New York State Electric & Gas and Rochester Gas and Electric, which have a combined 1.8 million customers, sent letters in January to customers warning about a data breach involving an employee at a third-party contractor who allowed unauthorized access to customer information systems. Information that was accessed included customers' social security numbers, dates of birth, and some financial account information, the PSC noted.
The PSC conducted an investigation into the breach, concluding that the utilities “failed to meet industry standards and best practices to protect personally identifiable information of customers”, said Chairman Garry Brown.
“As a result, we are directing the companies to immediately take action to address the vulnerabilities on its computer billing and records systems currently used to take and maintain confidential customer information”, he added.
Brown explained that the commission investigated deficiencies in the utilities' systems and procedures regarding the protection of confidential information.
The report concluded that there is no evidence to date that any confidential customer information was misused. However, several deficiencies in the companies’ systems and practices contributed to the security breach, the report noted.
The PSC recommended that the companies refine policies, processes, and procedures regarding confidentiality safeguards; minimize access to the most sensitive personally identifiable information by maintaining a strictly ‘need to know’ standard for contractors and employees; conduct, at least annually, an incident response exercise simulating a breach of such data; establish a protocol for notification of regulators in the event of any significant cyber incident involving a possible compromise of customer data; and implement steps to ensure the security of all data stored on company mobile computers and removable data storage media.
The utilities have 60 days to report on their progress in implementing the recommendations.