstances under which telephone and telegraph corporations may release information regarding residential subscribers without their written consent. Existing law relative to restructuring of the electrical industry requires the commission to implement minimum standards relative to maintaining the confidentiality of residential and small commercial customer information by electric service providers.   
This bill would provide that meter data collected by an electrical corporation or gas corporation is the property of the customer, regardless of whether the data is kept by the customer or retained solely by the utility, and would require that individual customer information, including energy usage, billing, and credit information, remain confidential unless the customer expressly authorizes, in writing, that the information may be released to a third party. The bill would require each electrical corporation and gas corporation that installs smart meters on customer residences to adopt and obtain the CPUC's approval of a statement of privacy and security principles for smart meter systems and a work plan to implement those principles. The bill would require the commission to adopt rules to ensure the safe transfer of electronic usage information and would authorize the commission to adopt other rules that the commission determines are necessary or useful to implement the bill's requirements.   The bill would provide that energy usage data in the possession of a third-party demand response service provider, as defined, is the property of the electrical end-use customer regardless of whether that data is kept by the customer or retained solely by the service provider. The bill would prohibit individual electrical end-use customer information, as defined, in the custody of a third-party demand response service provider from being provided to any other person or corporation by the service provider unless the customer expressly authorizes, in writing, that the information may be released to that person or corporation and that person or corporation acknowledges, in writing, that the information is confidential and may not be shared or utilized by any other person or corporation without the express written consent of the customer. 
The bill would require each 3rd-party demand response service provider to adopt a statement of privacy and security principles for the data to which it has access as a result of providing demand response services and a work plan to implement those principles. The bill would authorize the CPUC to adopt rules to ensure the privacy of individual electrical end-use customer information and would authorize the CPUC to exercise certain enforcement powers relative to these requirements and any rules that it adopts.   (4) This bill would require each public utility, on or before March 1, 2012, and each March 1 thereafter, to report to the Office of Information Security and Privacy Protection, State and Consumer Services Agency, certain information relative to requests for customer's utility records pursuant to federal warrants, state warrants, grand jury subpoenas, civil subpoenas, and administrative subpoenas. The bill would require that the reports be made available to the public via the Internet.   (5) The Information Practices Act of 1977 generally regulates the maintenance and dissemination of personal information by state agencies. The act defines personal information for this purpose to mean any information that is maintained by an agency, as defined, that identifies or describes an individual, including his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history.   This bill would expand the definition of personal information to include any information that is maintained by an agency that identifies or describes an individual, family, household, or residence, and would add utility usage information to the types of information included in the definition.   (6) Existing law relative to civil discovery requires that a subpoena duces tecum for personal records pertaining to a consumer be served upon the consumer along with a specified affidavit. 
Personal records are defined for this purpose to include the records of a telephone corporation. Consumer is defined for this purpose to mean any individual, partnership of 5 or fewer persons, association, or trust that has transacted business with, or has used the services of, the witness or for whom the witness has acted as agent or fiduciary.   This bill would expand the definition of personal records to include records of an electrical corporation, gas corporation, publicly owned gas utility, or local publicly owned electric utility. The bill would also expand the definition of consumer to include a family, household, or residence.   (7) Existing law provides that a judge may order the production of utility records, as defined, only if certain conditions are met. Existing law does not preclude the holder of the utility records from notifying a customer of the receipt of the order for production unless a court orders otherwise.   This bill would instead require a holder of utility records to notify a customer of the receipt of the order for production unless a court orders otherwise.   (8) Under existing law, a violation of the Public Utilities Act or any order, decision, rule, direction, demand, or requirement of the commission is a crime.   Because certain of the bill's provisions would be within the act and because the bill would require action by the commission to implement certain of its requirements, a violation of these provisions would impose a state-mandated local program by creating a new crime.   The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.   This bill would provide that no reimbursement is required by this act for a specified reason.   Under existing law, the Public Utilities Commission has regulatory authority over public utilities, including electrical corporations, as defined. 
Existing law authorizes the commission to establish rules for all public utilities, subject to control by the Legislature.   This bill would state the intent of the Legislature to enact legislation that requires the commission to ensure that electrical corporations that are authorized to deploy Smart Grid technology, including smart meters, are meeting their intended goals and have not shifted unnecessary deployment costs onto consumers.  Vote: majority. Appropriation: no. Fiscal committee:  no   yes  . State-mandated local program:  no   yes  . THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:  SECTION 1.   (a) Information concerning a utility customer's energy usage belongs to the customer and should be treated as confidential by electrical corporations and gas corporations, and the Legislature finds and declares that this right of privacy needs further protection in light of the detailed information on household energy usage that will be available to electrical corporations and gas corporations after the statewide deployment of smart meter technology. If electrical corporations begin to provide other services over wholly owned medium, including broadband over powerline service, privacy protections need to apply to these services.   (b) It is the intent of the Legislature that the protections added by Section 2750 of the Public Utilities Code are in addition to those protections afforded customers pursuant to Section 394.4 of the Public Utilities Code.   (c) It is the further intent of the Legislature to enact additional protections to preserve the confidentiality of household energy usage information and prevent its access and use by third parties that provide equipment or software associated with deployment and operation of the smart grid. A customer has a reasonable expectation of privacy with respect to their occupancy, movement, habits, or any other activity in their home that otherwise would not be visible from outside. 
