Data Protection Report - Norton Rose Fulbright

The cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC).  In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and procedures.  The rules will ultimately be included in Michigan’s Technical Standards for Electric Service (Mich. Admin Rule 460.3101 et seq.) and Technical Standards for Gas Service (Mich. Admin Rule Rule 460.2301 et seq.).

The MPSC issued the Order in response to a growing concern about the increased vulnerability of the electric grid with the advent of smart grids and general grid automation.  The MPSC cited two recent rate case proceedings that resulted in the utility companies providing the MPSC staff with periodic reports on the utilities’ cybersecurity programs as informing the framework and scope of the cybersecurity information the rules are intended to govern.  Specifically, the rules will require utilities to provide:

  • An overview of the electric or gas provider’s cybersecurity program
  • A list of the company’s cybersecurity departments, staffing numbers and position descriptions, and the names of key contacts
  • A description of any cybersecurity training and exercises undergone by employees
  • An explanation of any cybersecurity investment made and the rationale for such investment
  • A discussion of the tools and methods used to conduct risk and vulnerability assessments
  • A summary of cybersecurity incidents that resulted in a loss of service, financial harm, or a breach of sensitive business or customer information

Our Take

The MPSC Order is the latest example of state regulation of the utility industry.  The Order is evidence of a larger trend of states taking an interest in the cybersecurity practices and procedures of the public utility companies operating in their relative jurisdictions.  The increased oversight of utilities is perhaps unsurprising, as the potential vulnerabilities in the electric grid gain more attention on local and national level.  We will continue to monitor the MPSC Order and the staff’s proposed rules on our blog.