british columbia utilities commission · 6/12/2015 · british columbia utilities commission in...

Allwest Reporting Ltd. #1200 - 1125 Howe Street Vancouver, B.C. V6Z 2K8

BRITISH COLUMBIA UTILITIES COMMISSION

IN THE MATTER OF THE UTILITIES COMMISSION ACT R.S.B.C. 1996, CHAPTER 473

and

RE: FortisBC Energy Utilities (FEU) Application for Removal of the Restriction on the Location of Data and

Servers Providing Service to the FEU, currently Restricted to Canada

BEFORE:

L. O’Hara, Panel Chair / Commissioner

N. MacMurchy, Commissioner

K. Keilty, Commissioner

VOLUME 2

STREAMLINED REVIEW PROCESS

Vancouver, B.C. June 12, 2015

APPEARANCES P. MILLER. Commission Counsel J. JOLY FortisBC D. CURTIS Counsel for FortisBC Energy Utilities D. SWANSON FortisBC M. PRATCH FortisBC T. SWANSON FortisBC W.J. ANDREWS Counsel for B.C. Sustainable Energy

Association and Sierra Club of British Columbia (BCSEA-SCBC)

T. HACKNEY B.C. Sustainable Energy Association and

Sierra Club of British Columbia (BCSEA-SCBC)

D. CRAIG Commercial Energy Consumers’ Association

of British Columbia (CEC) L. SADREHASHEMI

Counsel for BCOAPO

R. DALL'ANTONIA FortisBC S. HILL Counsel for FortisBC Energy Utilities L. COCHEY Commission Staff J. HAILS Commission Staff L. CHEUNG Commission Staff L. KELLY Commission Staff

INDEX PAGE

Volume 2, June 12, 2015

FORTISBC PRESENTATIONS:

PRESENTATION BY MR. D. SWANSON .....................51

PRESENTATION BY MS. PRATCH .........................55

PRESENTATION BY MR. T. SWANSON .....................60

PRESENTATION BY MS. PRATCH .........................71

PRESENTATION BY MR. D. SWANSON .....................74

SUBMISSIONS BY MR. ANDREWS .........................77

INDEX OF EXHIBITS

NO. DESCRIPTION PAGE

B-13 FEU PRESENTATION ...........................205

FEU-Remove Data Location Restriction Streamlined Review Process - Volume 2 Page: 47

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Allwest Reporting Ltd., Vancouver, B.C.

CAARS

VANCOUVER, B.C.

June 12th, 2015

(PROCEEDINGS COMMENCED AT 9:03 A.M.)

THE CHAIRPERSON: Good morning, ladies and gentlemen. My

name is Liisa O’Hara. With me are Commissioners Karen

Keilty and Norman MacMurchy. And welcome to this

streamlined review process. As the panel chair, I

will act as the moderator for this proceeding.

Before going around the table for

introductions, I will briefly comment on the

application and the review process to date.

On August 1st, 2014, FEU filed an

application with the Commission for the removal of a

restriction on the location of the FEU’s data and

servers. FEU requested that the Commission issue an

Order directing that the current restriction that the

location of data and severs providing service to FEU

be restricted to Canada, is removed and no longer in

effect.

Through the IR process, the issue started

to crystallize, but it was not until the final

submissions were filed that the diversity of positions

and concerns became abundantly clear. The FEU reply

submissions and then included quotations, new

alternative remedy proposed by the applicant in


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


response to the concerns expressed by the registered

interveners.

A Procedural Conference was held on

February 18th, 2015 to consider whether the evidentiary

record should be re-opened to include the proposed --

the proposed alternative relief as part of the

application. By Order G-26-15, dated February 24th,

2015, the Panel directed the evidentiary record be

reopened for evidence related to the proposed

alternative relief.

FEU filed its evidence on March 17th, 2015

and responded to a number of IRs. No intervener filed

evidence on this alternative relief.

The same Order also established a

streamlined review process for Friday, June 12th, which

is meant to cover the entire proceeding record. And

that is, of course, why we are convening here today.

Our anticipated plan for today is as

follows. First, we go around the table for

introductions, and that is followed by the FEU initial

presentation. And I can tell you are prepared, so we

look forward to that. And then that presentation is

followed with the question and -- Q&A period. FEU

will respond to questions from interveners, Commission

staff, and the Panel.

Before proceeding further, I am also


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


reminding you of the May 26th, 2015 letter in which the

Panel indicated that you will be asked to share your

views and explain whether this proceeding should

conclude by way of first, verbal submissions at the

end of this SRP day; two, written final submissions;

three, or any other way you can propose.

You will be given this opportunity to

provide your position after FEU responds to the

questions from the participants. Most likely we will

take a break first, so everybody can still reflect

before you formulate your position.

Proceeding Time 9:07 a.m. T2

As a housekeeping matter I wish to remind

the parties that the proceeding is being transcribed.

Therefore it is crucial to remember that only one

person can speak at a time and the speaker needs to

state their name for the record before speaking every

time, remember that, every time, so that the

proceeding can be properly recorded.

We will now start with the introductions

beginning there with the FEU representatives and move

around the table.

MS. JOLY: My name is Janice Joly, Regulatory Governance

Coordinator for FortisBC.

MR. CURTIS: My name is David Curtis of Fasken Martineau,

external counsel for FortisBC.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. SWANSON: My name is Dennis Swanson, Vice President

of Corporate Services, FortisBC.

MS. PRATCH: My name is Monic Pratch, Chief Privacy

Officer, Corporate Secretary and Counsel for FortisBC.

MR. SWANSON: My name is Tim Swanson, the Director of

Information Systems for FortisBC.

MR. ANDREWS: I’m Bill Andrews. I’m counsel for the B.C.

Sustainable Energy Association and Sierra Club B.C.

MR. HACKNEY: Tom Hackney, case manager for B.C.

Sustainable Energy Association and Sierra Club of B.C.

MR. CRAIG: David Craig, Executive Director, Commercial

Energy Consumers.

MS. SADREHASHEMI: Lobat Sadrehashemi, counsel for

BCOAPO.

MR. DALL'ANTONIA: Good morning. Roger Dall'Antonia,

Executive Vice President, Customer Service Regulatory

Affairs for FortisBC.

MS. HILL: Song Hill, in-house counsel for FortisBC.

COMMISSIONER MACMURCHY: Norm MacMurchy, Commissioner.

THE CHAIRPERSON: And Liisa O’Hara.

COMMISSIONER KEILTY: Karen Keilty.

MR. MILLER: Paul Miller, Boughton Law Corporation,

counsel to the Commission.

MS. THORSON: Alison Thorson, Director of Policy Planning

and Customer Relations at the Commission.

MR. COCHEY: Lionel Cochey, Commission Staff Consultant.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. HAILS: Jason Hails, Consultant with the Commission.

MR. CHEUNG: Leon Cheung, BCUC Staff.

MS. KELLY: Lea Kelly, BCUC.

THE CHAIRPERSON: Thank you everybody. And now we have

all the names on the record and we are ready then to

move to the presentation by Fortis. Please proceed.

MR. D. SWANSON: Thank you.

FORTISBC PRESENTATIONS:

PRESENTATION BY MR. D. SWANSON:

Good morning. My name is Dennis Swanson,

Vice President of Corporate Services for FortisBC.

Both Information Services and Data Security, as well

as Privacy Legislation Compliance, are items that are

within my portfolio at the company.

Also presenting with me today are Tim

Swanson who is the Director of Information Systems.

Tim is accountable for all of our information systems

and our cyber security, as well as I have Monic Pratch

to my left, who is FortisBC’s Chief Privacy Officer,

Corporate Secretary and Counsel. Monic will be

appearing today in her capacity as Chief Privacy

Officer.

MR. CURTIS: And I am just going to make one comment on

that. It’s a bit of a unique circumstance today to

have a lawyer on a panel in a proceeding like this.

So I just want to be clear that Ms. Pratch is here in


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


her capacity as Chief Privacy Officer. She’s not here

in her role as counsel. She’s here to speak to the

record, to answer your questions, but she’s not here

to give legal opinions or to engage in legal debate or

that kind of thing. So I just wanted to make that

clear at the outset.

THE CHAIRPERSON: Thanks for that clarification, good.

MR. D. SWANSON: So this morning we’re going to go

through a fairly short presentation, then we’ll open

the floor up for a further discussion and any

questions and answers that may follow. Our aim today

is to have an open and transparent discussion in hopes

of creating a common understanding of our request in

the application and address any related concerns.

I’m going to start off by introducing the

purpose of the application. I’ll explore some of the

customer benefits associated with our ask in the

application, and then summarize the approvals that are

being requested.


Then Monic is going to talk about foreign

ownership, unauthorized access, and privacy. And Tim

Swanson will discuss security and risk mitigation.

Then I’ll do a brief wrap-up of the presentation, and

we expect to have further discussion and questions and

answers.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Getting into the purpose of the

application, what we’re requesting is that the

restriction related to the location of data storage

that was put in place during the acquisition of the

gas utility by Kinder Morgan be removed. And the

reason is, we want to be able to investigate and

implement information services opportunities that

could benefit our customers. We want to be able to

keep pace with technology changes. We want to be able

to operate efficiently and effectively. And really we

want to be treated the same as other private-sector

organizations under the Personal Information

Protection Act, PIPA, and the Personal Information

Protection and Electronic Documents Act, PIPEDA.

From a customer benefits' perspective, we

want an ability to consider technologies and services

to serve customers where the use of such technologies

may be more cost-effective. An example would be the

use of a third-party vendor that stores data or

provides services.

We want an ability to pursue opportunities

that will reduce information services’ capital

investment requirements and/or reduce information

services’ operating and maintenance expenses.

We recognize the current Order does allow

the company to bring forward individual applications


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


to remove the data restriction for specific projects.

However, bringing forward many small discrete

applications, we feel, would be cost-prohibitive and

would result in lost opportunities for our customers.

Our request also allows us to more easily access

cross-jurisdictional industry information. And this

type of cross-jurisdictional analytics can be used to

improve our customer offerings in areas such as energy

conservation programs.

For the approval sought, we’re requesting

that the current Order be rescinded, that the existing

-- or the current Order rescinding the existing data

restriction, and a new Order is granted that permits

the FEU to store data about customers that would

otherwise meet the definition of personal information

outside Canada, if it is either (a) de-identified, or

(b) encrypted. And in that order, confirming that

data of any kind, customer or otherwise, that does not

meet the definition of personal information under PIPA

is permitted to be stored outside of Canada.

And again, we’re seeking to permit FEU to

apply for certain exemptions from the revised Order.

Now, Monic Pratch and Tim Swanson will

address the topics that have been raised to date

within the application process.

PRESENTATION BY MS. PRATCH:


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MS. PRATCH: Thank you, Dennis. It’s Monic Pratch, Chief

Privacy Officer and counsel for FortisBC.

As Dennis mentioned, one of the concerns

throughout this application has been concerns around

foreign ownership and unauthorized access to data.

While these issues are related, they are distinct

issues. First, with respect to foreign ownership, one

of the major concerns raised by interveners in 2005

was that Kinder Morgan was an American company.

Specifically, the concern was that information would

be transferred to the U.S. and, as a result, control

of that information and those that have access to that

information would be lost.

This particular issue was resolved in 2007

when Fortis Inc. purchased Terasen Gas and the natural

gas utility was once again owned by a Canadian

company. Today, this is still the case.

The risk identified is simple. The

question is whether a foreign court can compel

disclosure of data held by a Canadian company that’s

located in Canada. There is no evidence to suggest

that this is possible, but rather, FortisBC accepts

the position and guidance that has been published by

the British Columbia office of the Information and

Privacy Commissioner. That guidance states that there

is a privacy risk of an American court compelling


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


disclosure records where the records are held by

American companies or their foreign subsidiaries.

FortisBC submits that the issue raised regarding

jurisdiction of a foreign -- of foreign courts to

compel disclosure of data held by a Canadian company

is not a risk, given that the FEU are Canadian-owned

and controlled.


Now with respect to the concern over the

risk of access to information. FortisBC submits that

there is no greater risk that that information will be

accessed by an unauthorized party by storing that

information outside of Canada. And there are two main

reasons that I’d like to provide to give support to

this assertion.

First, FortisBC uses the same security

protocols, procedures, policies, assessments, and

requirements no matter where data is stored. In

addition, FortisBC is still subject to the same

British Columbia and Canadian privacy legislation

regardless of where it chooses to store data and will

still be held accountable in exactly the same way.

Secondly, the digital universe has no

borders. In other words, if a person wanted to gain

unauthorized access to data, that person could be

located anywhere in the world, and the location of the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


data itself would not change that fact. In the

unlikely event of a breach of data that is not --

sorry. In the unlikely event of a breach of that

data, it wouldn’t be protected by borders.

The issue really comes down to the security

that you put around that data. And FortisBC once

again uses the same high level of security

requirements regardless of where that data is stored.

Whether we put that security around data stored in

Canada, around data stored in the U.S., around data

stored in England, or anywhere else in the world, that

data and the requirements, the security requirements,

are the same.

Accordingly, the storage of data outside of

Canada does not increase the risk of unauthorized

access to that data.

I’m going to spend a few minutes discussing

the evolution of the privacy regime in British

Columbia, and FortisBC’s comprehensive privacy

management program. The key message is that FortisBC

follows best practices and is able to appropriately

address privacy concerns.

So, a bit of history. The federal private-

sector privacy legislation came into force in 2001.

And the provincial private-sector privacy legislation

came into force in 2004. When the original data


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


restriction order was put in place, the privacy regime

was in its infancy in British Columbia. Since 2004,

when the Personal Information Protection Act, or PIPA,

came into force, the regime has evolved considerably

and FortisBC submits that it appropriately addresses

the privacy concerns raised in the context of the

original order.

FortisBC must be compliant with PIPA and

PIPEDA as applicable and, as time has passed, the

office of the federal and provincial Privacy

Commissioners have produced an extensive body of

knowledge, guidance, and directions that did not

previously exist. This body of knowledge has provided

privacy officers like me with appropriate guidance and

support to be able to properly assess privacy risks,

so that companies can assure that they are PIPA and

PIPEDA compliant.

For example, the Privacy Commissioners have

created guidance on best practices around the uses of

privacy impact assessments, breach management,

contractual terms, and a host of other guidance on

privacy hot topics.

Finally, over the last ten years, FortisBC

has developed a comprehensive privacy management

program which begins with the FortisBC privacy policy.

I refer you to the first paragraph of that policy,


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


which states, “We at FortisBC value your privacy, and

we strive to ensure that our customers are aware that

their privacy is of the utmost importance to us.”

Privacy, like safety and security, is

extremely important to FortisBC. We take customer and

employee privacy very seriously. This is evidenced by

the fact that privacy is a topic that is discussed at

the very highest level, our Board of Directors, and

receives review and attention from our executive

leadership team and senior management. And this has

been ingrained throughout our entire organization.

FortisBC’s privacy management program

includes training, internal policies, procedures,

auditing, incident response, and a large internal

support network. One of the tools that our program

takes advantage of is privacy impact assessments,

which are used to assess our project managers and

myself as the privacy officer to identify potential

risks and mitigate those risks. We will be discussing

privacy impact assessments in more detail later in

this presentation.

We’ve heard a lot about privacy concerns in

this proceeding. One of our messages in this

presentation is that these concerns should be

alleviated by the fact that there is a robust privacy

regime in place. FortisBC has agreed to additional


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


restriction on top of the current private-sector

privacy legislation, in the alternative relief, by

requiring data to be encrypted or de-identified prior

to storing that information outside of Canada. And

all of the keys would be held within Canada.


The privacy regime I’ve been talking about

should give you comfort that FortisBC is able to

properly assess that risk and mitigate that risk

through security requirements, contractual

requirements, reliance on Office of the Information

and Privacy Commissioner guidance, and the current

policies and procedures we have in place and already

follow today. In other words, the privacy concerns

that have been raised are appropriately addressed by

another regime and by FortisBC’s Privacy Management

Program.

With that I’ll ask Tim or pass things over

to Tim to talk about security.

PRESENTATION BY MR. T. SWANSON:

MR. T. SWANSON: Thank you, Monic. Good morning

everyone. Tim Swanson, Director of Information

Systems, and this morning I’m going to talk to you

about security.

So what is security? Security is the

protection put in place to protect something of value.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Protecting FortisBC information, including customer

and other private information, is critical and

FortisBC takes it very seriously.

As we’ve said in our evidence, it is

something FortisBC is very familiar with and has

extensive experience with. Stringent industry

standards in regards to data and infrastructure

protection are in place and independently tested on a

regular basis to confirm their effectiveness. It is,

of course, not in the best interest of FortisBC to put

any data at risk, including personal, personal

information, infrastructure, or any other information

at risk as we rely on them as much as our customers

do. We use independent third party annual auditing to

check the security of FortisBC’s systems by testing,

confirming the correct technology and processes are in

place based on current standards.

That being said, FortisBC would not use any

service, whether inside or outside of Canada, that did

not meet FortisBC’s requirements for security and

reliability. FortisBC would also not use any service

that could put us in a position of non-compliance with

privacy or any other legislation. From the security

perspective, the protection we put around the data

stored outside of Canada is the same regardless where

it’s located geographically.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


FortisBC believes that its robust security

requirements ensures the risk to its data or

infrastructure is not increased regardless of

location.

