TRANSCRIPT
Allwest Reporting Ltd. #1200 - 1125 Howe Street Vancouver, B.C. V6Z 2K8
BRITISH COLUMBIA UTILITIES COMMISSION
IN THE MATTER OF THE UTILITIES COMMISSION ACT R.S.B.C. 1996, CHAPTER 473
and
RE: FortisBC Energy Utilities (FEU) Application for Removal of the Restriction on the Location of Data and
Servers Providing Service to the FEU, currently Restricted to Canada
BEFORE:
L. O’Hara, Panel Chair / Commissioner
N. MacMurchy, Commissioner
K. Keilty, Commissioner
VOLUME 2
STREAMLINED REVIEW PROCESS
Vancouver, B.C. June 12, 2015
APPEARANCES
P. MILLER, Commission Counsel
J. JOLY, FortisBC
D. CURTIS, Counsel for FortisBC Energy Utilities
D. SWANSON, FortisBC
M. PRATCH, FortisBC
T. SWANSON, FortisBC
W.J. ANDREWS, Counsel for B.C. Sustainable Energy Association and Sierra Club of British Columbia (BCSEA-SCBC)
T. HACKNEY, B.C. Sustainable Energy Association and Sierra Club of British Columbia (BCSEA-SCBC)
D. CRAIG, Commercial Energy Consumers’ Association of British Columbia (CEC)
L. SADREHASHEMI, Counsel for BCOAPO
R. DALL'ANTONIA, FortisBC
S. HILL, Counsel for FortisBC Energy Utilities
L. COCHEY, Commission Staff
J. HAILS, Commission Staff
L. CHEUNG, Commission Staff
L. KELLY, Commission Staff
INDEX
Volume 2, June 12, 2015
FORTISBC PRESENTATIONS:
PRESENTATION BY MR. D. SWANSON, page 51
PRESENTATION BY MS. PRATCH, page 55
PRESENTATION BY MR. T. SWANSON, page 60
PRESENTATION BY MS. PRATCH, page 71
PRESENTATION BY MR. D. SWANSON, page 74
SUBMISSIONS BY MR. ANDREWS, page 77
INDEX OF EXHIBITS
NO. B-13, DESCRIPTION: FEU PRESENTATION, page 205
FEU-Remove Data Location Restriction Streamlined Review Process - Volume 2 Page: 47
Allwest Reporting Ltd., Vancouver, B.C.
CAARS
VANCOUVER, B.C.
June 12th, 2015
(PROCEEDINGS COMMENCED AT 9:03 A.M.)
THE CHAIRPERSON: Good morning, ladies and gentlemen. My
name is Liisa O’Hara. With me are Commissioners Karen
Keilty and Norman MacMurchy. And welcome to this
streamlined review process. As the panel chair, I
will act as the moderator for this proceeding.
Before going around the table for
introductions, I will briefly comment on the
application and the review process to date.
On August 1st, 2014, FEU filed an
application with the Commission for the removal of a
restriction on the location of the FEU’s data and
servers. FEU requested that the Commission issue an
Order directing that the current restriction that the
location of data and servers providing service to FEU
be restricted to Canada, is removed and no longer in
effect.
Through the IR process, the issue started
to crystallize, but it was not until the final
submissions were filed that the diversity of positions
and concerns became abundantly clear. The FEU reply
submissions and then included quotations, new
alternative remedy proposed by the applicant in
response to the concerns expressed by the registered
interveners.
A Procedural Conference was held on
February 18th, 2015 to consider whether the evidentiary
record should be re-opened to include the proposed --
the proposed alternative relief as part of the
application. By Order G-26-15, dated February 24th,
2015, the Panel directed the evidentiary record be
reopened for evidence related to the proposed
alternative relief.
FEU filed its evidence on March 17th, 2015
and responded to a number of IRs. No intervener filed
evidence on this alternative relief.
The same Order also established a
streamlined review process for Friday, June 12th, which
is meant to cover the entire proceeding record. And
that is, of course, why we are convening here today.
Our anticipated plan for today is as
follows. First, we go around the table for
introductions, and that is followed by the FEU initial
presentation. And I can tell you are prepared, so we
look forward to that. And then that presentation is
followed with the question and -- Q&A period. FEU
will respond to questions from interveners, Commission
staff, and the Panel.
Before proceeding further, I am also
reminding you of the May 26th, 2015 letter in which the
Panel indicated that you will be asked to share your
views and explain whether this proceeding should
conclude by way of first, verbal submissions at the
end of this SRP day; two, written final submissions;
three, or any other way you can propose.
You will be given this opportunity to
provide your position after FEU responds to the
questions from the participants. Most likely we will
take a break first, so everybody can still reflect
before you formulate your position.
Proceeding Time 9:07 a.m. T2
As a housekeeping matter I wish to remind
the parties that the proceeding is being transcribed.
Therefore it is crucial to remember that only one
person can speak at a time and the speaker needs to
state their name for the record before speaking every
time, remember that, every time, so that the
proceeding can be properly recorded.
We will now start with the introductions
beginning there with the FEU representatives and move
around the table.
MS. JOLY: My name is Janice Joly, Regulatory Governance
Coordinator for FortisBC.
MR. CURTIS: My name is David Curtis of Fasken Martineau,
external counsel for FortisBC.
MR. SWANSON: My name is Dennis Swanson, Vice President
of Corporate Services, FortisBC.
MS. PRATCH: My name is Monic Pratch, Chief Privacy
Officer, Corporate Secretary and Counsel for FortisBC.
MR. SWANSON: My name is Tim Swanson, the Director of
Information Systems for FortisBC.
MR. ANDREWS: I’m Bill Andrews. I’m counsel for the B.C.
Sustainable Energy Association and Sierra Club B.C.
MR. HACKNEY: Tom Hackney, case manager for B.C.
Sustainable Energy Association and Sierra Club of B.C.
MR. CRAIG: David Craig, Executive Director, Commercial
Energy Consumers.
MS. SADREHASHEMI: Lobat Sadrehashemi, counsel for
BCOAPO.
MR. DALL'ANTONIA: Good morning. Roger Dall'Antonia,
Executive Vice President, Customer Service Regulatory
Affairs for FortisBC.
MS. HILL: Song Hill, in-house counsel for FortisBC.
COMMISSIONER MACMURCHY: Norm MacMurchy, Commissioner.
THE CHAIRPERSON: And Liisa O’Hara.
COMMISSIONER KEILTY: Karen Keilty.
MR. MILLER: Paul Miller, Boughton Law Corporation,
counsel to the Commission.
MS. THORSON: Alison Thorson, Director of Policy Planning
and Customer Relations at the Commission.
MR. COCHEY: Lionel Cochey, Commission Staff Consultant.
MR. HAILS: Jason Hails, Consultant with the Commission.
MR. CHEUNG: Leon Cheung, BCUC Staff.
MS. KELLY: Lea Kelly, BCUC.
THE CHAIRPERSON: Thank you everybody. And now we have
all the names on the record and we are ready then to
move to the presentation by Fortis. Please proceed.
MR. D. SWANSON: Thank you.
FORTISBC PRESENTATIONS:
PRESENTATION BY MR. D. SWANSON:
Good morning. My name is Dennis Swanson,
Vice President of Corporate Services for FortisBC.
Both Information Services and Data Security, as well
as Privacy Legislation Compliance, are items that are
within my portfolio at the company.
Also presenting with me today are Tim
Swanson who is the Director of Information Systems.
Tim is accountable for all of our information systems
and our cyber security, as well as I have Monic Pratch
to my left, who is FortisBC’s Chief Privacy Officer,
Corporate Secretary and Counsel. Monic will be
appearing today in her capacity as Chief Privacy
Officer.
MR. CURTIS: And I am just going to make one comment on
that. It’s a bit of a unique circumstance today to
have a lawyer on a panel in a proceeding like this.
So I just want to be clear that Ms. Pratch is here in
her capacity as Chief Privacy Officer. She’s not here
in her role as counsel. She’s here to speak to the
record, to answer your questions, but she’s not here
to give legal opinions or to engage in legal debate or
that kind of thing. So I just wanted to make that
clear at the outset.
THE CHAIRPERSON: Thanks for that clarification, good.
MR. D. SWANSON: So this morning we’re going to go
through a fairly short presentation, then we’ll open
the floor up for a further discussion and any
questions and answers that may follow. Our aim today
is to have an open and transparent discussion in hopes
of creating a common understanding of our request in
the application and address any related concerns.
I’m going to start off by introducing the
purpose of the application. I’ll explore some of the
customer benefits associated with our ask in the
application, and then summarize the approvals that are
being requested.
Proceeding Time 9:11 a.m. T03
Then Monic is going to talk about foreign
ownership, unauthorized access, and privacy. And Tim
Swanson will discuss security and risk mitigation.
Then I’ll do a brief wrap-up of the presentation, and
we expect to have further discussion and questions and
answers.
Getting into the purpose of the
application, what we’re requesting is that the
restriction related to the location of data storage
that was put in place during the acquisition of the
gas utility by Kinder Morgan be removed. And the
reason is, we want to be able to investigate and
implement information services opportunities that
could benefit our customers. We want to be able to
keep pace with technology changes. We want to be able
to operate efficiently and effectively. And really we
want to be treated the same as other private-sector
organizations under the Personal Information
Protection Act, PIPA, and the Personal Information
Protection and Electronic Documents Act, PIPEDA.
From a customer benefits' perspective, we
want an ability to consider technologies and services
to serve customers where the use of such technologies
may be more cost-effective. An example would be the
use of a third-party vendor that stores data or
provides services.
We want an ability to pursue opportunities
that will reduce information services’ capital
investment requirements and/or reduce information
services’ operating and maintenance expenses.
We recognize the current Order does allow
the company to bring forward individual applications
to remove the data restriction for specific projects.
However, bringing forward many small discrete
applications, we feel, would be cost-prohibitive and
would result in lost opportunities for our customers.
Our request also allows us to more easily access
cross-jurisdictional industry information. And this
type of cross-jurisdictional analytics can be used to
improve our customer offerings in areas such as energy
conservation programs.
For the approval sought, we’re requesting
that the current Order be rescinded, that the existing
-- or the current Order rescinding the existing data
restriction, and a new Order is granted that permits
the FEU to store data about customers that would
otherwise meet the definition of personal information
outside Canada, if it is either (a) de-identified, or
(b) encrypted. And in that order, confirming that
data of any kind, customer or otherwise, that does not
meet the definition of personal information under PIPA
is permitted to be stored outside of Canada.
And again, we’re seeking to permit FEU to
apply for certain exemptions from the revised Order.
Now, Monic Pratch and Tim Swanson will
address the topics that have been raised to date
within the application process.
PRESENTATION BY MS. PRATCH:
MS. PRATCH: Thank you, Dennis. It’s Monic Pratch, Chief
Privacy Officer and counsel for FortisBC.
As Dennis mentioned, one of the concerns
throughout this application has been concerns around
foreign ownership and unauthorized access to data.
While these issues are related, they are distinct
issues. First, with respect to foreign ownership, one
of the major concerns raised by interveners in 2005
was that Kinder Morgan was an American company.
Specifically, the concern was that information would
be transferred to the U.S. and, as a result, control
of that information and those that have access to that
information would be lost.
This particular issue was resolved in 2007
when Fortis Inc. purchased Terasen Gas and the natural
gas utility was once again owned by a Canadian
company. Today, this is still the case.
The risk identified is simple. The
question is whether a foreign court can compel
disclosure of data held by a Canadian company that’s
located in Canada. There is no evidence to suggest
that this is possible, but rather, FortisBC accepts
the position and guidance that has been published by
the British Columbia office of the Information and
Privacy Commissioner. That guidance states that there
is a privacy risk of an American court compelling
disclosure records where the records are held by
American companies or their foreign subsidiaries.
FortisBC submits that the issue raised regarding
jurisdiction of a foreign -- of foreign courts to
compel disclosure of data held by a Canadian company
is not a risk, given that the FEU are Canadian-owned
and controlled.
Proceeding Time 9:16 a.m. T04
Now with respect to the concern over the
risk of access to information. FortisBC submits that
there is no greater risk that that information will be
accessed by an unauthorized party by storing that
information outside of Canada. And there are two main
reasons that I’d like to provide to give support to
this assertion.
First, FortisBC uses the same security
protocols, procedures, policies, assessments, and
requirements no matter where data is stored. In
addition, FortisBC is still subject to the same
British Columbia and Canadian privacy legislation
regardless of where it chooses to store data and will
still be held accountable in exactly the same way.
Secondly, the digital universe has no
borders. In other words, if a person wanted to gain
unauthorized access to data, that person could be
located anywhere in the world, and the location of the
data itself would not change that fact. In the
unlikely event of a breach of data that is not --
sorry. In the unlikely event of a breach of that
data, it wouldn’t be protected by borders.
The issue really comes down to the security
that you put around that data. And FortisBC once
again uses the same high level of security
requirements regardless of where that data is stored.
Whether we put that security around data stored in
Canada, around data stored in the U.S., around data
stored in England, or anywhere else in the world, that
data and the requirements, the security requirements,
are the same.
Accordingly, the storage of data outside of
Canada does not increase the risk of unauthorized
access to that data.
I’m going to spend a few minutes discussing
the evolution of the privacy regime in British
Columbia, and FortisBC’s comprehensive privacy
management program. The key message is that FortisBC
follows best practices and is able to appropriately
address privacy concerns.
So, a bit of history. The federal private-sector
privacy legislation came into force in 2001.
And the provincial private-sector privacy legislation
came into force in 2004. When the original data
restriction order was put in place, the privacy regime
was in its infancy in British Columbia. Since 2004,
when the Personal Information Protection Act, or PIPA,
came into force, the regime has evolved considerably
and FortisBC submits that it appropriately addresses
the privacy concerns raised in the context of the
original order.
FortisBC must be compliant with PIPA and
PIPEDA as applicable and, as time has passed, the
office of the federal and provincial Privacy
Commissioners have produced an extensive body of
knowledge, guidance, and directions that did not
previously exist. This body of knowledge has provided
privacy officers like me with appropriate guidance and
support to be able to properly assess privacy risks,
so that companies can assure that they are PIPA and
PIPEDA compliant.
For example, the Privacy Commissioners have
created guidance on best practices around the uses of
privacy impact assessments, breach management,
contractual terms, and a host of other guidance on
privacy hot topics.
Finally, over the last ten years, FortisBC
has developed a comprehensive privacy management
program which begins with the FortisBC privacy policy.
I refer you to the first paragraph of that policy,
which states, “We at FortisBC value your privacy, and
we strive to ensure that our customers are aware that
their privacy is of the utmost importance to us.”
Privacy, like safety and security, is
extremely important to FortisBC. We take customer and
employee privacy very seriously. This is evidenced by
the fact that privacy is a topic that is discussed at
the very highest level, our Board of Directors, and
receives review and attention from our executive
leadership team and senior management. And this has
been ingrained throughout our entire organization.
FortisBC’s privacy management program
includes training, internal policies, procedures,
auditing, incident response, and a large internal
support network. One of the tools that our program
takes advantage of is privacy impact assessments,
which are used to assess our project managers and
myself as the privacy officer to identify potential
risks and mitigate those risks. We will be discussing
privacy impact assessments in more detail later in
this presentation.
We’ve heard a lot about privacy concerns in
this proceeding. One of our messages in this
presentation is that these concerns should be
alleviated by the fact that there is a robust privacy
regime in place. FortisBC has agreed to additional
restriction on top of the current private-sector
privacy legislation, in the alternative relief, by
requiring data to be encrypted or de-identified prior
to storing that information outside of Canada. And
all of the keys would be held within Canada.
Proceeding Time 9:21 a.m. T5
The privacy regime I’ve been talking about
should give you comfort that FortisBC is able to
properly assess that risk and mitigate that risk
through security requirements, contractual
requirements, reliance on Office of the Information
and Privacy Commissioner guidance, and the current
policies and procedures we have in place and already
follow today. In other words, the privacy concerns
that have been raised are appropriately addressed by
another regime and by FortisBC’s Privacy Management
Program.
With that I’ll ask Tim or pass things over
to Tim to talk about security.
PRESENTATION BY MR. T. SWANSON:
MR. T. SWANSON: Thank you, Monic. Good morning
everyone. Tim Swanson, Director of Information
Systems, and this morning I’m going to talk to you
about security.
So what is security? Security is the
protection put in place to protect something of value.
Protecting FortisBC information, including customer
and other private information, is critical and
FortisBC takes it very seriously.
As we’ve said in our evidence, it is
something FortisBC is very familiar with and has
extensive experience with. Stringent industry
standards in regards to data and infrastructure
protection are in place and independently tested on a
regular basis to confirm their effectiveness. It is,
of course, not in the best interest of FortisBC to put
any data at risk, including personal, personal
information, infrastructure, or any other information
at risk as we rely on them as much as our customers
do. We use independent third party annual auditing to
check the security of FortisBC’s systems by testing,
confirming the correct technology and processes are in
place based on current standards.
That being said, FortisBC would not use any
service, whether inside or outside of Canada, that did
not meet FortisBC’s requirements for security and
reliability. FortisBC would also not use any service
that could put us in a position of non-compliance with
privacy or any other legislation. From the security
perspective, the protection we put around the data
stored outside of Canada is the same regardless where
it’s located geographically.
FortisBC believes that its robust security
requirements ensure the risk to its data or
infrastructure is not increased regardless of
location.
The next two points on the slide you’ll see
are -- you’ll recognize from Exhibit B-8 and the
evidence on alternative relief, and these are key
security mechanisms we currently use and will continue
to use for data that is stored outside of FortisBC
data centres.
First of all, encryption is primarily used
to store data outside FortisBC data centers, is
generally used in cases where the data is not needed
to be recognized by parties outside of the FortisBC.
Encryption isn’t appropriate for sending data for
analysis generally outside of FortisBC. That’s where
de-identification tends to work a little better and
I’ll talk about that in a minute.
Encryption uses an algorithm to randomize
data to transmit or store outside of FortisBC.
Encryption makes data unrecognizable and unusable
without a decryption key, which we keep within our
FortisBC data centres.
As described in evidence, FortisBC uses the
current industry standard, 256 bit advanced
encryption, to protect our data. In regards to
encryption, FortisBC has been using encryption to
protect company information for many years. Again,
independent third party experts on security, including
encryption, test and report on FortisBC’s methods and
technology to confirm their effectiveness.
As stated earlier, to further protect
FortisBC’s data, encryption keys are held within
FortisBC data centres to ensure encrypted data stored
outside of FortisBC data centres is unusable and
unrecognizable in the unlikely event that it is
accessed by unauthorized parties.
Similarly to encryption, de-identification
is used in some instances to protect FortisBC’s data.
De-identification removes personal information either
by deleting the field or replacing the data in the
field with random characters. As discussed in
evidence, de-identification has a different function
than encryption, in that it allows FortisBC to send
data, without encrypting, for purposes of analysis or
collaboration with vendors or other industry groups.
It allows us to do that without the concern of private
information being in jeopardy.
Also as discussed in evidence, FortisBC may
have a requirement to re-identify the data when it is
returned to the FortisBC data centres, and in which
case the keys to do that would be kept within FortisBC
data centres.
Proceeding Time 9:26 a.m. T06
So now we’ve stated that we encrypt or de-identify
data. So I’m going to talk about the risks
around these strategies and what FortisBC does to
mitigate those risks regardless of where the data is
located.
Of course, the risks to encrypted or de-identified
data is that it gets decrypted or re-identified.
In the case of encryption, as pointed out
in the evidence, it is considered fundamentally
impossible to decrypt information encrypted using the
methodologies that FortisBC uses, without the key.
Which again we keep in our data centres. There is
simply not enough processing power on the planet to
brute-force decrypt the data that has been encrypted
using FortisBC’s methodologies.
Regarding the risk of re-identifying de-identified
data, it is not reasonably possible because
the data is removed completely or replaced with random
information. And again, if there was a key to re-identify
that information, it would be kept in our
data centres.
So in the unlikely event that a third-party
data storage provider was breached, whether by a
hacker or other means, any compromised data would be
unusable, unidentifiable, and undecipherable. This is
very important to understand because in the unlikely
event data has been breached, the originating location
of the data has no impact on controlling the breach
once it has occurred. Once breached data is out in
the digital world, as Monic said, there are no borders
or boundaries to protect it.
