David Curtis Direct +1 604 631 4827 Facsimile +1 604 632 4827 [email protected] December 4, 2014 File No.: 240148.00715/15951 BY ELECTRONIC FILING British Columbia Utilities Commission Sixth Floor, 900 Howe Street Vancouver, BC V6Z 2N3 Dear Sirs/Mesdames Re: FortisBC Energy Utilities (“FEU”) - Remove Data Location Restriction In accordance with the Regulatory Timetable set for this proceeding, we enclose for filing: 1. the electronic version of the FEU’s Final Argument; and 2. five legal authorities that have been cited in the Final Argument. Hardcopies of the enclosed will follow by courier. Yours truly, FASKEN MARTINEAU DuMOULIN LLP [Original signed by David Curtis] David Curtis /DC FORTISBC ENERGY UTILITIES APPLICATION FOR REMOVAL OF THE RESTRICTION ON THE LOCATION OF DATA SERVERS PROVIDING SERVICE TO THE FEU, CURRENTLY RESTRICTED TO CANADA Submissions of FortisBC Energy Utilities December 4, 2014 - i - TABLE OF CONTENTS A. INTRODUCTION ................................................................................................................................ 1 B. THE PURPOSE OF THE APPLICATION ................................................................................................ 2 C. REASONS FOR REMOVAL OF THE DATA RESTRICTION .................................................................... 3 (a) The Privacy Regime Appropriately Addresses Privacy Concerns ............................................. 3 (b) The Original Rationale for the Data Restriction No Longer Exists ........................................... 9 (c) Technology Has Advanced Since 2005 and Customers Should Benefit ................................. 10 (d) Potential Inconsistencies ....................................................................................................... 11 D. MOVING FORWARD ....................................................................................................................... 12 (a) Privacy Impact Assessment / Threat Risk Assessment .......................................................... 12 (b) Vendor Due Diligence ............................................................................................................ 12 (c) Compliance with PIPA, PIPEDA and Best Practices ................................................................ 13 (d) The FEU’s Network Security ................................................................................................... 13 (e) Service Levels and Customers Benefits ................................................................................. 14 (f) Conclusion.............................................................................................................................. 15 E. CONCLUSION .................................................................................................................................. 15 BOOK OF AUTHORITIES - 1 - A. INTRODUCTION 1. In Orders G-116-05, G-75-06, and G-49-07, and Letter L-30-06, the Commission established a restriction that requires the FortisBC Energy Utilities (FEU)1 to store all of their data on servers located within Canada (the Data Restriction). 2. On August 1, 2014, the FEU applied to the Commission for an order removing the Data Restriction (Exhibit B-1, the Application). 3. The FEU submit that the Data Restriction should be removed for the following reasons: (a) British Columbia’s private sector privacy regulation has evolved considerably since 2005, when the Data Restriction was first put in place, and the BC Information and Privacy Commissioner (the BC Privacy Commissioner) is the more appropriate tribunal to consider privacy concerns (if and when they are raised); (b) the original basis for the Data Restriction, which was largely due to the fact that the then Terasen companies were being bought up by a U.S. company (Kinder Morgan Inc., hereafter Kinder Morgan or KMI), no longer exists, as the FEU are Canadian owned utilities; (c) technology has advanced since 2005 and customers should benefit; and (d) the Data Restriction creates inconsistencies between the FEU and other private sector organizations in British Columbia, and between the FEU and FortisBC Inc. (FBC) (together FBCU), which limit the ability of the FEU and FBC to integrate systems, which could bring benefits to the customers of both companies. 