The next two points on the slide you’ll see

are -- you’ll recognize from Exhibit B-8 and the

evidence on alternative relief, and these are key

security mechanism we currently use and will continue

to use for data that is stored outside of FortisBC

data centres.

First of all, encryption is primarily used

to store data outside FortisBC data centers, is

generally used in cases where the data is not needed

to be recognized by parties outside of the FortisBC.

Encryption isn’t appropriate for sending data for

analysis generally outside of FortisBC. That’s where

de-identification tends to work a little better and

I’ll talk about that in a minute.

Encryption uses an algorithm to randomize

data to transmit or store outside of FortisBC.

Encryption makes data unrecognizable and unusable

without a decryption key, which we keep within our

FortisBC data centres.

As described in evidence, FortisBC uses the

current industry standard, 256 bit advanced

encryption, to protect our data. In regards to


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


encryption, FortisBC has been using encryption to

protect company information for many years. Again,

independent third party experts on security, including

encryption, test and report on FortisBC’s methods and

technology to confirm their effectiveness.

As stated earlier, to further protect

FortisBC’s data, encryption keys are held within

FortisBC data centres to ensure encrypted data stored

outside of FortisBC data centres is unusable and

unrecognizable in the unlikely event that it is

accessed by unauthorized parties.

Similarly to encryption, de-identification

is used in some instances to protect FortisBC’s data.

De-identification removes personal information either

by deleting the field or replacing the data in the

field with random characters. As discussed in

evidence, de-identification has a different function

than encryption, in that it allows FortisBC to send

data, without encrypting, for purposes of analysis or

collaboration with vendors or other industry groups.

It allows us to do that without the concern of private

information being in jeopardy.

Also as discussed in evidence, FortisBC may

have a requirement to re-identify the data when it is

returned to the FortisBC data centres, and in which

case the keys to do that would be kept within FortisBC


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


data centres.


So now we’ve stated that we encrypt or de-

identify data. So I’m going to talk about the risks

around these strategies and what FortisBC does to

mitigate those risks regardless of where the data is

located.

Of course, the risks to encrypted or de-

identified data is that it gets decrypted or re-

identified. In the case of encryption, as pointed out

in the evidence, it is considered fundamentally

impossible to decrypt information encrypted using the

methodologies that FortisBC uses, without the key.

Which again we keep in our data centres. There is

simply not enough processing power on the planet to

brute-force decrypt the data that has been encrypted

using FortisBC’s methodologies.

Regarding the risk of re-identifying de-

identified data, it is not reasonably possible because

the data is removed completely or replaced with random

information. And again, if there was a key to re-

identify that information, it would be kept in our

data centres.

So in the unlikely event that a third-party

data storage provider was breached, whether by a

hacker or other means, any compromised data would be


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


unusable, unidentifiable, and undecipherable. This is

very important to understand because in the unlikely

event data has been breached, the originating location

of the data has no impact on controlling the breach

once it has occurred. Once breached data is out in

the digital world, as Monic said, there are no borders

or boundaries to protect it.

Also in the unlikely event of a breach or

compromise of FortisBC data stored outside of FortisBC

data centres, an incident management program is in

place to ensure any actual or perceived incidents are

reacted to appropriately. FortisBC’s incident

management program includes comprehensive root cause

analysis, an investigation, which is required for any

incident that affects the reliability or security of

FortisBC’s systems or infrastructure.

Again, in regards to risk, FortisBC does

not consider there to be an impact on risk to the data

due to its location, because it’s the security

standards and requirements that protect the data,

regardless of where it’s located. And those standards

and requirements are not negotiable.

So the next topic is assessments. If the

Order were to be granted, we wanted to explain the key

processes we use to ensure the protection of FortisBC

data. We thought it might be helpful to relate this


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


slide to a real-world example.

So recently our Energy Efficiency and

Conservations Group was looking into an on-line energy

analytics solution to provide customers with energy

analytics tools to help them make decisions around

their consumption. Well, it turned out the most

functional and cost-effective option was a service

provided by a U.S. firm. If we were able to consider

a U.S. provider for this service, a privacy and

security assessment would be completed. And these are

some of the key components of those assessments we

would have considered.

In regards to the security assessment, some

of the important areas we would include would be

requirements such as vendor viability, for which we

use independent reviewers and consultants, as well as

contacting reference organizations. Performance and

reliability include disaster recovery and backup

capabilities and review; a demonstration of security

capabilities, which includes specific security

requirements regarding firewalls and access control is

required; a documented incident management program

that meets FortisBC’s criteria for reporting and

mitigating -- and mitigation is required. Even the

physical security of third-party facilities, where

FortisBC data would be stored, is reviewed for


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


compliance with FortisBC’s requirements.

Logical access controls are required, and

approved by FortisBC, to ensure a minimum number of

people have access to the systems or the

infrastructure housing FortisBC data.

MR. ANDREWS: Madam Chair --

MR. T. SWANSON: Oh.

MR. ANDREWS: I wonder if I can ask at this point whether

the --

THE CHAIRPERSON: Your name first, for the record.

MR. ANDREWS: Oh, for the record, Bill Andrews, B.C.

Sustainable Energy Association.

THE CHAIRPERSON: Thank you. Please proceed.

MR. ANDREWS: I wonder if the Panel can ask the witness

whether this -- what’s being talked about now is

evidence that’s on the record, that we have a

reference to, or whether this is new information.

THE CHAIRPERSON: This is SRP, right? So I think that is

quite all right.

MR. T. SWANSON: Would you like us to answer?

THE CHAIRPERSON: What is your answer to that, Mr.

Swanson?

MR. T. SWANSON: Tim Swanson. This is an example that

highlights some of the information that we have in the

evidence and in the Information Requests that we

received.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. ANDREWS: All right. Well -- well, I’ll just leave

it at that, thank you.

THE CHAIRPERSON: But perhaps also to remind everybody,

although we have this set plan, that it is the

presentation, then the intervener and staff questions.

I think if there is sort of a burning question during

the presentation, it’s okay.

So do you want to expand on that?

MR. D. SWANSON: I’d just like to clarify that. The

example itself is not on the record, no.

MR. T. SWANSON: Correct.

MR. D. SWANSON: The protections we have in place is on

the record, but the example is just meant to try and

explain how it would be applied.

MR. CURTIS: Dave Curtis here. There have been several

IRs asked about threat assessment and privacy impact

assessment, and answers provided. Instead of reading

back the answers we gave in IRs, the panel members are

here to talk through those issues in a bit more

detail, and they’re here to answer questions about it.

So we don’t think it’s all that helpful to just read

back verbatim the evidence we gave. That’s not what

we’re here to do.

So these topics are definitely dealt with

on the record. And I just wanted to make that

comment.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26



THE CHAIRPERSON: Receiving here some advice from our

legal counsel too, but this is -- again, just a

reminder, this is an SRP, and that the purpose of this

day is really to help all the parties understand

what’s behind the evidence and what was said in IRs.

So providing these examples, as FEU is doing right

now, should be perfectly acceptable.

MR. ANDREWS: So can I ask that if there are examples --

THE CHAIRPERSON: Just repeat your name for the record

please.

MR. ANDREWS: Bill Andrews. I’m not objecting to the

concept of bringing in new information, but I think it

would certainly be helpful to me if, when an example

that’s not on the record is put forward, that it be

identified as not being something that’s on the

record. Otherwise I’m canvassing my brain cells

thinking I don’t recall anything on the record about

an example of a conservation analysis, and it may be

very helpful information that these people are here to

give evidence and they don’t have to only parrot

what’s already been given as evidence, but it would be

helpful to know what’s new and what’s old.

THE CHAIRPERSON: So can FEU make an effort to

accommodate this?

MR. CURTIS: You know what, of course, we’ll do that.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


There isn’t much longer left in the presentation and

this may be the only example of this kind given. It’s

kind of an awkward approach, but we’ll do our best to

accommodate that, sure.

THE CHAIRPERSON: Thank you.

MR. T. SWANSON: Tim Swanson again. So to clarify, this

assessment would -- these are the things that we would

do in any assessment of a project. So just to go back

to the previous point so we can continue appropriately

and it makes sense, we talked about the logical access

controls that we require that ensures that any

provider has the minimum number of people accessing

FortisBC’s information. Additionally, audits of

access logs for those individuals who have access to

the systems housing FortisBC data is required and

reviewed by FortisBC.

Review of the security tools such as

firewalls, anti-malware systems and act of defence

would be completed to ensure their compliance with

FortisBC requirements. And a guarantee of appropriate

security resources required is -- and training. So

it’s a guarantee of appropriate security resources

with required training is needed. A review of

proponents’ overall policies and procedures is

completed to ensure they meet FortisBC’s requirements.

And finally, system maintenance plans and schedules


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


are required to ensure the proponent has a documented

maintenance plan that works with FortisBC schedule and

that it ensures ongoing security.

These are not all the criteria considered

in the security assessment, but it demonstrates some

of the key areas we review. In each case they would

be required to meet FortisBC standards. All the

layers of security that we require are what we

consider defence in depth. What this means is we do

not have a single point of failure that could

compromise FortisBC’s data.

An organization’s inability to comply with

any one of FortisBC’s security requirements would make

them ineligible to provide service to FortisBC. Costs

do not override requirements.

The next part of the assessment, if it was

determined there was private information involved by

the group that was doing the analysis on the

initiative, they would engage our -- they would start

a privacy impact assessment. And I’ll pass it over to

Monic Pratch to give you a rundown on what a privacy

impact assessment might look like.

PRESENTATION BY MS. PRATCH:

Thanks, Tim. It’s Monic Pratch. As I

mentioned before, Privacy Impact Assessment is a tool

which is used to assist the project manager and myself


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


as the privacy officer in identifying privacy-related

risks and tools that we can use to mitigate those

risks. Once a security assessment is completed, the

IS Department works with the project manager to

determine if the project involves the collection, use,

or disclosure of personal -- of a significant amount

of personal information. If so, the project manager

will usually contact me or a member of my team and

we’ll begin the process of developing a privacy impact

assessment.

This assessment asks a variety of questions

to help flesh out privacy risks. For example, a

privacy impact assessment may include questions such

as what personal information is being collected, how

is this information being collected, for what purposes

is the information being collected, used or disclosed?

Is it absolutely necessary to collect that personal

information to achieve the objective of whatever

product or service is being offered? Does the

contractor we’re proposing to use have a privacy

policy and a privacy officer? What does that policy

say about privacy practices and privacy management

programs that the vendor might employ?


Once we work through answering these

questions, we can then begin to look at ways to


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


mitigate any privacy-sensitive areas that may be

identified. For example, in the case Tim mentioned,

we would complete a privacy impact assessment and

perhaps the analytics tool we were developing required

consumption information of customers in order to find

better ways to provide them with energy-saving tips.

In that particular case, we would look at

ways we could mitigate any privacy-related concerns.

So for example, the analytics service provider may not

need access to the customer’s name or billing address

in order to provide that customer with such energy-

saving tips. We may be able to de-identify that data

which would mitigate the risk of an unauthorized

disclosure, releasing identifiable information about

an individual.

It is important to note that FortisBC

already completes this assessment at the current time.

We are not proposing to change our process, but rather

to lift the general restriction and instead to put

parameters around personal information specifically.

In the example Tim and I have just

reviewed, the benefits of the project and being able

to possibly use an American service provider would be

eroded if we needed to bring an initiative of this

small size to the BCUC as the cost savings would be

eaten up by the amount of time spent on the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


application itself.

The bottom line is that if a privacy impact

assessment is completed, and the privacy risks that

have been identified cannot be appropriately

mitigated, the project will not move forward.

With that said, I’ll turn it back over to

Dennis.

PRESENTATION BY MR. D. SWANSON:

MR. D. SWANSON: Thanks, Monic.

So, going forward, if approval is granted,

the FEU will continue to apply the same high level of

rigour around security and privacy. We’ll continue to

perform privacy impact assessments and security

assessments. We’ll continue with the practice of

encrypting or de-identifying sensitive data before it

leaves the company; continue with the practice of

maintaining encryption keys and de-identification

tables within the possession of FortisBC at all times

within Canada.

The application was put forward to

eliminate certain data storage restrictions that have

previously been placed upon the company. We have

stated that we do not consider there to be an increase

in risk associated with the location in which data is

stored. We have explained that it is the security

standard that protects the data regardless of physical


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


location. We have attempted to demonstrate our

experience and expertise in our ability to protect our

systems and our information through appropriate

controls around security and privacy.

We have discussed the fact that

unauthorized access to data is not protected by

borders. The key is to ensure that security standards

are in place to protect against unauthorized access,

and in the unlikely event of a breach, ensure that the

data is unusable and unrecognizable.

We have explained that foreign government

access to FEU data should not be of a concern, due to

the fact that any sensitive data stored outside of

Canada would not be usable or recognizable without the

encryption or re-identification keys. That again

would be stored in FortisBC’s data centres within

Canada.

The important consideration for doing

business in this digital world is to ensure that

appropriate levels of security and data protection are

in place, regardless of the location the data is

stored. FortisBC did not pursue this application to

start moving vast quantities of data inside or outside

of Canada. This application was made in order for the

FEU to continue to officially do business in the

current digital business environment, for the benefit


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


of our customers.

And with that, I’d like to open it up to

questions.

THE CHAIRPERSON: Thank you, FEU team, for that

presentation. So, for questions, the interveners come

first, so do you have sort of preferences in what

order you would proceed? Or --

MR. ANDREWS: We haven’t discussed order, but before we

even get to that, may I --

THE CHAIRPERSON: Mr. Andrews, again --

MR. ANDREWS: Bill Andrews. Might I suggest that before

we have questions, the interveners have at least an

opportunity for a brief statement about what their

approach to the application and today’s proceeding is?

THE CHAIRPERSON: Mr. Andrews, again, coming back, but

the SRP format is supposed to be -- it is the

presentation by the applicant, and followed by Q&A.

And normally the time for submissions is then at the

end. But if you are -- if you can keep your

submissions brief, perhaps that will help everybody to

stay focused, so we’ll let you to do that.


MR. ANDREWS: All right then, and in terms of order,

shall I go first then?

MR. CRAIG: David Craig, Commercial Energy Consumers.

Madam Chair, we don’t intent to make an opening


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


statement, so we will go to questions and answers.

THE CHAIRPERSON: How about BCOAPO?

MS. SADREHASHEMI: Lobat Sadrehashemi for BCOAPO, we can

make a few statement.

THE CHAIRPERSON: Mr. Andrews please proceed.

SUBMISSIONS BY MR. ANDREWS:

Thank you. The B. C. Sustainable Energy

Association and the Sierra Club of B.C. members are

ratepayers of FortisBC Energy as natural gas

customers, And to the extent that the company is

arguing consistency with its Fortis Electric, there

are members of my clients in the Fortis Electric

service territory.

Significantly among the membership that are

represented are non-individual ratepayers. That is

ratepayers that are incorporated either as companies

or institutions or non-profit organizations, societies

and so on.

In terms of the application I just want to

say that my clients are not approaching this

application from a perspective that is ideological or

paranoid. The intention is to be strictly practical

and it was on that basis that the IRs were made and

the responses to the arguments that we made.

I’ll just itemize four items that are sort

of on the top of my list by way of kind of


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


introduction to the questions. One is, I think it

would be useful to confirm what the company’s position

is regarding the original order request. That is,

it’s new that the order requested is the revised order

because in the way the submissions were left the

company had asked for the original order and only in

the alternative the revised order. So if the original

order requested is still on the table then I will have

a lot of comment and question and submission on that

order. If it’s not on the table, that might save time

if we knew that now.

THE CHAIRPERSON: That would help everybody. So Mr.

Curtis, can you perhaps set the record straight there

or Mr. Swanson?

MR. D. SWANSON: It’s Dennis Swanson. I can confirm that

the request is now the alternative relief.

MR. ANDREWS: Thank you. My second topic then, well let

me -- is the -- the company had characterized the

concerns that my client’s and other interveners raised

as being privacy concerns. And then there’s a kind of

a switch goes on in that the company says privacy

means as defined under the B.C. Privacy Legislation,

and that excludes protection for corporate customers.

And I’m a bit disappointed in the Fortis presentation

there was no acknowledgment of that. That was the

subject of a information request. It’s clearly an


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


important issue. The company is proposing to protect

the privacy of individual customers and it’s saying

that it’s proposing not to protect the same interests

as applied to corporate customers. And I’m -- I hope

that you would be willing to change your approach on

that and replace individual customers with customers

period in what you're proposing.

THE CHAIRPERSON: Does FEU wish to respond to this?

MR. T. SWANSON: Sure. Tim Swanson. In regards to the

way we protect information, it is the same whether

it’s personal or corporate information, it is all

protected in the same way. I agree we didn’t

recognize that in the presentation, but just to be

clear, we don’t treat corporate data differently than

we do personal information from a security

prospective, from a privacy perspective.