Also in the unlikely event of a breach or
compromise of FortisBC data stored outside of FortisBC
data centres, an incident management program is in
place to ensure any actual or perceived incidents are
reacted to appropriately. FortisBC’s incident
management program includes comprehensive root cause
analysis, an investigation, which is required for any
incident that affects the reliability or security of
FortisBC’s systems or infrastructure.
Again, in regards to risk, FortisBC does
not consider there to be an impact on risk to the data
due to its location, because it’s the security
standards and requirements that protect the data,
regardless of where it’s located. And those standards
and requirements are not negotiable.
So the next topic is assessments. If the
Order were to be granted, we wanted to explain the key
processes we use to ensure the protection of FortisBC
data. We thought it might be helpful to relate this
slide to a real-world example.
So recently our Energy Efficiency and
Conservations Group was looking into an on-line energy
analytics solution to provide customers with energy
analytics tools to help them make decisions around
their consumption. Well, it turned out the most
functional and cost-effective option was a service
provided by a U.S. firm. If we were able to consider
a U.S. provider for this service, a privacy and
security assessment would be completed. And these are
some of the key components of those assessments we
would have considered.
In regards to the security assessment, some
of the important areas we would include would be
requirements such as vendor viability, for which we
use independent reviewers and consultants, as well as
contacting reference organizations. Performance and
reliability include disaster recovery and backup
capabilities and review; a demonstration of security
capabilities, which includes specific security
requirements regarding firewalls and access control is
required; a documented incident management program
that meets FortisBC’s criteria for reporting and
mitigating -- and mitigation is required. Even the
physical security of third-party facilities, where
FortisBC data would be stored, is reviewed for
compliance with FortisBC’s requirements.
Logical access controls are required, and
approved by FortisBC, to ensure a minimum number of
people have access to the systems or the
infrastructure housing FortisBC data.
MR. ANDREWS: Madam Chair --
MR. T. SWANSON: Oh.
MR. ANDREWS: I wonder if I can ask at this point whether
the --
THE CHAIRPERSON: Your name first, for the record.
MR. ANDREWS: Oh, for the record, Bill Andrews, B.C.
Sustainable Energy Association.
THE CHAIRPERSON: Thank you. Please proceed.
MR. ANDREWS: I wonder if the Panel can ask the witness
whether this -- what’s being talked about now is
evidence that’s on the record, that we have a
reference to, or whether this is new information.
THE CHAIRPERSON: This is SRP, right? So I think that is
quite all right.
MR. T. SWANSON: Would you like us to answer?
THE CHAIRPERSON: What is your answer to that, Mr.
Swanson?
MR. T. SWANSON: Tim Swanson. This is an example that
highlights some of the information that we have in the
evidence and in the Information Requests that we
received.
MR. ANDREWS: All right. Well -- well, I’ll just leave
it at that, thank you.
THE CHAIRPERSON: But perhaps also to remind everybody,
although we have this set plan, that it is the
presentation, then the intervener and staff questions.
I think if there is sort of a burning question during
the presentation, it’s okay.
So do you want to expand on that?
MR. D. SWANSON: I’d just like to clarify that. The
example itself is not on the record, no.
MR. T. SWANSON: Correct.
MR. D. SWANSON: The protections we have in place is on
the record, but the example is just meant to try and
explain how it would be applied.
MR. CURTIS: Dave Curtis here. There have been several
IRs asked about threat assessment and privacy impact
assessment, and answers provided. Instead of reading
back the answers we gave in IRs, the panel members are
here to talk through those issues in a bit more
detail, and they’re here to answer questions about it.
So we don’t think it’s all that helpful to just read
back verbatim the evidence we gave. That’s not what
we’re here to do.
So these topics are definitely dealt with
on the record. And I just wanted to make that
comment.
Proceeding Time 9:33 a.m. T7
THE CHAIRPERSON: Receiving here some advice from our
legal counsel too, but this is -- again, just a
reminder, this is an SRP, and that the purpose of this
day is really to help all the parties understand
what’s behind the evidence and what was said in IRs.
So providing these examples, as FEU is doing right
now, should be perfectly acceptable.
MR. ANDREWS: So can I ask that if there are examples --
THE CHAIRPERSON: Just repeat your name for the record
please.
MR. ANDREWS: Bill Andrews. I’m not objecting to the
concept of bringing in new information, but I think it
would certainly be helpful to me if, when an example
that’s not on the record is put forward, that it be
identified as not being something that’s on the
record. Otherwise I’m canvassing my brain cells
thinking I don’t recall anything on the record about
an example of a conservation analysis, and it may be
very helpful information that these people are here to
give evidence and they don’t have to only parrot
what’s already been given as evidence, but it would be
helpful to know what’s new and what’s old.
THE CHAIRPERSON: So can FEU make an effort to
accommodate this?
MR. CURTIS: You know what, of course, we’ll do that.
There isn’t much longer left in the presentation and
this may be the only example of this kind given. It’s
kind of an awkward approach, but we’ll do our best to
accommodate that, sure.
THE CHAIRPERSON: Thank you.
MR. T. SWANSON: Tim Swanson again. So to clarify, this
assessment would -- these are the things that we would
do in any assessment of a project. So just to go back
to the previous point so we can continue appropriately
and it makes sense, we talked about the logical access
controls that we require that ensures that any
provider has the minimum number of people accessing
FortisBC’s information. Additionally, audits of
access logs for those individuals who have access to
the systems housing FortisBC data is required and
reviewed by FortisBC.
Review of the security tools such as
firewalls, anti-malware systems and active defence
would be completed to ensure their compliance with
FortisBC requirements. And a guarantee of appropriate
security resources required is -- and training. So
it’s a guarantee of appropriate security resources
with required training is needed. A review of
proponents’ overall policies and procedures is
completed to ensure they meet FortisBC’s requirements.
And finally, system maintenance plans and schedules
are required to ensure the proponent has a documented
maintenance plan that works with FortisBC schedule and
that it ensures ongoing security.
These are not all the criteria considered
in the security assessment, but it demonstrates some
of the key areas we review. In each case they would
be required to meet FortisBC standards. All the
layers of security that we require are what we
consider defence in depth. What this means is we do
not have a single point of failure that could
compromise FortisBC’s data.
An organization’s inability to comply with
any one of FortisBC’s security requirements would make
them ineligible to provide service to FortisBC. Costs
do not override requirements.
The next part of the assessment, if it was
determined there was private information involved by
the group that was doing the analysis on the
initiative, they would engage our -- they would start
a privacy impact assessment. And I’ll pass it over to
Monic Pratch to give you a rundown on what a privacy
impact assessment might look like.
PRESENTATION BY MS. PRATCH:
Thanks, Tim. It’s Monic Pratch. As I
mentioned before, Privacy Impact Assessment is a tool
which is used to assist the project manager and myself
as the privacy officer in identifying privacy-related
risks and tools that we can use to mitigate those
risks. Once a security assessment is completed, the
IS Department works with the project manager to
determine if the project involves the collection, use,
or disclosure of personal -- of a significant amount
of personal information. If so, the project manager
will usually contact me or a member of my team and
we’ll begin the process of developing a privacy impact
assessment.
This assessment asks a variety of questions
to help flesh out privacy risks. For example, a
privacy impact assessment may include questions such
as what personal information is being collected, how
is this information being collected, for what purposes
is the information being collected, used or disclosed?
Is it absolutely necessary to collect that personal
information to achieve the objective of whatever
product or service is being offered? Does the
contractor we’re proposing to use have a privacy
policy and a privacy officer? What does that policy
say about privacy practices and privacy management
programs that the vendor might employ?
Proceeding Time 9:38 a.m. T08
Once we work through answering these
questions, we can then begin to look at ways to
mitigate any privacy-sensitive areas that may be
identified. For example, in the case Tim mentioned,
we would complete a privacy impact assessment and
perhaps the analytics tool we were developing required
consumption information of customers in order to find
better ways to provide them with energy-saving tips.
In that particular case, we would look at
ways we could mitigate any privacy-related concerns.
So for example, the analytics service provider may not
need access to the customer’s name or billing address
in order to provide that customer with such energy-
saving tips. We may be able to de-identify that data
which would mitigate the risk of an unauthorized
disclosure, releasing identifiable information about
an individual.
It is important to note that FortisBC
already completes this assessment at the current time.
We are not proposing to change our process, but rather
to lift the general restriction and instead to put
parameters around personal information specifically.
In the example Tim and I have just
reviewed, the benefits of the project and being able
to possibly use an American service provider would be
eroded if we needed to bring an initiative of this
small size to the BCUC as the cost savings would be
eaten up by the amount of time spent on the
application itself.
The bottom line is that if a privacy impact
assessment is completed, and the privacy risks that
have been identified cannot be appropriately
mitigated, the project will not move forward.
With that said, I’ll turn it back over to
Dennis.
PRESENTATION BY MR. D. SWANSON:
MR. D. SWANSON: Thanks, Monic.
So, going forward, if approval is granted,
the FEU will continue to apply the same high level of
rigour around security and privacy. We’ll continue to
perform privacy impact assessments and security
assessments. We’ll continue with the practice of
encrypting or de-identifying sensitive data before it
leaves the company; continue with the practice of
maintaining encryption keys and de-identification
tables within the possession of FortisBC at all times
within Canada.
The application was put forward to
eliminate certain data storage restrictions that have
previously been placed upon the company. We have
stated that we do not consider there to be an increase
in risk associated with the location in which data is
stored. We have explained that it is the security
standard that protects the data regardless of physical
location. We have attempted to demonstrate our
experience and expertise in our ability to protect our
systems and our information through appropriate
controls around security and privacy.
We have discussed the fact that
unauthorized access to data is not protected by
borders. The key is to ensure that security standards
are in place to protect against unauthorized access,
and in the unlikely event of a breach, ensure that the
data is unusable and unrecognizable.
We have explained that foreign government
access to FEU data should not be of a concern, due to
the fact that any sensitive data stored outside of
Canada would not be usable or recognizable without the
encryption or re-identification keys. That again
would be stored in FortisBC’s data centres within
Canada.
The important consideration for doing
business in this digital world is to ensure that
appropriate levels of security and data protection are
in place, regardless of the location the data is
stored. FortisBC did not pursue this application to
start moving vast quantities of data inside or outside
of Canada. This application was made in order for the
FEU to continue to officially do business in the
current digital business environment, for the benefit
of our customers.
And with that, I’d like to open it up to
questions.
THE CHAIRPERSON: Thank you, FEU team, for that
presentation. So, for questions, the interveners come
first, so do you have sort of preferences in what
order you would proceed? Or --
MR. ANDREWS: We haven’t discussed order, but before we
even get to that, may I --
THE CHAIRPERSON: Mr. Andrews, again --
MR. ANDREWS: Bill Andrews. Might I suggest that before
we have questions, the interveners have at least an
opportunity for a brief statement about what their
approach to the application and today’s proceeding is?
THE CHAIRPERSON: Mr. Andrews, again, coming back, but
the SRP format is supposed to be -- it is the
presentation by the applicant, and followed by Q&A.
And normally the time for submissions is then at the
end. But if you are -- if you can keep your
submissions brief, perhaps that will help everybody to
stay focused, so we’ll let you do that.
Proceeding Time 9:44 a.m. T9
MR. ANDREWS: All right then, and in terms of order,
shall I go first then?
MR. CRAIG: David Craig, Commercial Energy Consumers.
Madam Chair, we don’t intend to make an opening
statement, so we will go to questions and answers.
THE CHAIRPERSON: How about BCOAPO?
MS. SADREHASHEMI: Lobat Sadrehashemi for BCOAPO, we can
make a few statements.
THE CHAIRPERSON: Mr. Andrews please proceed.
SUBMISSIONS BY MR. ANDREWS:
Thank you. The B.C. Sustainable Energy
Association and the Sierra Club of B.C. members are
ratepayers of FortisBC Energy as natural gas
customers. And to the extent that the company is
arguing consistency with its Fortis Electric, there
are members of my clients in the Fortis Electric
service territory.
Significantly among the membership that are
represented are non-individual ratepayers. That is
ratepayers that are incorporated either as companies
or institutions or non-profit organizations, societies
and so on.
In terms of the application I just want to
say that my clients are not approaching this
application from a perspective that is ideological or
paranoid. The intention is to be strictly practical
and it was on that basis that the IRs were made and
the responses to the arguments that we made.
I’ll just itemize four items that are sort
of on the top of my list by way of kind of
introduction to the questions. One is, I think it
would be useful to confirm what the company’s position
is regarding the original order request. That is,
it’s new that the order requested is the revised order
because in the way the submissions were left the
company had asked for the original order and only in
the alternative the revised order. So if the original
order requested is still on the table then I will have
a lot of comment and question and submission on that
order. If it’s not on the table, that might save time
if we knew that now.
THE CHAIRPERSON: That would help everybody. So Mr.
Curtis, can you perhaps set the record straight there
or Mr. Swanson?
MR. D. SWANSON: It’s Dennis Swanson. I can confirm that
the request is now the alternative relief.
MR. ANDREWS: Thank you. My second topic then, well let
me -- is the -- the company had characterized the
concerns that my clients and other interveners raised
as being privacy concerns. And then there’s a kind of
a switch goes on in that the company says privacy
means as defined under the B.C. Privacy Legislation,
and that excludes protection for corporate customers.
And I’m a bit disappointed in the Fortis presentation
there was no acknowledgment of that. That was the
subject of an information request. It’s clearly an
important issue. The company is proposing to protect
the privacy of individual customers and it’s saying
that it’s proposing not to protect the same interests
as applied to corporate customers. And I’m -- I hope
that you would be willing to change your approach on
that and replace individual customers with customers
period in what you're proposing.
THE CHAIRPERSON: Does FEU wish to respond to this?
MR. T. SWANSON: Sure. Tim Swanson. In regards to the
way we protect information, it is the same whether
it’s personal or corporate information, it is all
protected in the same way. I agree we didn’t
recognize that in the presentation, but just to be
clear, we don’t treat corporate data differently than
we do personal information from a security
perspective, from a privacy perspective.
MS. PRATCH: From a privacy perspective, the privacy
legislation only applies to the information of
individual -- or of information that is identifiable
about an individual. So the original concerns that we
read about from the original order, as well as a
number of the information requests and submissions,
dealt specifically with privacy concerns. And we
attempted to address those concerns by specifically
referencing the privacy legislation and the processes
that we put in place with respect to individual, the
information of individual customers.
Certainly I don’t think we’re suggesting
that we would not maintain confidentiality over the
information of industrial or commercial customers as a
result of that. But, you know, the privacy
legislation itself only applies to that of
individuals.
Track 10
Proceeding Time 9:50 a.m. T10
MR. ANDREWS: So, rather than engaging in --
THE CHAIRPERSON: Mr. Andrews.
MR. ANDREWS: Do you want me to identify myself every
time I ask a question?
THE CHAIRPERSON: Well, maybe our -- no, it’s all right
is it?
All right thank you. Only when you start.
Thank you.
MR. ANDREWS: Let me -- first of all the questions that
my clients asked were never framed under B.C. Privacy
legislation. It was Fortis that introduced privacy
legislation terminology as a response to the
questions. The concern was always of customers,
whether they were individual or corporate.
And so I guess what I am hearing is a
willingness, and you've said that the customers are
treated the same way. If that's the case, then would
Fortis be amenable to the same protection applying to
customers regardless of their individual versus
corporate status?
MR. T. SWANSON: Tim Swanson. In the Exhibit B-8, the
evidence on alternative relief, we specified that we
were going to protect any sensitive data with the
level of protection we have for all of our data. So
if we -- corporate data would be considered sensitive
as well, it would be protected from a security
perspective in the same way.
COMMISSIONER MACMURCHY: Who determines what’s sensitive?
MR. T. SWANSON: I knew that question would come up. Tim
Swanson again.
Sensitive is a difficult term to analyze
and I think that’s why we use more of a blanket
technology for all of our data stored outside of
FortisBC data centres. We go back to our application,
we keep all of our data that we store outside of
FortisBC data centres encrypted. We don’t discern
whether it’s -- whether it’s particular to personal or
such.
That being said, it’s most cost effective
just to encrypt everything that is stored outside the
FortisBC data centres unless in such a case where we
said that the identification is a more appropriate
means for the means of using it for analytics and
other uses, in which case personal information is the
key there and we remove it by de-identifying.
COMMISSIONER MACMURCHY: Let me just ask one further
question, and I am sure Mr. Andrews might have asked
it anyway, but I guess -- the problem we’ve got to
wrestle with is we’ve got to make a decision and give
an order at some point in time. And I guess my
question to you is, if in that order we specify that
corporate information will be treated with the same
level of privacy and security as personal information,
would that be a problem to FortisBC?
MR. D. SWANSON: It’s Dennis Swanson. Generally speaking
no it wouldn’t, and if I might offer a suggestion. In
the new order granted slide, in that first bullet
where it says "permits the FEU to store data about
customers that would otherwise meet the definition of
personal information outside of Canada if it is either
de-identified or (b) encrypted", we could say "permits
the FEU to store data about customers outside of
Canada if it is either de-identified or encrypted."
If that would assist.
COMMISSIONER MACMURCHY: Thank you. Go ahead Mr.
Andrews, sorry to cut you off there.
MR. ANDREWS: I appreciate that, and I don’t know that we
need to get into the wordsmithing at this point, but I
think that the concept is clear and that is a major
concern of my clients coming into this discussion.
The second, the kind of general area, is
that the company appears to have glossed over in the
focus on unauthorized access, which is a legitimate
major area of concern, the whole area of authorized
access to data. And in particular the United States
authorization processes, plural, for accessing
information that hasn’t been addressed early on and
even now I got the sense -- first of all during the
presentation I didn’t hear this, but then in Dennis
Swanson’s summary I heard this acknowledgement that
authorized government access -- that government access
should not be a problem because only encrypted or de-
identified information would be available.
So my clients are very concerned about the
information both that relates to themselves as
customers and about the utility itself as a matter of
public interest. Being stored in a location where
it’s accessible to U.S. government authorities
according to U.S. government rules, which as a
generalization are secret, sweeping and powerful.
They could collect the entire data of Fortis’s utility
operation as a matter of national security and they
routinely do acquire data on that type of scale, and
no one would know that it had even been done because
the regime itself makes it illegal for someone to
acknowledge that data has been acquired or accessed
under these regimes.
Proceeding Time 9:56 a.m. T11
MR. ANDREWS: So from that perspective, there remains a
concern, that data stored outside of Canada is
qualitatively different than data stored inside
Canada. And so I guess I’m open to your response to
that.
MS. PRATCH: It’s Monic Pratch. Thank you, Mr. Andrews.
And I think we’re talking about two scenarios. The
first scenario is where FortisBC uses some sort of
hosted solution, or moves the database down to the
United States, or does something of that nature. And
that’s certainly not something that we’re suggesting.
The two scenarios I kind of want to refer
to is, the ability for the U.S. government or any
foreign government to be able to compel the disclosure
of data that’s held within Canadian borders. So the
encryption keys themselves. And I think that we’ve
shown, certainly in the evidence and that we accept
the position of the Office of the Information and
Privacy Commissioner, that the real concern is that if
we were storing that data in the United States, or if
we were an American company that was -- or we were
owned or controlled by an American company that would
have the ability to reach up to Canada and pull down
those encryption keys.
MR. ANDREWS: Your response is addressing encrypted data,
but the requested Order is that Fortis be able to
store outside of Canada all data that is not covered
by the customer exception. You’re asking that apart
from information that’s associated with a customer,
and we’ve discussed whether that includes individuals
as well as companies; you’re asking that all the rest
of the company’s information should be allowed to be
stored in the United States without encryption.
MS. PRATCH: Certainly --
MR. ANDREWS: That’s what you’re asking. And if I’m
wrong about that, tell me.
MS. PRATCH: Thank you. It’s Monic Pratch again.
Certainly we’re not suggesting that immediately after
an Order is granted we would start moving large
volumes of data down to the United States. We’re just
asking for the ability to look at potential solutions.
And those solutions would still need to meet all of
the security requirements that FortisBC has,
regardless of where that data is stored. So they
would still need to go through a complete security
assessment, they would still need to follow all of the
protocols. They would still need to have the same
level of protection around that data that FortisBC
currently uses for all of its data.