Smart appliance systems for the home should protect a customer's reasonable expectation of privacy in his or her activities and preferences, and the customer's right to control the use of data collected from in-home smart appliances, in-home sensors, or smart meters, should be protected by limiting a utility's and other business processor's use of the data, and limiting access and use by government and private parties.   (d) The Legislature finds that granting the Public Utilities Commission authority to adopt and enforce rules to ensure customer privacy with respect to energy usage information collected as a result of smart meter systems, and to adopt requirements for network security, are cognate and germane to the commission's regulation of electrical corporations and gas corporations.   (e) Detailed and real-time consumption data held by, or accessible to, electrical corporations, gas corporations, or third parties should be available to law enforcement only with a warrant or in those circumstances when a warrant is unnecessary to conduct a search of a residence.   SEC. 2.   Section 1798.3 of the  Civil Code   is amended to read:  1798.3. As used in this chapter: (a) The term "personal information" means any information that is maintained by an agency that identifies or describes an individual,  family, household, or residence  including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters,  utility usage,  and medical or employment history. It includes statements made by, or attributed to, the individual. (b) The term "agency" means every state office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include: (1) The California Legislature. (2) Any agency established under Article VI of the California Constitution. 
(3) The State Compensation Insurance Fund, except as to any records which contain personal information about the employees of the State Compensation Insurance Fund. (4) A local agency, as defined in subdivision (a) of Section 6252 of the Government Code. (c) The term "disclose" means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity. (d) The term "individual" means a natural person. (e) The term "maintain" includes maintain, acquire, use, or disclose. (f) The term "person" means any natural person, corporation, partnership, limited liability company, firm, or association. (g) The term "record" means any file or grouping of information about an individual that is maintained by an agency by reference to an identifying particular such as the individual's name, photograph, finger or voice print, or a number or symbol assigned to the individual. (h) The term "system of records" means one or more records, which pertain to one or more individuals, which is maintained by any agency, from which information is retrieved by the name of an individual or by some identifying number, symbol or other identifying particular assigned to the individual. (i) The term "governmental entity," except as used in Section 1798.26, means any branch of the federal government or of the local government. (j) The term "commercial purpose" means any purpose which has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster. (k) The term "regulatory agency" means the Department of Financial Institutions, the Department of Corporations, the Department of Insurance, the Department of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.  SEC. 3.   Section 1985.3 of the   Code of Civil Procedure   is amended to read:  1985.3. 
(a) For purposes of this section, the following definitions apply: (1) "Personal records" means the original, any copy of books, documents, other writings, or electronic data pertaining to a consumer and which are maintained by any "witness"  which   that  is a physician, dentist, ophthalmologist, optometrist, chiropractor, physical therapist, acupuncturist, podiatrist, veterinarian, veterinary hospital, veterinary clinic, pharmacist, pharmacy, hospital, medical center, clinic, radiology or MRI center, clinical or diagnostic laboratory, state or national bank, state or federal association (as defined in Section 5102 of the Financial Code), state or federal credit union, trust company, anyone authorized by this state to make or arrange loans that are secured by real property, security brokerage firm, insurance company, title insurance company, underwritten title company, escrow agent licensed pursuant to Division 6 (commencing with Section 17000) of the Financial Code or exempt from licensure pursuant to Section 17006 of the Financial Code, attorney, accountant, institution of the Farm Credit System, as specified in Section 2002 of Title 12 of the United States Code,  an electrical corporation, gas corporation,  or telephone corporation  which   that  is a public utility, as defined in Section 216 of the Public Utilities Code,  or a publicly owned gas utility, or a local publicly owned electric utility, as defined in Section 224.3 of the Public Utilities Code,  or psychotherapist, as defined in Section 1010 of the Evidence Code, or a private or public preschool, elementary school, secondary school, or postsecondary school as described in Section 76244 of the Education Code. (2) "Consumer" means any individual,  family, household, residence,  partnership of five or fewer persons, association, or trust which has transacted business with, or has used the services of, the witness or for whom the witness has acted as agent or fiduciary. 