MS. PRATCH: From a privacy prospective, the privacy

legislation only applies to the information of

individual -- or of information that is identifiable

about an individual. So the original concerns that we

read about from the original order, as well as a

number of the information requests and submissions,

dealt specifically with privacy concerns. And we

attempted to address those concerns by specifically

referencing the privacy legislation and the processes

that we put in place with respect to individual, the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


information of individual customers.

Certainly I don’t think we’re suggesting

that we would not maintain confidentiality over the

information of industrial or commercial customers as a

result of that. But, you know, the privacy

legislation itself only applies to that of

individuals.

Track 10


MR. ANDREWS: So, rather than engaging in --

THE CHAIRPERSON: Mr. Andrews.

MR. ANDREWS: Do you want me to identify myself every

time I ask a question?

THE CHAIRPERSON: Well, maybe our -- no, it’s all right

is it?

All right thank you. Only when you start.

Thank you.

MR. ANDREWS: Let me -- first of all the questions that

my clients asked were never framed under B.C. Privacy

legislation. It was Fortis that introduced privacy

legislation terminology as a response to the

questions. The concern was always of a customers,

whether they were individual or corporate.

And so I guess what I am hearing is a

willingness, and you've said that the customers are

treated the same way. If that's the case, then would


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Fortis be amendable to the same protection applying to

customers regardless of their individual versus

corporate status?

MR. T. SWANSON: Tim Swanson. In the Exhibit B-8, the

evidence on alternative relief, we specified that we

were going to protect any sensitive data with the

level of protection we have for all of our data. So

if we -- corporate data would be considered sensitive

as well, it would be protected from a security

prospective in the same way.

COMMISSIONER MACMURCHY: Who determines what’s sensitive?

MR. T. SWANSON: I knew that question would come up. Tim

Swanson again.

Sensitive is a difficult term to analyze

and I think that’s why we use more of a blanket

technology for all of our data stored outside of

FortisBC data centres. We go back to our application,

we keep all of our data that we store outside of

FortisBC data centres encrypted. We don’t discern

whether it’s -- whether it’s particular to personal or

such.

That being said, it’s most cost effective

just to encrypt everything that is stored outside the

FortisBC data centres unless in such a case where we

said that the identification is a more appropriate

means for the means of using it for analytics and


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


other uses, in which case personal information is the

key there and we remove it by de-identifying.

COMMISSION MACMURCHY: Let me just ask one further

question, and I am sure Mr. Andrews might have asked

it anyway, but I guess -- the problem we’ve got to

wrestle with is we’ve got to make a decision and give

an order at some point in time. And I guess my

question to you is, if in that order we specify that

corporate information will be treated with the same

level of privacy and security as personal information,

would that be a problem to FortisBC?

MR. D. SWANSON: It’s Dennis Swanson. Generally speaking

no it wouldn’t, and if I might offer a suggestion. In

the new order granted slide, in that first bullet

where it says "permits the FEU to store data about

customers that would otherwise meet the definition of

personal information outside of Canada if it is either

de-identified or (b) encrypted", we could say "permits

the FEU to store data about customers outside of

Canada if it is either de-identified or encrypted."

If that would assist.

COMMISSIONER MACMURCHY: Thank you. Go ahead Mr.

Andrews, sorry to cut you off there.

MR. ANDREWS: I appreciate that, and I don’t know that we

need to get into the wordsmithing at this point, but I

think that the concept is clear and that is a major


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


concern of my clients coming into this discussion.

The second, the kind of general area, is

that the company appears to have glossed over in the

focus on unauthorized access, which is a legitimate

major area of concern, the whole area of authorized

access to data. And in particular the United States

authorization processes, plural, for accessing

information that hasn’t been addressed early on and

even now I got the sense -- first of all during the

presentation I didn’t hear this, but then in Dennis

Swanson’s summary I heard this acknowledgement that

authorized government access -- that government access

should not be a problem because only encrypted or de-

identified information would be available.

So my clients are very concerned about the

information both that relates to themselves as

customers and about the utility itself as a matter of

public interest. Being stored in a location where

it’s accessible to U.S. government authorities

according to U.S. government rules, which as a

generalization are secret, sweeping and powerful.

They could collect the entire data of Fortis’s utility

operation as a matter of national security and they

routinely do acquire data on that type of scale, and

no one would know that it had even been done because

the regime itself makes it illegal for someone to


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


acknowledge that data has been acquired or accessed

under these regimes.


MR. ANDREWS: So from that perspective, there remains a

concern, that data stored outside of Canada is

qualitatively different than data stored inside

Canada. And so I guess I’m open to your response to

that.

MS. PRATCH: It’s Monic Pratch. Thank you, Mr. Andrews.

And I think we’re talking about two scenarios. The

first scenario is where FortisBC uses some sort of

hosted solution, or moves the database down to the

United States, or does something of that nature. And

that’s certainly not something that we’re suggesting.

The two scenarios I kind of want to refer

to is, the ability for the U.S. government or any

foreign government to be able to compel the disclosure

of data that’s held within Canadian borders. So the

encryption keys themselves. And I think that we’ve

shown, certainly in the evidence and that we accept

the position of the Office of the Information and

Privacy Commissioner, that the real concern is that if

we were storing that data in the United States, or if

we were an American company that was -- or we were

owned or controlled by an American company that would

have the ability to reach up to Canada and pull down


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


those encryption keys.

MR. ANDREWS: Your response is addressing encrypted data,

but the requested Order is that Fortis be able to

store outside of Canada all data that is not covered

by the customer exception. You’re asking that apart

from information that’s associated with a customer,

and we’ve discussed whether that includes individuals

as well as companies; you’re asking that all the rest

of the company’s information should be allowed to be

stored in the United States without encryption.

MS. PRATCH: Certainly --

MR. ANDREWS: That’s what you’re asking. And if I’m

wrong about that, tell me.

MS. PRATCH: Thank you. It’s Monic Pratch again.

Certainly we’re not suggesting that immediately after

an Order is granted we would start moving large

volumes of data down to the United States. We’re just

asking for the ability to look at potential solutions.

And those solutions would still need to meet all of

the security requirements that FortisBC has,

regardless of where that data is stored. So they

would still need to go through a complete security

assessment, they would still need to follow all of the

protocols. They would still need to have the same

level of protection around that data that FortisBC

currently uses for all of its data.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. ANDREWS: Would you agree with me that all of the

security that we’ve been told about to this point does

not relate one iota to authorized government access?

Everything that Mr. Swanson and Ms. Pratch said

relates to preventing unauthorized access to

information.

MR. D. SWANSON: It’s Dennis Swanson. We’re a little bit

confused, because our position is, there is no

authorized government access from foreign governments

to our data.

MR. ANDREWS: Well, if you store the data in the United

States, are you disagreeing that the United States

government has legal authority to acquire access to

that data in a number of different regimes?

MR. D. SWANSON: We -- what we -- I think I understand.

I think I understand the issue here.

If I’m interpreting you correctly, what

you’re alluding to is if we stored, let’s say,

critical asset information down in the States that

isn’t customer information, and we didn’t encrypt or

de-identify that data, then the government has access.

Is that an example of what you were referring to?

MR. ANDREWS: The question that -- the fact is, and you

can tell me I’m wrong about this, that the U.S.

government has the authority to access gov -- to

information that’s within its jurisdiction, and that


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


would certainly include present on servers in the

United States. Whether the information is encrypted

is another whole level, but they can acquire that

information.

MR. CURTIS: But we’re drifting a little bit here into

legal argument. These guys aren’t here to talk about

U.S. foreign laws. We stated in an IR, I think it was

BCUC 1.4.1, we gave the statement that data in a

foreign country could be subject to foreign laws.

These guys can say that. They’re not going to argue

about specific foreign laws or make legal -- you’re

got to -- that’s fair.

MR. ANDREWS: But I -- so, fair enough. So let’s --

MR. CURTIS: Absolutely. If we can start with what we

said in BCUC 4.1 and then you can ask them questions

around the facts, I think that’s fine. But these guys

aren’t going to get into legal argument on this stuff.

The word is “restrained” here --

MR. ANDREWS: The ultimate issue -- but the issue that

I’m trying to address here is not the legal nuances of

the American government’s mechanisms for gaining

access. But let’s -- Fortis has acknowledged that the

U.S. government has the ability to, in an authorized

way, access information that’s in the United States.

Am I right there?

MR. CURTIS: Fortis has said that data --


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


THE CHAIRPERSON: If you could --

MR. CURTIS: Sorry. David Curtis. Fortis has said that

data in a foreign jurisdiction could be subject to

foreign law.

MR. ANDREWS: So Fortis is now asking for the -- like

Fortis is currently is not allowed to store

information outside of Canada.

MR. CURTIS: Yes.

MR. ANDREWS: And it’s asking that that restriction be

removed, and let’s set aside information to do with

customers. Fortis is asking that it be allowed to

store information, not to do with customers, in other

countries including the United States, correct?


MS. PRATCH: It’s Monic Pratch. I think what we’re

asking for is the ability to consider different

alternatives, which may involve the storage of

information outside of Canada. Certainly we haven’t

completed a full security risk assessment around any

individual project. So no, we’re not asking to store

specific information outside of Canada at this point.

MR. D. SWANSON: In addition -- it’s Dennis Swanson. In

our evidence we also refer to the fact that we apply

our security and our protection, including encryption

and de-identification, to sensitive data. Not just

customer data, but sensitive data is not a term that’s


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


defined anywhere. So we apply that level of security

to our data regardless where we store it. So the

information that I believe Mr. Andrews would be

referring to, if it’s sensitive in nature, would be

encrypted and de-identified. What we haven’t done is

gone through every type of information the company has

and try to identify this is how we handle each type of

data. But yeah, we do provide that level of security

over all of our data.

MR. ANDREWS: From what Ms. Pratch was just saying, if it

isn’t clear yet what exactly the company would be

doing with data, and setting aside the customer data,

then is it reasonable that anything that the company

did end up actually proposing come back to the

Commission for approval?

MR. D. SWANSON: It’s Dennis Swanson. I believe we

addressed that as well in the presentation. Both

Monic Pratch spoke to it and I did as well. And that

is it’s not like we’re looking at transferring all of

our data into the States. These are small little

initiatives. And if we were to come back with each

small little initiative, the cost of doing so,

preparing an application, would simply outweigh the

benefits. So we’d restrict the amount of benefit

that’s available to customers.

We believe we’ve got strong processes in


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


place to protect our data. We believe we have the

expertise in-house to make that analysis of what data

is sensitive to the company and to customers, and we

do make that analysis. This isn’t a new step for the

company. This is something we take very seriously.

We’ve had these processes in place for years. We

don’t believe the risk changes with the storage

location of the data.

MR. ANDREWS: Well, let me come back to that aspect of

it, because you’re asking the Commission and the

parties in terms of their support to trust Fortis’s

approach, but I have great difficulty if the company

is so resistant to acknowledging that information

stored in the United States is accessible to the U.S.

government, and that that is at least an issue that

needs to be considered, then I have trouble with the

concept that decisions about that data should simply

be left to Fortis without supervision of the

Commission. Give a response to that?

MR. D. SWANSON: Dennis Swanson again. That is

considered. That is absolutely considered. And any

data that we believe is sensitive is encrypted and de-

identified. So even if foreign governments did get

access to it, it’s meaningless. It’s a listing of --

MR. ANDREWS: But if I may, you’re not -- you’re

specifically proposing that you be allowed to store


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


data, apart from customer data, outside of Canada in

an unencrypted way. The conditions about encryption

that you’re proposing for customer data don’t apply to

any other corporate data. Now, you’re saying, “Trust

us, we’ll know which data to encrypt and which not.”

And in the context of the kind of the new information

realities and concerns, that strikes me as a very big

area in which to give the company carte blanche to

take utility data and make it available to the U.S.

government.

MR. D. SWANSON: Dennis Swanson again. Again what we are

saying is let us manage the company. We have the

expertise in-house to determine what data is sensitive

and not sensitive. We do that on a regular basis

regardless of where we store data. We want to apply

the same rigour that we currently apply and that we’re

experts on applying, and protect data on behalf of the

customers and on behalf of the company. Protecting

that data is important to us.

MR. ANDREWS: So the company has acknowledged that it’s

no longer seeking the original remedy, so I won’t go

back to that. But I do think it’s relevant that

throughout the course of this whole proceeding, the

concerns about the protection of the information have

been met -- have been raised by parties by information

requests and Commission Staff, and then Fortis has


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


responded. There was nothing in the original

application that said anything about encrypting any

data.


It was just let us dismiss the data

retraction and now -- so now we’re looking at the

particular area of the non-customer utility data --

and let me put it to you this way. One of the things

that was asserted by the company early on is that

these information technology market solutions that

required information to be stored outside of Canada

that were blocked because of the existing restriction,

were not available in Canada. That the restriction

had to be removed in order for the company to have

access to the cost savings that would accrue from

these new data management solutions.

So my question is, is that still the case?

Exhibit A-2-1 shows that there is at least some Cloud

storage being proposed to being posted within Canada.

So what about that? Why can’t Fortis us Cloud storage

and innovative class saving information technologies

that are hosted in Canada?

MR. T. SWANSON: Tim Swanson. You’re referring to the

Microsoft data centres being put in Canada?

MR. ANDREWS: Yes.

MR. T. SWANSON: I actually met with Microsoft yesterday


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


regarding that offering. It’s a good example of where

they’re trying to market to Canadian people. They

position the data centres in a location outside of

western North America.

And I would also like to point out that

this is one example of services that we look at.

There are a lot of smaller solutions that we consider

as well, that are for specific services, that the

economies of scale aren’t there to offer them outside

of the United States in some cases or possibly other

jurisdictions. So it’s really, it’s really just one

example of what’s happening. And we can’t anticipate

that all organizations that have services that we’re

considering are going to start locating their data

centres in Canada. It really comes down to what their

market looks like. So that’s one example.

The other piece of that was the Microsoft

data centres in Eastern Canada, according to

Microsoft, may have latency issues for Western Canada,

and they still recommend using the Quincy data centres

for their services in Western North America because of

some latency issues there may be. We don’t know yet.

We will find out, but those are a lot of the concerns

that have come up.

And so you're aware, when they build data

centres like this they generally structure them in


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


such a way that they’re positioned around internet

hubs, and the internet hubs provide the performance

that you need for these Cloud services. Unfortunately

in Western Canada we don’t have the population for

some of the organizations to consider us for data

centres, but that’s some of the reasons I got from

Microsoft.

MR. ANDREWS: Would you agree that one of the reasons

that Microsoft claims to have located the proposed

centre in Canada is because there is a market for

information services by customers that want their

information to stay within Canada?

MR. T. SWANSON: Yeah, so in the article they talked

about -- you’re right servicing some of those clients

that have certain restrictions. Those client’s don’t

necessarily have the same restriction we’re talking

about here, but there is -- that was one of the

reasons they put out there. And, you know, it’s

really a marketing position for them.

MR. D. SWANSON: It’s Dennis Swanson. In addition, I

don’t believe Microsoft had taken the position it’s

not going to use its back-up data centres that are in

the United States for back-up of that data. They

typically store back-ups in various locations. This

is a primary data centre only, it’s not a chain of

data centres.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. ANDREWS: So if that was the case then, the marketing

that was pitched to customers that required data to be

stored within Canada would not be accurate, is that

what you’re saying?

MR. D. SWANSON: Dennis Swanson again. The data would be

stored in Canada, but it may be backed up in the U.S.

as well. I can’t speak to Microsoft’s marketing.

MR. T. SWANSON: Tim Swanson. Can I clarify a little bit

for you, Mr. Andrews?

MR. ANDREWS: Please.

MR. T. SWANSON: Microsoft hasn’t settled on what their

architecture is going to look like finally, but to

Dennis’s point, Microsoft bases their reliability on

connecting all of their data centres, so that they can

use them for resiliency and redundancy. They haven’t

settled on what infrastructure looks like. I am not

sure what kind of negotiations they would have with

clients regarding where their data is going to be --

where the back-ups may be stored. So that’s something

that is kind of yet to be determined.

MR. ANDREWS: So if the Commission was to decide not to

remove the restriction to the extent that Fortis could

just put data into storage places outside of Canada,

it would be solutions like this Microsoft one that

would be available depending on what the responses

from the suppliers were to the requirements of


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Fortis’s RFP.

MR. T. SWANSON: Tim Swanson. FortisBC, on its own,

generally doesn’t have -- would not be enough of a

market share for most organizations to consider

putting in a Canadian data centre. If that’s the

question you’re asking.

Track 14


MR. ANDREWS: No, that wasn’t what I intended to ask.

I’m sorry.

MR. D. SWANSON: Dennis Swanson. I believe you’re asking

that if the Commission did not grant the Order

requested, would FortisBC be able to consider the new

Microsoft data centre located on the east coast of

Canada as an option? And the answer to that would be,

yes, we’d be able to consider it, assuming they didn’t

back-up data into the U.S., and assuming there weren’t

latency issues, but yes, it would be one we’d be able

to consider.

But again, you have to remember, this

wasn’t a request about a Microsoft data centre, or

about Cloud service. This was a request to allow us

to consider options that would be for the benefit of

customers in general. That was but an example of

that.