MR. ANDREWS: Would you agree with me that all of the
security that we’ve been told about to this point does
not relate one iota to authorized government access?
Everything that Mr. Swanson and Ms. Pratch said
relates to preventing unauthorized access to
information.
MR. D. SWANSON: It’s Dennis Swanson. We’re a little bit
confused, because our position is, there is no
authorized government access from foreign governments
to our data.
MR. ANDREWS: Well, if you store the data in the United
States, are you disagreeing that the United States
government has legal authority to acquire access to
that data in a number of different regimes?
MR. D. SWANSON: We -- what we -- I think I understand.
I think I understand the issue here.
If I’m interpreting you correctly, what
you’re alluding to is if we stored, let’s say,
critical asset information down in the States that
isn’t customer information, and we didn’t encrypt or
de-identify that data, then the government has access.
Is that an example of what you were referring to?
MR. ANDREWS: The question that -- the fact is, and you
can tell me I’m wrong about this, that the U.S.
government has the authority to access gov -- to
information that’s within its jurisdiction, and that
would certainly include present on servers in the
United States. Whether the information is encrypted
is another whole level, but they can acquire that
information.
MR. CURTIS: But we’re drifting a little bit here into
legal argument. These guys aren’t here to talk about
U.S. foreign laws. We stated in an IR, I think it was
BCUC 1.4.1, we gave the statement that data in a
foreign country could be subject to foreign laws.
These guys can say that. They’re not going to argue
about specific foreign laws or make legal -- you’ve
got to -- that’s fair.
MR. ANDREWS: But I -- so, fair enough. So let’s --
MR. CURTIS: Absolutely. If we can start with what we
said in BCUC 4.1 and then you can ask them questions
around the facts, I think that’s fine. But these guys
aren’t going to get into legal argument on this stuff.
The word is “restrained” here --
MR. ANDREWS: The ultimate issue -- but the issue that
I’m trying to address here is not the legal nuances of
the American government’s mechanisms for gaining
access. But let’s -- Fortis has acknowledged that the
U.S. government has the ability to, in an authorized
way, access information that’s in the United States.
Am I right there?
MR. CURTIS: Fortis has said that data --
THE CHAIRPERSON: If you could --
MR. CURTIS: Sorry. David Curtis. Fortis has said that
data in a foreign jurisdiction could be subject to
foreign law.
MR. ANDREWS: So Fortis is now asking for the -- like
Fortis currently is not allowed to store
information outside of Canada.
MR. CURTIS: Yes.
MR. ANDREWS: And it’s asking that that restriction be
removed, and let’s set aside information to do with
customers. Fortis is asking that it be allowed to
store information, not to do with customers, in other
countries including the United States, correct?
Proceeding Time 10:02 a.m. T12
MS. PRATCH: It’s Monic Pratch. I think what we’re
asking for is the ability to consider different
alternatives, which may involve the storage of
information outside of Canada. Certainly we haven’t
completed a full security risk assessment around any
individual project. So no, we’re not asking to store
specific information outside of Canada at this point.
MR. D. SWANSON: In addition -- it’s Dennis Swanson. In
our evidence we also refer to the fact that we apply
our security and our protection, including encryption
and de-identification, to sensitive data. Not just
customer data, but sensitive data is not a term that’s
defined anywhere. So we apply that level of security
to our data regardless where we store it. So the
information that I believe Mr. Andrews would be
referring to, if it’s sensitive in nature, would be
encrypted and de-identified. What we haven’t done is
gone through every type of information the company has
and try to identify this is how we handle each type of
data. But yeah, we do provide that level of security
over all of our data.
MR. ANDREWS: From what Ms. Pratch was just saying, if it
isn’t clear yet what exactly the company would be
doing with data, and setting aside the customer data,
then is it reasonable that anything that the company
did end up actually proposing come back to the
Commission for approval?
MR. D. SWANSON: It’s Dennis Swanson. I believe we
addressed that as well in the presentation. Both
Monic Pratch spoke to it and I did as well. And that
is it’s not like we’re looking at transferring all of
our data into the States. These are small little
initiatives. And if we were to come back with each
small little initiative, the cost of doing so,
preparing an application, would simply outweigh the
benefits. So we’d restrict the amount of benefit
that’s available to customers.
We believe we’ve got strong processes in
place to protect our data. We believe we have the
expertise in-house to make that analysis of what data
is sensitive to the company and to customers, and we
do make that analysis. This isn’t a new step for the
company. This is something we take very seriously.
We’ve had these processes in place for years. We
don’t believe the risk changes with the storage
location of the data.
MR. ANDREWS: Well, let me come back to that aspect of
it, because you’re asking the Commission and the
parties in terms of their support to trust Fortis’s
approach, but I have great difficulty if the company
is so resistant to acknowledging that information
stored in the United States is accessible to the U.S.
government, and that that is at least an issue that
needs to be considered, then I have trouble with the
concept that decisions about that data should simply
be left to Fortis without supervision of the
Commission. Give a response to that?
MR. D. SWANSON: Dennis Swanson again. That is
considered. That is absolutely considered. And any
data that we believe is sensitive is encrypted and de-
identified. So even if foreign governments did get
access to it, it’s meaningless. It’s a listing of --
MR. ANDREWS: But if I may, you’re not -- you’re
specifically proposing that you be allowed to store
data, apart from customer data, outside of Canada in
an unencrypted way. The conditions about encryption
that you’re proposing for customer data don’t apply to
any other corporate data. Now, you’re saying, “Trust
us, we’ll know which data to encrypt and which not.”
And in the context of the kind of the new information
realities and concerns, that strikes me as a very big
area in which to give the company carte blanche to
take utility data and make it available to the U.S.
government.
MR. D. SWANSON: Dennis Swanson again. Again what we are
saying is let us manage the company. We have the
expertise in-house to determine what data is sensitive
and not sensitive. We do that on a regular basis
regardless of where we store data. We want to apply
the same rigour that we currently apply and that we’re
experts on applying, and protect data on behalf of the
customers and on behalf of the company. Protecting
that data is important to us.
MR. ANDREWS: So the company has acknowledged that it’s
no longer seeking the original remedy, so I won’t go
back to that. But I do think it’s relevant that
throughout the course of this whole proceeding, the
concerns about the protection of the information have
been met -- have been raised by parties by information
requests and Commission Staff, and then Fortis has
responded. There was nothing in the original
application that said anything about encrypting any
data.
Proceeding Time 10:08 a.m. T13
It was just let us dismiss the data
retraction and now -- so now we’re looking at the
particular area of the non-customer utility data --
and let me put it to you this way. One of the things
that was asserted by the company early on is that
these information technology market solutions that
required information to be stored outside of Canada
that were blocked because of the existing restriction,
were not available in Canada. That the restriction
had to be removed in order for the company to have
access to the cost savings that would accrue from
these new data management solutions.
So my question is, is that still the case?
Exhibit A-2-1 shows that there is at least some Cloud
storage being proposed to being posted within Canada.
So what about that? Why can’t Fortis use Cloud storage
and innovative class saving information technologies
that are hosted in Canada?
MR. T. SWANSON: Tim Swanson. You’re referring to the
Microsoft data centres being put in Canada?
MR. ANDREWS: Yes.
MR. T. SWANSON: I actually met with Microsoft yesterday
regarding that offering. It’s a good example of where
they’re trying to market to Canadian people. They
position the data centres in a location outside of
western North America.
And I would also like to point out that
this is one example of services that we look at.
There are a lot of smaller solutions that we consider
as well, that are for specific services, that the
economies of scale aren’t there to offer them outside
of the United States in some cases or possibly other
jurisdictions. So it’s really, it’s really just one
example of what’s happening. And we can’t anticipate
that all organizations that have services that we’re
considering are going to start locating their data
centres in Canada. It really comes down to what their
market looks like. So that’s one example.
The other piece of that was the Microsoft
data centres in Eastern Canada, according to
Microsoft, may have latency issues for Western Canada,
and they still recommend using the Quincy data centres
for their services in Western North America because of
some latency issues there may be. We don’t know yet.
We will find out, but those are a lot of the concerns
that have come up.
And so you're aware, when they build data
centres like this they generally structure them in
such a way that they’re positioned around internet
hubs, and the internet hubs provide the performance
that you need for these Cloud services. Unfortunately
in Western Canada we don’t have the population for
some of the organizations to consider us for data
centres, but that’s some of the reasons I got from
Microsoft.
MR. ANDREWS: Would you agree that one of the reasons
that Microsoft claims to have located the proposed
centre in Canada is because there is a market for
information services by customers that want their
information to stay within Canada?
MR. T. SWANSON: Yeah, so in the article they talked
about -- you’re right servicing some of those clients
that have certain restrictions. Those clients don’t
necessarily have the same restriction we’re talking
about here, but there is -- that was one of the
reasons they put out there. And, you know, it’s
really a marketing position for them.
MR. D. SWANSON: It’s Dennis Swanson. In addition, I
don’t believe Microsoft had taken the position it’s
not going to use its back-up data centres that are in
the United States for back-up of that data. They
typically store back-ups in various locations. This
is a primary data centre only, it’s not a chain of
data centres.
MR. ANDREWS: So if that was the case then, the marketing
that was pitched to customers that required data to be
stored within Canada would not be accurate, is that
what you’re saying?
MR. D. SWANSON: Dennis Swanson again. The data would be
stored in Canada, but it may be backed up in the U.S.
as well. I can’t speak to Microsoft’s marketing.
MR. T. SWANSON: Tim Swanson. Can I clarify a little bit
for you, Mr. Andrews?
MR. ANDREWS: Please.
MR. T. SWANSON: Microsoft hasn’t settled on what their
architecture is going to look like finally, but to
Dennis’s point, Microsoft bases their reliability on
connecting all of their data centres, so that they can
use them for resiliency and redundancy. They haven’t
settled on what infrastructure looks like. I am not
sure what kind of negotiations they would have with
clients regarding where their data is going to be --
where the back-ups may be stored. So that’s something
that is kind of yet to be determined.
MR. ANDREWS: So if the Commission was to decide not to
remove the restriction to the extent that Fortis could
just put data into storage places outside of Canada,
it would be solutions like this Microsoft one that
would be available depending on what the responses
from the suppliers were to the requirements of
Fortis’s RFP.
MR. T. SWANSON: Tim Swanson. FortisBC, on its own,
generally doesn’t have -- would not be enough of a
market share for most organizations to consider
putting in a Canadian data centre. If that’s the
question you’re asking.
Track 14
Proceeding Time 10:14 a.m. T14
MR. ANDREWS: No, that wasn’t what I intended to ask.
I’m sorry.
MR. D. SWANSON: Dennis Swanson. I believe you’re asking
that if the Commission did not grant the Order
requested, would FortisBC be able to consider the new
Microsoft data centre located on the east coast of
Canada as an option? And the answer to that would be,
yes, we’d be able to consider it, assuming they didn’t
back-up data into the U.S., and assuming there weren’t
latency issues, but yes, it would be one we’d be able
to consider.
But again, you have to remember, this
wasn’t a request about a Microsoft data centre, or
about Cloud service. This was a request to allow us
to consider options that would be for the benefit of
customers in general. That was but an example of
that.
MR. ANDREWS: So, speaking of examples, one of them was
Office 365, that Fortis provided as an example, that
at the time FortisBC said was only available in --
hosted by servers located in the U.S. And now
Microsoft has said it’s going to have servers located
in Canada that are at least marketed for customers
that want to have their data stored within Canada. Is
that a fair statement?
MR. T. SWANSON: Yes.
MR. ANDREWS: So would you agree that the availability of
services -- electronic services that meet customer
concerns to do with the location of the storage of the
data is changing rapidly?
MR. T. SWANSON: Tim Swanson. I agree, technology does
change very rapidly, and that’s actually one of the
reasons that we put this application in. Again,
Microsoft is one of the examples we used. And there
are a number of nuances around that opportunity in
Canada that we’ve discussed a little bit. With the
changes in technology also comes the ability for
organizations, data storage organizations, to build
affiliations with U.S. counterparts. There could be
cost of service reasons that they go to U.S.
providers. You could even see Canadian organizations,
potentially, this is hypothetically, looking at
partnering with U.S. organizations for storage
facilities. And the only reason I bring this up is
that you referenced technology and the ever-changing
technology, and you’re exactly right, Mr. Andrews.
Technology is changing all the time, and that’s one of
the reasons that we put this application in. Because
of some of the services we use, that we could
potentially use, you know, that that’s a reason we put
this in, so we could consider some of those services.
Like I said, Microsoft was only one example.
MS. PRATCH: It’s Monic Pratch. Just to add onto that, I
think it’s really important to understand, as I’m
listening to the examples and the situations we’re
talking about, I think it’s really important to
identify that regardless of whether we’re talking
about Microsoft or any other provider, we still go
through the same policies and rigour of assessing
whether or not there is a risk, and what those risks
are to storing that data with that vendor. Regardless
if it’s Microsoft’s, you know, servers located in
Canada, in the U.S., or anywhere else. Or whether
we’re looking at storing information on a much smaller
scale, dealing with an individual vendor or a much
smaller project.
Part of that assessment is always going to
be the jurisdiction of which that information would be
stored in. And if that risk was identified as one
that was too great, or if that risk couldn’t be
mitigated in some other way, i.e., encryption or de-
identification, FortisBC wouldn’t proceed with a
project of that nature.
So, you know, Microsoft is a good example,
and it’s recently been in the news, but the number of
projects that Tim and I get asked about with respect
to ensuring that we’re complying with the current
Order are usually on a much, much smaller scale. So
we’re not talking about moving large reams of data,
we’re talking about, you know, wanting to use a very
small -- on a very small project, we’re talking about
wanting to store small bits of information in an
encrypted or de-identified form, to be able to work
within those projects.
So I just want to make the point that it’s
-- you know, it really is allowing us to explore
alternatives, but still making sure that as we’re
exploring those alternatives we’re going through
proper assessments of the risks associated with them.
MR. ANDREWS: Well, I won’t -- I won’t reply to that
argument, thank you. But then let me change the topic
to the -- one of the points that Fortis made in the
application was that removing data restriction would
assist Fortis with using consistent IT approaches
between the Fortis Electric and Fortis Gas. And as
emerged in responses to Information Requests, FortisBC
Electric is subject to a data location restriction
associated with approval of the Smart Meters there.
What do you say about that? Are you -- is Fortis
intending to apply to change the Fortis Electric Smart
Meter data restriction? Or would it -- that just be
carved out of this broader approach?
MR. CURTIS: These folks can’t speak to what FortisBC
Electric is going to be doing with respect to any AMI
data restrictions. They’re not -- they can’t give
that evidence.
MR. ANDREWS: So, that’s -- I mean, can we then say that
the Commission ought not to be looking towards
benefits of combining data, IT facilities between
Fortis Gas and Fortis Electric, as in the benefit
column of this application?
MS. PRATCH: If I could, Mr. Andrews, it’s Monic Pratch.
The FEC -- or the FortisBC Electric data restriction
around AMI data applies to customer information, which
is entirely in line with what the alternative remedy
is asking.
Proceeding Time 10:21 a.m. T15
So the restriction around the AMI data,
it’s customer data and that data needs to be stored
within Canada, period. We’re certainly not suggesting
that we’re making any -- this application is making
any sort of statement about what we would be doing
with respect to that, with respect to that order.
MR. ANDREWS: Well, this application is to be able to
store customer data in encrypted form outside of
Canada, which would be contrary to the Fortis Electric
CPCN for the Smart Meters.
MS. PRATCH: It’s Monic Pratch.
MR. ANDREWS: It’s not a legal question.
MS. PRATCH: Mr. Andrews, it’s Monic Pratch. I agree
that that order does deal with customer information in
the electric context. I think what you’re referring
to is -- what we’re referring to is information
outside of that AMI data. We’d like to be able to
treat FortisBC gas data the same way that we’re
allowed to treat FortisBC electric data that is not
AMI data.
COMMISSIONER MACMURCHY: Can you explain to me what that
is? I mean, I read -- I went back and -- as a result
of your response to the IR, I happened to sit on that
AMI, interesting proceeding. And I was quite
intrigued with your interpretation because the wording
that was used in the Commission determination made no
reference to AMI data whatsoever.
So how do you interpret -- it just said
customer information, period. So I’d like you to
explain to me what customer information isn’t covered
or what information isn’t covered by the direction
that was put forward at that time.
MR. CURTIS: I’m going to ask for a bit of clarification.
Are you asking her to interpret the AMI decision or
the AMI --
COMMISSIONER MACMURCHY: I’m asking her to interpret the
response that she made -- that was made in an IR that
was sent to the -- well, that was asked by the BCUC.
I can give you the IR number. And I just don’t
understand that response in the context of the words
that was laid out in the decision. So if you could
elaborate on that, that would be helpful to me.
THE CHAIRPERSON: It might be better for everybody’s
benefit if we take a break now, and then the FEU
group, you have time to look at the reference by
Commissioner MacMurchy, and then you’ll return and get
back to the question.
So it is now 25 after -- ten minutes, is
that good? Right. Ten minutes break please.
(PROCEEDINGS ADJOURNED AT 10:25 A.M.)
(PROCEEDINGS RESUMED AT 10:38 A.M.) T16
THE CHAIRPERSON: Good to go.
So back to Commissioner MacMurchy’s
question. Do you want to repeat it or --
COMMISSIONER MACMURCHY: Do you need it repeated?
MS. PRATCH: I’m okay, thank you.
THE CHAIRPERSON: You know what the question was, all
right.
MS. PRATCH: Thank you. It's Monic Pratch.
I’ve had an opportunity now to review our
response and the question with respect to BCUC IR
1.8.1, and I just want to make this statement that
that particular sentence within the order needs to be
taken in the context of the order itself. And the
concerns that were addressed in that hearing were
namely around data as it was collected by the AMI
system, and as a result, you know, it’s our position
that that particular sentence refers to AMI data or
data that’s collected by the AMI system.
COMMISSIONER MACMURCHY: What data would be excluded?
MS. PRATCH: Just --
COMMISSIONER MACMURCHY: -- personal information.
MS. PRATCH: Monic Pratch. Just by way of an example,
for example say there’s energy efficiency information
that was collected by our power sense group on
particular -- in order to provide energy analytics or
to provide energy saving tips, for example, to a
customer. That’s not data that is collected by that
AMI system or runs through that. It wasn’t the
subject of that particular application or order, and
as a result I don’t think that that particular
sentence or that particular order would apply to that
data itself.
COMMISSIONER MACMURCHY: Well, I guess I was -- one of
the things that caused me to question this a little
bit is that there was another statement in that
particular finding that said -- well, let me ask
another question a different way.
Does Fortis, the gas company and Fortis the
electric company have different privacy policies?
MS. PRATCH: Monic Pratch, no.
COMMISSIONER MACMURCHY: In the same determination in the
AMI decision there was a direction that the privacy
policy be updated to reflect that customer information
should be stored in Canada only. Could you direct me
to where that has taken place? I looked on the
website yesterday and I couldn’t find any change to
the privacy policy since that time.
MS. PRATCH: When we looked at the current privacy policy
and that privacy policy applies to FortisBC Energy
Inc., to FortisBC Inc., to all of the FortisBC group
of companies that exist. And as a result, because the
statement doesn’t say we will store your information
outside of Canada or we do store your information
outside of Canada, but uses language that says “we may”,
we wanted to make sure that that policy was consistent
for our customers. And so we don’t feel that the AMI
order is inconsistent with the current policy in
place.
COMMISSIONER MACMURCHY: You were given a specific
direction in that decision to do something. I have
not seen any application asking for relief from that,
so I guess my question is have you -- is it Fortis
policy when you don’t agree with something that -- a
determination, that you just ignore it?
MR. CURTIS: I really have to respectfully intervene here
because you’re -- I think the initial questions around
the AMI decision and what was raised in the IR are
fair, they deal with stuff on the record here. But
you’re now asking a witness in a FEU proceeding to
talk about an FBC matter. We’re not here prepared to
speak to that at all, especially the types of
questions you’re asking right now. So I don’t think
we should be going there.
COMMISSIONER MACMURCHY: I guess, let me -- I recognize
that I don’t need to pursue that further. But my
expectation was that if an order had been given to
Fortis Electric to amend the privacy policy, by
looking at that amended privacy policy I could have
understood better what you were saying in response to
8.1, which is what customer information or what
information you see can be stored in Canada and what
won’t be stored in Canada. I went to try and do that
and I was not able to do that.