(3) "Subpoenaing party" means the person or persons causing a subpoena duces tecum to be issued or served in connection with any civil action or proceeding pursuant to this code, but shall not include the state or local agencies described in Section 7465 of the Government Code, or any entity provided for under Article VI of the California Constitution in any proceeding maintained before an adjudicative body of that entity pursuant to Chapter 4 (commencing with Section 6000) of Division 3 of the Business and Professions Code. (4) "Deposition officer" means a person who meets the qualifications specified in Section 2020.420. (b) Prior to the date called for in the subpoena duces tecum for the production of personal records, the subpoenaing party shall serve or cause to be served on the consumer whose records are being sought a copy of the subpoena duces tecum, of the affidavit supporting the issuance of the subpoena, if any, and of the notice described in subdivision (e), and proof of service as indicated in paragraph (1) of subdivision (c). This service shall be made as follows: (1) To the consumer personally, or at his or her last known address, or in accordance with Chapter 5 (commencing with Section 1010) of Title 14 of Part 3, or, if he or she is a party, to his or her attorney of record. If the consumer is a minor, service shall be made on the minor's parent, guardian, conservator, or similar fiduciary, or if one of them cannot be located with reasonable diligence, then service shall be made on any person having the care or control of the minor or with whom the minor resides or by whom the minor is employed, and on the minor if the minor is at least 12 years of age. (2) Not less than 10 days prior to the date for production specified in the subpoena duces tecum, plus the additional time provided by Section 1013 if service is by mail. 
(3) At least five days prior to service upon the custodian of the records, plus the additional time provided by Section 1013 if service is by mail. (c) Prior to the production of the records, the subpoenaing party shall do either of the following: (1) Serve or cause to be served upon the witness a proof of personal service or of service by mail attesting to compliance with subdivision (b). (2) Furnish the witness a written authorization to release the records signed by the consumer or by his or her attorney of record. The witness may presume that any attorney purporting to sign the authorization on behalf of the consumer acted with the consent of the consumer, and that any objection to release of records is waived. (d) A subpoena duces tecum for the production of personal records shall be served in sufficient time to allow the witness a reasonable time, as provided in Section 2020.410, to locate and produce the records or copies thereof. (e) Every copy of the subpoena duces tecum and affidavit, if any, served on a consumer or his or her attorney in accordance with subdivision (b) shall be accompanied by a notice, in a typeface designed to call attention to the notice, indicating that (1) records about the consumer are being sought from the witness named on the subpoena; (2) if the consumer objects to the witness furnishing the records to the party seeking the records, the consumer must file papers with the court or serve a written objection as provided in subdivision (g) prior to the date specified for production on the subpoena; and (3) if the party who is seeking the records will not agree in writing to cancel or limit the subpoena, an attorney should be consulted about the consumer's interest in protecting his or her rights of privacy. If a notice of taking of deposition is also served, that other notice may be set forth in a single document with the notice required by this subdivision. 
(f) A subpoena duces tecum for personal records maintained by a telephone corporation which is a public utility, as defined in Section 216 of the Public Utilities Code, shall not be valid or effective unless it includes a consent to release, signed by the consumer whose records are requested, as required by Section 2891 of the Public Utilities Code. (g) Any consumer whose personal records are sought by a subpoena duces tecum and who is a party to the civil action in which this subpoena duces tecum is served may, prior to the date for production, bring a motion under Section 1987.1 to quash or modify the subpoena duces tecum. Notice of the bringing of that motion shall be given to the witness and deposition officer at least five days prior to production. The failure to provide notice to the deposition officer shall not invalidate the motion to quash or modify the subpoena duces tecum but may be raised by the deposition officer as an affirmative defense in any action for liability for improper release of records. Any other consumer or nonparty whose personal records are sought by a subpoena duces tecum may, prior to the date of production, serve on the subpoenaing party, the witness, and the deposition officer, a written objection that cites the specific grounds on which production of the personal records should be prohibited.  No   A  witness or deposition officer shall  not  be required to produce personal records after receipt of notice that the motion has been brought by a consumer, or after receipt of a written objection from a nonparty consumer, except upon order of the court in which the action is pending or by agreement of the parties, witnesses, and consumers affected. The party requesting a consumer's personal records may bring a motion under Section 1987.1 to enforce the subpoena within 20 days of service of the written objection. 