MR. ANDREWS: So, speaking of examples, one of them was


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Office 365, that Fortis provided as an example, that

at the time FortisBC said was only available in --

hosted by servers located in the U.S. And now

Microsoft has said it’s going to have servers located

in Canada that are at least marketed for customers

that want to have their data stored within Canada. Is

that a fair statement?

MR. T. SWANSON: Yes.

MR. ANDREWS: So would you agree that the availability of

services -- electronic services that meet customer

concerns to do with the location of the storage of the

data is changing rapidly?

MR. T. SWANSON: Tim Swanson. I agree, technology does

change very rapidly, and that’s actually one of the

reasons that we put this application in. Again,

Microsoft is one of the examples we used. And there

are a number of nuances around that opportunity in

Canada that we’ve discussed a little bit. With the

changes in technology also comes the ability for

organizations, data storage organizations, to build

affiliations with U.S. counterparts. There could be

cost of service reasons that they go to U.S.

providers. You could even see Canadian organizations,

potentially, this is hypothetically, looking at

partnering with U.S. organizations for storage

facilities. And the only reason I bring this up is


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


that you referenced technology and the ever-changing

technology, and you’re exactly right, Mr. Andrews.

Technology is changing all the time, and that’s one of

the reasons that we put this application in. Because

of some of the services we use, that we could

potentially use, you know, that that’s a reason we put

this in, so we could consider some of those services.

Like I said, Microsoft was only one example.

MS. PRATCH: It’s Monic Pratch. Just to add onto that, I

think it’s really important to understand, as I’m

listening to the examples and the situations we’re

talking about, I think it’s really important to

identify that regardless of whether we’re talking

about Microsoft or any other provider, we still go

through the same policies and rigour of assessing

whether or not there is a risk, and what those risks

are to storing that data with that vendor. Regardless

if it’s Microsoft’s, you know, servers located in

Canada, in the U.S., or anywhere else. Or whether

we’re looking at storing information on a much smaller

scale, dealing with an individual vendor or a much

smaller project.

Part of that assessment is always going to

be the jurisdiction of which that information would be

stored in. And if that risk was identified as one

that was too great, or if that risk couldn’t be


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


mitigated in some other way, i.e., encryption or de-

identification, FortisBC wouldn’t proceed with a

project of that nature.

So, you know, Microsoft is a good example,

and it’s recently been in the news, but the number of

projects that Tim and I get asked about with respect

to ensuring that we’re complying with the current

Order are usually on a much, much smaller scale. So

we’re not talking about moving large reams of data,

we’re talking about, you know, wanting to use a very

small -- on a very small project, we’re talking about

wanting to store small bits of information in an

encrypted or de-identified form, to be able to work

within those projects.

So I just want to make the point that it’s

-- you know, it really is allowing us to explore

alternatives, but still making sure that as we’re

exploring those alternatives we’re going through

proper assessments of the risks associated with them.

MR. ANDREWS: Well, I won’t -- I won’t reply to that

argument, thank you. But then let me change the topic

to the -- one of the points that Fortis made in the

application was that removing data restriction would

assist Fortis with using consistent IT approaches

between the Fortis Electric and Fortis Gas. And as

emerged in responses to Information Requests, FortisBC


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Electric is subject to a data location restriction

associated with approval of the Smart Meters there.

What do you say about that? Are you -- is Fortis

intending to apply to change the Fortis Electric Smart

Meter data restriction? Or would it -- that just be

carved out of this broader approach?

MR. CURTIS: These folks can’t speak to what FortisBC

Electric is going to be doing with respect to any AMI

data restrictions. They’re not -- they can’t give

that evidence.

MR. ANDREWS: So, that’s -- I mean, can we then say that

the Commission ought not to be looking towards

benefits of combining data, IT facilities between

Fortis Gas and Fortis Electric, as in the benefit

column of this application?

MS. PRATCH: If I could, Mr. Andrews, it’s Monic Pratch.

The FEC -- or the FortisBC Electric data restriction

around AMI data applies to customer information, which

is entirely in line with what the alternative remedy

is asking.


So the restriction around the AMI data,

it’s customer data and that data needs to be stored

within Canada, period. We’re certainly not suggesting

that we’re making any -- this application is making

any sort of statement about what we would be doing


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


with respect to that, with respect to that order.

MR. ANDREWS: Well, this application is to be able to

store customer data in encrypted form outside of

Canada, which would be contrary to the Fortis Electric

CPCN for the Smart Meters.

MS. PRATCH: It’s Monic Pratch.

MR. ANDREWS: It’s not a legal question.

MS. PRATCH: Mr. Andrews, it’s Monic Pratch. I agree

that that order does deal with customer information in

the electric context. I think what you’re referring

to is -- what we’re referring to is information

outside of that AMI data. We’d like to be able to

treat FortisBC gas data the same way that we’re

allowed to treat FortisBC electric data that is not

AMI data.

COMMISSIONER MACMURCHY: Can you explain to me what that

is? I mean, I read -- I went back and -- as a result

of your response to the IR, I happened to sit on that

AMI, interesting proceeding. And I was quite

intrigued with your interpretation because the wording

that was used in the Commission determination made no

reference to AMI data whatsoever.

So how do you interpret -- it just said

customer information, period. So I’d like you to

explain to me what customer information isn’t covered

or what information isn’t covered by the direction


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


that was put forward at that time.

MR. CURTIS: I’m going to ask for a bit of clarification.

Are you asking her to interpret the AMI decision or

the AMI --

COMMISSIONER MACMURCHY: I’m asking her to interpret the

response that she made -- that was made in an IR that

was sent to the -- well, that was asked by the BCUC.

I can give you the IR number. And I just don’t

understand that response in the context of the words

that was laid out in the decision. So if you could

elaborate on that, that would be helpful to me.

THE CHAIRPERSON: It might be better for everybody’s

benefit if we take a break now, and then the FEU

group, you have time to look at the reference by

Commissioner MacMurchy, and then you’ll return and get

back to the question.

So it is now 25 after -- ten minutes, is

that good? Right. Ten minutes break please.

(PROCEEDINGS ADJOURNED AT 10:25 A.M.)

(PROCEEDINGS RESUMED AT 10:38 A.M.) T16

THE CHAIRPERSON: Good to go.

So back to Commissioner MacMurchy’s

question. Do you want to repeat it or --

COMMISSIONER MACMURCHY: Do you need it repeated?

MS. PRATCH: I’m okay, thank you.

THE CHAIRPERSON: You know what the question was, all


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


right.

MS. PRATCH: Thank you. It's Monic Pratch.

I’ve had an opportunity now to review our

response and the question with respect to BCUC IR

1.8.1, and I just want to make this statement that

that particular sentence within the order needs to be

taken in the context of the order itself. And the

concerns that were addressed in that hearing were

namely around data as it was collected by the AMI

system, and as a result, you know, it’s our position

that that particular sentence refers to AMI data or

data that’s collected by the AMI system.

COMMISSIONER MACMURCHY: What data would be excluded?

MS. PRATCH: Just --

COMMISSIONER MACMURCHY: -- personal information.

MS. PRATCH: Monic Pratch. Just by way of an example,

for example say there’s energy efficiency information

that was collected by our power sense group on

particular -- in order to provide energy analytics or

to provide energy saving tips, for example, to a

customer. That’s not data that is collected by that

AMI system or runs through that. It wasn’t the

subject of that particular application or order, and

as a result I don’t think that that particular

sentence or that particular order would apply to that

data itself.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER MACMURCHY: Well, I guess I was -- one of

the things that caused me to question this a little

bit is that there was another statement in that

particular finding that said -- well, let me ask

another question a different way.

Does Fortis, the gas company and Fortis the

electric company have different privacy policies?

MS. PRATCH: Monic Pratch, no.

COMMISSIONER MACMURCHY: In the same determination in the

AMI decision there was a direction that the privacy

policy be updated to reflect that customer information

should be stored in Canada only. Could you direct me

to where that has taken place? I looked on the

website yesterday and I couldn’t find any change to

the privacy policy since that time.

MS. PRATCH: When we looked at the current privacy policy

and that privacy policy applies to FortisBC Energy

Inc., to FortisBC Inc., to all of the FortisBC group

of companies that exist. And as a result, because the

statement doesn’t say we will store your information

outside of Canada or we do store your information

outside of Canada, but uses language that say, we may

we wanted to make sure that that policy was consistent

for our customers. And so we don’t feel that the AMI

order is inconsistent with the current policy in

place.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER MACMURCHY: You were given a specific

direction in that decision to do something. I have

not seen any application asking for relief from that,

so I guess my question is have you -- is it Fortis

policy when you don’t agree with something that -- a

determination, that you just ignore it?

MR. CURTIS: I really have to respectfully intervene here

because you’re -- I think the initial questions around

the AMI decision and what was raised in the IR are

fair, they deal with stuff on the record here. But

you’re now asking a witness in a FEU proceeding to

talk about an FBC matter. We’re not here prepared to

speak to that at all, especially the types of

questions you’re asking right now. So I don’t think

we should be going there.

COMMISSIONER MACMURCHY: I guess, let me -- I recognize

that I don’t need to pursue that further. But my

expectation was that if an order had been given to

Fortis Electric to amend the privacy policy, by

looking at that amended privacy policy I could have

understood better what you were saying in response to

8.1, which is what customer information or what

information you see can be stored in Canada and what

won’t be stored in Canada. I went to try and do that

and I was not able to do that.

So I was just asking the question is, is


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


there something that had -- that I’ve missed that

would help, would have helped me in terms of any

changes you made to your privacy policy as a result of

previous decisions by the board -- the Commission?

MR. CURTIS: Again, I think we’re still -- we’re really

on a FBC side of the fence with that question. The

point is taken, but again, these folks are here to

speak for FBC today, they’re here to speak for the FEU

on this application. And I just -- with the greatest

respect, I don’t think that that’s -- that we should

be going further with it.

Track 17


COMMISSIONER MACMURCHY: I guess my question, then, is a

little one, it’s related to something else. I might

as well put it on the table now.

You stated that in response to -- I can

give you the IR number. BCUC IR 1.7.3, that FEU does

not share platforms with other Fortis companies

outside of B.C., like the subsidiaries that Fortis

Inc. has in the United States or the Caribbean. But

you do share platforms with FBC, which actually you’ve

been encouraged to do in order to provide efficiencies

and cost savings. Is that correct?

MR. D. SWANSON: Dennis Swanson. Yes, we share some

platforms but not all.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER MACMURCHY: Okay. And I guess the question

I really had, and it was what I was leading up to in

some of the other things, is there any danger that if

your request is granted by -- to lift the restriction

on FEU, that you could inadvertently put FBC offside

by -- in terms of violating the provisions that were

imposed in the AMI decision?

MR. T. SWANSON: Tim Swanson. As I pointed out in my

component of the presentation, we would not do

anything that would contravene existing orders or any

legislation. So, certainly we would consider anything

in other orders to be part of our consideration when

considering services.

COMMISSIONER MACMURCHY: So, could you, then, since you

wouldn’t do anything that would do that, can you

explain to me what data, then, you see you would be

restricted in using in terms of a shared platform that

you might have with FBC?

MR. T. SWANSON: Commissioner MacMurchy, can you repeat

that one more time? I want to make sure I answer your

question.

COMMISSIONER MACMURCHY: That is my question, it’s really

quite simple. You made a statement on how FEU is

interpreting a decision that was made with respect to

FBC. And I don’t think it’s -- and I agree with Mr.

Curtis that this probably isn’t the place to debate


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


whether that interpretation is agreeable to the

Commission or not. But having said that, the real

question is, do you know what data is subject to a

restriction in FBC to make sure that if you were to do

something that you wouldn’t be inadvertently getting

offside with your Fortis Electric restrictions.

MR. T. SWANSON: Tim Swanson. I totally understand your

question. Yeah. We certainly do understand our data

and what restrictions are around particular data. I

think that’s always part of our security and privacy

assessment process. So, yes, we do understand the

restrictions around particular data, that are in both

of our systems. If that’s the question you’re asking?

COMMISSIONER MACMURCHY: And so, I think I’ve beat this

horse just about to death. So I’ll stop it. Thank

you.

THE CHAIRPERSON: Back to Mr. Andrews, then.

MR. ANDREWS: Thank you. Let me, I guess, to a certain

extent follow up. On the topic of Fortis Electric and

Fortis Gas having the same privacy policy, can you

confirm or explain otherwise that Fortis’s privacy

policy applies only to customers that are individuals

and not to corporate customers?

MS. PRATCH: It’s Monic Pratch. Yes, I can confirm that.

MR. ANDREWS: So if the Commission was looking to the

privacy policy as a method of protecting the privacy


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


interests of corporate customers, Fortis policy in

that respect would have to change.

MS. PRATCH: It’s Monic Pratch. The privacy policy has

been put in place, one, as part of our governance

structure; but two, in specific compliance with the

Personal Information Protection Act, which requires us

to have a separate privacy policy relating to the

information that is governed by that Act. So it’s

partially a legislative requirement and it’s also part

of our governance structure.

MR. ANDREWS: So would there be any problem with

expanding the privacy policy so that it covered the

interests of corporate customers?

MR. D. SWANSON: It’s Dennis Swanson. I would suggest

that we wouldn’t change our privacy policy, because,

again, privacy policy has implications with respect to

certain Acts.

What we had suggested, though, when we had

this discussion earlier, is maybe change the word of

the Order to instead of saying “personal information”,

to say “customer information”.

In addition, our customer information

that’s within our systems really doesn’t

differentiate, whether you’re a commercial customer or

residential customer. So we treat it all the same

anyway. So the same level of protection over a


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


residential customer exists in our systems over a

commercial customer. Because we don’t parse the data

and say, “You’re a residential customer so your

information goes down this path, and you’re a

commercial customer so your information goes down this

path.” It’s just customer data and it’s treated the

same.


MR. ANDREWS: So from the point of view of the interests

of corporate customers, they are kind of free riders

on the individual customer privacy policy.

MR. D. SWANSON: Dennis Swanson again. Not with respect

to the privacy policy, but with respect to our data

security, yes.

MR. ANDREWS: And with the privacy policy they’re simply

not covered whatsoever.

MS. PRATCH: It’s Monic Pratch. Correct. With the

privacy policy they’re not. But we also have other

policies in place within the organization that govern

confidentiality of information and govern data

security, and I’m sure Tim can speak to a few of those

as well. So it’s not as if there’s no policy in place

that governs commercial or industrial customers.

MR. ANDREWS: Is there any policy that governs corporate

customers that covers the same issues that are

addressed in the privacy policy that applies to


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


individual customers?

MS. PRATCH: It’s Monic Pratch. I think it would depend

on the -- it would depend on the specific sections

that you’re interested in. If you’re talking about

data security, ways that we protect information, all

of those things, absolutely we have policies in place

that govern that for all customers and all data. If

you’re talking about would sections of the Privacy

Policy that are specific legislative requirements

necessarily apply to commercial or industrial

customers, I think not, because the Privacy Policy

itself -- privacy itself by nature is with respect to

individuals.

MR. ANDREWS: So that actually wasn’t my question.

MS. PRATCH: I apologize.

MR. ANDREWS: Privacy as defined provincially as

individuals, but to the extent that under the

Utilities Commission Act the Commission is concerned

about, and I’ll use the term “privacy” not in a legal

sense of restricted to individuals, the privacy

interests of corporate customers.

The question is, does Fortis have a policy

that addresses the same thing for corporate customers

that the privacy policy addresses for individual

customers? And I think what I’m hearing is the answer

is no, but there’s some other policies that maybe


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


help.

MR. D. SWANSON: It’s Dennis Swanson. I think our

challenge here is, and we’re not trying to be evasive.

It’s when you say “the same thing”, is the privacy

policies as they apply to individuals encompass a lot

of things.

MR. ANDREWS: Yes.

MR. D. SWANSON: And a lot of those things are

legislative with respect to the protection you have to

have over privacy legislation.

MR. ANDREWS: Well, let’s just start with one of the

opening statements of the Privacy Policy, is that

“Fortis takes your privacy very seriously.” Now, that

policy does not apply to corporate customers. And I’m

saying, does Fortis have a policy that says, “We take

the privacy of you, the corporate customer, very

seriously”?

MR. D. SWANSON: Dennis Swanson again. We have

information security policies which cover all data,

which would include this -- corporate customers, which

provide, I don’t want to say the same protection that

privacy legislation provides because privacy

legislation is very specific, but it provides the same

-- it provides the protection over the disclosure of

that information and the access to that information

for other sets of customers and for our data in


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


general.

MR. ANDREWS: On page 3 of the notes for today, the

purpose of the application, the last bullet on the

page is to have operational consistency across

FortisBC Utilities. Is that a reference to Fortis

Electric and Fortis Gas?

MR. D. SWANSON: Generally speaking, yes.

MR. ANDREWS: And beyond generally, what would that -- is

that including other Fortis entities than those two?

MS. PRATCH: Oh, I’m sorry, Mr. Andrews, could you just

repeat that last question?

MR. ANDREWS: Okay, let’s just start with what does

FortisBC Utilities include in this context?