So I was just asking the question is, is
there something that had -- that I’ve missed that
would help, would have helped me in terms of any
changes you made to your privacy policy as a result of
previous decisions by the board -- the Commission?
MR. CURTIS: Again, I think we’re still -- we’re really
on a FBC side of the fence with that question. The
point is taken, but again, these folks are here to
speak for FBC today, they’re here to speak for the FEU
on this application. And I just -- with the greatest
respect, I don’t think that that’s -- that we should
be going further with it.
Track 17
Proceeding Time 10:44 a.m. T17
COMMISSIONER MACMURCHY: I guess my question, then, is a
little one, it’s related to something else. I might
as well put it on the table now.
You stated that in response to -- I can
give you the IR number. BCUC IR 1.7.3, that FEU does
not share platforms with other Fortis companies
outside of B.C., like the subsidiaries that Fortis
Inc. has in the United States or the Caribbean. But
you do share platforms with FBC, which actually you’ve
been encouraged to do in order to provide efficiencies
and cost savings. Is that correct?
MR. D. SWANSON: Dennis Swanson. Yes, we share some
platforms but not all.
COMMISSIONER MACMURCHY: Okay. And I guess the question
I really had, and it was what I was leading up to in
some of the other things, is there any danger that if
your request is granted by -- to lift the restriction
on FEU, that you could inadvertently put FBC offside
by -- in terms of violating the provisions that were
imposed in the AMI decision?
MR. T. SWANSON: Tim Swanson. As I pointed out in my
component of the presentation, we would not do
anything that would contravene existing orders or any
legislation. So, certainly we would consider anything
in other orders to be part of our consideration when
considering services.
COMMISSIONER MACMURCHY: So, could you, then, since you
wouldn’t do anything that would do that, can you
explain to me what data, then, you see you would be
restricted in using in terms of a shared platform that
you might have with FBC?
MR. T. SWANSON: Commissioner MacMurchy, can you repeat
that one more time? I want to make sure I answer your
question.
COMMISSIONER MACMURCHY: That is my question, it’s really
quite simple. You made a statement on how FEU is
interpreting a decision that was made with respect to
FBC. And I don’t think it’s -- and I agree with Mr.
Curtis that this probably isn’t the place to debate
whether that interpretation is agreeable to the
Commission or not. But having said that, the real
question is, do you know what data is subject to a
restriction in FBC to make sure that if you were to do
something that you wouldn’t be inadvertently getting
offside with your Fortis Electric restrictions.
MR. T. SWANSON: Tim Swanson. I totally understand your
question. Yeah. We certainly do understand our data
and what restrictions are around particular data. I
think that’s always part of our security and privacy
assessment process. So, yes, we do understand the
restrictions around particular data, that are in both
of our systems. If that’s the question you’re asking?
COMMISSIONER MACMURCHY: And so, I think I’ve beat this
horse just about to death. So I’ll stop it. Thank
you.
THE CHAIRPERSON: Back to Mr. Andrews, then.
MR. ANDREWS: Thank you. Let me, I guess, to a certain
extent follow up. On the topic of Fortis Electric and
Fortis Gas having the same privacy policy, can you
confirm or explain otherwise that Fortis’s privacy
policy applies only to customers that are individuals
and not to corporate customers?
MS. PRATCH: It’s Monic Pratch. Yes, I can confirm that.
MR. ANDREWS: So if the Commission was looking to the
privacy policy as a method of protecting the privacy
interests of corporate customers, Fortis policy in
that respect would have to change.
MS. PRATCH: It’s Monic Pratch. The privacy policy has
been put in place, one, as part of our governance
structure; but two, in specific compliance with the
Personal Information Protection Act, which requires us
to have a separate privacy policy relating to the
information that is governed by that Act. So it’s
partially a legislative requirement and it’s also part
of our governance structure.
MR. ANDREWS: So would there be any problem with
expanding the privacy policy so that it covered the
interests of corporate customers?
MR. D. SWANSON: It’s Dennis Swanson. I would suggest
that we wouldn’t change our privacy policy, because,
again, privacy policy has implications with respect to
certain Acts.
What we had suggested, though, when we had
this discussion earlier, is maybe change the word of
the Order to instead of saying “personal information”,
to say “customer information”.
In addition, our customer information
that’s within our systems really doesn’t
differentiate, whether you’re a commercial customer or
residential customer. So we treat it all the same
anyway. So the same level of protection over a
residential customer exists in our systems over a
commercial customer. Because we don’t parse the data
and say, “You’re a residential customer so your
information goes down this path, and you’re a
commercial customer so your information goes down this
path.” It’s just customer data and it’s treated the
same.
Proceeding Time 10:50 a.m. T18
MR. ANDREWS: So from the point of view of the interests
of corporate customers, they are kind of free riders
on the individual customer privacy policy.
MR. D. SWANSON: Dennis Swanson again. Not with respect
to the privacy policy, but with respect to our data
security, yes.
MR. ANDREWS: And with the privacy policy they’re simply
not covered whatsoever.
MS. PRATCH: It’s Monic Pratch. Correct. With the
privacy policy they’re not. But we also have other
policies in place within the organization that govern
confidentiality of information and govern data
security, and I’m sure Tim can speak to a few of those
as well. So it’s not as if there’s no policy in place
that governs commercial or industrial customers.
MR. ANDREWS: Is there any policy that governs corporate
customers that covers the same issues that are
addressed in the privacy policy that applies to
individual customers?
MS. PRATCH: It’s Monic Pratch. I think it would depend
on the -- it would depend on the specific sections
that you’re interested in. If you’re talking about
data security, ways that we protect information, all
of those things, absolutely we have policies in place
that govern that for all customers and all data. If
you’re talking about would sections of the Privacy
Policy that are specific legislative requirements
necessarily apply to commercial or industrial
customers, I think not, because the Privacy Policy
itself -- privacy itself by nature is with respect to
individuals.
MR. ANDREWS: So that actually wasn’t my question.
MS. PRATCH: I apologize.
MR. ANDREWS: Privacy as defined provincially as
individuals, but to the extent that under the
Utilities Commission Act the Commission is concerned
about, and I’ll use the term “privacy” not in a legal
sense of restricted to individuals, the privacy
interests of corporate customers.
The question is, does Fortis have a policy
that addresses the same thing for corporate customers
that the privacy policy addresses for individual
customers? And I think what I’m hearing is the answer
is no, but there’s some other policies that maybe
help.
MR. D. SWANSON: It’s Dennis Swanson. I think our
challenge here is, and we’re not trying to be evasive.
It’s when you say “the same thing”, is the privacy
policies as they apply to individuals encompass a lot
of things.
MR. ANDREWS: Yes.
MR. D. SWANSON: And a lot of those things are
legislative with respect to the protection you have to
have over privacy legislation.
MR. ANDREWS: Well, let’s just start with one of the
opening statements of the Privacy Policy, is that
“Fortis takes your privacy very seriously.” Now, that
policy does not apply to corporate customers. And I’m
saying, does Fortis have a policy that says, “We take
the privacy of you, the corporate customer, very
seriously”?
MR. D. SWANSON: Dennis Swanson again. We have
information security policies which cover all data,
which would include this -- corporate customers, which
provide, I don’t want to say the same protection that
privacy legislation provides because privacy
legislation is very specific, but it provides the same
-- it provides the protection over the disclosure of
that information and the access to that information
for other sets of customers and for our data in
general.
MR. ANDREWS: On page 3 of the notes for today, the
purpose of the application, the last bullet on the
page is to have operational consistency across
FortisBC Utilities. Is that a reference to Fortis
Electric and Fortis Gas?
MR. D. SWANSON: Generally speaking, yes.
MR. ANDREWS: And beyond generally, what would that -- is
that including other Fortis entities than those two?
MS. PRATCH: Oh, I’m sorry, Mr. Andrews, could you just
repeat that last question?
MR. ANDREWS: Okay, let’s just start with what does
FortisBC Utilities include in this context?
MS. PRATCH: It’s Monic Pratch. I think all of the
FortisBC Utilities. So FortisBC Energy Inc., FortisBC
Inc.
MR. ANDREWS: FortisBC Alternative Energy Systems?
MS. PRATCH: Yes.
MR. ANDREWS: Any residual Fortis Energy (Vancouver
Island) if it existed and --
MS. PRATCH: So now that amalgamation has -- sorry, it’s
Monic Pratch. Since amalgamation, all of those
utilities, Whistler, Vancouver Island, and FortisBC
Energy Inc., have been amalgamated into one. So yes,
it would have included those former utilities now
captured by the FEU.
COMMISSIONER MacMURCHY: And just so that we are
(inaudible).
MR. ANDREWS: Yes, and just so that we are clear, is Fort
Nelson included in that?
MR. D. SWANSON: Dennis Swanson, yes. The intention here
is all the FortisBC related utilities in B.C.
Proceeding Time 10:55 a.m. T19
MR. ANDREWS: So, how would the -- the purpose of the
application is, among other things, to have
operational consistency among the FortisBC utilities.
And let’s focus on Fortis Energy, FortisBC Energy and
FortisBC Electric. Am I right that -- I don't know
how to put this. How do you see achieving operational
consistency with Fortis Electric IT concerning
customer data that is affected by the Commission's
data restriction applicable without getting into the
content of that restriction? But how do you see
Fortis Gas dealing with that restriction and yet
achieving operational consistency by the granting of
the order?
MR. T. SWANSON: Tim Swanson. In regards to operational
efficiencies between inter-organizations, the
particular order I believe you’re referring to is
specific around customers. We segregate our customer
information currently between the two, the electric
and gas utilities. So it’s clear and defined
definition between the two. There’s many other
services that are offered that we could, we could
share and be consistent on. Is that the question you
asked?
MR. D. SWANSON: Dennis Swanson. Also adding to Tim
Swanson’s comments, it doesn’t say treat all data
identical in every system. It says look for -- we’re
talking about operational efficiencies. So there’s a
lot of non-customer data that’s affected by the
current data restriction order, where we can treat
information -- we could treat information consistently
if the restriction were rescinded.
MR. ANDREWS: I want to ask a question that -- before you
answer Mr. Curtis may want to address, because I’m not
sure whether this goes back too far into the AMI
certificate. But there were questions about what
types of customer data, but to do with FortisBC
Electric, would not be covered by the data restriction
and would therefore be subject to consistency or
initiatives that engaged or produced consistency.
My question is, would an example of that
type of data be customer credit information and
payment information that doesn’t flow through the AMI
meter?
MR. CURTIS: David Curtis. Again, I don’t think my -- I
don’t think the folk here should be going any further
on the interpretation of the AMI decision today.
That’s not why they’re here. They’re not FortisBC
Electric, so.
MR. ANDREWS: I will leave it at that then.
Thank you, those are my questions and I
certainly look forward to the other questions and
submissions and the discussion that we will have
later. Thanks.
THE CHAIRPERSON: So over to Mr. Craig next.
MR. CRAIG: Yes, David Craig, Commercial Energy
Consumers.
I want to start with BCUC 1.4.1, which you
have previously referenced. And talk about the
question of authorized access in another jurisdiction.
And I accept that you can’t talk about what the laws
in foreign jurisdictions may or may not do. But I
can, I think I can get you to confirm that if the data
is stored in Canada, foreign jurisdictions cannot
compel access to it.
MR. CURTIS: Again, that’s a legal point about
international law. I am going to address that in my
submissions, if that helps.
MR. CRAIG: Okay.
MR. CURTIS: It’s a pure question of law.
MR. CRAIG: So if I interpret BCUC 1.4.1 as authorized
jurisdiction providing the authorization under foreign
laws could allow a foreign government to compel access
to the information, is that also a legal question that
you will address or can they answer that?
MS. PRATCH: Monic Pratch. We can confirm that. And
that’s addressed in the response to BCUC IR 1.4.1.
MR. CRAIG: That’s what I’m reading, is that it “could
compel” access and “could compel” de-encryption.
MS. PRATCH: It's Monic Pratch. I think they could
compel access to data that is stored in the United
States. We would not -- certainly not suggest they
could compel de-encryption or decryption of that data.
And that’s why we’re proposing to store the keys
within Canada, so that that information cannot be
compelled by a foreign jurisdiction.
Proceeding Time 11:01 a.m. T20
MR. CRAIG: Then, is that then a question of law that
you’re going to speak to?
MR. CURTIS: In my submissions I’ll certainly address the
legal issue around the ability of a foreign government
to compel the FEU to release an encryption key, for
example. I’ll speak to that.
MS. PRATCH: And, Mr. Craig, if I may, it’s Monic Pratch.
That is part of the reason that we brought in the
evidence regarding what the B.C. Office of the
Information and Privacy Commissioner has said about
the real risk of a foreign jurisdiction and access by
foreign governments. And really, what she identified
was that the real risk is where you’ve got an American
company that holds the data or you’ve got an American
company with a foreign subsidiary, and that American
company would have the ability to be compelled to
reach in and grab the data from that foreign
subsidiary, bringing it back. And I think we’ve
probably beaten this horse and said that, you know,
obviously because we’re owned by -- an entirely
Canadian-owned and controlled parent company, that
that’s not a risk for FortisBC.
MR. CRAIG: And when you do speak to it with regard to
the legal context, my presumption would be that if the
data questions were in the courts, supreme courts, in
the U.S. jurisdictions, that the answers might be
otherwise. And maybe you could address that when you
come to addressing --
MR. CURTIS: I’m not sure I understand the point you want
me to address.
MR. CRAIG: Whether or not the encryption can be
compelled in order for, say, a clerk to have access to
the information.
MR. CURTIS: Where -- okay, where the encryption key is
held in Canada.
MR. CRAIG: Where the encryption key is held in Canada,
but the data is held in the U.S., and you’re not
speaking to what the laws may or may not do, but I’m
presuming from this that they will have whatever
jurisdiction they put in their laws, and their courts
will have conceivable powers to compel.
MR. CURTIS: I have your point, and I’ll reiterate what
Ms. Pratch has said. Like, we put -- the company’s
characterization of this risk is on the record in
Exhibit B-8. I don't have the section -- I think it’s
3.3.2. That’s our -- that’s Elizabeth Denham’s
description of that risk, going all the way back to
the Privacy Commissioner’s report on the Patriot Act
in 2004. And she’s still saying the same thing in
2014.
So we put that description -- that’s in the
evidence. And that’s really where I want to point
people on this issue. And I’ll speak to it in legal
submissions. But I won’t say much more than that.
I’m not going to go into detail on American
legislation and what it can or cannot do to an
American company. Because the high-level principles
embodied in the Privacy Commissioner’s summary of that
risk capture everything that we need to say on this
topic.
So, I’ll speak to it in submissions. Ms.
Pratch has directed everyone to the way we
characterize the risk. But there won’t be much more
to it than that, because I don’t think there needs to
be.
MR. CRAIG: Good, I’ve got your answer there.
If Fortis Inc. were to change its
jurisdiction, I think you have said today that that
would change control, and that that would potentially
open up a risk potential.
MR. D. SWANSON: Can I -- sorry, Dennis Swanson. Can I
clarify? Are you saying if Fortis Inc. became an
American corporation?
MR. CRAIG: Yeah, to change jurisdiction.
MR. D. SWANSON: Then the applicable laws that would
apply to an American corporation would exist and
therefore, given the evidence we’ve already got on the
record, yes, that would open the door, even if the
data was stored in Canada. So it would open the door
for the U.S. government to access that data even if it
was stored in Canada, would be our evidence.
MR. CRAIG: So just a concluding comment there would be
whether or not you’d have an objection to there being
a subject to immediate notification of any change of
control over the FEU utilities. I’m not expecting
that to occur, but it’s something that you’ve put on
the record would create an access.
MR. CURTIS: I think that’s -- I’d like to discuss that
with my folks here at the break. It’s something I
think we need to just discuss internally and get back
to you on it.
Proceeding Time 11:06 a.m. T21
MR. CRAIG: Yes, no problem. And it’s just covering off
a point that I consider remote, but sometimes things
happen and it’s useful to have remote things covered.
I just want to confirm that the evidence on
the record is that we don’t have a specific business
case with costs and benefits. At this stage your
discussion of benefits and costs is generic for the
purpose of getting open generic approval.
MR. D. SWANSON: Dennis Swanson. Yes, it is. It is a
generic request. And what it will allow us to do, if
granted, is to evaluate by way of -- when we do
tenders, for instance, we could include American
vendors in our tenders where there are certain
instances where we’re not able to do that. So it
would allow us to evaluate whether there was a benefit
in looking at other service vendors, et cetera.
MR. CRAIG: Thank you. Under a grant of the new order,
which is slide 5, the reference in bullet 2 is to meet
the definition of personal information under PIPA, and
in other information you had also the PIPEDA as
another piece of legislation that was applicable.
Should that cover those pieces or is it applicable
only to PIPA?
MR. CURTIS: And that’s a legal question, but I think we
can address that right now. I mean, both definitions
define personal information as information about an
identifiable individual. PIPEDA, I think, has a few
more sub-categories in it and I think it would be
problematic to put two different, slightly different
definitions in one order. And I think that the
preference is to use the B.C. legislation that governs
-- that sort of primarily governs the FEU. It’s just
a much cleaner and more understandable approach going
forward, I think. And Ms. Pratch may even have
something to add on that. She's --
MR. CRAIG: One further question, just to follow up on
that is, do we need to specify the legislation at all?
Personal information will be governed by the
legislation anyway and it’s not necessary for us to
try and specify. And that leads to the further
question that your second bullet point looks like it’s
almost a duplication of the first one, in terms of
referring to personal information.
MR. D. SWANSON: Dennis Swanson. Just to clarify though,
that first bullet, the company has, in dealing with
Mr. Andrews, the company has said they’d be willing to
replace that personal information section with
customer information.
MR. CURTIS: Yeah, so actually that’s a good reminder.
So we have, I think we’ve made that sort of progress
today. So there might be -- we’re going to need to
look at that language a bit going forward. Things
have changed a bit today.
MR. CRAIG: Yeah, agreed, and I’m assuming that it’s
wordsmithing, so I’m just putting on the record that
you may want to consider just boiling it down into the
first one and --
MR. CURTIS: Well, that’s helpful. I’m going to think
about that.
MR. CRAIG: Where you’ve suggested dealing with it as
storing data about customers and then excluding some
of the other material, that would get us into
precluding the discussion that we’ve had about
sensitive information, and you may want to look at it
from the point of view of storing data with regard to
personal information, confidential customer
information, or sensitive information. At least
you’ve been advocating that sensitive information is
one of the criteria that you currently use and that
you would continue to want to use.
MR. CURTIS: Yeah, and again, I think we’ll need to think
about that.
MR. CRAIG: I’m not looking to conclude the wordsmithing.
MR. CURTIS: No, but what’s happening right now is what I
was hoping would happen at the Procedural Conference.
This is very constructive.
THE CHAIRPERSON: It’s the SRP magic?
MR. CURTIS: Yeah. No, this is good. And sorry, Dave
Curtis. I keep doing that. One of the issues we’re
going to have with tweaking the order in those ways
is, when you put a word like “sensitive” into an
order, then you’ve got to know what it means. And we
haven’t had that problem with personal information or
PIPA because that’s right there in legislation. So
we’ll need to think about that a bit more. I don’t
have the answer to that right now and how we could
make that work and have a clear order going forward,
so.
MR. CRAIG: I agree there’s a problem there, but there’s
also a public interest in trying to come to grips with
it. And from our group’s point of view, we’re not
concerned about being absolutely precise, so that it’s
all known ahead of time, but that --
MR. CURTIS: Dave Curtis. Those are --
MR. CRAIG: -- was an understanding between Commission
oversight and the utility as to -- such as, but not
absolutely including everything in the list.
MR. CURTIS: Dave Curtis. I think those are all fair
points and I think stuff we need to consider.
Proceeding Time 11:12 a.m. T22
COMMISSIONER MACMURCHY: And the added benefit of
applying customer information, you can make sure
you’re consistent with FBC too.
