Data Security Agreement. The DAF Order specifically requires the User Agreement to “not include the cybersecurity and privacy requirements necessary for [Green Button Connect or] GBC as those will be handled through the ESE Data Ready Certification process and reflected in a Data Access Agreement.” The DAF Order further adopts and requires the Data Ready Certification process to “replace the current Data Security Agreement (DSA) and Self Attestation (SA) process that requires an ESE to certify it has the necessary cybersecurity and privacy requirements with each utility from which it seeks access to data.” The October 2023 Order stated that “ESE seeking access to data via the IEDR platform must comply with the policies and requirements established as part of the DAF for release of such data, including the signing of a Data Security Agreement or Data Access Agreement between the data custodian and the ESE, which details the responsibilities of both parties in protection of said data.” NYSERDA and E-Source hereby present the IEDR DSA and SA that meets the minimum cybersecurity and privacy protections as set forth in the Commission Order Establishing Minimum Cybersecurity and Privacy Protections and Making Other Findings, issued October 17, 2019. While the NYSERDA and E-Source proposed DSA/SA is modeled on the existing, Commission approved DSA/SA, the agreement includes narrowly tailored edits to 1) provide ESEs appropriate IEDR specific context before entering the agreement and 2) account for the fact that the IEDR is not being operated by a regulated utility. NYSERDA and E-Source believe these modifications are required because in the IEDR use case, the DSA will be executed between E-Source (as the IEDR Platform Administrator), not the Investor Owned Utilities, and ESEs. Examples of the proposed modifications in the IEDR DSA/SA include: • References to the IEDR Orders in the agreement recitals to establish the regulatory context for the IEDR’s DAF compliant requirements, which include an ESE’s completion of the DSA/SA. • Removing reference to “a direct connection with the Utility IT systems”, because in the case of an ESE utilizing the IEDR, no such connection would ever be established by an ESE and renders such reference inaccurate. • Establishing rights and obligations with E-Source rights and obligations (e.g., under the Provision of Information, E-Source, not a utility, is agreeing to provide to an ESE or its Third-Party Representative certain Confidential Customer Information ...
Data Security Agreement. Access to confidential customer data, if needed for purposes of engaging in the activities contemplated in this agreement, shall be approved by RCEA on a case-by-case basis and shall be compliant with CPUC Decision 00-00-000. Prior to receiving confidential customer data, Developer shall execute a Data Security Agreement, in a form to be provided by RCEA. Execution of the Data Security Agreement will be an express condition precedent to RCEA’s provision of customer data. The executed Data Security Agreements including all terms, conditions, responsibilities, and liabilities, are incorporated herein by reference. Developer may not use customer data for any other purpose than to perform the activities described herein. Improper use or disclosure of confidential customer data shall be a material breach of this Agreement and shall give RCEA the immediate right to terminate this Agreement. Developer hereby indemnifies, defends and holds harmless RCEA and its officers, employees, and agents from and against any and all losses that may occur as a result of improper use or disclosure of confidential customer data caused by Developer.