MS. PRATCH: It’s Monic Pratch. I think all of the

FortisBC Utilities. So FortisBC Energy Inc., FortisBC

Inc.

MR. ANDREWS: FortisBC Alternative Energy Systems?

MS. PRATCH: Yes.

MR. ANDREWS: Any residual Fortis Energy (Vancouver

Island) if it existed and --

MS. PRATCH: So now that amalgamation has -- sorry, it’s

Monic Pratch. Since amalgamation, all of those

utilities, Whistler, Vancouver Island, and FortisBC

Energy Inc., have been amalgamated into one. So yes,

it would have included those former utilities now

captured by the FEU.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER MacMURCHY: And just so that we are

(inaudible).

MR. ANDREWS: Yes, and just so that we are clear, is Fort

Nelson included in that?

MR. D. SWANSON: Dennis Swanson, yes. The intention here

is all the FortisBC related utilities in B.C.


MR. ANDREWS: So, how would the -- the purpose of the

application is, among other things, to have

operational consistency among the FortisBC utilities.

And let’s focus on Fortis Energy, FortisBC Energy and

FortisBC Electric. Am I right that -- I don't know

how to put this. How do you see achieving operational

consistency with Fortis Electric IT concerning

customer data that is affected by the Commission's

data restriction applicable without getting into the

content of that restriction? But how do you see

Fortis Gas dealing with that restriction and yet

achieving operational consistency by the granting of

the order?

MR. T. SWANSON: Tim Swanson. In regards to operational

efficiencies between inter-organizations, the

particular order I believe you’re referring to is

specific around customers. We segregate our customer

information currently between the two, the electric

and gas utilities. So it’s clear and defined


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


definition between the two. There’s many other

services that are offered that we could, we could

share and be consistent on. Is that the question you

asked?

MR. D. SWANSON: Dennis Swanson. Also adding to Tim

Swanson’s comments, it doesn’t say treat all data

identical in every system. It says look for -- we’re

talking about operational efficiencies. So there’s a

lot of non-customer data that’s affected by the

current data restriction order, where we can treat

information -- we could treat information consistently

if the restriction were rescinded.

MR. ANDREWS: I want to ask a question that -- before you

answer Mr. Curtis may want to address, because I’m not

sure whether this goes back too far into the AMI

certificate. But there were questions about what

types of customer data, but to do with FortisBC

Electric, would not be covered by the data restriction

and would therefore be subject to consistency or

initiatives that engaged or produced consistency.

My question is, would an example of that

type of data be customer credit information and

payment information that doesn’t flow through the AMI

meter?

MR. CURTIS: David Curtis. Again, I don’t think my -- I

don’t think the folk here should be going any further


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


on the interpretation of the AMI decision today.

That’s not why they’re here. They’re not FortisBC

Electric, so.

MR. ANDREWS: I will leave it at that then.

Thank you, those are my questions and I

certainly look forward to the other questions and

submissions and the discussion that we will have

later. Thanks.

THE CHAIRPERSON: So over to Mr. Craig next.

MR. CRAIG: Yes, David Craig, Commercial Energy

Consumers.

I want to start with BCUC 1.4.1, which you

have previously referenced. And talk about the

question of authorized access in another jurisdiction.

And I accept that you can’t talk about what the laws

in foreign jurisdictions may or may not do. But I

can, I think I can get you to confirm that if the data

is stored in Canada, foreign jurisdictions cannot

compel access to it.

MR. CURTIS: Again, that’s a legal point about

international law. I am going to address that in my

submissions, if that helps.

MR. CRAIG: Okay.

MR. CURTIS: It’s a pure question of law.

MR. CRAIG: So if I interpret BCUC 1.4.1 as authorized

jurisdiction providing the authorization under foreign


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


laws could allow a foreign government to compel access

to the information, is that also a legal question that

you will address or can they answer that?

MS. PRATCH: Monic Pratch. We can confirm that. And

that’s addressed in the response to BCUC IR 1.4.1.

MR. CRAIG: That’s what I’m reading, is that it “could

compel” access and “could compel” de-encryption.

MS. PRATCH: It's Monic Pratch. I think they could

compel access to data that is stored in the United

States. We would not -- certainly not suggest they

could compel de-encryption or decryption of that data.

And that’s why we’re proposing to store the keys

within Canada, so that that information cannot be

compelled by a foreign jurisdiction.

Track 20


MR. CRAIG: Then, is that then a question of law that

you’re going to speak to?

MR. CURTIS: In my submissions I’ll certainly address the

legal issue around the ability of a foreign government

to compel the FEU to release an encryption key, for

example. I’ll speak to that.

MS. PRATCH: And, Mr. Craig, if I may, it’s Monic Pratch.

That is part of the reason that we brought in the

evidence regarding what the B.C. Office of the

Information and Privacy Commissioner has said about


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


the real risk of a foreign jurisdiction and access by

foreign governments. And really, what she identified

was that the real risk is where you’ve got an American

company that holds the data or you’ve got an American

company with a foreign subsidiary, and that American

company would have the ability to be compelled to

reach in and grab the data from that foreign

subsidiary, bringing it back. And I think we’ve

probably beaten this horse and said that, you know,

obviously because we’re owned by -- an entirely

Canadian-owned and controlled parent company, that

that’s not a risk for FortisBC.

MR. CRAIG: And when you do speak to it with regard to

the legal context, my presumption would be that if the

data questions were in the courts, supreme courts, in

the U.S. jurisdictions, that the answers might be

otherwise. And maybe you could address that when you

come to addressing --

MR. CURTIS: I’m not sure I understand the point you want

me to address.

MR. CRAIG: Whether or not the encryption can be

compelled in order for, say, a clerk to have access to

the information.

MR. CURTIS: Where -- okay, where the encryption key is

held in Canada.

MR. CRAIG: Where the encryption key is held in Canada,


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


but the data is held in the U.S., and you’re not

speaking to what the laws may or may not do, but I’m

presuming from this that they will have whatever

jurisdiction they put in their laws, and their courts

will have conceivable powers to compel.

MR. CURTIS: I have your point, and I’ll reiterate what

Ms. Pratch has said. Like, we put -- the company’s

characterization of this risk is on the record in

Exhibit B-8. I don't have the section -- I think it’s

3.3.2. That’s our -- that’s Elizabeth Denham’s

description of that risk, going all the way back to

the Privacy Commissioner’s report on the Patriot Act

in 2004. And she’s still saying the same thing in

2014.

So we put that description -- that’s in the

evidence. And that’s really where I want to point

people on this issue. And I’ll speak to it in legal

submissions. But I won’t say much more than that.

I’m not going to go into detail on American

legislation and what it can or cannot do to an

American company. Because the high-level principles

embodied in the Privacy Commissioner’s summary of that

risk capture everything that we need to say on this

topic.

So, I’ll speak to it in submissions. Ms.

Pratch has directed everyone to the way we


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


characterize the risk. But there won’t be much more

to it than that, because I don’t think there needs to

be.

MR. CRAIG: Good, I’ve got your answer there.

If Fortis Inc. were to change its

jurisdiction, I think you have said today that that

would change control, and that that would potentially

open up a risk potential.

MR. D. SWANSON: Can I -- sorry, Dennis Swanson. Can I

clarify? Are you saying if Fortis Inc. became an

American corporation?

MR. CRAIG: Yeah, to change jurisdiction.

MR. D. SWANSON: Then the applicable laws that would

apply to an American corporation would exist and

therefore, given the evidence we’ve already got on the

record, yes, that would open the door, even if the

data was stored in Canada. So it would open the door

for the U.S. government to access that data even if it

was stored in Canada, would be our evidence.

MR. CRAIG: So just a concluding comment there would be

whether or not you’d have an objection to there being

a subject to immediate notification of any change of

control over the FEU utilities. I’m not expecting

that to occur, but it’s something that you’ve put on

the record would create an access.

MR. CURTIS: I think that’s -- I’d like to discuss that


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


with my folks here at the break. It’s something I

think we need to just discuss internally and get back

to you on it.


MR. CRAIG: Yes, no problem. And it’s just covering off

a point that I consider remote, but sometimes things

happen and it’s useful to have remote things covered.

I just want to confirm that the evidence on

the record is that we don’t have a specific business

case with costs and benefits. At this stage your

discussion of benefits and costs is generic for the

purpose of getting open generic approval.

MR. D. SWANSON: Dennis Swanson. Yes, it is. It is a

generic request. And what it will allow us to do, if

granted, is to evaluate by way of -- when we do

tenders, for instance, we could include American

vendors in our tenders where there are certain

instances where we’re not able to do that. So it

would allow us to evaluate whether there was a benefit

in looking at other service vendors, et cetera.

MR. CRAIG: Thank you. Under a grant of the new order,

which is slide 5, the reference in bullet 2 is to meet

the definition of personal information under PIPA, and

in other information you had also the PIPEDA as

another piece of legislation that was applicable.

Should that cover those pieces or is it applicable


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


only to PIPA?

MR. CURTIS: And that’s a legal question, but I think we

can address that right now. I mean, both definitions

define personal information as information about an

identifiable individual. PIPEDA, I think, has a few

more sub-categories in it and I think it would be

problematic to put two different, slightly different

definitions in one order. And I think that the

preference is to use the B.C. legislation that governs

-- that sort of primarily governs the FEU. It’s just

a much cleaner and more understandable approach going

forward, I think. And Ms. Pratch may even have

something to add on that. She's --

MR. CRAIG: One further question, just to follow up on

that is, do we need to specify the legislation at all?

Personal information will be governed by the

legislation anyway and it’s not necessary for us to

try and specify. And that leads to the further

question that your second bullet point looks like it’s

almost a duplication of the first one, in terms of

referring to personal information.

MR. D. SWANSON: Dennis Swanson. Just to clarify though,

that first bullet, the company has, in dealing with

Mr. Andrews, the company has said they’d be willing to

replace that personal information section with

customer information.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. CURTIS: Yeah, so actually that’s a good reminder.

So we have, I think we’ve made that sort of progress

today. So there might be -- we’re going to need to

look at that language a bit going forward. Things

have changed a bit today.

MR. CRAIG: Yeah, agreed, and I’m assuming that it’s

wordsmithing, so I’m just putting on the record that

you may want to consider just boiling it down into the

first one and --

MR. CURTIS: Well, that’s helpful. I’m going to think

about that.

MR. CRAIG: Where you’ve suggested dealing with it as

storing data about customers and then excluding some

of the other material, that would get us into

precluding the discussion that we’ve had about

sensitive information, and you may want to look at it

from the point of view of storing data with regard to

personal information, confidential customer

information, or sensitive information. At least

you’ve been advocating that sensitive information is

one of the criteria that you currently use and that

you would continue to want to use.

MR. CURTIS: Yeah, and again, I think we’ll need to think

about that.

MR. CRAIG: I’m not looking to conclude the wordsmithing.

MR. CURTIS: No, but what’s happening right now is what I


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


was hoping would happen at the Procedural Conference.

This is very constructive.

THE CHAIRPERSON: It’s the SRP magic?

MR. CURTIS: Yeah. No, this is good. And sorry, Dave

Curtis. I keep doing that. One of the issues we’re

going to have with tweaking the order in those ways

is, when you put a word like “sensitive” into an

order, then you’ve got to know what it means. And we

haven’t had that problem with personal information or

PIPA because that’s right there in legislation. So

we’ll need to think about that a bit more. I don’t

have the answer to that right now and how we could

make that work and have a clear order going forward,

so.

MR. CRAIG: I agree there’s a problem there, but there’s

also a public interest in trying to come to grips with

it. And from our group’s point of view, we’re not

concerned about being absolutely precise, so that it’s

all known ahead of time, but that --

MR. CURTIS: Dave Curtis. Those are --

MR. CRAIG: -- was an understanding between Commission

oversight and the utility as to -- such as, but not

absolutely including everything in the list.

MR. CURTIS: Dave Curtis. I think those are all fair

points and I think stuff we need to consider.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER MACMURCHY: And the added benefit of

applying customer information, you can make sure

you’re consistent with FBC too.

MR. CRAIG: If it is that data, right now you’re got

either de-identify or encrypt and if it’s customer

sensitive information, we may not want either in the

grammatical construction. If it’s de-identified data

you may still want it encrypted. And you may want an

“or” dealing with the case example that you put

forward of de-identifying the data for authorized use

in a foreign jurisdiction where it's under

confidentiality terms. Where you’re specifically

dealing with a U.S. consultant or somebody that’s

dealing with your data. We don’t necessarily want to

preclude you from accessing the best expertise. But

it may not fit in the grammar construction that’s

there.

MR. CURTIS: Dave Curtis. I might call you when I’m

thinking about this, Mr. Craig.

MR. CRAIG: I would be more than happy to assist.

MR. CURTIS: These are very helpful comments.

MR. CRAIG: Last comment, when it comes to your

presentation about the primary reason wanting to get

to the status of private sector parties, it will be

our position that Commission oversight in pursuit of

public interest applicable to utilities will be a


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


higher standard than the private sector, and that

we’re here talking about that for that reason. And so

we’ll be interested in what is going on that leads to

a Commission decision and continued oversight over the

public interest and the customer and sensitive

information.

And to your point of all the specifics

being assessed by the people who have expertise in the

company, for sure that’s valuable and it’s certainly

not my interest to pursue that ever little bit of

detail end up in front of the Commission. But at some

level we find words and the method of leaving room for

your expertise to be applied but still getting enough

Commission oversight with regard to public interest

embedded in what that order eventually sets out.

I think those are all my questions, Madam

Commissioner, and comments.

THE CHAIRPERSON: Thank you, Mr. Craig. Moving on to

BCOAPO, Ms. Sadrehashemi.

MS. SADREHASHEMI: Lobat Sadrehashemi for BCOAPO. I

don’t need to make an opening statement. I will just

move to questions.

I was really struck today by the point that

there was no greater risk in storing -- to customer

data whether it was stored in Canada or in the U.S. as

long as the keys were held in Canada. That was the --


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


that point was made a number of times. And I don’t

know if it was -- I'm assuming it was in the evidence

before, but I guess it didn’t hit me until now that

you’re suggesting there is no greater risk.

I think that’s a pretty big statement,

especially when you’ve confirmed that in the data,

that it could be accessed by the U.S. government. The

data that is stored in the United States could be

accessed by U.S. Intelligence. And so -- because it

really comes down to the -- regardless of the key

issue and whether or not the U.S. government could

access it that way -- I mean there is also a question

of the adequacy of the encryption and the

tokenization. Because we’re -- and so I think if the

understanding is that there’s no greater risk, even

though in storing the data in the U.S. there’s a whole

new factor, the U.S. government, a very sophisticated

factor, U.S. Intelligence, that has access to the data

that is in servers in the United States.

So I don’t understand the statement at all,

to say that there is no greater risk.

MR. T. SWANSON: Tim Swanson. I can absolutely

understand the concern. I think what we need to

understand is that the methodologies that we use are

tested, not only in U.S. and Canada, but worldwide.

These are encryption standards that have been proven


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


to be, to this point, infallible.


These encryptions have not been broken by

any government in the world, yet. I’m not going to

say they’ll never be, but according to the best

authorities, and we put in evidence, there is no

ability to decrypt that data without the key. So the

fact that it’s stored, regardless of where it’s

stored, the ability to make any use of that

information or decipher it, is basically impossible.

In the case of de-identification, the

information is removed or is anonymized in such a way

that there is no logical way to reassemble that

information in any means or fashion. So it’s not

affected by the location of the data, it’s affected by

the fact that we’re using methodologies that are

proven, and reliable, and tested, and used by

organizations around the world to protect their

information.

MS. SADREHASHEMI: On the first point, about the

encryption. The Privacy Commissioner, in the paper,

the guidance that you provided in Exhibit B-8, so your

update -- updated evidence, the June 16th, 2014. So

this update is really about tokenization, because

there is a suggestion -- the suggestion here is that

if tokenization is adequate, then it could be used.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


But clearly the same has not been found about

encryption.

So even here it says, “Tokenization is

distinct from encryption. While encryption may be

deciphered, given sufficient computer analysis, tokens

cannot be decoded without access to the crosswalk

table.” And of course then she explains one of the

assumptions is that it’s been adequately tokenized.

But I mean, first -- the first point is

encryption. In the public sector, as you know, or

not, cannot store -- they cannot just encrypt data and

then store it in a -- so there’s a distinction made

between encryption and de-identification by the

Privacy Commissioner, which suggests that encryption

isn’t this foolproof thing. That there are computer

systems, and the U.S. has very sophisticated systems,

that may be able -- there may be some risk.

MR. T. SWANSON: Tim Swanson. To say there is zero risk

is impossible, I guess, in almost any case. The

evidence we supplied stated clearly that the

methodology used by FortisBC has never been

compromised. The Privacy Commissioner obviously can’t

make that statement, because there are historically

encryption systems that have been deciphered, years

ago. Encryption standards have come a long way since

then. Even the 128-bit level encryption, which is the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


previous version to what we’re using, 256-bit, was

never deciphered. Using the Rimdahl algorithm that we

use.

So the Privacy Commissioner, I’m sure, in

her wisdom, has looked at all evidence in the history

and said, “Okay, there are cases where maybe

encryption has -- information was decrypted", but it

wasn’t with any recent technology that we use today.