MR. CRAIG: If it is that data, right now you’ve got
either de-identify or encrypt and if it’s customer
sensitive information, we may not want either in the
grammatical construction. If it’s de-identified data
you may still want it encrypted. And you may want an
“or” dealing with the case example that you put
forward of de-identifying the data for authorized use
in a foreign jurisdiction where it's under
confidentiality terms. Where you’re specifically
dealing with a U.S. consultant or somebody that’s
dealing with your data. We don’t necessarily want to
preclude you from accessing the best expertise. But
it may not fit in the grammar construction that’s
there.
MR. CURTIS: Dave Curtis. I might call you when I’m
thinking about this, Mr. Craig.
MR. CRAIG: I would be more than happy to assist.
MR. CURTIS: These are very helpful comments.
MR. CRAIG: Last comment, when it comes to your
presentation about the primary reason wanting to get
to the status of private sector parties, it will be
our position that Commission oversight in pursuit of
public interest applicable to utilities will be a
higher standard than the private sector, and that
we’re here talking about that for that reason. And so
we’ll be interested in what is going on that leads to
a Commission decision and continued oversight over the
public interest and the customer and sensitive
information.
And to your point of all the specifics
being assessed by the people who have expertise in the
company, for sure that’s valuable and it’s certainly
not my interest to pursue that every little bit of
detail end up in front of the Commission. But at some
level we find words and the method of leaving room for
your expertise to be applied but still getting enough
Commission oversight with regard to public interest
embedded in what that order eventually sets out.
I think those are all my questions, Madam
Commissioner, and comments.
THE CHAIRPERSON: Thank you, Mr. Craig. Moving on to
BCOAPO, Ms. Sadrehashemi.
MS. SADREHASHEMI: Lobat Sadrehashemi for BCOAPO. I
don’t need to make an opening statement. I will just
move to questions.
I was really struck today by the point that
there was no greater risk in storing -- to customer
data whether it was stored in Canada or in the U.S. as
long as the keys were held in Canada. That was the --
that point was made a number of times. And I don’t
know if it was -- I'm assuming it was in the evidence
before, but I guess it didn’t hit me until now that
you’re suggesting there is no greater risk.
I think that’s a pretty big statement,
especially when you’ve confirmed that in the data,
that it could be accessed by the U.S. government. The
data that is stored in the United States could be
accessed by U.S. Intelligence. And so -- because it
really comes down to the -- regardless of the key
issue and whether or not the U.S. government could
access it that way -- I mean there is also a question
of the adequacy of the encryption and the
tokenization. Because we’re -- and so I think if the
understanding is that there’s no greater risk, even
though in storing the data in the U.S. there’s a whole
new factor, the U.S. government, a very sophisticated
factor, U.S. Intelligence, that has access to the data
that is in servers in the United States.
So I don’t understand the statement at all,
to say that there is no greater risk.
MR. T. SWANSON: Tim Swanson. I can absolutely
understand the concern. I think what we need to
understand is that the methodologies that we use are
tested, not only in U.S. and Canada, but worldwide.
These are encryption standards that have been proven
to be, to this point, infallible.
Proceeding Time 11:17 a.m. T23
These encryptions have not been broken by
any government in the world, yet. I’m not going to
say they’ll never be, but according to the best
authorities, and we put in evidence, there is no
ability to decrypt that data without the key. So the
fact that it’s stored, regardless of where it’s
stored, the ability to make any use of that
information or decipher it, is basically impossible.
In the case of de-identification, the
information is removed or is anonymized in such a way
that there is no logical way to reassemble that
information in any means or fashion. So it’s not
affected by the location of the data, it’s affected by
the fact that we’re using methodologies that are
proven, and reliable, and tested, and used by
organizations around the world to protect their
information.
MS. SADREHASHEMI: On the first point, about the
encryption. The Privacy Commissioner, in the paper,
the guidance that you provided in Exhibit B-8, so your
update -- updated evidence, the June 16th, 2014. So
this update is really about tokenization, because
there is a suggestion -- the suggestion here is that
if tokenization is adequate, then it could be used.
But clearly the same has not been found about
encryption.
So even here it says, “Tokenization is
distinct from encryption. While encryption may be
deciphered, given sufficient computer analysis, tokens
cannot be decoded without access to the crosswalk
table.” And of course then she explains one of the
assumptions is that it’s been adequately tokenized.
But I mean, first -- the first point is
encryption. In the public sector, as you know, or
not, cannot store -- they cannot just encrypt data and
then store it in a -- so there’s a distinction made
between encryption and de-identification by the
Privacy Commissioner, which suggests that encryption
isn’t this foolproof thing. That there are computer
systems, and the U.S. has very sophisticated systems,
that may be able -- there may be some risk.
MR. T. SWANSON: Tim Swanson. To say there is zero risk
is impossible, I guess, in almost any case. The
evidence we supplied stated clearly that the
methodology used by FortisBC has never been
compromised. The Privacy Commissioner obviously can’t
make that statement, because there are historically
encryption systems that have been deciphered, years
ago. Encryption standards have come a long way since
then. Even the 128-bit level encryption, which is the
previous version to what we’re using, 256-bit, was
never deciphered. Using the Rijndael algorithm that we
use.
So the Privacy Commissioner, I’m sure, in
her wisdom, has looked at all evidence in the history
and said, “Okay, there are cases where maybe
encryption has -- information was decrypted", but it
wasn’t with any recent technology that we use today.
So, fundamentally, it’s impossible to decrypt data.
There’s not enough computing power on this planet to
decrypt it within any reasonable amount of time,
without the keys.
MS. SADREHASHEMI: Something -- I guess another question
around risk is, as you say, it can never be zero.
It’s impossible that there be zero risk, I think. You
would assume that. But risk is quantifiable. I can’t
do that. I don’t know how to do it. But people do do
that, they quantify risk. And so I think what was
really missing for me in this is that there is no
information given, I think, a really fundamental
change in how data is going to be treated, there was
no information given about what is the acceptable
level of risk to customer information being
identified.
And I think that answer -- the answer to
that question needs to be known in order to be able to
ensure compliance, is how do you audit to that? How
do you ensure there -- you must know what level of
risk you’re willing to accept, and we don’t know that.
And we don’t know if that’s changed, or who’s looked
at that since there has been this new proposal about
storing data somewhere else, has there been -- has the
security experts that you consult on other issues,
have they been consulted about this? And have they --
what have they said about the risk?
Proceeding Time 11:23 a.m. T24
MR. T. SWANSON: So to answer your question, we base our
risk assessments on industry standards. Our risk
assessments are tested through auditors to ensure
they’re acceptable, and we do not plan on increasing
our risk tolerance just to store data somewhere else.
And I hope we made that clear in our evidence, that we
intend on maintaining the existing risk tolerance we
have today with the -- even if this order was granted.
We won’t accept additional risk just to save money.
MS. SADREHASHEMI: And so then the question is, in order
to maintain that standard, if you’re storing -- if
you’re going to be storing the data somewhere else,
what does that mean in terms of the current systems
that you use? So wouldn’t -- I mean, this is -- I’m
assuming that there is a greater level of risk when
you do store somewhere else. I don’t accept that
there is no greater risk. But, so if you assume that
there is a great risk, then you would think that if
you want to maintain the same level that you’d have to
do more things. But what I got from the application
is nothing is going to really have to change, that
there is not going to be a lot more resources that we
have to use in order to do this. We have all the
resource, we have all the expertise in-house, that we
don’t have to do anything else. And so that doesn’t
suggest -- that doesn’t provide confidence that you
would be maintaining that level.
MR. T. SWANSON: Tim Swanson. I guess we have to
disagree on that point and the fact that yes, we do
have the in-house expertise. And as I indicated in my
presentation and I think we’ve all reiterated a few
times, we’ve been encrypting and protecting data for a
long time. The fact that we’re storing it somewhere
else, perceiving a risk around that, I think we’ve
tried to answer that in our submissions, that the
protection we apply to it is what protects it. It’s
not the location of the data, it’s the security we put
around it. That hasn’t changed because of this
application. We’re going to continue to use the same
level of security, you know. We may disagree on the
fact that you believe there is more risk because of
the data being located outside of Canada. We
obviously, in our presentation, disagree with that
point based on our reasons here.
MR. D. SWANSON: Dennis Swanson. Also adding to that,
and that’s why we tried to structure the application
the way we did in terms of authorized access and
unauthorized access. From an unauthorized access
point of view, hacking, let’s use that word, it
doesn’t matter where the person accessing sits or
where the box sits that the data is on. If you’re
going to hack it, you’re going to hack it. I mean,
nowhere is there an artificial boundary in the digital
world, and that’s what we kept saying. There’s no
boundaries in a digital universe or digital world.
And then once data is stolen, if data were
-- unauthorized access stole the data, then it’s out
there. It’s not that it’s out there in Canada or it’s
out there in the United States. It’s just out there.
So we say from an unauthorized perspective
there is no greater risk. From an authorized
perspective, that’s where you get into this legal
debate on whether or not the U.S. government, for
example, would have access to compel production of
that data.
We’ve also mentioned that if you’re talking
about when we use a vendor, if there is greater risk
in using a vendor versus our systems, that doesn’t
change where that vendor is located or where that
vendor’s box is. We do a security assessment of their
policies and procedures around the storage of data,
regardless of their -- it’s in the States or it’s in
Canada. And in those instances, if they don’t
maintain our standards of data protection, we don’t
use a vendor. Again, regardless of where it’s stored.
So we’re not saying data is not at risk.
We’re saying the physical location of that data
doesn’t increase the risk. And by physical location I
mean the difference between storing that data in
Canada versus storing that data outside of Canada.
COMMISSIONER MACMURCHY: Just to make sure we’re
absolutely clear then. Really what you’re saying is
from the unauthorized side it doesn’t change because
the digital world is the digital world and it doesn't
have boundaries. From the authorized side what you’re
saying is that yes, they may be able to get the raw
data but it’ll be encrypted or detokenized form, and
we’ll hear the legal arguments about the ability to
compel the keys. But normally the expectation would
be that unless a Canadian court agrees, that those
keys would not be accessible. Is that sort of --
MR. D. SWANSON: Correct. And then you get back to that
whole question of can you de-encrypt the data? Do you
have enough computing power to do it? I’m not a
hacking expert by any means, but if you have that
computing power to do it, why wouldn’t you just hack
in and take the data while it was in Canada? It’s
probably easier than de-encrypting. So if you really
wanted it that badly.
MS. SADREHASHEMI: Right. I think my points were more
around the authorized access from U.S. Intelligence of
the raw data and their ability to -- the U.S.
Intelligence ability to decipher the data. I just
wanted to know more about that risk.
And I guess so I’m following up on what
kind of steps have you taken in finding that out?
What is the risk of U.S. Intelligence? What is their
level? What is their ability to decipher encrypted
data or to -- what level of tokenization is required
for that factor and how does that affect risk?
Proceeding Time 11:29 a.m. T25
MR. T. SWANSON: Tim Swanson. I think we’ve addressed
this question already.
MS. SADREHASHEMI: Sorry, it’s Lobat, I don’t mean to
interrupt. I think I ended up repeating the same
question, but really my question was, who did you --
in order to come to the determination which you’ve
already told me, who did you consult?
MR. T. SWANSON: Tim Swanson. We use more than one third
party to ensure that our encryption levels are where
they need to be to properly protect our information.
So I don’t know if I want to disclose the names of
the firms we use, but suffice to say they’re
recognized security firms in Canada. Some actually,
some of the security firms are in the U.S. We have a
test every year and it’s done by a different
organization each year to ensure that our security is
at a level that our data is protected regardless of
who tries to hack into it.
MS. SADREHASHEMI: And so -- but were they consulted in
preparing this application and the evidence for this
application?
MR. T. SWANSON: Specifically for the application, we
used existing consultative results that we’ve had
because we didn’t see anything in this application
that was outside our normal requirements from an
encryption perspective.
MS. SADREHASHEMI: But normally you’re not storing data
outside Canada?
MR. T. SWANSON: Tim Swanson. As I indicated earlier,
even when we store data within Canada we encrypt it or
de-identify it when it’s sensitive or personal
information. So this is not a practice that we’re not
used to.
THE CHAIRPERSON: Time to move to the other side of
the table. BCUC staff.
MS. THORSON: Madam Chair, would you mind if we took just
a couple minutes just to review our questions and take
the ones -- consolidate our questions so that we’re
taking the ones off the table that have already been
asked.
THE CHAIRPERSON: I don’t mind, and I think the FEU team
might appreciate the break too. So five minutes.
(PROCEEDINGS ADJOURNED AT 11:32 A.M.)
(PROCEEDINGS RESUMED AT 11:44 A.M.) T26
THE CHAIRPERSON: We are ready to reconvene. Next
questions are coming from the BCUC staff. Please
proceed.
MR. COCHEY: So, Lionel Cochey, Commission staff,
consultant here.
I’d like to ask you a question about, you
know, the risk evaluation about storing outside of
Canada. And relative to that, don’t you believe that
there are some original specifics about the
environment of whether the -- (inaudible) be hosted,
but will impact the level of risk for this data stored
outside of Canada?
MR. T. SWANSON: Tim Swanson. As I stated earlier, risk
assessment did not -- our risk assessment did not
indicate that the risk increased based on the location
of information, because we apply the same security to
it regardless of where we store it.
MR. COCHEY: Don’t you believe that outside of Canada,
the way organizations may be working -- the way, you
know, specific culture related to the way people are
working, or, you know, possessing systems, possessing
data, and, you know, doing a specific working to what
is related to, you know, hosting data, processing
data, on IT systems may be different from the way
organizations and people in Canada would be doing this
type of work?
MR. T. SWANSON: Tim Swanson. That is why we have such
stringent security requirements. We don’t allow
organizations to have different processes or handling
of our data. If they don’t comply to our requirements
in regards to processing and handling of data, we
wouldn’t use them.
MS. PRATCH: And in addition to that -- it’s Monic Pratch
-- we also include stringent contractual requirements
in contracts that we have with vendors. Regardless,
right now -- or regardless of where that data would be
stored, those same contractual provisions would apply.
And so they would be contractually bound to follow our
policies, processes, legislation -- privacy
legislation, and things like that.
So, I think between our requirements and
the contractual requirements, we’d be obligating them
to -- that there would be no greater risk.
MR. COCHEY: I’m going to be maybe -- trying to be more
specific here. Don’t you believe that, you know,
hosting data in foreign countries, whatever the
country is, may expose this type of data to specific
risks? And when we’re looking about countries outside
of Canada, there might be a difference between, let’s
say, you know, China, Russia, India, or the U.S. Or
any other European country or whatever country.
MR. T. SWANSON: Tim Swanson. Regardless of the country
it’s located in, if they did not comply with our
security requirements, and as I indicated there’s a
number of -- there’s a number of components of that
risk assessment or security assessment, I should say
-- we would not use the service. So regardless if it
was India, China, England, United States, if we deemed
there was a security piece in there that we were not
comfortable with, we would not use the service. They
meet -- they either meet the requirements we have, or
we don’t use them.
MR. D. SWANSON: Dennis Swanson. In addition to that,
remember, if it’s sensitive data, customer data, it
would be encrypted or de-identified when it leaves
FortisBC.
MR. COCHEY: And just on that, in terms of, you know, the
specific controls that you are thinking about applying
to protect the data, outside of Canada, don’t you
believe that these controls should be adapted to the
specific risks that this data potentially would be
exposed outside of Canada, that the definition of the
control should be aligned with, you know, a specific
risk assessment in order to address specific risks or
mitigate specific risks that will be found -- find
outside of Canada.
MR. T. SWANSON: Tim Swanson. The security assessment
ensures that any potential risks are addressed
regardless of where the data is located. Culture,
jurisdictions, all of those are considered when we’re
looking at how we build our security assessment.
That’s why our criteria is so stringent. We don’t
allow for any sort of flexibility in our requirements.
It doesn’t matter what culture or what country is
managing our data, our information, they have to
adhere to those requirements.
And again, back to what Dennis said. We
also add the extra level of security that that
information is going to be protected even if it was
compromised, whether within that country or from
outside that country. It’s unidentifiable and
unusable. But I’m going to go back to the fact that we
believe that there is no increased risk based on
location, if the service adheres to all our security
requirements.
Proceeding Time 11:49 a.m. T27
MR. COCHEY: Lionel Cochey here again. So based on your
response I understand that you consider that it’s
important to take into consideration some specific
criteria like culture, environment, in order to
properly address the risk, is that correct?
MR. T. SWANSON: Tim Swanson. No, that was probably an
incorrect statement. Definitely we don’t -- we don’t
specifically look at culture, because we consider the
security piece alone. It’s a technical question and
if policies, process and procedures in place, we will
not -- we would not judge a culture. If I misled you
there, I apologize.
MR. COCHEY: In terms of, you know, specific controls to
apply to protect information and when you develop and
implement this control, don’t you believe that you
need to adapt these controls to take into
consideration specific environment around where this
development -- or implemented?
MR. T. SWANSON: Tim Swanson. No, we don’t adapt our
requirements based on where the services are being
located. Our requirements are requirements regardless
of the services being considered -- the location of
the services being considered. So no, we don’t adapt
our security assessment. We build our security
assessment around the fact that these controls will
protect our data regardless of where it is.
MR. D. SWANSON: Dennis Swanson. In addition, whenever
we look at a vendor, we look at the reputation of the
vendor, we look at -- you know, I think Mr. Swanson,
Tim Swanson mentioned earlier we do vendor
referencing. If we’re talking about going to some, I
don’t want to be discriminatory in any way, but going
to some area of the world where we didn’t trust the
culture, quite likely we also wouldn’t trust the
company and it would fail, it would fail that
fundamental assessment when we’re looking at is this
somebody that we’re comfortable doing business with.
So we don’t specifically say in that
section of the world we treat you differently, but the
reality is, you know, if it’s a company that we’re not
comfortable doing business with, we don’t do business
with them.
MS. THORSON: This is Alison Thorson at the BCUC. So
just to follow on that, so I understand that the
privacy and security -- your privacy and security
assessments would rule out some vendors. Would they
also rule out some locations?
MS. PRATCH: Monic Pratch. I think certainly there’s no
specific locations that we have on a list that we’re
not going to do business with. But I will say that,
you know, Tim’s talking about the security assessment
side. I’ve talked about the privacy impact assessment
side. But there is also a general discussion that
exists within the organization about vendors that
we’re using, as Dennis mentioned, about vendors, you
know, reputations, company reputations that exist.
And as a result, certainly if we had any concerns
about the location of the world that we were storing
data in, for example, you know it was at a -- there
was a specific security threat around that particular
area of the world, certainly that would come into the
conversation in determining whether or not we proceed
with using a vendor in that area.
MS. THORSON: So that’s what I am trying to drill down on
here. Is you’ve told us at a high level that you have
privacy and security assessments. You haven’t told us
much detail about those assessments. Is there, are
there steps in those assessments, other than a general
conversation that happens, that would look at -- that
would assess risks about -- generally about location?
MR. T. SWANSON: Tim Swanson. In my presentation the
first items we look at on a security assessment is
vendor viability. Viability includes using third
parties to help us evaluate the viability of that
provider. We also do reference checks on the
providers. So we certainly just don’t have an
internal discussion.
The first discussion we have internally is
that general look at the provider going, hmm, don’t
know if I want to go down that road or not. And if we
make the next step to consider them, we will start
engaging third parties to do an assessment on the
provider. And it’s really about the viability of that
provider.
That’s why in our security assessment, in
the demonstration I gave earlier or the information I
gave earlier, we talked about vendor viability being
the first thing that we look at. There’s no point in
going any further if we don’t consider a vendor to be
viable.
COMMISSIONER MACMURCHY: You’re confusing me a little,
because I think the question then -- and this may be a
little different. Let me put it another way. If
you’ve got a vendor you think is quite reliable but
he’s operating in the middle of a war zone, would you
go and do business with him?
MR. T. SWANSON: Tim Swanson again. Again, I think that
would factor into the viability of that vendor. I
mean we’re certainly not going to dismiss anything
that we should be considering in regards to a vendor,
whether it be the situation you're describing or other
situations.
So it’s a very broad topic certainly, but
again it’s not in our interest to put any of our
information at risk. We’re not going to make a
decision based on saving a few dollars because -- and
put our information at risk. It’s just not in our
interest or our customers' interest.
Proceeding Time 11:55 a.m. T28
MR. COCHEY: Lionel Cochey. What is -- you know, to
clarify so we understand clearly here, what is the
objective of the risk assessment or the privacy
assessment relating to storing data outside of Canada,
in your mind?
