We take seriously our responsibility to protect company information and the information we collect in the course of our business. This includes personal information about our customers, employees, contractors, shareholders and other individuals, as well as the confidential information of companies that do business with us. Our corporate policies around data privacy, confidentiality and security are designed to maintain the trust of the individuals and organizations who give us information. The focus of our Information Governance program includes ongoing accountability for data privacy, confidentiality and security.
Xcel Energy operates in a highly regulated industry that requires the continued operation of sophisticated information technology systems and network infrastructure. In addition, in the ordinary course of business, we use our systems and infrastructure to create, collect, use, disclose, store, dispose of and otherwise process sensitive information, including company data, customer energy usage data and personal information regarding customers, employees and their dependents, contractors, shareholders and other individuals.
We have developed and implemented a written program that is designed to detect, prevent and mitigate identity theft in connection with opening or maintaining customer accounts. Our program identifies the patterns and activities that indicate potential identity theft fraud pertinent to activity on our customer accounts, describes our methods for detecting and responding to such patterns and activities, and implements a mechanism to periodically review and administer our program.
Since 2011, we have engaged a diverse internal team in the preparation and drilling of an action plan for managing a potential data security breach. Being prepared positions us to respond quickly and effectively to data security incidents, and hopefully mitigates any resulting impact on affected individuals and our brand.
To date, we have not experienced any significant breach of customers’ sensitive personal or financial information. However, we did experience an event in November 2013 that demonstrated our focus on protecting customer information. The event was caused by a bill print error that resulted in one day’s worth of printed bill statements for 16,000 Minnesota and North Dakota customers inadvertently including another customer’s name, address, account and meter number, energy used and amount owed. We took appropriate steps to mitigate potential fraud by contacting affected residential customers and changing their customer account numbers unless they requested we not do so. We also offered affected business customers the option of establishing new account numbers.
We continue to be active and take a lead role in the national discussion around data privacy, confidentiality and security. We regularly speak on these issues in a number of forums, including public meetings related to the U.S. Department of Energy’s (DOE) initiative to develop a voluntary code of conduct for customer energy usage data (CEUD). Our involvement in the DOE’s initiative will continue in 2014, as we are leading a Data Access and Participation workgroup made up of diverse stakeholders that will advise the DOE on related issues. In addition, we continue to be an active participant in state regulatory commission proceedings involving customer privacy in Colorado, Michigan and Minnesota.
Some of our customers have expressed concerns about privacy and health risks that they fear may be associated with the use of smart meters or the smart grid. We believe that it is important to provide our customers with information about their energy usage and the metering technology deployed in our service territory. For this reason, we have information online to help address these types of questions. Our customer communications have been recognized as leading examples of transparency and customer education for CEUD by noted privacy experts (see Privacy by Design white paper).
We continue to bolster our data privacy, confidentiality and security awareness efforts in several ways, including:
- maintaining transparent and informative customer-facing and internal privacy policies and communications
- updating internal information governance controls and training materials
- providing guidance for our customers on identity theft protection