The motion shall be accompanied by a declaration showing a reasonable and good faith attempt at informal resolution of the dispute between the party requesting the personal records and the consumer or the consumer's attorney. (h) Upon good cause shown and provided that the rights of witnesses and consumers are preserved, a subpoenaing party shall be entitled to obtain an order shortening the time for service of a subpoena duces tecum or waiving the requirements of subdivision (b) where due diligence by the subpoenaing party has been shown. (i)  Nothing contained in this   This    section shall  not  be construed to apply to any subpoena duces tecum  which   that  does not request the records of any particular consumer or consumers and  which   that  requires a custodian of records to delete all information  which   that  would in any way identify any consumer whose records are to be produced. (j) This section shall not apply to proceedings conducted under Division 1 (commencing with Section 50), Division 4 (commencing with Section 3200), Division 4.5 (commencing with Section 6100), or Division 4.7 (commencing with Section 6200), of the Labor Code. (k) Failure to comply with this section shall be sufficient basis for the witness to refuse to produce the personal records sought by a subpoena duces tecum. (l) If the subpoenaing party is the consumer, and the consumer is the only subject of the subpoenaed records, notice to the consumer, and delivery of the other documents specified in subdivision (b) to the consumer, is not required under this section.  SEC. 4.   Section 1326.1 of the   Penal Code   is amended to read:  1326.1. 
(a) An order for the production of utility records in whatever form and however stored shall be issued by a judge only upon a written ex parte application by a peace officer showing specific and articulable facts that there are reasonable grounds to believe that the records or information sought are relevant and material to an ongoing investigation of a felony violation of Section 186.10 or of any felony subject to the enhancement set forth in Section 186.11. The ex parte application shall specify with particularity the records to be produced, which shall be only those of the individual or individuals who are the subject of the criminal investigation. The ex parte application and any subsequent judicial order shall be open to the public as a judicial record unless ordered sealed by the court, for a period of 60 days. The sealing of these records may be extended for 60-day periods upon a showing to the court that it is necessary for the continuance of the investigation. Sixty-day extensions may continue for up to one year or until termination of the investigation of the individual or individuals, whichever is sooner. The records ordered to be produced shall be returned to the peace officer applicant or his or her designee within a reasonable time period after service of the order upon the holder of the utility records. (b) As used in subdivision (a), "utility records" include, but are not limited to, subscriber information, telephone or pager number information, toll call records, call detail records, automated message accounting records, billing statements, payment records, and applications for service in the custody of companies engaged in the business of providing telephone, pager, electric, gas, propane, water, or other like services. "Utility records" do not include the installation of, or the data collected from the installation of pen registers or trap-tracers, nor the contents of a wire or electronic communication. 
(c)  Nothing in this section shall preclude the   The  holder of the utility records  from notifying   shall notify  a customer of the receipt of the order for production of records unless a court orders the holder of the utility records to withhold notification to the customer upon a finding that this notice would impede the investigation. Where a court has made an order to withhold notification to the customer under this subdivision,  the order shall include a statement of the facts as to why providing notice would impede the investigation and  the peace officer or law enforcement agency who obtained the utility records shall notify the customer by delivering a copy of the ex parte order to the customer within 10 days of the termination of the investigation. (d)  No   A  holder of utility records, or  any   an  officer, employee, or agent thereof, shall  not  be liable to any person for (A) disclosing information in response to an order pursuant to this section, or (B) complying with an order under this section not to disclose to the customer, the order or the dissemination of information pursuant to the order. (e)  Nothing in this   This  section shall not  preclude the holder of the utility records from voluntarily disclosing information or providing records to law enforcement upon request. (f) Utility records released pursuant to this section shall be used only for the purpose of criminal investigations and prosecutions.  SEC. 5.   Section 589 is added to the   Public Utilities Code   , to read:   589. (a) On or before March 1, 2012, and each March 1 thereafter, each public utility shall report all of the following to the Office of Information Security and Privacy Protection, State and Consumer Services Agency: (1) The number of federal warrants, state warrants, grand jury subpoenas, civil subpoenas, and administrative subpoenas received by the utility during the prior calendar year for information pertaining to a California consumer of the utility's services. 
(2) The number and types of actions taken by the utility in response to each category of information request listed in paragraph (1). (3) The number of customers whose utility records were produced in response to each category of information request listed in paragraph (1). (4) The type of information disclosed about the utility's customers in response to each category of information request listed in paragraph (1). (5) The total amount of money received by the utility to respond to each category of information request in paragraph (1). (b) Information need not be disclosed pursuant to subdivision (a) where prohibited by some other law. If the utility does not disclose information pursuant to this subdivision, it shall include a statement in the report as to the basis for the withholding of that information. (c) On or before June 1, 2012, and each June 1 thereafter, each public utility shall make the report prepared pursuant to subdivision (a) available on the utility's Internet Web site and shall provide an electronic version of the report to the Office of Information Security and Privacy Protection, State and Consumer Services Agency. (d) On or before July 1, 2012, and each July 1 thereafter, the Office of Information Security and Privacy Protection, State and Consumer Services Agency shall make a copy of each utility report furnished to the office pursuant to this section available on the office's Internet Web site in a manner that will allow the public to conduct online searches for information contained in the reports.   SEC. 6.   Section 779.3 is added to the   Public Utilities Code   , to read:   779.3. (a) The Legislature finds and declares all of the following: (1) The Division of Ratepayer Advocates is an independent organization within the Public Utilities Commission that represents consumers' interests on utility matters, with the statutory mission to obtain the lowest possible rates for utility services consistent with safe and reliable service levels. 