MR. T. SWANSON: Sorry, Tim Swanson here. Could you
repeat the question, please?
MR. COCHEY: So I'd like to clarify in your mind what
is the ultimate objective of the risk assessment or
the privacy assessment in investigating, you know,
potential opportunities to have data outside of
Canada.
MS. PRATCH: So – Monic Pratch – specifically with
respect to the privacy impact assessment -- I'll let
Tim speak to the security side of things in a moment.
But I think what you are asking me, just to make sure
I understand the question, is what would we do in the
case of looking -- or what would be different
effectively about a privacy impact assessment if we
were looking at a company outside of Canada to use as
a vendor?
MR. COCHEY: I mean specifically I'd like to ask you
what would be the outcome of this risk assessment and
to support what type of decisions.
MR. D. SWANSON: Dennis Swanson. Let me just try this
out, and I might be off base here as well. The
ultimate objective of us doing the privacy assessment
and the risk assessment is to ensure the safety of our
data. That's the objective. And to ensure that the
safety of our data is going to remain the same as if
we'd kept the data. So that's ultimately what we're
trying to accomplish when we're looking at this
assessment. It's not an assessment of how much
additional risk are we willing to take. It's an
assessment of how do we maintain the high level of
security and rigour that we have around our data
today.
MR. COCHEY: So to reflect what you are saying, I
understand it's to determine a set of specific
controls to protect the data. Is that correct?
MR. T. SWANSON: Tim Swanson. Fundamentally, yes,
that's correct.
MR. COCHEY: Okay, because previously, Monic, you
mentioned that on the basis, on the privacy assessment
we will decide yes or no to host data outside of
Canada. So I understand here it's a little different.
Your objective would be to go ahead with a specific
set of controls to apply.
MS. PRATCH: It's Monic Pratch. Let me just clarify.
The real objective of privacy impact assessment is to
identify any privacy related risks that exist and then
to look at tools that we can use to mitigate that
risk, and those tools may be things like contractual
provisions, specific contractual provisions. They may
be things like de-identification or encryption of
data. They may be tools such as, you know, just
looking at the project a little differently and maybe
revamping the scope of work of the project itself to
try and mitigate some of that privacy risk. And so
really it's about identifying those issues and
mitigating them.
The overall objective of a privacy impact
assessment is not to necessarily pass or fail a
project, it's really to identify what those risks are,
how we can mitigate them and make sure that any
project that we want to continue with meets all of our
already existing internal controls, security
requirements, privacy requirements and all of those
types of things.
So there's kind of a baseline and then
there's all of these other things that we're looking
at and constantly kind of working with to try and
mitigate.
Does that answer your question?
MR. D. SWANSON: Dennis Swanson. I want to add to
that, though. It's not like there's a sliding scale
of risk and we pull more tools out of the toolbox. As
the risk goes up, we throw more security measures in
place. We have a tolerance level.
MS. PRATCH: Yes.
MR. D. SWANSON: And we look to all the tools we have
to maintain that tolerance level, and if we look and
we say, that risk of that, storing data in that
location is here, above our tolerance level, it's not
like we have more tools we can use to get that back
down. It's just not -- it's off the table at that
point.
So it is a black and white type of test.
It's not like this gradual scale.
MR. COCHEY: Lionel Cochey here again. So thanks for
this answer, Monic, to the privacy risk assessment.
Is the objective and the process the same for like a
security risk assessment of hosting data outside of
Canada?
MR. T. SWANSON: Security risk assessments are a little
bit more prescriptive. Our requirements are not
negotiable, as I indicated in my presentation. It is
a lot more black and white. And if we see any
failures in that security assessment, the project will
not go ahead unless the vendor is able to change their
capabilities or their offering to meet our
requirements.
MR. COCHEY: Would you precise, you know, what you mean
by "it's more black and white"? Can you give more
specifics about that?
MR. T. SWANSON: Sure. So if they -- for example, if a
vendor has a back-up facility that's within five
kilometres of their primary data centre, that would be
a risk that we wouldn't accept because geographically
it doesn't meet our requirements for disaster
recovery. That would be a black and white example of
where we would not consider a service.
Now, if they were able to offer that -- if
everything else met the criteria and they were able to
move that data centre a ways away, the required
distance away from a risk perspective, then you know,
we may be able to consider that service. But more
than likely you're not going to do that for a single
customer. But that's an example of a risk criteria
that we wouldn't accept.
MR. HAILS: This is Jason Hails. To carry on from that
point, when you do a security risk assessment, would
the outcome of that assessment potentially result in
augmentations to your internal controls around
security?
Proceeding Time 12:02 p.m. T29
MR. T. SWANSON: Tim Swanson. No, our internal controls
are set regardless of the offering. Those internal
controls are something that we have. They are
reviewed by third parties on an annual basis, to make
sure that we are adequately controlled, but they don’t
generally change based on an offering.
MR. HAILS: So, may come back to the specific control
environment. But that relates to the issue of
advancements in both attack and penetration technology
over time. So, would evolution of the security -- you
know, security industry, factor into your risk
assessments? Or -- and would you then take more
measures to secure?
MR. T. SWANSON: Tim Swanson again.
MR. HAILS: Yeah.
MR. T. SWANSON: Sorry, are you finished it? Sorry, Mr.
Hails. Okay.
That’s the reason that we do an annual
review of our security assessment program, because
technology changes all the time. The risks change,
absolutely, our requirements change. And I think
where this question is leading, and appropriately so,
is would we apply those new requirements to existing
vendors? And the answer is yes.
Their inability to comply with new
requirements would mean that we would have to look at
changing our vend -- changing our provider and moving
on to somebody who can meet all of our security
requirements. But that is one of the reasons that I
pointed out in my presentation that we look at
organizations’ long-term plans for security plans, for
upgrades, upgrade plans. We want to see what their
road maps look like so that they -- we know that
they’re capable of adapting to these changes.
MR. HAILS: So, further to that, what I think I just
heard is that the security risk assessment might
evolve but you also noted earlier that your internal
control environment wouldn’t necessarily evolve with
it -- as in, it’s static, and you’re kind of flicking
the switch on or off in terms of vendor acceptance.
So it just -- it sounded different.
MR. D. SWANSON: Dennis Swanson here. No, it would
evolve with time and technology change. It doesn’t
evolve with an offering that we do to a certain
vendor. In other words, we don’t change our control
procedures because we’ve got this new vendor. But as
technology changes, yes, it changes our control
procedures and we would force new vendors to be
compliant, or we’d cease using them.
MR. T. SWANSON: Tim Swanson. To elaborate on that a
little bit, and I think I understand your question a
little bit here. Controls, I think you’re talking
about the layers that we have, and specifically
security assessments are -- it’s part of our controls,
our overall controls. Right?
Now, the security assessment could evolve,
and the control doesn’t change. The control is,
security assessment is one of our controls. Security
assessment, privacy assessments, can evolve. Controls
evolving would -- certainly could happen over time,
but it would mean fundamentally we change something
within -- something has changed fundamentally that
would make us change those overarching controls.
Because overarching controls tend to be fairly
consistent.
Is that kind of where you’re going with
that question?
MR. HAILS: Yeah, I think we were curious whether or not
your internal control environment would also evolve
with emerging requirements for protection.
MR. T. SWANSON: Tim Swanson. The security assessment
piece, certainly. Our risk tolerance, no. But
certainly our assessments could, and need to evolve.
Absolutely.
MR. D. SWANSON: Dennis Swanson. In addition to that,
part of our internal control in general, not just
around information services, but review -- involves a
review of all of our internal controls, and what are
the key controls, and what are the procedures around
those key controls. And we require our leadership to
review those controls on a regular basis, sign off on
the fact that they’re updated, those controls are
audited internally by our internal audit, and
externally by our external auditors. And that goes
far beyond just our information services, or privacy
controls. That’s in general of our control
procedures.
COMMISSIONER KIELTY: Can I just ask a question on that?
Because you have throughout these proceedings referred
to independent testing, and audit validation of
processes and controls. Do you have any unremediated
significant deficiencies in the area of privacy and
security?
MR. T. SWANSON: Tim Swanson. No, we have no outstanding
-- no outstanding issues from a security perspective.
MS. PRATCH: And the same from a privacy perspective, no
outstanding issues.
MR. HAILS: Jason Hails again. Going back, Ms. Pratch,
to your introduction and talking about your PIA, what
you did mention in relation to privacy data was that
you would determine the relative significance of that
data. Would you do something different if you deemed
it not significant? Versus significant? And what
kind of criteria would you apply to determine
significance?
Proceeding Time 12:07 p.m. T30
MS. PRATCH: Thank you. It’s Monic Pratch. The
significance of data -- so what we’ve said in our
evidence is that what we currently do is that if a
project involves a significant amount of personal
information, we automatically do a personal -- or a
privacy impact assessment. If it doesn’t involve a
significant amount of personal information, and it’s
not just volume -- and I’ll talk to you in a moment
about some of those criteria -- it doesn’t involve a
significant amount of personal information, we
wouldn’t require a PIA to be done. We would still
require somebody to think about privacy, and have the
conversation, but we wouldn’t require a full privacy
impact assessment to be completed.
What we’ve also said, as part of this
application, is that if we were sending information
outside of Canada, personal information outside of
Canada, we would automatically do a privacy impact
assessment no matter what. So the idea of
significance of data wouldn’t apply in the context of
sending information outside of Canada.
To give you an example, and whether we do
it currently with our current processes, whether we do
a full-blown PIA or whether we just have the
conversation with respect to whether there is a
significant amount of personal information, that’s
obviously a subjective standpoint. And it usually
involves a conversation between myself, the project
manager, the IS department, and anybody else that
might be a stakeholder in that -- internal stakeholder
in that particular project.
So I think in our IRs we gave a couple of
examples of, you know, things that were -- or
responses to IRs, things that were obviously
significant and things that were obviously maybe less
significant. But it involves a determination of first
of all the amount of personal information that we’re
talking about. Are we dealing with, you know, one
particular -- is this one particular customer? Is
this, you know, a whole bunch of customers? So the
amount, the volume of data.
We also do an analysis of the sensitivity
of that data. So are we talking about addresses, for
example, that are unattached to names, and other
identifying criteria? Or are we talking about, you
know, consumption information, which is something that
we take as being extremely sensitive data to our
customers. And so we do an analysis of that.
So I think the example that we gave in our
IRs, if I may, is the example of -- let’s say for
example we’re doing some upgrades to one of our
distribution pipelines. And we need to be able to
hire a vendor. We want that vendor to go out and
knock on doors and advise our customers that we’re
doing an upgrade in the area, and they may see a
service disruption. In that case, we have a business
need to disclose the address of the location that
we’re expecting that vendor to attend at, and to talk
to you. But we may be able to rule out other types of
information that vendor would have access to. For
example, in that case, there is no reason they would
need access to consumption information, billing
information, any other account information, including
account number, meter number -- any of that data.
They would probably only need access to the customer’s
address and potentially the customer’s name, depending
on the type of conversation we were expecting them to
have.
And so, again, we wouldn’t require
necessarily a full-blown privacy impact assessment,
but we would certainly have the conversation about
what information we needed to actually complete the
task, and making sure that we’re mitigating any
privacy risk associated that -- with that.
Does that answer the question?
MR. HAILS: I think that’s helpful. Are the decision-
making protocols documented?
MS. PRATCH: Monic Pratch. There is not a specific
policy in place that governs the decision-making tree.
That being said, there are certainly protocols in
place, and what I like to call my privacy gatekeepers
that I have across the organization in various
departments that assist me in making sure that any
project that does contain personal information or
otherwise gets this type of analysis.
So for example, I’ve done additional
training with our IS group, with our procurement
group, and those two groups specifically see the
majority of projects coming through them as obviously
they need to procure services or they’re looking at
vendor contracts, and things like that. And they have
an automatic process in place, and additional privacy
training to be able to recognize issues and bring
those forward.
That, of course, is in addition to all of
the other training that exists for our employees with
respect to personal information and privacy. So I
think there is a baseline understanding of everyone,
and then we’ve put in place this kind of next level of
privacy gatekeepers across the organization, and then
again I’m out as much as I possibly can talking about
privacy with folks.
So, no, there is no documented specific
decision tree, but certainly there’s a process we’ve
been using and building.
MR. HAILS: Would you bear with us if we dug into -- a
little bit more into the internal control environment?
So, typically there will be governance over a security
program. There will be specific audit programs put in
place. There will be test scripts that are developed,
there'll be testing that’s executed. There will be
some -- assuming there is some documentation that
comes out of that, there may be remediation efforts,
if there are any gaps found.
Can you tell us about the roles and
responsibilities between FEU and your external
providers in developing (a) the whole program, and
then (b) those sub-elements of, you know, testing
regime.
Proceeding Time 12:13 a.m. T31
MR. T. SWANSON: Certainly. Tim Swanson.
We use standard ITIL change control as our
basis for our change management processes. In regards
to external sources, third parties, they must adhere
to our standard change control processes which
includes everything from segregation of duties,
development, QA environments -- or sorry, quality
assessment environments. That's the techie in me, in
all the acronyms. Sorry about that.
So we absolutely have all those controls in
place and those are the controls that are audited on a
regular basis by internal and our third-party
auditors. So those controls are identical for all
vendors that we use.
MR. HAILS: Are you referring to internal controls over
financial reporting?
MR. T. SWANSON: Tim Swanson. No, I'm referring right
now to internal controls around change management for
technology, whether it be in regards to financial
systems, customer systems or any other systems we use.
We use standard change control. We don't have varying
levels of change control for different types of
systems. We've settled on one standard change control
that is the -- that is acceptable at the financial
level, so it has more rigour than some change control
systems may.
MR. HAILS: So part of that would be security and
access controls. I don't doubt that it's very
difficult to decrypt a 256 bit key, however more often
than not, the protection of that key itself would
represent the weakest link in the chain. So
protection of that may be virtue of a simple employee
password which can be attacked. You know, you may be
inviting attention from other jurisdictions, as well
that may apply more brute force attacks if they deem
it necessary.
So it's not so much the encryption itself
which is good, but it's really the processes and
procedures that you have in place to manage, store,
retain, you know, maintain, upgrade, that are
typically at issue.
So it's not the encryption itself that will
lead to something bad happening, but it's the manner
in which you manage the keys, for instance. So what
have you got in place to address that risk and the
fact that it's not as robust as an encryption itself?
MR. T. SWANSON: Tim Swanson. Great question, and
something we recognize internally always is "the
weakness of the employee", we call it. Particularly
Canadians are very polite, kind and responsive. In
that regards, again, regardless of where information
is located, that particular risk doesn't change
because our people are our people.
What we do to manage that risk is make sure
that we have access of least privilege, and we have
redundant controls in place when it comes to releasing
that kind of information. And specifically around
keys, keys will only be generated when requested, and
we don't push keys outside the organization. But I
think one of your questions there was what if we
granted someone access to our system who was a bad
actor, somebody who wanted to hack into our systems.
That is a risk regardless of where your data is
located. It comes down to your controls around access
privilege, in which case every access is authorized,
depending on the person's role in the organization, or
the contractor's role for us. It's granted on an
individual basis and it's role based and it's based on
access of least privilege.
The whole intention of controlling access
to system is to ensure that no one individual can
materially damage or access information, all
information. They are focused on areas that they need
access to, and that's it.
MR. CHEUNG: It's Leon Cheung here. A simple question,
not as techie. Ms. Pratch, this morning you talked
about having big projects and small projects, and in
one of the IRs, Exhibit B-12, CEC Alternative Relief
1.1.2 you mentioned that a project manager would go
through a checklist and after that management would
make the necessary determination to make sure that
adequate controls are in place.
Can you describe and explain the FortisBC
internal approval process, such as the process for
internal review. What is the required approval levels
such as senior management executives, the board, or if
you have any certain committees that look at big and
small projects. And the budget oversight, is there a
signing authority or thresholds and how do you monitor
risk management.
MS. PRATCH: Monic Pratch. I'll try and address that
in a couple of different segments. First of all, to
talk about authority levels, certainly we have an
authorities policy in place that governs specific
signing authorities and things of that nature.
When it comes to privacy, we've taken big
projects, small projects, everything comes through my
office. And so I see all of those projects. Whether
they are a $2,000 project or a $2 million project, I
will see those projects. And we do that because
privacy risk doesn't often change depending on
necessarily a dollar value. You could have a
relatively small dollar-value project that has huge
privacy implications based on the amount of data that
we're transferring or data that we're using or
processing or what we're doing with it.
So certainly there's no policy in place
that currently governs, you know, if it doesn't hit a
certain amount I won't look at it. I see everything
that comes from a -- dealing with personal
information.
With respect to kind of our internal
process, I think I kind of described, you know, you've
got your project managers or your folks that are
looking at different various projects, and then we've
installed these kind of privacy gatekeepers, like I
like to call them across the IS department,
procurement, and certainly in any department where
we've got a high volume of personal information. For
example, human resources or customer service. I've
got folks trained in those areas to specifically
recognize privacy issues, and they kind of act like a
first line of questions. But I'm in contact with them
on an extremely regular basis.
So it's kind of this -- it's more of an
informal process, but that we've done through training
and through ensuring that our employees are aware of
the importance of privacy. And so we've gone through
that process, and as things come up to me, I'll have a
look at that project and often I will be looking --
oh, and I guess the other privacy gatekeeper that I
can talk about is our legal department.
Proceeding Time 12:20 p.m. T32
So as a member of that department I am
always talking about privacy and certainly the lawyers
see a variety of contracts and processes and projects
across their desks and they’re all trained to
recognize privacy issues as well. So anything that
any of those folks see that could be a potential risk,
we have a conversation about. And then we will
determine, as I mentioned before, whether or not it’s
a significant volume or significant amount or
sensitivity of personal information that we would
require a full blown privacy impact assessment to be
completed.
Does that sort of answer your questions
around authority levels and --
MR. CHEUNG: And how -- correct me if I’m wrong, you’re
the chief privacy officer.
MS. PRATCH: Correct.
MR. CHEUNG: And has this position been around for a
while?
MS. PRATCH: We’ve had -- sorry it’s Monic Pratch. We’ve
had privacy officers in place for a number of years as
required by the Personal Information Protection Act.
However, the office or the creation of the position of
chief privacy officer came about in 2012, I believe
and I was appointed to that position. And so I
believe it’s just an example of additional focus that
we’ve put on this issue of privacy. And I’ve
certainly received the support of senior management,
as well as our board, as well as, you know -- as I
said before, privacy had been engrained throughout our
organization. So I would think our regime is
becoming, you know, more comprehensive all the time.
And this is just another example of a step in that
direction that the organization had taken.
MR. CHEUNG: And from the security perspective do you
have any comments on the thresholds and authority
levels?
MR. T. SWANSON: So I think I have answered most of the
question previously, but if I am missing anything let
me know.
In regards to thresholds, security
assessments are done for any technology project
regardless of scope or scale. The team that does
security assessment is an internal group operated by a
manager who takes care of all the controls in that
area. And the assessment is produced and attached as
part of the project.
MR. HAILS: Jason Hails. If you come across an issue
that you fail -- or you feel may need, you know,
further discussion, how are they escalated in the
organization?
MR. T. SWANSON: Tim Swanson. In regards to security the
infrastructure manager, who is responsible for
security assessments, would identify the issue,
address it with the potential vendor or even the
internal -- if it’s an internal issue, address it
internally. If there is a challenge with alleviating
that risk then it would be -- he had actually the
authority to stop a project if the security assessment
fails in any way. If he feels that there is a
decision point to make and there may be some
discussion that should occur, he can escalate to
myself for that discussion.
MR. HAILS: And are there any bases where an issue may
escalate respectfully beyond the director level, in
the executive in the organization?
MR. T. SWANSON: Specifically -- sorry, Tim Swanson.
Specifically, I suppose there could be. From a
security assessment perspective we have never
escalated to the executive. Quite frankly, they're
not technical and all that savvy, and neither should
they be. Even in my position I don’t -- you know, to
have the technical expertise, more than likely if a
question was going to be asked to myself it would
probably be more around cost and negotiating with a
vendor more than the security piece itself. We have
security experts who manage and operate that group and
they’re the ones who will make the decisions.