4. In this proceeding, the FEU have responded to a number of information requests regarding issues around data security, vendor due diligence and risk assessment. The FEU submit that it has addressed the concerns expressed through these information requests, and demonstrated that they take privacy concerns seriously and follow privacy best practices to help ensure that customer data is protected. In particular: 1 Comprised of FortisBC Energy Inc., FortisBC Energy (Vancouver Island) Inc., and FortisBC Energy (Whistler) Inc. - 2 - (a) the FEU perform a privacy impact assessment as part of the assessment process for proposals/projects that have a significant involvement with the collection, use or disclosure of personal information, and will continue to do so; (b) the FEU have robust network security; and (c) the FEU conduct robust due diligence before engaging any third party vendors who store FEU data, and will continue to do so. 5. For these reasons, which are described in further detail below, the FEU submit that the Data Restriction should be removed. 6. These submissions are organized as follows: (a) Part B provides an overview of the purpose of the Application; (b) Part C provides further submissions regarding the four reasons described in the Application that support removal of the Data Restriction; (c) Part D addresses the issues raised in the proceeding through information requests, and in particular, the questions regarding how the FEU will protect customer data if the Data Restriction is removed; and (d) Part E is the conclusion to these submissions. B. THE PURPOSE OF THE APPLICATION 7. The FEU do not currently have any plans to host servers outside Canada, but wish to have the Data Restriction removed so that they can meaningfully explore such opportunities that could benefit customers, safe in the knowledge that they will be able to pursue and implement them.2 8. As discussed in the response to BCUC IR 1.1.1, the restriction imposed by the Commission has several disadvantages, including the inability of the FEU to consider all available technology platforms and solutions efficiently and cost-effectively. The FEU have requested the removal of the restriction in order to enable the Companies to consider available 2 Ex. B-2, BCUC IR 1.2.2. - 3 - options and to achieve the most cost-effective solutions when the opportunities arise.3 It is impractical and inefficient from a regulatory perspective for the FEU to have to apply for specific exemptions each time it wishes to engage a third party data service that could provide benefits to customers.4 9. Removal of the data location restriction will enable the FEU to operate their information systems requirements in the most efficient and cost effective manner. For instance, the FEU can consider and possibly select information systems, service providers and software which provide the greatest value and benefits for customers, without limiting the selection based on data location. Additionally, as service providers continue to be multi- national, the number of vendors able to serve the FEU under this restriction will continue to diminish, which may also have an impact on costs.5 Further, the economies of scale that third party providers may have for specific systems should have cost benefits, as compared to building out systems internally. 10. The FEU submit that it is in the interests of its customers that the Data Restriction be removed so that they can explore these potential benefits. C. REASONS FOR REMOVAL OF THE DATA RESTRICTION 11. In this section, the FEU provide further submissions on each of the four reasons described in the Application that support removal of the Data Restriction. (a) The Privacy Regime Appropriately Addresses Privacy Concerns 12. This section provides further submissions on the topic of “privacy concerns” that is addressed at pages 3 and 4 of the Application. 13. As noted in the Application, the privacy regime in British Columbia has evolved considerably since 2005 when the Data Restriction was put in place, and the FEU believe that 3 Ex. B-2, BCUC IR 1.2.2. 4 Ex. B-2, BCUC IR 1.1.1. 5 Ex. B-6, CEC IR 1.4.4. - 4 - British Columbia’s private sector privacy legislation provides sufficient protection for customers. The BC Privacy Commissioner is well equipped to address the subject matter of privacy, and the Commission can remove the Data Restriction safe in the knowledge that another tribunal will maintain oversight over the FEU’s collection, use and disclosure of personal information. Background to the Data Restriction 14. By way of background, the Data Restriction originated out of a 2005 application by Kinder Morgan, a U.S. company, for the acquisition of common shares of Terasen Inc. On November 10, 2005, the Commission issued Order G-116-05 and reasons for decision granting KMI’s application and establishing the Data Restriction (the KMI Decision). 15. In the KMI Decision, the Commission states: The Council of Canadians, Vancouver Chapter (Exhibit C18-8) raise concerns that the privacy of British Columbians may be violated under the provisions of the U.S. Patriot Act if billing and record keeping functions are relocated to offices within the U.S.6 … The Council of Canadians,