So, fundamentally, it’s impossible to decrypt data.

There’s not enough computing power on this planet to

decrypt it within any reasonable amount of time,

without the keys.

MS. SADREHASHEMI: Something -- I guess another question

around risk is, as you say, it can never be zero.

It’s impossible that there be zero risk, I think. You

would assume that. But risk is quantifiable. I can’t

do that. I don’t know how to do it. But people do do

that, they quantify risk. And so I think what was

really missing for me in this is that there is no

information given, I think, a really fundamental

change in how data is going to be treated, there was

no information given about what is the acceptable

level of risk to customer information being

identified.

And I think that answer -- the answer to

that question needs to be known in order to be able to


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


ensure compliance, is how do you audit to that? How

do you ensure there -- you must know what level of

risk you’re willing to accept, and we don’t know that.

And we don’t know if that’s changed, or who’s looked

at that since there has been this new proposal about

storing data somewhere else, has there been -- has the

security experts that you consult on other issues,

have they been consulted about this? And have they --

what have they said about the risk?


MR. T. SWANSON: So to answer your question, we base our

risk assessments on industry standards. Our risk

assessments are tested through auditors to ensure

they’re acceptable, and we do not plan on increasing

our risk tolerance just to store data somewhere else.

And I hope we made that clear in our evidence, that we

intend on maintaining the existing risk tolerance we

have today with the -- even if this order was granted.

We won’t accept additional risk just to save money.

MS. SADREHASHEMI: And so then the question is, in order

to maintain that standard, if you’re storing -- if

you’re going to be storing the data somewhere else,

what does that mean in terms of the current systems

that you use? So wouldn’t -- I mean, this is -- I’m

assuming that there is a greater level of risk when

you do store somewhere else. I don’t accept that


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


there is no greater risk. But, so if you assume that

there is a great risk, then you would think that if

you want to maintain the same level that you’d have to

do more things. But what I got from the application

is nothing is going to really have to change, that

there is not going to be a lot more resources that we

have to use in order to do this. We have all the

resource, we have all the expertise in-house, that we

don’t have to anything else. And so that doesn’t

suggest -- that doesn’t provide confidence that you

would be maintaining that level.

MR. T. SWANSON: Tim Swanson. I guess we have to

disagree on that point and the fact that yes, we do

have the in-house expertise. And as I indicated in my

presentation and I think we’ve all reiterated a few

times, we’ve been encrypting and protecting data for a

long time. The fact that we’re storing it somewhere

else, perceiving a risk around that, I think we’ve

tried to answer that in our submissions, that the

protection we apply to it is what protects it. It’s

not the location of the data, it’s the security we put

around it. That hasn’t changed because of this

application. We’re going to continue to use the same

level of security, you know. We may disagree on the

fact that you believe there is more risk because of

the data being located outside of Canada. We


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


obviously, in our presentation, disagree with that

point based on our reasons here.

MR. D. SWANSON: Dennis Swanson. Also adding to that,

and that’s why we tried to structure the application

the way we did in terms of authorized access and

unauthorized access. From an unauthorized access

point of view, hacking, let’s use that word, it

doesn’t matter where the person accessing sits or

where the box sits that the data is on. If you’re

going to hack it, you’re going to hack it. I mean,

nowhere is there an artificial boundary in the digital

world, and that’s what we kept saying. There’s no

boundaries in a digital universe or digital world.

And then once data is stolen, if data were

-- unauthorized access stole the data, then it’s out

there. It’s not that it’s out there in Canada or it’s

out there in the United States. It’s just out there.

So we say from an unauthorized perspective

there is no greater risk. From an authorized

perspective, that’s where you get into this legal

debate on whether or not the U.S. government, for

example, would have access to compel production of

that data.

We’ve also mentioned that if you’re talking

about when we use a vendor, if there is greater risk

in using a vendor versus our systems, that doesn’t


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


change where that vendor is located or where that

vendor’s box is. We do a security assessment of their

policies and procedures around the storage of data,

regardless of their -- it’s in the States or it’s in

Canada. And in those instances, if they don’t

maintain our standards of data protection, we don’t

use a vendor. Again, regardless of where it’s stored.

So we’re not saying data is not at risk.

We’re saying the physical location of that data

doesn’t increase the risk. And by physical location I

mean the difference between storing that data in

Canada versus storing that data outside of Canada.

COMMISSIONER MACMURCHY: Just to make sure we’re

absolutely clear then. Really what you’re saying is

from the unauthorized side it doesn’t change because

the digital world is the digital world and it doesn't

have boundaries. From the authorized side what you’re

saying is that yes, they may be able to get the raw

data but it’ll be encrypted or detokenized form, and

we’ll hear the legal arguments about the ability to

compel the keys. But normally the expectation would

be that unless a Canadian court agrees, that those

keys would not be accessible. Is that sort of --

MR. D. SWANSON: Correct. And then you get back to that

whole question of can you de-encrypt the data? Do you

have enough computing power to do it? I’m not a


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


hacking expert by any means, but if you have that

computing power to do it, why wouldn’t you just hack

in and take the data while it was in Canada? It’s

probably easier than de-encrypting. So if you really

wanted it that badly.

MS. SADREHASHEMI: Right. I think my points were more

around the authorized access from U.S. Intelligence of

the raw data and their ability to -- the U.S.

Intelligence ability to decipher the data. I just

wanted to know more about that risk.

And I guess so I’m following up on what

kind of steps have you taken in finding that out?

What is the risk of U.S. Intelligence? What is their

level? What is their ability to decipher encrypted

data or to -- what level of tokenization is required

for that factor and how does that affect risk?


MR. T. SWANSON: Tim Swanson. I think we’ve addressed

this question already.

MS. SADREHASHEMI: Sorry, it’s Lobat, I don’t mean to

interrupt. I think I ended up repeating the same

question, but really my question was, who did you --

in order to come to the determination which you’ve

already told me, who did you consult?

MR. T. SWANSON: Tim Swanson. We use more than one third

party to ensure that our encryption levels are where


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


they need to be to properly protect our information.

So I don’t know if I want to disclose the names of

the firms we use, but suffice to say they’re

recognized security firms in Canada. Some actually,

some of the security firms are in the U.S. We have a

test every year and it’s done by a different

organization each year to ensure that our security is

at a level that our data is protected regardless of

who tries to hack into it.

MS. SADREHASHEMI: And so -- but were they consulted in

preparing this application and the evidence for this

application?

MR. T. SWANSON: Specifically for the application, we

used existing consultative results that we’ve had

because we didn’t see anything in this application

that was outside our normal requirements from an

encryption perspective.

MS. SADREHASHEMI: But normally you’re not storing data

outside Canada?

MR. T. SWANSON: Tim Swanson. As I indicated earlier,

even when we store data within Canada we encrypt it or

de-identify it when it’s sensitive or personal

information. So this is not a practice that we’re not

used to.

THE CHAIRPERSON: Time to move to the other side of

the table. BCUC staff.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MS. THORSON: Madam Chair, would you mind if we took just

a couple minutes just to review our questions and take

the ones -- consolidate our questions so that we’re

taking the ones off the table that have already been

asked.

THE CHAIRPERSON: I don’t mind, and I think the FEU team

might appreciate the break too. So five minutes.

(PROCEEDINGS ADJOURNED AT 11:32 A.M.)

(PROCEEDINGS RESUMED AT 11:44 A.M.) T26

THE CHAIRPERSON: We are ready to reconvene. Next

questions are coming from the BCUC staff. Please

proceed.

MR. COCHEY: So, Lionel Cochey, Commission staff,

consultant here.

I’d like to ask you a question about, you

know, the risk evaluation about storing outside of

Canada. And relative to that, don’t you believe that

there are some original specifics about the

environment of whether the -- (inaudible) be hosted,

but will impact the level of risk for this data stored

outside of Canada?

MR. T. SWANSON: Tim Swanson. As I stated earlier, risk

assessment did not -- our risk assessment did not

indicate that the risk increased based on the location

of information, because we apply the same security to

it regardless of where we store it.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. COCHEY: Don’t you believe that outside of Canada,

the way organizations may be working -- the way, you

know, specific culture related to the way people are

working, or, you know, possessing systems, possessing

data, and, you know, doing a specific working to what

is related to, you know, hosting data, processing

data, on IT systems may be different from the way

organizations and people in Canada would be doing this

type of work?

MR. T. SWANSON: Tim Swanson. That is why we have such

stringent security requirements. We don’t allow

organizations to have different processes or handling

of our data. If they don’t comply to our requirements

in regards to processing and handling of data, we

wouldn’t use them.

MS. PRATCH: And in addition to that -- it’s Monic Pratch

-- we also include stringent contractual requirements

in contracts that we have with vendors. Regardless,

right now -- or regardless of where that data would be

stored, those same contractual provisions would apply.

And so they would be contractually bound to follow our

policies, processes, legislation -- privacy

legislation, and things like that.

So, I think between our requirements and

the contractual requirements, we’d be obligating them

to -- that there would be no greater risk.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. COCHEY: I’m going to be maybe -- trying to be more

specific here. Don’t you believe that, you know,

hosting data in foreign countries, whatever the

country is, may expose this type of data to specific

risks? And when we’re looking about countries outside

of Canada, there might be a difference between, let’s

say, you know, China, Russia, India, or the U.S. Or

any other European country or whatever country.

MR. T. SWANSON: Tim Swanson. Regardless of the country

it’s located in, if they did not comply with our

security requirements, and as I indicated there’s a

number of -- there’s a number of components of that

risk assessment or security assessment, I should say

-- we would not use the service. So regardless if it

was India, China, England, United States, if we deemed

there was a security piece in there that we were not

comfortable with, we would not use the service. They

meet -- they either meet the requirements we have, or

we don’t use them.

MR. D. SWANSON: Dennis Swanson. In addition to that,

remember, if it’s sensitive data, customer data, it

would be encrypted or de-identified when it leaves

FortisBC.

MR. COCHEY: And just on that, in terms of, you know, the

specific controls that you are thinking about applying

to protect the data, outside of Canada, don’t you


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


believe that these controls should be adapted to the

specific risks that this data potentially would be

exposed outside of Canada, that the definition of the

control should be aligned with, you know, a specific

risk assessment in order to address specific risks or

mitigate specific risks that will be found -- find

outside of Canada.

MR. T. SWANSON: Tim Swanson. The security assessment

ensures that any potential risks are addressed

regardless of where the data is located. Culture,

jurisdictions, all of those are considered when we’re

looking at how we build our security assessment.

That’s why our criteria is so stringent. We don’t

allow for any sort of flexibility in our requirements.

It doesn’t matter what culture or what country is

managing our data, our information, they have to

adhere to those requirements.

And again, back to what Dennis said. We

also add the extra level of security that that

information is going to be protected even if it was

compromised, whether within that country or from

outside that country. It’s unidentifiable and

unusable. But I’m gong to go back to the fact that we

believe that there is no increased risk based on

location, if the service adheres to all our security

requirements.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26



MR. COCHEY: Lionel Cochey here again. So based on your

response I understand that you consider that it’s

important to take into consideration some specific

criteria like culture, environment, in order to

properly address the risk, is that correct?

MR. T. SWANSON: Tim Swanson. No, that was probably an

incorrect statement. Definitely we don’t -- we don’t

specifically look at culture, because we consider the

security piece alone. It’s a technical question and

if policies, process and procedures in place, we will

not -- we would not judge a culture. If I mislead you

there, I apologize.

MR. COCKEY: In terms of, you know, specific controls to

apply to protect information and when you develop and

implement this control, don’t you believe that you

need to adapt these controls to take into

consideration specific environment around where this

development -- or implemented?

MR. T. SWANSON: Tim Swanson. No, we don’t adapt our

requirements based on where the services are being

located. Our requirements are requirements regardless

of the services being considered -- the location of

the services being considered. So no, we don’t adapt

our security assessment. We build our security

assessment around the fact that these controls will


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


protect our data regardless of where it is.

MR. D. SWANSON: Dennis Swanson. In addition, whenever

we look at a vendor, we look at the reputation of the

vendor, we look at -- you know, I think Mr. Swanson,

Tim Swanson mentioned earlier we do vendor

referencing. If we’re talking about going to some, I

don’t want to be discriminatory in any way, but going

to some area of the world where we didn’t trust the

culture, quite likely we also wouldn’t trust the

company and it would fail, it would fail that

fundamental assessment when we’re looking at is this

somebody that we’re comfortable doing business with.

So we don’t specifically say in that

section of the world we treat you differently, but the

reality is, you know, if it’s a company that we’re not

comfortable doing business with, we don’t do business

with them.

MS. THORSON: This is Alison Thorson at the BCUC. So

just to follow on that, so I understand that the

privacy and security -- you’re privacy and security

assessments would rule out some vendors. Would they

also rule out some locations?

MS. PRATCH: Monic Pratch. I think certainly there’s no

specific locations that we have on a list that we’re

not going to do business with. But I will say that,

you know, Tim’s talking about the security assessment


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


side. I’ve talked about the privacy impact assessment

side. But there is also a general discussion that

exists within the organization about vendors that

we’re using, as Dennis mentioned, about vendors, you

know, reputations, company reputations that exist.

And as a result, certainly if we had any concerns

about the location of the world that we were storing

data in, for example, you know it was at a -- there

was a specific security threat around that particular

area of the world, certainly that would come into the

conversation in determining whether or not we proceed

with using a vendor in that area.

MS. THORSON: So that’s what I am trying to drill down on

here. Is you’ve told us at a high level that you have

privacy and security assessments. You haven’t told us

much detail about those assessments. Is there, are

there steps in those assessments, other than a general

conversation that happens, that would look at -- that

would assess risks about -- generally about location?

MR. T. SWANSON: Tim Swanson. In my presentation the

first items we look at on a security assessment is

vendor viability. Viability includes using third

parties to help us evaluate the viability of that

provider. We also do reference checks on the

providers. So we certainly just don’t have an

internal discussion.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


The first discussion we have internally is

that general look at the provider going, hmm, don’t

know if I want to go down that road or not. And if we

make the next step to consider them, we will start

engaging third parties to do an assessment on the

provider. And it’s really about the viability of that

provider.

That’s why in our security assessment, in

the demonstration I gave earlier or the information I

gave earlier, we talked about vendor viability being

the first thing that we look at. There’s no point in

going any further if we don’t consider a vendor to be

viable.

COMMISSIONER MACMURCHY: You’re confusing me a little,

because I think the question then -- and this may be a

little different. Let me put it another way. If

you’ve got a vendor you think is quite reliable but

he’s operating in the middle of a war zone, would you

go and do business with him?

MR. T. SWANSON: Tim Swanson again. Again, I think that

would factor into the viability of that vendor. I

mean we’re certainly not going to dismiss anything

that we should be considering in regards to a vendor,

whether it be the situation you're describing or other

situations.

So it’s a very broad topic certainly, but


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


again it’s not in our interest to put any of our

information at risk. We’re not going to make a

decision based on saving a few dollars because -- and

put our information at risk. It’s just not in our

interest or our customers' interest.


MR. COCHEY: Lionel Cochey. What is -- you know, to

clarify so we understand clearly here, what is the

objective of the risk assessment or the privacy

assessment relating to storing data outside of Canada,

in your mind?

MR. T. SWANSON: Sorry, Tim Swanson here. Could you

repeat the question, please?

MR. COCHEY: So I'd like to clarify in your mind what

is the ultimate objective of the risk assessment or

the privacy assessment in investigating, you know,

potential opportunities to have data outside of

Canada.

MS. PRATCH: So – Monic Pratch – specifically with

respect to the privacy impact assessment -- I'll let

Tim speak to the security side of things in a moment.

But I think what you are asking me, just to make sure

I understand the question, is what would we do in the

case of looking -- or what would be different

effectively about a privacy impact assessment if we

were looking at a company outside of Canada to use as


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


a vendor?

MR. COCHEY: I'm mean specifically I'd like to ask you

what would be the outcome of this risk assessment and

to support what type of decisions.

MR. D. SWANSON: Dennis Swanson. Let me just try this

out, and I might be off base here as well. The

ultimate objective of us doing the privacy assessment

and the risk assessment is to ensure the safety of our

data. That's the objective. And to ensure that the

safety of our data is going to remain the same as if

we'd kept the data. So that's ultimately what we're

trying to accomplish when we're looking at this

assessment. It's not an assessment of how much

additional risk are we willing to take. It's an

assessment of how do we maintain the high level of

security and rigour that we have around our data

today.

MR. COCHEY: So to reflect what you are saying, I

understand it's to determine a set of specific

controls to protect the data. Is that correct?

MR. T. SWANSON: Tim Swanson. Fundamentally, yes,

that's correct.

MR. COCHEY: Okay, because previously, Monic, you

mentioned that on the basis, on the privacy assessment

we will decide yes or no to host data outside of

Canada. So I understand here it's a little different.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Your objective would be to go ahead with a specific

set of controls to apply.

MS. PRATCH: It's Monic Pratch. Let me just clarify.