MR. D. SWANSON: Dennis Swanson. Just adding to that, I
am the vice-president over that area, who is
apparently inadequate. And I can reassure you that my
CEO and board of directors and my audit committee
would be holding my feet to the fire if we had issues.
Even when we do audit, internal audits and such, if
there are ever any issues identified it would come up
through the audit committee and yes, I would be held
accountable for that.
MR. HAILS: Do your internal auditors report to the chair
of the audit committee?
MR. D. SWANSON: Yes.
MR. HAILS: Who do you report to, Ms. Pratch?
MS. PRATCH: Monic Pratch. I report to Dennis as well,
indirectly, but I can say in my experience as chief
privacy officer that it would be a very rare
occurrence for me to have to escalate something to the
executive level. That being said, we do have
conversations all the time. So, for example, a
particular executive may be working on a project or
may know that his folks are working on a project and
ask me, hey, how are the privacy, you know, do you
have any specific privacy concerns around that?
So I would say that while I have certainly
not had to necessarily escalate something to the
executive level from that perspective, it's certainly
of interest to the executive. So we are always having
that conversation.
Proceeding Time 12:26 p.m. T33
MR. T. SWANSON: Tim Swanson. I just wanted to add that
the executive has actually made -- and the board of
directors has made extra efforts to actually become
more informed around security over the last few years,
and there has been a conscious effort and training in
place to bring up their levels of understanding to an
appropriate level. When I refer to them not being
informed from a technical level, they shouldn’t be. I
mean, like I said, these are way too in-depth, these
assessments, for them to really understand the
technical references.
MR. DALL'ANTONIA: Nice recovery.
MR. D. SWANSON: Dennis Swanson. Just to add one other
thing. These types of issues have been elevated with
boards of directors. If you take any board of
directors training right now, there is a lot on
privacy and a lot on cyber-security. So it is top of
mind with our board of directors. As a matter of
fact, Tim Swanson is currently scheduled at our next
board meeting to do a presentation to our board of
directors around cyber-security.
So, as much as they’re not having to
elevate stuff, there’s definitely questions coming
down on a regular basis, and there’s lots of
conversations around both of these topics.
The amount of corporate reputation that
sits with security of data and privacy is huge. Well,
we’ve seen companies around the world when they’ve had
breaches, it can really wreck the corporate reputation
of a company and that’s real, real fast. So we say
we’re protecting that data for our purposes, as much
if not more than for the customer’s purposes.
MR. HAILS: Jason Hails. Have you had any breaches?
MR. D. SWANSON: Of --
MR. T. SWANSON: Tim Swanson. Could you clarify what
kind of breaches?
MR. HAILS: Information breaches.
MR. T. SWANSON: Tim Swanson. No, we’ve had no breaches
in our security.
MS. PRATCH: Monic Pratch. I can clarify that Tim is
absolutely correct that we’ve had no breaches in
security, but we have had privacy breaches that don’t
deal with a secure -- with an information security
side of things. For example, we’ve had scenarios
where you have somebody in our billing department that
might accidentally put one customer’s bill into
another customer’s envelope before sending it out.
From that perspective, you’ve now got one customer
receiving personal information of another, and that
all gets reported pursuant to our internal breach
management incident response, and would come through
me. And I would then do an evaluation in accordance
with the Office of the Information and Privacy
Commissioner guidelines as to whether that customer
needed to be notified, and the appropriate protocols
to take. So, from a privacy side, yes. But extremely
minor.
MR. COCHEY: Do you think -- Lionel Cochey from the
Commission again. You think it will be more accurate
to say that you don’t have any known breaches or can
you, you know, demonstrate to, you know, the Panel and
the people around the table that you’ve got hundred
percent assurance that there was no issues on the
information security breach whatsoever?
MR. T. SWANSON: Interesting question, Mr. Cochey, and
you know, to answer that, it’s actually -- it’s not as
simple an answer as some people -- some folks might
think. We can say without a doubt that we’ve had no
security breaches externally into our systems. Now,
to say that somebody hasn’t sat down at somebody’s PC
and accessed information, I can’t say that without a
doubt. Certainly that could occur, and we wouldn’t
necessarily be able to track that.
MR. COCHEY: And to clarify, why do you think, you know,
you’re not able to go into -- to confirm that?
MR. T. SWANSON: Tim Swanson again. In any work
environment, you know, there’s PCs and equipment’s all
over the place. Folks stand up, walk away. They’re
required to lock their PCs, and the PCs actually lock
after a certain period of time. But there is no
system in place that would physically or biometrically
identify the person that sat down at that computer, if
it was unlocked. So that’s how -- that’s why I’m
saying there is no way that I can say that that has
never happened. Again, we go back to the fact that no
individual in the organization has the capability to
make material changes to a system. There is controls
in place from a financial perspective, from an access
perspective, and that’s why we do that, to mitigate
those kind of risks. There, you have to rely on
employee training, your policies internally, that’s
really what protects you in those situations.
Proceeding Time 12:30 p.m. T34
Oh, yeah, well, the reason I can say
there's no known -- or there has been no reported
access from external is that we actively monitor for
external access to our systems. We have reports that
are produced -- well, they're steadily produced every
day. So we can look at attempted accesses to our
system, unauthorized accesses to our system. We also
can see authorized access to our system and we can
verify the location that those accesses came from.
MR. COCHEY: I understand that, thank you. Lionel
Cochey from the Commission. So based on your
response you provided here, I understand that there
are some risks that are very hard to address, you
know, specifically around the user. You know, you
can't fully control what the user was doing. Is that
correct?
MR. T. SWANSON: Tim Swanson. Again, I think we
discussed this earlier talking about the fact that
human beings are human beings and yes, there's always
a risk around the human interface.
MR. COCHEY: So continuing on that remark, don't you
think that, you know, in another country, this risk
would potentially increase because you've got
different type of persons, different type of control
and environment?
MR. T. SWANSON: No, again, because nobody in that
country has access to anything that's usable or
identifiable.
MR. COCHEY: Okay, so I will come back to the questions
I had at the beginning related to the privacy, impact
assessment and the risk assessment. And it's really
in fact, you know, for a better comprehension and a
better clarification of what you've been saying here
to us.
So I understand that the objective of the
privacy assessment is to understand, you know,
specific risks and being able to develop controls,
mitigating controls to address or remediate or
mitigate these risks, correct?
For risk assessment, I understand it's more
kind of a baseline approach. Right? You say black
and white on some data is a baseline, where you have a
set of specific security controls that you want to see
in place to address security risks. Is that correct?
MR. T. SWANSON: We have specific controls in place,
yeah.
MR. COCHEY: So, if I'm using this baseline of, you know,
meaning a set of specific security controls that
you've defined, how was this baseline developed in the
first place?
MR. T. SWANSON: Again, as I've indicated before, we've
used third-party expertise to help us develop those
baselines. Experts in the field of security, risk
assessment and so forth, and that's how those
baselines get established. And again, those baselines
get tested on a regular basis as well to ensure that
nothing's changed in the environment that we need to
address in regards to those baselines for,
particularly, security and risk assessment.
MR. COCHEY: So I'd like to ask you, in fact, you know,
when you developed that baseline, following, you know,
the process that you've just described, is that true
that this baseline was developed for protecting
information in Canada? Because that's the current
situation.
MR. T. SWANSON: No, the baseline was created for
protecting information regardless of where it is,
because the protecting of information -- I'm going
back to my presentation. We don't change the way we
protect information based on where it's stored. And
when we develop the requirements, because we use -- we
have to send information within Canada to
organizations, including the Commission, we need to
have security and controls in place that address our
external sending of information or storing of
information.
MR. COCHEY: Yeah, I mean, it's hard to understand how
you can ensure that -- like your secure baseline that
you're referring about, or the set of controls that
you've developed, you know, in the context of the
current situation where you don't host data outside of
Canada, will adequately apply to risks of, you know,
hosting data outside of Canada.
MR. T. SWANSON: Tim Swanson. Again, I respectfully
disagree. The protection of information is consistent
regardless of where it is, and we don't determine that
our system, or our security assessments are adequate
on our own. We ensure that our security assessments,
our security practices and controls are adequate
regardless of where the data is stored, and we use
third parties to ensure that we are protected.
When third parties do a -- we call them
penetration tests or ethical hacking tests on our
system, they consider whether they are accessing data
in the U.S. or whether they're accessing data in
Canada. They don't concern themselves with the fact
that our data centre is in B.C. They look at our data
wherever it is, and they test to see if they can
access it.
So I can say comfortably that regardless of
where we store the data, we will ensure that that
level of protection is consistent across the board.
Proceeding Time 12:36 p.m. T35
MR. COCHEY: When you look at countries outside of
Canada, you know they may look, you know, the same.
You’ve got different states, different people, right,
but it’s still human people, and it’s still, you know,
IT, you know, about the same everywhere, right. You
know, Windows platforms, Intel processors, you know,
it’s -- I mean, don’t you believe that there are some
specificities to some countries where, you know, you
have some poorer states with, you know, advanced, you
know, people, advanced resources, advanced teams and
organizations who are either very keen to, and
potentially, you know, capable of accessing data, you
know, whatsoever.
MR. D. SWANSON: Dennis Swanson. Again, you have to step
back and you have to look at the situation. That all
-- even if that was all true, when the data left
FortisBC, if it was sensitive data, it was encrypted
or de-identified. So the data is not actually usable
to them. It doesn’t matter what their motivation was
or what their situation was. Once that data, if it
was sensitive, has left our system, it’s unusable.
MR. HAILS: It's Jason Hails. Can you describe the scope
of work that you would have your third party security
experts work under?
MR. T. SWANSON: Tim Swanson. I can give you a high
level. So our annual assessments include, and I won’t
be able to recite the whole scope of work, but from a
high level the scope of work includes attempts to
penetrate our internal systems. An evaluation of our
websites, because those, of course, are access points
from wherever in the world. Access levels for
customers. Access levels to our hosted environments.
They test all of those from a security perspective.
There is a review of our change control documents to
ensure that change control protocol is followed,
because we have a documented and recorded change
control process for all infrastructure and
applications.
So they review all of those to make sure
that we’re compliant. They test our versions of
security, whether it be encryption, whether it be
security patch levels on servers. They test all of
those pieces. So that’s kind of an overview of the
scope of work that we’re looking at in those
situations.
MR. HAILS: And do you develop those scopes of work
internally?
MR. T. SWANSON: So the scopes of work actually are quite
often recommended by the third parties because they’re
-- they’ll -- they’re very comprehensive when they come
to us with proposals. We certainly review them to
ensure that there is no missing pieces, but we do not
recommend to them to remove components of their test
based on the fact that we don’t think we’ll pass. So
we don’t have that kind of control over them. We can
add but we can’t take away from those assessments.
MR. HAILS: And do those scopes of work change over time
from year to year?
MR. T. SWANSON: They potentially could, yes. If we
offer different customer offerings they would test
that. They’ll test whatever new systems we put in
place, certainly.
MR. HAILS: And how would you know if they should augment
the scope of work?
MR. T. SWANSON: Tim Swanson. They review our systems.
We keep an inventory of all our systems and the
incremental changes would be addressed on an annual
basis. So they would look at the systems and compare
it to previous tests and ensure that they didn’t miss
any pieces on their test.
MR. COCHEY: Lionel Cochey. I am just wondering about,
you know, the self-controls that you developed here to
protect information. So what is the expertise that
was used to develop these sets of controls? Who did
you use, what specific framework, you know, did you
use to develop that set of controls?
MR. T. SWANSON: Tim Swanson. As I said earlier, like
most organizations we base our controls on the
(inaudible) information technology. It’s the standard
that everybody uses for change control. And then from
there we augment it based on our requirements.
So to put it in perspective, we’ve had
these change control process in place for well over a
decade. And they have evolved over that time based on
feedback from auditors, based on feedback from third
party testing. So the controls have changed over the
last decade to meet the needs of the systems as they
evolved.
Proceeding Time 12:41 p.m. T36
I can give you an example of that. The
testing of how a virtualized server environment was a
change compared to the testing of a physical server
environment, if you want to really get into some of
the interesting details that happened, or the nuances
in technology that occur over the years, so, yeah,
there’s certainly an evolution of those controls.
And also versions of the standards are
considered, and if the versions of the standard
recommend changes in controls, we certainly look at
those. But I’d have to say in general controls are
fairly consistent. We talk about minimizing the
impact of an individual. We talk about role-based
security. We talk about levels of protection. Those
are fairly standard and really what you want to do is
test against the most current standards.
MR. COCHEY: Let’s take the example here of a virtual
environment. Can you tell us, you know, what is the
standard that you’ve been following to secure your
virtual environment?
MR. T. SWANSON: Well, we’re getting into some very --
oh, sorry, Tim Swanson. We’re getting into some very
technical questions here, and I’m not sure how much
value this is going to add to the conversation. I’m
not sure how it is relevant to what we’re talking
about here.
MR. CURTIS: Yeah, I mean, I’m not going to object to the
question. Tim’s, I think, foreshadowing that he’s
about to blast us with a bunch of technical jargon
that I certainly won’t understand. So, we’re in your
guys’ hands. Do you want to hear about this?
MR. T. SWANSON: And just to be clear, remember, I’ve had
-- I’ve been in a senior management role for a long
time, so if we want to get into the technical -- the
technical protection in a virtualized server
environment, I don’t think it’s going to be very
meaningful for the group here, and I don’t believe I’m
going to have a whole bunch of details that’s going to
make it very relevant for anybody. So --
MR. COCHEY: (inaudible) the assurance that you’ve been
following, you know, like what is considered as best
practice, or what will be appropriate for a security
baseline, you know, regarding the threat of, you know,
a security breach of your -- you know, with or the
opposite.
So can you describe what will allow us to
understand your -- that you have followed and did to
ensure, sufficient, you know, best practice. And what
is the level of assurance that you’ve got about that?
MR. T. SWANSON: Tim Swanson. Again, it -- the practices
we use are tested regularly, and that’s our assurance
that those practices are adequate. Simple answer.
COMMISSIONER KEILTY: And you did confirm that you have
no significant deficiencies as the result of those --
MR. T. SWANSON: Exactly --
MR. COCHEY: I have a question here related to that.
Lionel Cochey again. Don’t you think that in order to
ensure a good protection of an organization, in terms
of security and the protection of data, nowadays, and
as a fact, you know, you see that there is more and
more attacks. You know, cyber-security organizations
run the world, as you mentioned before, are breached,
and you get some of that -- every day now in the
press. So the sophistication of the attacks as well
is, you know, more and more complex.
So don’t you agree that you need to have
dedicated resources to protect, you know, informations
of an organization? Meaning, you know, having at
least a full-time security team.
MR. T. SWANSON: Tim Swanson. We absolutely have
dedicated resources to security. We have several
resources and their job is to ensure the security of
our networks, whether from internal or external
access. The versions of firewalls we use are --
there’s a roadmap and a strategy as to how we approach
that protection. We use the latest in firewall
protection. We have active monitoring. We have
intrusion detection, intrusion prevention. And as I
mentioned in the evidence, we also use what -- we use
products from -- advanced products in zero-day attack,
even.
So just for the Commission’s information,
zero-day attack means that it’s an attack that nobody
has seen before. And we have -- one of our vendors
that we use has organizations around the world, and
no, we’re not sending them information, that monitor
these attacks and can upgrade our -- and tell us to
upgrade our systems on a moment’s notice. So this is
the level of security we’ve applied to our internal
systems. And this is the kind of expectations we have
when we look at third-party vendors as well.
MR. HAILS: Okay, I think we’re -- we’ve gotten to the
point where we can move on to the next topic.
MR. CHEUNG: Madam Chair, it’s 12:45 right now. Do you
want to continue, or do you want --
THE CHAIRPERSON: How much do you have? Can you give us
an estimate, how much time would you require?
MR. CHEUNG: It’s Leon here. I would suspect about --
around an hour or so.
THE CHAIRPERSON: All right then. I would think that we
take a break, then. It is quarter to 1:00, so how
long a break? Is 45 minutes enough for lunch, a quick
lunch? Which means we’ll return at 1:30? Thanks.
Thank you very much.
(PROCEEDINGS ADJOURNED AT 12:47 P.M.)
(PROCEEDINGS RESUMED AT 1:35 P.M.) T37
THE CHAIRPERSON: Thank you. We shall get back to the
topic and hear the questions from the Commission
Staff.
MR. CHEUNG: This is Leon Cheung. I’d like to start off
with more of a clarification question, and if we can
go to Exhibit B-9, BCUC Alternative Relief, IR, the
No. 2 series. And in that IR it asked about the
personal information definition within the Personal
Information Protection Act, PIPA. It says that
"personal information means information about an
identifiable individual and includes employee and
personal information but does not include (a) contact
information or (b) work product information". And
contact information means "information to enable an
individual at a place of business to be contacted and
includes the name, physician name or title, business
telephone number, business address, business e-mail or
business fax number of the individual".
So in question IR 1.2.3 it asks:
“Please confirm contact information under
Section (a) as defined by PIPA only applies
to employee personal information. In other
words, can FEU confirm that the contact
information of their customers must be
either de-identified or encrypted if stored
outside Canada as per FEU’s proposed
alternative relief.”
And then in the response, in the last
sentence, FEU said that
"Accordingly, the FEU cannot confirm that
contact information as defined by PIPA only
applies to employee personal information."
So I just want to clarify in that response,
does this mean customer contact information such as
their phone numbers and addresses could be stored
outside of Canada without encryption or de-
identification?
MR. D. SWANSON: Dennis Swanson. Just before Monic
Pratch steps in and answers that question
specifically, I just want to put it in some context
here, and that is, given where we got to in the change
in the wording in the order as assisted by Mr.
Andrews, we would back off that personal information
and change it to customer information, which would
include all of that. So I think the answer to that
ends up being irrelevant, but I’ll still let Ms.
Pratch speak to it.
MS. PRATCH: It’s Monic Pratch. Contact information of
customers, if they’re an individual customer and the
Act and PIPA applies to that individual customer,
their contact details, their home contact details
which is ultimately or most often what we have
regarding our customers, would be considered personal
information under PIPA.
MR. CHEUNG: Okay. Contact information including
addresses.
MS. PRATCH: Yes, because contact information itself is
defined as -- it means information to enable at a
place of business to be conducted. Most of our
residential customer information is their customer
information at their home address or their home
information.
MR. CHEUNG: Okay. Okay, that’s -- thank you. I guess
in 2.2, if I’m understanding this correctly, Fortis
said that personal information would include employee
information?
MS. PRATCH: Correct.
MR. CHEUNG: Okay. And if the directive, if the proposed
approval sought just says customer information, is
employee information going to be encrypted or de-
identified?
MS. PRATCH: Monic Pratch speaking. That’s a very
relevant point and I think that as Mr. Curtis has
mentioned earlier, we’ll have to work on the wording,
but yes, it’s our intention that employee information
would be covered in the same type of order. So it
would say something to the effect of customer
information which would include residential,
commercial, industrial customer information as well as
employee information, but yes, we’d have to work on
the wording certainly.
Proceeding Time 1:39 p.m. T38
MR. CHEUNG: Okay, so since employee information is
going to be encrypted or be identified if stored
outside Canada, can you explain why FEU ratepayers
should pay for the additional encryption and de-
identification costs associated with protecting
employee information?
MR. D. SWANSON: I think that answer to that would be
because they also would get the benefit of us doing
it. Remember, the whole point of us looking at being
able to have that restriction rescinded is if there's
benefits to customers of doing so. So if it was a net
increase in costs, it's not something we'd be
considering.
MR. CHEUNG: Okay. So let's go to more clarification
on customer information. In the approval sought,
earlier we saw in slide 5, I understand that FEU would
now be rewording the approval sought. So assuming --
or let's say when I looked at this I noticed that
section A was excluded from these three bullet points.
Is there a reason why it was excluded?
MR. CURTIS: So in Section A -- what we're trying to put
up on -- Section A would have been included in the
version of alternative relief previously. Section A
is sort of you start with personal information to stay
in Canada but if you encrypt or de-encrypt, then it
can be stored outside of. So we're just trying to
keep the slides a bit cleaner and took that part out.
MR. CHEUNG: Okay.
MR. CURTIS: But, to be clear, we've got to go -- we're
going to go and work on this after based on what's
been discussed today. So I don't quite have it in my
head yet whether Section A stays or goes in the new
version.