(2) In November 2009, the division released its report entitled "Status of Energy Utility Service Disconnections in California," which evaluated energy utility disconnection data comparing the 12 months of September 2008 through August 2009, to prior years, back to January 2006, and compared California trends to national trends. (3) That data evaluated by the division showed the following: (A) Disconnections of low-income customers during the period September 2008 through August 2009 were 19 percent higher than the past year, with the largest increase for Pacific Gas and Electric Company's customers. (B) Disconnections of non-low-income customers have decreased, except in Pacific Gas and Electric Company's service territory. (C) While low-income customers have traditionally suffered more disconnections than non-low-income customers, the recent disparity is the worst in three years. (D) A large number of customers, particularly low-income customers, go through the disconnect-reconnect cycle. (E) Energy utility workforce constraints have limited disconnections to a fraction of those customers failing to pay after receiving final disconnect notices, but the remote disconnection functionality of smart meters will lift this constraint. (4) Increasing service disconnections during the current economic downturn exacerbate the hardship that likely led to the service disconnection in the first place, and since most disconnected customers, within hours or days of disconnection, pay their utility bills in order to be reconnected, the division questions whether those disconnections are preventable. (5) It is the intent of the Legislature to enact legislation implementing the recommendations of the Division of Ratepayer Advocates to reduce those disconnections that are preventable along with additional protective measures. 
(b) The commission shall require electrical corporations and gas corporations to implement specific strategies that compel customer payment prior to, rather than after service disconnection, with the goal of eliminating all avoidable disconnections. In implementing this requirement, the commission shall consider requiring electrical and gas corporations to do all of the following: (1) Offer autopay to all customers, and provide incentives for signing up for autopay or for fulfilling commitments to payment plans. (2) Offer customers the ability to receive disconnect notices via a preferred method that is most likely to get their attention, including telephone calls, emails, text messaging, a home electricity monitoring device or other network device, and third-party notification. (3) Provide additional messages in late payment and disconnect notices that constructively alert customers of the options the utilities may offer and provide the list of costs, both direct and indirect, the customers may face when service is disconnected. (4) Engage in proactive offers regarding the variety of assistance programs before disconnection takes place. (5) Increase in-person contacts before disconnection. (6) Create an arrearage management program. (7) Give priority installation of programmable communicating thermostats to customers who are at risk for disconnection so that they can better manage their usage and load. (c) The commission shall require electrical corporations and gas corporations to reduce the disconnection rates for low-income customers, including customers participating in the California Alternate Rates for Energy program, so that they are in line with the disconnection rates of those customers that are not low-income customers. 
(d) The commission shall ensure that electric and gas service disconnections remain at, or below, historical levels regardless of whether remote disconnections utilizing Advanced Metering Infrastructure technology, known as AMI or smart meters, are implemented. In implementing this requirement, the commission shall consider requiring electrical corporations and gas corporations to do all of the following: (1) Benchmark disconnection rates in order to facilitate the program. (2) Randomly survey customers eligible for disconnection during customer interactions to identify the most effective means of helping them avoid future disconnections. (3) Share best practices on an ongoing basis. (4) Maintain the personal contact associated with in-person disconnections for a transition period until all of the following occur: (A) Any initial problems with smart meters are addressed. (B) Status reports are filed with the commission that identify smart meter remote disconnection issues and present solutions used to mitigate these issues. (C) Ratepayers have been informed about new disconnection processes. (D) Alternatives that can be deployed to the in-person service associated with disconnections are created, including disconnection hotlines with live agents available to respond to customer problems associated with disconnections, and increasing the number of local payment centers. (e) The commission shall require safeguards to protect against negative health and public safety consequences of remote disconnections of electric and gas service once smart meters are installed. In implementing this requirement, the commission shall consider requiring electrical corporations and gas corporations to do both of the following: (1) Add a process that enables consumers to obtain temporary service reinstatements for 10 days once they initiate an investigation or request for repayment assistance, to be available only once a year to avoid abuse. 
(2) Provide additional notice regarding the procedure for service reinstatement, including notice regarding temporary reinstatement.