The real objective of privacy impact assessment is to

identify any privacy related risks that exist and then

to look at tools that we can use to mitigate that

risk, and those tools may be things like contractual

provisions, specific contractual provisions. They may

be things like de-identification or encryption of

data. They may be tools such as, you know, just

looking at the project a little differently and maybe

revamping the scope of work of the project itself to

try and mitigate some of that privacy risk. And so

really it's about identifying those issues and

mitigating them.

The overall objective of a privacy impact

assessment is not to necessarily pass or fail a

project, it's really to identify what those risks are,

how we can mitigate them and make sure that any

project that we want to continue with meets all of our

already existing internal controls, security

requirements, privacy requirements and all of those

types of things.

So there's kind of a baseline and then

there's all of these other things that we're looking

at and constantly kind of working with to try and


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


mitigate.

Does that answer your question?

MR. D. SWANSON: Dennis Swanson. I want to add to

that, though. It's not like there's a sliding scale

of risk and we pull more tools out of the toolbox. As

the risk goes up, we throw more security measures in

place. We have a tolerance level.

MS. PRATCH: Yes.

MR. D. SWANSON: And we look to all the tools we have

to maintain that tolerance level, and if we look and

we say, that risk of that, storing data in that

location is here, above our tolerance level, it's not

like we have more tools we can use to get that back

down. It's just not -- it's off the table at that

point.

So it is a black and white type of test.

It's not like this gradual scale.

MR. COCHEY: Lionel Cochey here again. So thanks for

this answer, Monic, to the privacy risk assessment.

Is the objective and the process the same for like a

security risk assessment of hosting data outside of

Canada?

MR. T. SWANSON: Security risk assessments are a little

bit more prescriptive. Our requirements are not

negotiable, as I indicated in my presentation. It is

a lot more black and white. And if we see any


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


failures in that security assessment, the project will

not go ahead unless the vendor is able to change their

capabilities or their offering to meet our

requirements.

MR. COCHEY: Would you precise, you know, what you mean

by "it's more black and white"? Can you give more

specifics about that?

MR. T. SWANSON: Sure. So if they -- for example, if a

vendor has a back-up facility that's within five

kilometres of their primary data centre, that would be

a risk that we wouldn't accept because geographically

it doesn't meet our requirements for disaster

recovery. That would be a black and white example of

where we would not consider a service.

Now, if they were able to offer that -- if

everything else met the criteria and they were able to

move that data centre a ways away, the required

distance away from a risk perspective, then you know,

we may be able to consider that service. But more

than likely you're not going to do that for a single

customer. But that's an example of a risk criteria

that we wouldn't accept.

MR. HAILS: This is Jason Hails. To carry on from that

point, when you do a security risk assessment, would

the outcome of that assessment potentially result in

augmentations to your internal controls around


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


security?

Proceeding Time 12:02 p.m. T29

MR. T. SWANSON: Tim Swanson. No, our internal controls

are set regardless of the offering. Those internal

controls are something that we have. They are

reviewed by third parties on an annual basis, to make

sure that we are adequately controlled, but they don’t

generally change based on an offering.

MR. HAILS: So, may come back to the specific control

environment. But that relates to the issue of

advancements in both attack and penetration technology

over time. So, would evolution of the security -- you

know, security industry, factor into your risk

assessments? Or -- and would you then take more

measures to secure?

MR. T. SWANSON: Tim Swanson again.

MR. HAILS: Yeah.

MR. T. SWANSON: Sorry, are you finished it? Sorry, Mr.

Hails. Okay.

That’s the reason that we do an annual

review of our security assessment program, because

technology changes all the time. The risk change,

absolutely, our requirements change. And I think

where this question is leading, and appropriately so,

is would we apply those new requirements to existing

vendors? And the answer is yes.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Their inability to comply with new

requirements would mean that we would have to look at

changing our vend -- changing our provider and moving

on to somebody who can meet all of our security

requirements. But that is one of the reasons that I

pointed out in my presentation that we look at

organizations’ long-term plans for security plans, for

upgrades, upgrade plans. We want to see what their

road maps look like so that they -- we know that

they’re capable of adapting to these changes.

MR. HAILS: So, further to that, what I think I just

heard is that the security risk assessment might

evolve but you also noted earlier that your internal

control environment wouldn’t necessarily evolve with

it -- as in, it’s static, and you’re kind of flicking

the switch on or off in terms of vendor acceptance.

So it just -- it sounded different.

MR. D. SWANSON: Dennis Swanson here. No, it would

evolve with time and technology change. It doesn’t

evolve with an offering that we do to a certain

vendor. In other words, we don’t change our control

procedures because we’ve got this new vendor. But as

technology changes, yes, it changes our control

procedures and we would force new vendors to be

compliant, or we’d cease using them.

MR. T. SWANSON: Tim Swanson. To elaborate on that a


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


little bit, and I think I understand your question a

little bit here. Controls, I think you’re talking

about the layers that we have, and specifically

security assessments are -- it’s part of our controls,

our overall controls. Right?

Now, the security assessment could evolve,

and the control doesn’t change. The control is,

security assessment is one of our controls. Security

assessment, privacy assessments, can evolve. Controls

evolving would -- certainly could happen over time,

but it would mean fundamentally we change something

within -- something has changed fundamentally that

would make us change those overarching controls.

Because overarching controls tend to be fairly

consistent.

Is that kind of where you’re going with

that question?

MR. HAILS: Yeah, I think we were curious whether or not

your internal control environment would also evolve

with emerging requirements for protection.

MR. T. SWANSON: Tim Swanson. The security assessment

piece, certainly. Our risk tolerance, no. But

certainly our assessments could, and need to evolve.

Absolutely.

MR. D. SWANSON: Dennis Swanson. In addition to that,

part of our internal control in general, not just


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


around information services, but review -- involves a

review of all of our internal controls, and what are

the key controls, and what are the procedures around

those key controls. And we require our leadership to

review those controls on a regular basis, sign off on

the fact that they’re updated, those controls are

audited internally by our internal audit, and

externally by our external auditors. And that goes

far beyond just our information services, or privacy

controls. That’s in general of our control

procedures.

COMMISSIONER KIELTY: Can I just ask a question on that?

Because you have throughout these proceedings referred

to independent testing, and audit validation of

processes and controls. Do you have any unremediated

significant deficiencies in the area of privacy and

security?

MR. T. SWANSON: Tim Swanson. No, we have no outstanding

-- no outstanding issues from a security perspective.

MS. PRATCH: And the same from a privacy perspective, no

outstanding issues.

MR. HAILS: Jason Hails again. Going back, Ms. Pratch,

to your introduction and talking about your PIA, what

you did mention in relation to privacy data was that

you would determine the relative significance of that

data. Would you do something different if you deemed


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


it not significant? Versus significant? And what

kind of criteria would you apply to determine

significance?


MS. PRATCH: Thank you. It’s Monic Pratch. The

significance of data -- so what we’ve said in our

evidence is that what we currently do is that if a

project involves a significant amount of personal

information, we automatically do a personal -- or a

privacy impact assessment. If it doesn’t involve a

significant amount of personal information, and it’s

not just volume -- and I’ll talk to you in a moment

about some of those criteria -- it doesn’t involve a

significant amount of personal information, we

wouldn’t require a PIA to be done. We would still

require somebody to think about privacy, and have the

conversation, but we wouldn’t require a full privacy

impact assessment to be completed.

What we’ve also said, as part of this

application, is that if we were sending information

outside of Canada, personal information outside of

Canada, we would automatically do a privacy impact

assessment no matter what. So the idea of

significance of data wouldn’t apply in the context of

sending information outside of Canada.

To give you an example, and whether we do


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


it currently with our current processes, whether we do

a full-blown PIA or whether we just have the

conversation with respect to whether there is a

significant amount of personal information, that’s

obviously a subjective standpoint. And it usually

involves a conversation between myself, the project

manager, the IS department, and anybody else that

might be a stakeholder in that -- internal stakeholder

in that particular project.

So I think in our IRs we gave a couple of

examples of, you know, things that were -- or

responses to IRs, things that were obviously

significant and things that were obviously maybe less

significant. But it involves a determination of first

of all the amount of personal information that we’re

talking about. Are we dealing with, you know, one

particular -- is this one particular customer? Is

this, you know, a whole bunch of customers? So the

amount, the volume of data.

We also do an analysis of the sensitivity

of that data. So are we talking about addresses, for

example, that are unattached to names, and other

identifying criteria? Or are we talking about, you

know, consumption information, which is something that

we take as being extremely sensitive data to our

customers. And so we do an analysis of that.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


So I think the example that we gave in our

IRs, if I may, is the example of -- let’s say for

example we’re doing some upgrades to one of our

distribution pipelines. And we need to be able to

hire a vendor. We want that vendor to go out and

knock on doors and advise our customers that we’re

doing an upgrade in the area, and they may see a

service disruption. In that case, we have a business

need to disclose the address of the location that

we’re expecting that vendor to attend at, and to talk

to you. But we may be able to rule out other types of

information that vendor would have access to. For

example, in that case, there is no reason they would

need access to consumption information, billing

information, any other account information, including

account number, meter number -- any of that data.

They would probably only need access to the customer’s

address and potentially the customer’s name, depending

on the type of conversation we were expecting them to

have.

And so, again, we wouldn’t require

necessarily a full-blown privacy impact assessment,

but we would certainly have the conversation about

what information we needed to actually complete the

task, and making sure that we’re mitigating any

privacy risk associated that -- with that.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Does that answer the question?

MR. HAILS: I think that’s helpful. Are the decision-

making protocols documented?

MS. PRATCH: Monic Pratch. There is not a specific

policy in place that governs the decision-making tree.

That being said, there are certainly protocols in

place, and what I like to call my privacy gatekeepers

that I have across the organization in various

departments that assist me in making sure that any

project that does contain personal information or

otherwise gets this type of analysis.

So for example, I’ve done additional

training with our IS group, with our procurement

group, and those two groups specifically see the

majority of projects coming through them as obviously

they need to procure services or they’re looking at

vendor contracts, and things like that. And they have

an automatic process in place, and additional privacy

training to be able to recognize issues and bring

those forward.

That, of course, is in addition to all of

the other training that exists for our employees with

respect to personal information and privacy. So I

think there is a baseline understanding of everyone,

and then we’ve put in place this kind of next level of

privacy gatekeepers across the organization, and then


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


again I’m out as much as I possibly can talking about

privacy with folks.

So, no, there is no documented specific

decision tree, but certainly there’s a process we’ve

been using and building.

MR. HAILS: Would you bear with us if we dug into -- a

little bit more into the internal control environment?

So, typically there will be governance over a security

program. There will be specific audit programs put in

place. There will be test scripts that are developed,

there'll be testing that’s executed. There will be

some -- assuming there is some documentation that

comes out of that, there may be remediation efforts,

if there are any gaps found.

Can you tell us about the roles and

responsibilities between FEU and your external

providers in developing (a) the whole program, and

then (b) those sub-elements of, you know, testing

regime.


MR. T. SWANSON: Certainly. Tim Swanson.

We use standard iTOLL change control as our

basis for our change management processes. In regards

to external sources, third parties, they must adhere

to our standard change control processes which

includes everything from segregation of duties,


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


development, QA environments -- or sorry, quality

assessment environments. That's the techie in me, in

all the acronyms. Sorry about that.

So we absolutely have all those controls in

place and those are the controls that are audited on a

regular basis by internal and our third-party

auditors. So those controls are identical for all

vendors that we use.

MR. HAILS: Are you referring to internal controls over

financial reporting?

MR. T. SWANSON: Tim Swanson. No, I'm referring right

now to internal controls around change management for

technology, whether it be in regards to financial

systems, customer systems or any other systems we use.

We use standard change control. We don't have varying

levels of change control for different types of

systems. We've settled on one standard change control

that is the -- that is acceptable at the financial

level, so it has more rigour than some change control

systems may.

MR. HAILS: So part of that would be security and

access controls. I don't doubt that it's very

difficult to decrypt a 256 bit key, however more often

than not, the protection of that key itself would

represent the weakest link in the chain. So

protection of that may be virtue of a simple employee


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


password which can be attacked. You know, you may be

inviting attention from other jurisdictions, as well

that may apply more brute force attacks if they deem

it necessary.

So it's not so much the encryption itself

which is good, but it's really the processes and

procedures that you have in place to manage, store,

retain, you know, maintain, upgrade, that are

typically at issue.

So it's not the encryption itself that will

lead to something bad happening, but it's the manner

in which you manage the keys, for instance. So what

have you got in place to address that risk and the

fact that it's not as robust as an encryption itself?

MR. T. SWANSON: Tim Swanson. Great question, and

something we recognize internally always is "the

weakness of the employee", we call it. Particularly

Canadians are very polite, kind and responsive. In

that regards, again, regardless of where information

is located, that particular risk doesn't change

because our people are our people.

What we do to manage that risk is make sure

that we have access of lease privilege, and we have

redundant controls in place when it comes to releasing

that kind of information. And specifically around

keys, keys will only be generated when requested, and


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


we don't push keys outside the organization. But I

think one of your questions there was what if we

granted someone access to our system who was a bad

actor, somebody who wanted to hack into our systems.

That is a risk regardless of where your data is

located. It comes down to your controls around access

privilege, in which case every access is authorized,

depending on the person's role in the organization, or

the contractor's role for us. It's granted on an

individual basis and it's role based and it's based on

access of least privilege.

The whole intention of controlling access

to system is to ensure that no one individual can

materially damage or access information, all

information. They are focused on areas that they need

access to, and that's it.

MR. CHEUNG: It's Leon Cheung here. A simple question,

not as techie. Ms. Pratch, this morning you talked

about having big projects and small projects, and in

one of the IRs, Exhibit B-12, CEC Alternative Relief

1.1.2 you mentioned that a project manager would go

through a checklist and after that management would

make the necessary determination to make sure that

adequate controls are in place.

Can you describe and explain the FortisBC

internal approval process, such as the process for


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


internal review. What is the required approval levels

such as senior management executives, the board, or if

you have any certain committees that look at big and

small projects. And the budget oversight, is there a

signing authority or thresholds and how do you monitor

risk management.

MS. PRATCH: Monic Pratch. I'll try and address that

in a couple of different segments. First of all, to

talk about authority levels, certainly we have an

authorities policy in place that governs specific

signing authorities and things of that nature.

When it comes to privacy, we've taken big

projects, small projects, everything comes through my

office. And so I see all of those projects. Whether

they are a $2,000 project or a $2 million project, I

will see those projects. And we do that because

privacy risk doesn't often change depending on

necessarily a dollar value. You could have a

relatively small dollar-value project that has huge

privacy implications based on the amount of data that

we're transferring or data that we're using or

processing or what we're doing with it.

So certainly there's no policy in place

that currently governs, you know, if it doesn't hit a

certain amount I won't look at it. I see everything

that comes from a -- dealing with personal


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


information.

With respect to kind of our internal

process, I think I kind of described, you know, you've

got your project managers or your folks that are

looking at different various projects, and then we've

installed these kind of privacy gatekeepers, like I

like to call them across the IS department,

procurement, and certainly in any department where

we've got a high volume of personal information. For

example, human resources or customer service. I've

got folks trained in those areas to specifically

recognize privacy issues, and they kind of act like a

first line of questions. But I'm in contact with them

on an extremely regular basis.

So it's kind of this -- it's more of an

informal process, but that we've done through training

and through ensuring that our employees are aware of

the importance of privacy. And so we've gone through

that process, and as things come up to me, I'll have a

look at that project and often I will be looking --

oh, and I guess the other privacy gatekeeper that I

can talk about is our legal department.


So as a member of that department I am

always talking about privacy and certainly the lawyers

see a variety of contracts and processes and projects


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


across their desks and they’re all trained to

recognize privacy issues as well. So anything that

any of those folks see that could be a potential risk,

we have a conversation about. And then we will

determine, as I mentioned before, whether or not it’s

a significant volume or significant amount or

sensitivity of personal information that we would

require a full blown privacy impact assessment to be

completed.

Does that sort of answer your questions

around authority levels and --

MR. CHEUNG: And how -- correct me if I’m wrong, you’re

the chief privacy officer.

MS. PRATCH: Correct.

MR. CHEUNG: And has this position been around for a

while?

MS. PRATCH: We’ve had -- sorry it’s Monic Pratch. We’ve

had privacy officers in place for a number of years as

required by the Personal Information Protection Act.

However, the office or the creation of the position of

chief privacy officer came about in 2012, I believe

and I was appointed to that position. And so I

believe it’s just an example of additional focus that

we’ve put on this issue of privacy. And I’ve

certainly received the support of senior management,

as well as our board, as well as, you know -- as I


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


said before, privacy had been engrained throughout our

organization. So I would think our regime is

becoming, you know, more compressive all the time.

And this I just another example of a step in that

direction that the organization had taken.

MR. CHEUNG: And from the security perspective do you

have any comments on the thresholds and authority

levels?

MR. T. SWANSON: So I think I have answered most of the

question previously, but if I am missing anything let

me know.

In regards to thresholds, security

assessments are done for any technology project

regardless of scope or scale. The team that does

security assessment is an internal group operated by a

manager who takes care of all the controls in that

area. And the assessment is produced and attaches as

part of the project.

