Puget Sound Energy, Washington state’s largest electricity and natural gas utility, with over 1 million customers in 11 western Washington counties, was ordered to pay a total of $995,000 in fines for selling its customers’ information to marketing companies over a five-year period. Only 18,992 of the calls transferred during the five years of the marketing program (November 2001 to March 2006) were subject to penalties because of a two-year statute of limitations, according to the commission statement.
The description of the misuse of customer data from the settlement agreement is a fascinating read:
“The Commission finds that PSE violated Commission rules prohibiting the release of customer information as set out in the complaint. The Commission accepts the proposed settlement — $900,000 in penalties, a contribution of $95,000 toward low-income heating assistance, and notice to customers of their privacy rights – on condition that the Company also notify its customers of PSE’s violation of those rights and the terms of this settlement.”
“The Washington Utilities and Transportation Commission (Commission), through its Staff, complained against Puget Sound Energy, Inc. (PSE) on October 5, 2006, alleging that PSE had permitted improper access to consumer information more than 18,000 times, contrary to Commission rules.”
“The rules protecting customers from the release of their private information were adopted in September 2001, concluding a lengthy rulemaking proceeding in which PSE was an active participant. The rules became effective on October 29, 2001. In November 2001, PSE launched a marketing program called PSE Connections.
In that program, PSE contracted to provide another company, Allconnect, Inc. (Allconnect),—without any prior customer consent—private consumer information of residential utility customers who initiated or transferred gas or electric service with PSE. The purpose of “PSE Connections” was to sell products and services of third-party providers to PSE’s customers. Allconnect paid PSE for the release of information and shared revenue from any resulting sales.”
“The companies agreed to share information in two ways; by directly transferring telephone callers from PSE to Allconnect or transferring information about callers from PSE to Allconnect.
One method occurred when PSE transferred to Allconnect a large volume of incoming telephone calls from new or transferring PSE customers. Allconnect agents introduced themselves as “PSE Connections” and marketed non-energy services such as telephone and Internet service, lawn care, and newspaper subscriptions, that target consumers taking up residence in a new home.
At the outset of the program in November 2001, PSE customer service representatives used script options that all included a brief description of the PSE Connections program and included an opportunity for the customer to opt out of the transfer of the call to Allconnect’s representatives. The options did not secure written or oral permission from the customer to transfer the customer’s private consumer information to a third party.
In October 2005, PSE changed the possible scripts significantly. They no longer explained the PSE Connections service. Three out of the four scripts informed customers that they would be transferred to PSE Connections to “confirm your service.” Only one script allowed the customer to decline the service “confirmation” orally on the call. None of the scripts asked for oral or written permission to transfer the customer’s private consumer information to a third party. Following introduction of the new scripts, the number of PSE customer calls transferred per month doubled, and even tripled in some months, as compared with comparable months of the prior year. When PSE transferred the call to Allconnect, the customer service representative electronically transferred the customer’s name, address, service start date, and a product order number.
The marketing contract between PSE and Allconnect also provided that Allconnect could receive the customer’s telephone and social security numbers, the name of the customer’s spouse or roommate, the spouse or roommate’s social security number, and whether the new residence is “new home construction.” Evidence supporting the settlement does not reveal any instances of the transfer of such information.
The second means of disclosure available under their agreement could occur if PSE shared with Allconnect the private consumer information of customers who refused to have their calls transferred to “PSE Connections.” The evidence supporting the proposed settlement does not reveal any such disclosures.
In return for sharing its customers’ calls and information with Allconnect, PSE received a quarterly payment from Allconnect. The amount of the payment varied, based on the percentage of eligible customers PSE transferred, the number of PSE customers using Allconnect’s service and the amount of revenue Allconnect generated from this use. PSE represents that it collected $95,174 in gross revenue from Allconnect during the entire length of the program since 2001.
As noted earlier, PSE started the PSE Connections program the very next month after the Commission’s newly-adopted private consumer information disclosure rules, WAC 480-90-153 and WAC 480-100-153, became effective. PSE was well aware of these rules. It participated actively in the rulemaking proceeding that included these two rules by attending workshops held between 1999 and 2001 and by submitting extensive comments specifically directed to the proposed text of the rules. For example, it urged that the rules not prohibit the transfer of customer data for marketing purposes, and that the rules allow utilities to use customer data for marketing PSE’s own products and services, or those of its affiliates.
Staff began investigating the PSE Connections program in March 2006. On March 15, 2006, PSE suspended the PSE Connections program pending completion of the investigation. Staff completed its investigation in July 2006.
Based on information PSE provided to the Commission, Staff calculated that PSE transferred a total of 65,260 customer calls, along with private consumer information, to Allconnect between November 2001 and March 2006. RCW 4.16.100, however, restricts actions for a penalty to violations that occurred within two years prior to filing of a complaint. Consequently, the Commission may impose penalties only for those violations that occurred between October 5, 2004, two years before the filing date of this Complaint, and March 15, 2006 (the date the program was suspended). During this two-year period, Staff concluded that PSE transferred 18,992 customer calls to Allconnect.”
PSE participated in making the law prohibiting the use of customer information without the customers’ permission, and then just one month later launched a formal campaign to do just that.
Incredible.
Some possible scenarios:
1) There was a huge lack of communication within PSE from the folks who were involved with making that law to the PSE marketing folks. Or,
2) The PSE marketing folks did what they wanted despite the new law. Or,
3) The PSE business leaders thought they would not get caught, or were willing to take the chance, and endorsed the program in favor of making money over protecting customer privacy. Or,
4) The PSE folks were completely oblivious to the fact that what they wanted to do was against the new law, not realizing what it means to obtain customer permission before sharing information with, or in this case selling it to, another company.
Although it is probably a little of all of these issues, I think 4) is something that all organizations deal with. I’ve spoken to too many lawyers, privacy and info sec folks who don’t think selling or sharing the customer information they have collected is wrong, even knowing that there are laws against it. They either view the information as theirs and not the customers’, or, overwhelmingly, they interpret the notices they’ve given to the customers, or word them so vaguely, in such a way that they choose to believe that the customer consented to having their personal information shared by the organization, often through implied consents or lack of explicit opt-out from such activity.
There is much most organizations need to do to get their customer information sharing practices, and communications to customers, in line with the many laws that cover this issue throughout the world. The use of implied consents is running rampant, but public outcry and regulatory oversight agencies will catch up and keep them from winning the marketing race to make money off of selling customer information before the customers wise up. Just look at the FTC…they have pursued many cases involving inappropriate use of customer information and they are becoming more aggressive.
The PSE incident provides a good case study for privacy officers to go over with their marketing and legal folks to better learn about the issues involved in obtaining individual consent as well as what is inappropriate with regard to sharing, or selling, customer data to another organization.