SEC. 7. Section 2750 is added to the Public Utilities Code, to read:
2750. (a) For purposes of this section, an authorization, acknowledgement, or consent is written or in writing if made by an "electronic record" that includes a "digital signature," as those terms are defined in Section 1633 of the Civil Code. (b) The meter data collected by an electrical corporation or gas corporation is the property of the customer, regardless of whether the data is kept by the customer or retained solely by the utility. (c) Individual customer information shall remain confidential. For purposes of this section, "individual customer information" includes both of the following: (1) Energy usage information about an individual, family, household, or residence. (2) Billing and credit information about an individual, family, household, or residence. (d) (1) Individual customer information in the custody of an electrical corporation or gas corporation shall not be provided to a third party unless the customer expressly authorizes, in writing, the release of that information to that third party and the third party acknowledges, in writing, that the information is confidential and shall not be shared or utilized by any other person, corporation, or other entity without the express written consent of the customer. (2) A customer may authorize the release of historical information by the utility, but the customer or the third party shall pay any reasonable administrative cost incurred by the utility in complying with the release. (3) A written authorization by a customer for the release of confidential information shall automatically terminate after the passage of three years from the date of the written authorization and any renewal shall be in writing.
(e) (1) Each electrical corporation and gas corporation implementing smart meter technology, by July 1, 2011, or within six months of the installation of smart meters on customer residences, shall adopt a statement of privacy and security principles for smart meter systems. Each electrical corporation and gas corporation implementing smart meter technology shall file the statement of principles with the commission. The commission shall approve, or modify and approve, the statement of principles. The statement of principles shall include the following elements: (A) A customer has a right to transparency in information gathering and use. The utility shall provide customers with meaningful, clear, and full notice regarding the collection, use, dissemination, and maintenance of individual customer information gathered as a result of the smart meter system. (B) A customer has a right to participate in what and how information about the customer is collected and used. The utility shall employ a process when using individual customer information gathered as a result of the smart meter system that, to the extent practicable, seeks the customer's consent for the collection, use, dissemination, and maintenance of the information. The utility shall provide mechanisms for customers to access, correct, and seek redress regarding their individual customer information gathered as a result of the smart meter system. (C) A customer has a right to know each reason information is being gathered. The utility shall articulate and communicate with specificity to the customer each purpose for which individual customer information is being gathered through use of the smart meter system. (D) Maintenance of information shall be minimized. The utility shall collect or retain only that individual customer information that is directly relevant and necessary to accomplish a specified purpose. 
Individual customer information shall only be retained for as long as necessary to fulfill the specified purpose. (E) Information shall be used only for the purposes for which it was gathered. Individual customer information shall be used solely for the purposes for which it was collected and may be shared only for purposes that are compatible with the purposes for which it was gathered. (F) The utility shall maintain the quality and integrity of information. The utility, to the extent practicable, shall ensure that all individual customer information is accurate, relevant, timely, and complete. The utility shall provide a mechanism for customers to easily and confidentially access and view their information and a means to report errors. The utility shall correct erroneous information that is challenged by the consumer. (G) The utility shall maintain the security of the information gathering system. The utility shall protect individual customer information through appropriate security safeguards against risks of loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure, and the smart grid technology employed by the utility shall be capable of implementing these security safeguards. (H) The utility shall undertake reasonable auditing to verify compliance with the utility's statement of principles. The utility shall be responsible for ensuring compliance with its statement of privacy and security principles for smart meter systems and, to that end, shall undertake appropriate training of its employees and contractors and audit the individual customer information being gathered and maintained and the dissemination of that information. (2) No later than six months following the commission's approval of the statement of privacy and security principles for smart meter systems, the electrical corporation or gas corporation shall adopt a work plan for implementation of the statement of principles. 
The electrical corporation or gas corporation shall file the work plan with the commission. The commission shall approve, or modify and approve, the work plan. Information in the work plan that might be detrimental to the security of the smart meter system shall be filed in a manner that preserves the confidentiality of the information. (3) Upon approval of the statement of privacy and security principles for smart meter systems and the work plan, the utility shall make the statement of principles and the work plan available on the utility's Internet Web site. Information that might be detrimental to the security of the smart meter system shall be omitted from the information made available on the Internet Web site. The utility's Internet Web site shall provide a mechanism for customers to make inquiries about, or comment upon, the statement of principles and work plan. (4) An electrical corporation or gas corporation shall ensure that any person, other than the customer, or corporation that is permitted to have access to the smart grid system, including a contractor, equipment supplier, or software supplier of the utility, is aware of the utility's statement of privacy and security principles for smart meter systems and the work plan, and agrees to follow the requirements of the work plan and act in a manner that is compatible with the statement of principles. (5) An electrical corporation or gas corporation shall promptly notify the commission of any violation of the work plan by any employee of the utility or any person or corporation that is permitted to have access to the smart grid system. (6) The commission may exercise its authority pursuant to Sections 2111 and 2113 to enforce the requirements of the work plan with respect to any person or corporation that is not an electrical corporation or gas corporation. 