MR. CHEUNG: Okay.
MR. CURTIS: I won't have that until next week sometime
when I start thinking about this some more.
MR. CHEUNG: No, that's fine. I just want to make
sure, "customer" in that context means -- it includes
industrial and commercial customer classes, yes?
MR. D. SWANSON: Yes, it does.
MR. CHEUNG: And it would also include information
about corporate and legal identity information? Are
there any circumstances where it's non-customer
information that you would protect?
MR. D. SWANSON: Dennis Swanson. Yes, any data we deem
to be sensitive would have to be protected.
MR. CHEUNG: Another question follow-up with approval
sought. Today we heard about sensitive information --
or not sensitive information. Customer information is
probably the most high up priority for the interveners
and for the participants here. If the Commission is
to consider a directive that says, remove the current
restriction and impose a restriction where all
customer information must be stored within Canada,
period, whether it be encrypted or not, is that
something Fortis would be amenable to?
MR. D. SWANSON: Dennis Swanson. I think that's what
we have today, unless I'm misunderstanding something.
MR. CHEUNG: I mean, all customer information has to be
stored inside Canada. Non-customer information could
be stored outside Canada. If it's encrypted, it
doesn't matter, like customer information has to be
stored inside Canada. Is that something that Fortis
would be looking for in terms of benefits,
opportunities and that kind of stuff?
MR. D. SWANSON: Dennis Swanson. I think that isn't
what we're looking for. We are looking for a more
inclusive -- I think the more limits you put on it,
the less likely you're going to be able to find any
benefits to customers. We don't believe that the risk
increases as a result of the data storage location, so
we don't think such restriction would be necessary.
MR. T. SWANSON: Tim Swanson. It's an interesting
question, Mr. Cheung. When we consider information
that is exchanged or even if you chose an e-mail
service, that's stored information, right? There may
be a spreadsheet in that e-mail that has customer
information in it. That e-mail, of course, is
encrypted, but it could have customer information in
it. So to Dennis's point, if you start restricting
customer information specifically it could become very
difficult to manage.
Proceeding Time 1:45 p.m. T39
MR. CHEUNG: Going back to -- I want to turn to Exhibit
B-1, the application, page 5. Where Fortis says
potential inconsistencies as one of the reasons to
support the application. On page 5 it says that
neither PIPA of and P-I-P-E-D-A, the Personal
Information Protection and Electronic Documents Act,
"…contains a restriction to maintain the
location of data and servers for private
sector companies within B.C. or Canada.”
And then on page 11 on the FEU final
submission, dated December 4th, 2014, FEU said:
“Because this extra burden…”
And I am assuming it talks about the current restriction,
“… the FEU can be at a disadvantage when
seeking the most suitable and cost effective
information technology solutions to meet
customers' and companies' needs.”
When FEU talked about inconsistencies
between FEU and private sector companies and having
the current restriction as a disadvantage, what type
of disadvantage do you, FEU, mean?
MR. D. SWANSON: Dennis Swanson. I think there’s -- this
is not going to be an all inclusive list, but the
types of disadvantages we can see would be around the
costs associated with data storage. And if you -- the
more restrictions you add in the less options we have
to consider, and therefore you can’t necessarily take
advantage of cost savings that may exist.
In addition there’s certain services or
there are certain vendors that would be, say located
outside of Canada, that if we wanted them to run data
analytics on our data, for instance, we wouldn’t
necessarily be able to use those services. So it
could be in terms of level of service. It could be in
terms of level of costs.
And again not an all inclusive list but
it’s those types of things that we had in mind.
MR. CHEUNG: So it would be disadvantage, like, against
itself not against, like, private sector companies?
MR. D. SWANSON: No, sorry. Dennis Swanson again. It’s
not necessarily the utility would be disadvantaged,
it’s also the utility and its customers would be
disadvantaged. They wouldn’t have access to those
costs savings. Wouldn’t have access to the services
that we could provide if we had, if we had access to
those vendors.
MR. CHEUNG: Then would FEU agree that because FortisBC
Energy is a regulated public utility monopoly that
serves the public, that you might be subject to
different constraints than other private sector non-
monopolies such as storing data within Canada?
MR. D. SWANSON: Dennis Swanson again. Definitely
there’s a different set of rules that applies to FEU
as opposed to private sector companies, but the
company submits that shouldn’t disadvantage its
customers. The rules that -- generally speaking the
rules that apply to the FEU are there to protect its
customers, and I guess not disadvantage the customers.
So what we’re really talking about here is
being able to look at options that do provide benefits
to customers. And I don’t think that’s the intention
of the Utilities Commission Act, for instance, in
applying different criteria on the utility than it
does on -- than generally would apply to private
sector companies. I don’t believe that is intended
to disadvantage customers.
Proceeding Time 1:50 p.m. T40
MS. PRATCH: If I may, in addition -- it's Monic
Pratch. We are also submitting that there's a very
robust privacy regime in place in British Columbia
that deals with these issues and deals with concerns
of this nature. And so as a result, because there's
an addition regime in place, and because we have a
comprehensive privacy management program, that in
these particular circumstances it would be appropriate
for us to be held to the same standards that are
required of other private sector organizations.
MR. CHEUNG: Okay. Possibly the last question. Just
circling back to the potential breaches that may or
may not happen. Who knows? If the Commission grants
the approval sought by the utility, what do FortisBC
Energy envision to be the communication and reporting
requirements with the Commission, if any?
MR. D. SWANSON: Dennis Swanson. Again, when you step
back to -- I'm sorry for being very repetitive here,
but when you step back to the fact that we don't
believe that risk increases as a result of where we
store the data, inside or outside of Canada. We don't
believe that there should be any further reporting
requirements or restrictions put in place. We just
don't think they warrant it.
COMMISSIONER MacMURCHY: Can I ask a question about
that? If you had a significant data breach in Canada,
would you report it to the Commission?
MR. D. SWANSON: Dennis Swanson. I'm being prodded
here. Which Commission? I assume you mean the
British Columbia Utilities Commission? I don't
believe there's any requirement to.
COMMISSIONER MacMURCHY: That wasn't my question.
MR. D. SWANSON: I know.
MR. DALL'ANTONIA: I know you don't sit in the back but
every time you are there I (inaudible).
We have obviously the formal reporting
requirements – sorry, it's Roger Dall'Antonia speaking
– from a fines point of view. But we also have a
direct dialogue with staff, as well as Chairman
Kelsey. Matters of significant import we do relay to
the Commission.
During our labour dispute, as an example,
we had a number of discussions to inform the BCUC what
was going on, because we also know that the BCUC
becomes involved in these situations. The customers
write letters. You know, they file complaints. So we
have an ongoing dialogue that's beyond just the
specific reporting requirements.
If there is a significant breach that we
would reporting to other regulators, and most likely
we'd at least do the courtesy to the Commission of
informing them what was going on and let them know
what we were doing on that front based on what we
currently have in place.
COMMISSIONER MacMURCHY: I suspect we'd get a few cards
and letters ourselves if that happened.
MR. DALL'ANTONIA: Oh, yeah.
COMMISSIONER MacMURCHY: So it would be no different. I
guess the point I'm trying to make is you would treat
that matter no differently if the breach related to
something that was being stored in a different
location. A breach is a breach.
MR. D. SWANSON: That's correct.
MR. HAILS: It's Jason Hails. A follow-on question to
Leon's. If some kind of alternative relief were
granted, do you envision a set of reporting that may
be required to the Commission, and any subsequent
approvals, or are you looking for a blanket relief
scenario?
MR. D. SWANSON: Dennis Swanson. What is being
requested is a blanket approval or a rescinding of the
order subject to the wording that we're going to work
on, without additional reporting requirements. And
again we go back to, we always could do additional
reporting on anything, but if there isn't a need for
it, I don't think see why we would ask for it, I
guess.
MR. HAILS: Okay.
COMMISSIONER MacMURCHY: I'll follow up on that a little
bit. If it was just an information reporting, i.e.
reporting that you are sourcing certain data in a
certain location outside of Canada
Proceeding Time 1:55 p.m. T41
COMMISSIONER MACMURCHY: I presume you would see that
quite differently from a reporting requirement that
required some sort of active board action. I mean,
you want to avoid that, is what -- is that -- would
that be fair?
MR. D. SWANSON: Dennis Swanson. That’s correct.
COMMISSIONER MACMURCHY: Does that not ensure that --
MR. D. SWANSON: I don’t believe it’s necessary, but if
it was just a simple reporting, that would be more
acceptable than if it was some sort of additional
process.
MR. HAILS: Page 5 of your presentation this morning, if
you’re seeking a blanket removal of the restriction,
what do you contemplate might constitute a specific
exemption from that revised order?
MR. CURTIS: Dave Curtis. Again, I think we’ll have to
look at that in light of the tweaking that’s going on.
That clause is something that we put in a lot of draft
Orders. It’s certainly part of the old data
restriction. So, it’s probably there out of an
abundance of caution more than anything, and I’m not
sure we have much to say about it. I’m also not sure
if it stays in the new version, but again, we’re not
quite there yet.
MR. T. SWANSON: Tim Swanson. I’d just like to add that
you -- it gives us and the Commission the ability to
address something that may come up that it’s outside
-- I mean, we can always make a separate application.
I’m not sure that the language is all that important.
But there could be -- who knows what scenarios come up
that require -- the Commission may require us to send
information outside of Canada in a decrypted format,
or some other regulatory body may do that. And that’s
sort of a vehicle for us to apply to do something like
that. So it’s not really intended for anything, I
think, other than that.
COMMISSIONER MACMURCHY: Sound like a quasi lawyer here,
but no offence intended. But I think it would be fair
to say that Fortis always has a right to come to the
Commission if it wants to do something that is
different from what it’s -- currently under the rules
it can do. Is that not fair?
MR. CURTIS: Dave Curtis. I agree with that.
MR. CHEUNG: Madam Chair, Commission Staff is finished
with the questions.
THE CHAIRPERSON: Thank you very much.
Now, it’s back to the Commissioners, then.
COMMISSIONER KEILTY: I do have one question. And it
relates to the approval sought. And I understand that
you will be working on the wording. I just think it
would be helpful to the Commission to have some sort
of definition of “sensitive data”, but at a principle-
based level, and so that we can understand what would
be within that category generally. And so -- and I’d
also like to understand what sort of oversight and
monitoring you’ll have of the determination of what is
sensitive data.
MR. CURTIS: Dave Curtis. Are you asking us what kind of
oversight would there be over the determination of
when a bucket of data is sensitive, and when it’s not?
Is that the question?
COMMISSIONER KEILTY: Mm-hmm.
MR. CURTIS: You know, what comes to mind when you ask
that question is just, sort of stepping back on a
basic legal principle that always operates in these
contexts, which is, you know, how far can and should
the Commission go in regulating the utility, and where
is the line between regulation under the Act and
management of day-to-day stuff. And I’m not sure what
your --
COMMISSIONER KEILTY: No, my question is what sort of
processes and monitoring will the FEU put in place.
MR. CURTIS: Oh, my apologies. Sorry. I thought you
guys wanted to look at --
COMMISSIONER KEILTY: You are asking the Commission to
leave it to you. So --
MR. CURTIS: I see. That is not --
COMMISSIONER KEILTY: I was surprised.
MR. CURTIS: Sorry, my apologies.
MR. D. SWANSON: Dennis Swanson. That will necessarily
involve some professional judgment, just like we
employ professional judgment on all of our decision-
making. Specifically what level of oversight would we
employ in a -- this isn’t one person’s decision.
Monic Pratch is our chief privacy officer, but
whenever we get to situations like this, and we've
seen this with every project that’s risen up relating
to this, involves discussion amongst the company.
Proceeding Time 2:01 p.m. T42
There’s been ongoing discussion, I know we’ve been at
the executive level over some of the projects and
asking the question about, you know, what data are we
talking about. Is it personal information? Have we
considered the restrictions?
And so I think it’s just part of our
general oversight of the business. I don’t think
there’s a specific carve out that says, when it comes
to this determination of sensitive data how are we
going -- or we’re going to run it through a separate
process. Because whether or not this restriction
exists, we deal with sensitive data on a regular basis
and have to protect it within our system, not just if
we take it out of our systems. So it is just part of
our normal business. It’s not something over and
above.
COMMISSIONER KEILTY: Thank you. I have one more
question. You talked about the -- once the data is
encrypted that it’s virtually impossible for it to be
accessed without the keys. Is there a risk, the human
element again, of failing to encrypt data that is
sent?
MR. T. SWANSON: Tim Swanson. The process of encryption
is automated. So data cannot leave the organization
unless it’s encrypted. It’s configured within
systems. It’s tested. There’s no human intervention
in the encryption process. We can’t actually turn off
encryption. It’s part of the configuration of the
system and to reconfigure the system would actually
interrupt the data flow and we would notice that right
away. So there is no -- data from a manual
perspective is not encrypted manually.
And encryption keys, we talk about this a
lot and I’m sure all of you are thinking what the heck
does an encryption key look like. Well, really it’s
an algorithm that the server holds, and even for a
person with any organization to access it, it’s
unlikely. It’s because it’s built into the operating
system. So to pull it out without getting into a
FortisBC data centre, even for human intervention is a
challenge.
But to your point, we recognize the fact
that the human factor is always a factor. And it
comes down to rigorous testing, controls, access
controls, these are all the things we put into place
to ensure that those core systems are protected.
COMMISSIONER KEILTY: Thank you.
COMMISSIONER MACMURCHY: I just want to clarify one
thing. I think the statement was made that you would
be doing, automatically doing a privacy impact
assessment if you decided to move data to be out of
Canada for storage or whatever, isn’t that -- would
that be correct?
MS. PRATCH: Monic Pratch. Yes, correct.
COMMISSIONER MACMURCHY: And all of those projects that
were approved would ultimately go through yourself
then?
MS. PRATCH: Yes, correct, yes.
COMMISSIONER MACMURCHY: That’s all. I just wanted to
clarify and make sure I hadn’t misunderstood.
THE CHAIRPERSON: I don’t have any further questions. I
think we have, we have fully explored the topic here.
Now, then we have to start talking about
the next steps. And I know, I think the plan
certainly I have had that we take a brief break and
then the parties would come back regarding your -- how
you want to bring this process to conclusion.
But I have questions just first to Mr.
Curtis, like Commissioner Keilty was asking about the
kind of definition of what sensitive information,
like, that sounds to me almost like an undertaking. Or
would that be just part of your homework for this new
order you would be seeking? How do you think we
should go?
MR. CURTIS: The way I think we should handle that is, I
mean we’re not going to be suggesting oral submissions
or anything like that today. I’m sure that’s a relief
to everybody in the room. So then we’re going to
contemplate -- I'm sure we'll talk more about written
submissions to follow. And I think we could just deal
with the revised order in our submission to the
Commission, which would go first. That’s certainly,
that’s the most obvious way to deal with it from my
perspective.
THE CHAIRPERSON: All right. So with the statement that
orally is out of the question then, with the other
parties do you even need a break or are you ready to
speak to your views, how you want to take this process
forward? Either way. Mr. Craig?
MR. CRAIG: Commercial Energy Consumers, David Craig,
we’d be ready to talk to that now.
MR. ANDREWS: Yes, we would be ready as well.
THE CHAIRPERSON: It’s a sunny Friday afternoon so
let’s do that. Who wants to go first? Mr. Andrews?
Proceeding Time 2:06 p.m. T43
MR. ANDREWS: I will. Bill Andrews, and I will suggest
that there be a written process for submissions, and
that the company goes first and the interveners
follow, and the company have an opportunity to reply.
And I think that would be the gist of the procedure.
COMMISSIONER O'HARA: Thank you. CEC?
MR. CRAIG: I support Mr. Andrews' submissions and adopt
them, and one slight variable would be that to the
extent that the utility would like to have a little
bit of what we do in negotiated settlements attached
to this, where they could go back and forth with us a
little bit before their submission, we'd be happy to
do that. Not to make it a negotiated settlement, but
just to facilitate getting a smooth set of submissions
and replies.
But other than that, a written submission
is how we'd prefer to see it conclude.
COMMISSIONER O'HARA: Thank you. BCOAPO?
MS. SADREHASHEMI: Yes, we also prefer written
submissions, and agree with what Mr. Andrews stated
about the process.
COMMISSIONER O'HARA: Thank you. And I know we'll give
Mr. Curtis an opportunity to respond, but I believe
staff have prepared a draft regulatory timetable for
this eventuality. So perhaps if everybody could look
at this timetable first before you, Mr. Curtis,
respond.
COMMISSIONER MacMURCHY: Is this 24 hours for FEU?
COMMISSIONER O'HARA: Perhaps we should give Mr. Curtis
the opportunity to start first, and then it's your
turn. Whenever you are ready.
MR. CURTIS: David Curtis. Yeah, I think we've had a
little collaboration here. The dates don't quite work
for a couple of -- both for us and for one of the
interveners. So we would suggest a revision to the
schedule as follows: FEU final argument, Tuesday,
June 30th. Intervener final argument, July 27th. And I
appreciate that's a gap, but that has to do with the
availability of one of the counsel. So I think that's
important for that. And then reply a week after the
27th.
There's no -- we think that timeframe
is fine from our perspective.
COMMISSIONER O'HARA: So what would be the date then, a
week after. That's August --
MR. CURTIS: August 4th, Tuesday, apparently. The Monday
is a holiday.
COMMISSIONER O'HARA: Thank you. Okay.
MR. CURTIS: And then on the -- yeah. And the extra
time will help us a bit on working on the order, and
we are fine with working with the interveners here
today on that order. And my suggestion is just keep
it informal.
Proceeding Time 2:12 p.m. T44
Mr. Andrews and I have certainly talked on
the phone about this file in the past. We can do that
as counsel, and I can do that with the others as well.
And I think it will -- I don’t think we need a formal
process, we’ll just do it in --
But I do want to say it’s not -- and to Mr.
Craig’s point, I mean, it’s -- we’re happy to
circulate the draft Order and get ideas and feedback.
We may not ultimately agree on it, but I think we
should have the process, informal as it is, and it’s
not really going to be -- we’re not entering into an
NSP here or anything. But, anyways. I think you have
my point.
THE CHAIRPERSON: All right, thank you.
COMMISSIONER MACMURCHY: No, that’s fine. Because you’ll
file your submission with whatever you come up with,
and they’ll have an opportunity to comment on it if
they don't agree with it, so --
MR. CURTIS: Absolutely.
COMMISSIONER MACMURCHY: I think that seems fair.
THE CHAIRPERSON: Okay. Thank you. So before going to
interveners, I am reminded, Mr. Curtis, that you still
need to mark as an exhibit your presentation here.
MR. CURTIS: Certainly. David Curtis. So, the
presentation would be Exhibit B-13.
THE CHAIRPERSON: Thirteen. Thank you.
(FEU PRESENTATION MARKED EXHIBIT B-13)
THE CHAIRPERSON: All right, then. Mr. Andrews, next.
MR. ANDREWS: The proposed schedule set out works for me
and my clients, thank you.
THE CHAIRPERSON: And Mr. Craig?
MR. CRAIG: For the Commercial Energy Consumers, David
Craig. Just want to comment that the SRP process has
been constructive from our point of view, and helpful
once again as a process. Thanks to the utility for
participation in it, and to the Commission for
facilitating.
The proposed agenda as amended is fine by
the Commercial Energy Consumers. Thank you.
THE CHAIRPERSON: Thank you. Next, BCOAPO.
MS. SADREHASHEMI: Yes. The proposed dates are fine for
us as well. Thank you.
THE CHAIRPERSON: I did not check with the staff yet, but
that -- does that work?
MS. CHEUNG: Leon Cheung. Yes, it will.
THE CHAIRPERSON: Okay.
COMMISSIONER MACMURCHY: I can live with it, in other
words.
THE CHAIRPERSON: And is there anything else?
So, I guess then on behalf of the Panel as
well, I am very pleased where we ended today. It has
been quite an evolution since last August, so -- and
as I remember in our Procedural Conference, some
questioned whether this SRP would work. But it was
started as SRP light, and it got a bit heavy here for
a while. But we ended in a good place, so thank you,
everybody. Enjoy the sunshine and the rest of the
weekend. Thank you.
(PROCEEDINGS ADJOURNED AT 2:15 P.M.)