(f) The commission shall adopt rules to ensure the safe transfer of electronic usage information and may adopt other rules that the commission determines are necessary or useful to implement the requirements of this section. The commission shall approve a reasonable charge that may be collected by an electrical corporation or gas corporation for providing historical information pursuant to paragraph (2) of subdivision (c). (g) This section does not limit the ability of a customer to directly and voluntarily provide confidential information to a third party. An electrical corporation or gas corporation shall provide a customer, the customer's electric service provider, the customer's third-party demand response service provider, or other third-party entity authorized by the customer to have read-only access to the customers' smart meter data, including meter data used to calculate charges for electric service, historical load data, and any other proprietary customer information. The access shall be convenient and secure, and the data shall be made available no later than the next day of service. An authorization shall be made in writing. (h) (1) This section does not limit the authority of the commission, subject to Section 583, or the Energy Commission, to require an electrical corporation or gas corporation to provide, for authorized purposes, composite statistical information derived from individual customer information that does not disclose individual customer data. (2) The commission may approve the sharing of information with a third-party demand response service provider pursuant to subdivision (f) of Section 5601. 
(3) The commission may authorize the sharing of information with academic or other researchers retained to evaluate system reliability, vulnerability, security, or other authorized research topics, provided that the results of the research publicly disclose only composite statistical information derived from individual customer information that does not disclose individual customer data. The commission may condition the sharing of information by an electrical corporation or gas corporation upon the removal of individual identifying information and characteristics. The commission shall ensure that academic or other researchers have obtained approval from their institutional review board to use the requested data. The commission shall require each electrical corporation and gas corporation to adopt a mechanism for academic or other researchers to confidentially report suspected system vulnerabilities that they have found in their research and testing. The commission shall require each electrical corporation and gas corporation to adopt a mechanism for members of the public to anonymously report system vulnerabilities. (i) The commission may exercise its enforcement authority pursuant to Chapter 11 (commencing with Section 2100) of Part 1 with respect to an electrical corporation or gas corporation to enforce the requirements of this section.
SEC. 8. The heading of Chapter 4.5 (commencing with Section 2750) is added to Part 2 of Division 1 of the Public Utilities Code, to read:
CHAPTER 4.5. ELECTRICAL AND GAS CORPORATIONS
SEC. 9. The heading of Chapter 4.5 (commencing with Section 2771) of Part 2 of Division 1 of the Public Utilities Code is repealed.
CHAPTER 4.5. ELECTRICAL AND GAS CORPORATIONS
SEC. 10. Chapter 10 (commencing with Section 5600) is added to Division 2 of the Public Utilities Code, to read:
CHAPTER 10. THIRD-PARTY DEMAND RESPONSE SERVICE PROVIDERS
5600.
(a) For purposes of this chapter, "third-party demand response service provider" means a person or corporation that is not an electrical corporation who collects customer energy usage data and provides equipment, software, or services that enable end-use electrical customers to reduce their electricity usage in a given time period, or shift that usage to another time period, in response to a price signal, a financial incentive, an environmental condition, or a reliability signal. (b) For purposes of this chapter, an authorization, acknowledgement, or consent is written or in writing if made by an "electronic record" that includes a "digital signature" as those terms are defined in Section 1633 of the Civil Code.
5601. (a) Energy usage data is the property of the electrical end-use customer, regardless of whether the data is kept by the customer or retained solely by a third-party demand response service provider. (b) Individual electrical end-use customer information shall remain confidential. For purposes of this section, "individual electrical end-use customer information" includes both of the following: (1) Electrical usage information about an individual, family, household, or residence. (2) Billing and credit information about an individual, family, household, or residence. (c) (1) Individual electrical end-use customer information in the custody of a third-party demand response service provider shall not be provided to any other person or corporation by a third-party demand response service provider unless the customer expressly authorizes, in writing, the release of that information to that person or corporation and that person or corporation acknowledges, in writing, that the information is confidential and shall not be shared or utilized by any other person or corporation without the express written consent of the customer.
(2) A written authorization by an electrical end-use customer for the release of confidential information shall automatically terminate three years from the date of the written authorization, and any renewal shall be in writing. (d) (1) Each third-party demand response service provider, within six months of commencing providing demand response service on customer residences, shall adopt a statement of privacy and security principles for smart meter systems. The statement of principles shall include the following elements: (A) A customer has a right to transparency in information gathering and use. The third-party demand response service provider shall provide customers with meaningful, clear, and full notice regarding the collection, use, dissemination, and maintenance of individual customer information gathered as a result of the demand response services. (B) A customer has a right to participate in what and how information about the customer is collected and used. The third-party demand response service provider shall employ a process when using individual customer information gathered as a result of providing demand response services that, to the extent practicable, seeks the customer's consent for the collection, use, dissemination, and maintenance of the information. The third-party demand response service provider shall provide mechanisms for customers to access, correct, and seek redress regarding their individual customer information gathered as a result of providing demand response services. (C) A customer has a right to know the reason information is being gathered. The third-party demand response service provider shall articulate and communicate to the customer the purposes for which individual customer information is being gathered as a result of providing demand response services. (D) Maintenance of information shall be minimized. 
The third-party demand response service provider shall collect or retain only that individual customer information that is directly relevant and necessary to accomplish a specified purpose. Individual customer information shall only be retained for as long as necessary to fulfill the specified purpose. (E) Information shall be used only for the purposes for which it was gathered. Individual customer information shall be used solely for the purposes for which it was collected and may be shared only for purposes that are compatible with the purposes for which it was gathered. (F) The third-party demand response service provider shall maintain the quality and integrity of information. The third-party demand response service provider, to the extent practicable, shall ensure that all individual customer information is accurate, relevant, timely, and complete. The third-party demand response service provider shall correct erroneous information that is challenged by the consumer. (G) The third-party demand response service provider shall maintain the security of the information gathering system. The third-party demand response service provider shall protect individual customer information through appropriate security safeguards against risks of loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure, and the demand response technology employed by the third-party demand response service provider shall be capable of implementing these security safeguards. (H) (1) The third-party demand response service provider shall undertake reasonable auditing to verify compliance with the third-party demand response service provider's statement of principles. 
The third-party demand response service provider shall be responsible for ensuring compliance with its statement of privacy and security principles for the demand response technologies utilized by the third-party demand response service provider and, to that end, shall undertake appropriate training of its employees and contractors and audit the individual customer information being gathered and maintained and the dissemination of that information. (2) No later than six months following the adoption of the statement of privacy and security principles for a third-party demand response service provider, the third-party demand response service provider shall adopt a work plan for implementation of the statement of principles. Information in the work plan that might be detrimental to the security of the demand response technology utilized by the third-party demand response service provider shall be handled in a manner that preserves the confidentiality of the information. (3) Upon adoption of the statement of privacy, security principles, and the work plan, the third-party demand response service provider shall make the statement of principles and the work plan available on the third-party demand response service provider's Internet Web site or supply it to customers in writing or as an electronic record, as defined in Section 1633 of the Civil Code. Information that might be detrimental to the security of the demand response technology utilized by the third-party demand response service provider shall be omitted from the information made available on the Internet Web site or directly supplied to customers. The third-party demand response service provider shall provide a mechanism for customers to make inquiries about, or comment upon, the statement of principles and work plan. 
(4) A third-party demand response service provider shall ensure that any person, other than the customer, or corporation that is permitted to have access to the demand response technology utilized by the third-party demand response service provider, including a contractor, equipment supplier, or software supplier of the third-party demand response service provider, is aware of the third-party demand response service provider's statement of privacy, security principles, and the work plan, and agrees to follow the requirements of the work plan and act in a manner that is compatible with the statement of principles. (5) A third-party demand response service provider shall promptly investigate and take corrective action to prevent any violation of the work plan by any employee of the third-party demand response service provider or any person or corporation that is permitted to have access to the demand response technology utilized by the third-party demand response service provider. (e) The commission may adopt rules to ensure the privacy of electrical end-use customer information and may adopt other rules that the commission determines are necessary or useful to implement the requirements of this chapter. (f) This section does not limit the ability of the electrical end-use customer to directly and voluntarily provide confidential information to any person or corporation. (g) This section does not limit the authority of the commission to adopt rules authorizing the sharing of information between a third-party demand response service provider and an electrical corporation when this sharing is in the interest of the electrical end-use customer, provided the requirements of this section are applicable to any information provided to the third-party demand response service provider and the requirements of Section 2750 are applicable to any information provided to the electrical corporation. 5602. 
The commission may exercise its authority pursuant to Sections 2111 and 2113 to enforce the requirements of this chapter or any rule adopted by the commission.
SEC. 11. Section 8364.5 is added to the Public Utilities Code, to read:
8364.5. (a) The commission shall ensure that each smart grid deployment plan includes testing and technology standards. (b) Testing standards shall include all of the following: (1) A requirement that the smart metering technology have a comprehensive security audit. The security auditing plan and the results of the security audit shall be made publicly available upon approval by the commission. (2) A requirement that the manufacturer disclose whether it created a cryptographic protocol for data encryption and specify the protocol used. (3) A requirement that the manufacturer submit security audit results as part of a direct access meter project self-certification program. (c) Technology standards shall do both of the following: (1) Ensure that the particular smart metering technology is compatible with other smart technologies. (2) Ensure that the particular smart metering technology is compatible with the electrical corporation's data collection and billing system. (d) The commission shall ensure that each metering technology works properly in a field test in a real home setting.
SEC. 12. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.
SECTION 1.
It is the intent of the Legislature to enact legislation that requires the Public Utilities Commission to ensure that electrical corporations that are authorized to deploy Smart Grid technology, including smart meters, are meeting their intended goals and have not shifted unnecessary deployment costs onto consumers.