MR. HAILS: Jason Hails. If you come across an issue

that you fail -- or you feel may need, you know,

further discussion, how are they escalated in the

organization?

MR. T. SWANSON: Tim Swanson. In regards to security the

infrastructure manager, who is responsible for

security assessments, would identify the issue,

address it with the potential vendor or even the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


internal -- if it’s an internal issue, address it

internally. If there is a challenge with alleviating

that risk then it would be -- he had actually the

authority to stop a project if the security assessment

fails in any way. If he feels that there is a

decision point to make and there may be some

discussion that should occur, he can escalate to

myself for that discussion.

MR. HAILS: And are there any bases where an issue may

escalate respectfully beyond the director level, in

the executive in the organization?

MR. T. SWANSON: Specifically -- sorry, Tim Swanson.

Specifically, I suppose there could be. From a

security assessment perspective we have never

escalated to the executive. Quite frankly, they're

not technical and all that savvy, and neither should

they be. Even in my position I don’t -- you know, to

have the technical expertise, more than likely if a

question was going to be asked to myself if would

probably be more around cost and negotiating with a

vendor more than the security piece itself. We have

security experts who manage and operate that group and

they’re the ones who will make the decisions.

MR. D. SWANSON: Dennis Swanson. Just adding to that, I

am the vice-president over that area, who is

apparently inadequate. And I can reassure you that my


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


CEO and board or directors and my audit committee

would be holding my feet to the fire if we had issues.

Even when we do audit, internal audits and such, if

there are ever any issues identified it would come up

through the audit committee and yes, I would be held

accountable for that.

MR. HAILS: Do your internal auditors report to the chair

of the audit committee?

MR. D. SWANSON: Yes.

MR. HAILS: Who do you report to Ms. Pratch?

MS. PRATCH: Monic Pratch. I report to Dennis as well,

indirectly, but I can say in my experience as chief

privacy officer that it would be a very rare

occurrence for me to have to escalate something to the

executive level. That being said, we do have

conversations all the time. So, for example, a

particular executive may be working on a project or

may know that his folks are working on a project and

ask me, hey, how are the privacy, you know, do you

have any specific privacy concerns around that?

So I would say that while I have certainly

not had to necessarily escalate something to the

executive level from that perspective, it's certainly

of interest to the executive. So we are always having

that conversation.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. T. SWANSON: Tim Swanson. I just wanted to add that

the executive has actually made -- and the board of

directors has made extra efforts to actually become

more informed around security over the last few years,

and there has been a conscious effort and training in

place to bring up their levels of understanding to an

appropriate level. When I refer to them not being

informed from a technical level, they shouldn’t be. I

mean, like I said, these are way too in-depth, these

assessments, for them to really understand the

technical references.

MR. DALL'ANTONIA: Nice recovery.

MR. D. SWANSON: Dennis Swanson. Just to add one other

thing. These types of issues have been elevated with

boards of directors. If you take any board of

directors training right now, there is a lot on

privacy and a lot on cyber-security. So it is top of

mind with our board of directors. As a matter of

fact, Tim Swanson is currently scheduled at our next

board meeting to do a presentation to our board of

directors around cyber-security.

So, as much as they’re not having to

elevate stuff, there’s definitely questions coming

down on a regular basis, and there’s lots of

conversations around both of these topics.

The amount of corporate reputation that


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


sits with security of data and privacy is huge. Well,

we’ve seen companies around the world when they’ve had

breaches, it can really wreck the corporate reputation

of a company and that’s real, real fast. So we say

we’re protecting that data for our purposes, as much

if not more than for the customer’s purposes.

MR. HAILS: Jason Hails. Have you had any breaches?

MR. D. SWANSON: Of --

MR. T. SWANSON: Tim Swanson. Could you clarify what

kind of breaches?

MR. HAILS: Information breaches.

MR. T. SWANSON: Tim Swanson. No, we’ve had no breaches

in our security.

MS. PRATCH: Monic Pratch. I can clarify that Tim is

absolutely correct that we’ve had no breaches in

security, but we have had privacy breaches that don’t

deal with a secure -- with an information security

side of things. For example, we’ve had scenarios

where you have somebody in our billing department that

might accidentally put one customer’s bill into

another customer’s envelope before sending it out.

From that perspective, you’ve now got one customer

receiving personal information of another, and that

all gets reported pursuant to our internal breach

management incident response, and would come through

me. And I would then do an evaluation in accordance


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


with the Office of the Information and Privacy

Commissioner guidelines as to whether that customer

needed to be notified, and the appropriate protocols

to take. So, from a privacy side, yes. But extremely

minor.

MR. COCHEY: Do you think -- Lionel Cochey from the

Commission again. You think it will be more accurate

to say that you don’t have any known breaches or can

you, you know, demonstrate to, you know, the Panel and

the people around the table that you’ve got hundred

percent assurance that there was no issues on the

information security breach whatsoever?

MR. T. SWANSON: Interesting question, Mr. Cochey, and

you know, to answer that, it’s actually -- it’s not as

simple an answer as some people -- some folks might

think. We can say without a doubt that we’ve had no

security breaches externally into our systems. Now,

to say that somebody hasn’t sat down at somebody’s PC

and accessed information, I can’t say that without a

doubt. Certainly that could occur, and we wouldn’t

necessarily be able to track that.

MR. COCHEY: And to clarify, why do you think, you know,

you’re not able to go into -- to confirm that?

MR. T. SWANSON: Tim Swanson again. In any work

environment, you know, there’s PCs and equipment’s all

over the place. Folks stand up, walk away. They’re


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


required to lock their PCs, and the PCs actually lock

after a certain period of time. But there is no

system in place that would physically or biometrically

identify the person that sat down at that computer, if

it was unlocked. So that’s how -- that’s why I’m

saying there is no way that I can say that that has

never happened. Again, we go back to the fact that no

individual in the organization has the capability to

make material changes to a system. There is controls

in place from a financial perspective, from an access

perspective, and that’s why we do that, to mitigate

those kind of risks. There, you have to rely on

employee training, your policies internally, that’s

really what protects you in those situations.


Oh, yeah, well, the reason I can say

there's no known -- or there has been no reported

access from external is that we actively monitor for

external access to our systems. We have reports that

are produced -- well, they're steadily produced every

day. So we can look at attempted accesses to our

system, unauthorized accesses to our system. We also

can see authorized access to our system and we can

verify the location that those accesses came from.

MR. COCHEY: I understand that, thank you. Lionel

Cochey from the Commission. So based on your


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


response you provided here, I understand that there

are some risks that are very hard to address, you

know, specifically around the user. You know, you

can't fully control what the user was doing. Is that

correct?

MR. T. SWANSON: Tim Swanson. Again, I think we

discussed this earlier talking about the fact that

human beings are human beings and yes, there's always

a risk around the human interface.

MR. COCHEY: So continuing on that remark, don't you

think that, you know, in another country, this risk

would potentially increase because you've got

different type of persons, different type of control

and environment?

MR. T. SWANSON: No, again, because nobody in that

country has access to anything that's usable or

identifiable.

MR. COCHEY: Okay, so I will come back to the questions

I had at the beginning related to the privacy, impact

assessment and the risk assessment. And it's really

in fact, you know, for a better comprehension and a

better clarification of what you've been saying here

to us.

So I understand that the objective of the

privacy assessment is to understand, you know,

specific risks and being able to develop controls,


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


mitigating controls to address or remediate or

mitigate these risks, correct?

For risk assessment, I understand it's more

kind of a baseline approach. Right? You say black

and white on some data is a baseline, where you have a

set of specific security controls that you want to see

in place to address security risks. Is that correct?

MR. T. SWANSON: We have specific controls in place,

yeah.

MR. COCHEY: So, if I'm using this baseline of, you know,

meaning a set of specific security controls that

you've defined, how was this baseline developed in the

first place?

MR. T. SWANSON: Again, as I've indicated before, we've

used third-party expertise to help us develop those

baselines. Experts in the field of security, risk

assessment and so forth, and that's how those

baselines get established. And again, those baselines

get tested on a regular basis as well to ensure that

nothing's changed in the environment that we need to

address in regards to those baselines for,

particularly, security and risk assessment.

MR. COCHEY: So I'd like to ask you, in fact, you know,

when you developed that baseline, following, you know,

the process that you've just described, is that true

that this baseline was developed for protecting


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


information in Canada? Because that's the current

situation.

MR. T. SWANSON: No, the baseline was created for

protecting information regardless of where it is,

because the protecting of information -- I'm going to

back to my presentation. We don't change the way we

protect information based on where it's stored. And

when we develop the requirements, because we use -- we

have to send to information within Canada to

organizations, including the Commission, we need to

have security and controls in place that address our

external sending of information or storing of

information.

MR. COCHEY: Yeah, I mean, it's hard to understand how

you can ensure that -- like your secure baseline that

you're referring about, or the set of controls that

you've developed, you know, in the context of the

current situation where you don't host data outside of

Canada, will adequately apply to risks of, you know,

hosting data outside of Canada.

MR. T. SWANSON: Tim Swanson. Again, I respectfully

disagree. The protection of information is consistent

regardless of where it is, and we don't determine that

our system, or our security assessments are adequate

on our own. We ensure that our security assessments,

our security practices and controls are adequate


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


regardless of where the data is stored, and we use

third parties to ensure that we are protected.

When third parties do a -- we call them

penetration tests or ethical hacking tests on our

system, they consider whether they are accessing data

in the U.S. or whether they're accessing data in

Canada. They don't concern themselves with the fact

that our data centre is in B.C. They look at our data

wherever it is, and they test to see if they can

access it.

So I can say comfortably that regardless of

where we store the data, we will ensure that that

level of protection is consistent across the board.


MR. COCHEY: When you look at countries outside of

Canada, you know they may look, you know, the same.

You’ve got different states, different people, right,

but it’s still human people, and it’s still, you know,

IT, you know, about the same everywhere, right. You

know, Windows platforms, Intel processors, you know,

it’s -- I mean, don’t you believe that there are some

specificities to some countries where, you know, you

have some poorer states with, you know, advanced, you

know, people, advanced recourses, advanced teams and

organizations who are either very keen to, and

potentially, you know, capable of accessing data, you


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


know, whatsoever.

MR. D. SWANSON: Dennis Swanson. Again, you have to step

back and you have to look at the situation. That all

-- even if that was all true, when the datas left

FortisBC, if it was sensitive data, it was encrypted

or de-identified. So the data is not actually usable

to them. It doesn’t matter what their motivation was

or what their situation was. Once that data, if it

was sensitive, has left our system, it’s unusable.

MR. HAILS: It's Jason Hails. Can you describe the scope

of work that you would have your third party security

experts work under?

MR. T. SWANSON: Tim Swanson. I can give you a high

level. So our annual assessments include, and I won’t

be able to recite the whole scope of work, but from a

high level the scope of work includes attempts to

penetrate our internal systems. An evaluation of our

websites, because those, of course, are access points

from wherever in the world. Access levels for

customers. Access levels to our hosted environments.

They test all of those from a security perspective.

There is a review of our change control documents to

ensure that change control protocol is followed,

because we have it documented and recorded change

control process for all infrastructure and

applications.


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


So they review all of those to make ensure

that we’re compliant. They test our versions of

security, whether it be encryption, whether it be

security patch levels on servers. They test all of

those pieces. So that’s kind of an overview of the

scope of work that we’re looking at in those

situations.

MR. HAILS: And do you develop those scopes of work

internally?

MR. T. SWANSON: So the scopes of work actually are quite

often recommended by the third parties because they’re

-- they’ll -- there very comprehensive when they come

to us with proposals. We certainly review them to

ensure that there is no missing pieces, but we do not

recommend to them to remove components of their test

based on the fact that we don’t think we’ll pass. So

we don’t have that kind of control over them. We can

add but we can’t take away from those assessments.

MR. HAILS: And do those scopes of work change over time

from year to year?

MR. T. SWANSON: They potentially could, yes. If we

offer different customer offerings they would test

that. They’ll test whatever new systems we put in

place, certainly.

MR. HAILS: And how would you know if they should augment

the scope of work?


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. T. SWANSON: Tim Swanson. They review our systems.

We keep an inventory of all our systems and the

incremental changes would be addressed on an annual

basis. So they would look at the systems and compare

it to previous tests and ensure that they didn’t miss

any pieces on their test.

MR. COCHEY: Lionel Cochey. I am just wondering about,

you know, the self-controls that you developed here to

protect information. So what is the expertise that

was used to develop these sets of controls? Who did

you use, what specific framework, you know, did you

use to develop that set of controls?

MR. T. SWANSON: Tim Swanson. As I said earlier, like

most organizations we base our controls on the

(inaudible) information technology. It’s the standard

that everybody uses for change control. And then from

there we augment it based on our requirements.

So to put it in perspective, we’ve had

these change control process in place for well over a

decade. And they have evolved over that time based on

feedback from auditors, based on feedback from third

party testing. So the controls have changed over the

last decade to meet the needs of the systems as they

evolved.


I can give you an example of that. The


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


testing of how a virtualized server environment was a

change compared to the testing of a physical server

environment, if you want to really get into some of

the interesting details that happened, or the nuances

in technology that occur over the years, so, yeah,

there’s certainly an evolution of those controls.

And also versions of the standards are

considered, and if the versions of the standard

recommend changes in controls, we certainly look at

those. But I’d have to say in general controls are

fairly consistent. We talk about minimizing the

impact of an individual. We talk about role-based

security. We talk about levels of protection. Those

are fairly standard and really what you want to do is

test against the most current standards.

MR. COCHEY: Let’s take the example here of a virtual

environment. Can you tell us, you know, what is the

standard that you’ve been following to secure your

virtual environment?

MR. T. SWANSON: Well, we’re getting into some very --

oh, sorry, Tim Swanson. We’re getting into some very

technical questions here, and I’m not sure how much

value this is going to add to the conversation. I’m

not sure how it is relevant to what we’re talking

about here.

MR. CURTIS: Yeah, I mean, I’m not going to object to the


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


question. Tim’s, I think, foreshadowing that he’s

about to blast us with a bunch of technical jargon

that I certainly won’t understand. So, we’re in your

guys’ hands. Do you want to hear about this?

MR. T. SWANSON: And just to be clear, remember, I’ve had

-- I’ve been in a senior management role for a long

time, so if we want to get into the technical -- the

technical protection in a virtualized server

environment, I don’t think it’s going to be very

meaningful for the group here, and I don’t believe I’m

going to have a whole bunch of details that’s going to

make it very relevant for anybody. So --

MR. COCHEY: (inaudible) the assurance that you’ve been

following, you know, like what is considered as best

practice, or what will be appropriate for a security

baseline, you know, regarding the threat of, you know,

a security breach of your -- you know, with or the

opposite.

So can you describe what will allow us to

understand your -- that you have followed and did to

ensure, sufficient, you know, best practice. And what

is the level of assurance that you’ve got about that?

MR. T. SWANSON: Tim Swanson. Again, it -- the practices

we use are tested regularly, and that’s our assurance

that those practices are adequate. Simple answer.

COMMISSIONER KIELTY: And you did confirm that you have


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


no significant deficiencies as the result of those --

MR. T. SWANSON: Exactly --

MR. COCHEY: I have a question here related to that.

Lionel Cochey again. Don’t you think that in order to

ensure a good protection of an organization, in terms

of security and the protection of data, nowadays, and

as a fact, you know, you see that there is more and

more attacks. You know, cyber-security organizations

run the world, as you mentioned before, are breached,

and you get some of that -- every day now in the

press. So the sophistication of the attacks as well

is, you know, more and more complex.

So don’t you agree that you need to have

dedicated resources to protect, you know, informations

of an organization? Meaning, you know, having at

least a full-time security team.

MR. T. SWANSON: Tim Swanson. We absolutely have

dedicated resources to security. We have several

resources and their job is to ensure the security of

our networks, whether from internal or external

access. The versions of firewalls we use are --

there’s a roadmap and a strategy as to how we approach

that protection. We use the latest in firewall

protection. We have active monitoring. We have

intrusion detection, intrusion prevention. And as I

mentioned in the evidence, we also use what --we use


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


products from -- advanced products in zero-day attack,

even.

So just for the Commission’s information,

zero-day attack means that it’s an attack that nobody

has seen before. And we have -- one of our vendors

that we use has organizations around the world, and

no, we’re not sending them information, that monitor

these attacks and can upgrade our-- and tell us to

upgrade our systems on a moment’s notice. So this is

the level of security we’ve applied to our internal

systems. And this is the kind of expectations we have

when we look at third-party vendors as well.

MR. HAILS: Okay, I think we’re -- we’ve gotten to the

point where we can move on to the next topic.

MR. CHEUNG: Madam Chair, it’s 12:45 right now. Do you

want to continue, or do you want --

THE CHAIRPERSON: How much do you have? Can you give us

an estimate, how much time would you require?

MS. CHUNG: It’s Leon here. I would suspect about --

around an hour or so.

THE CHAIRPERSON: All right then. I would think that we

take a break, then. It is quarter to 1:00, so how

long a break? Is 45 minutes enough for lunch, a quick

lunch? Which means we’ll return at 1:30? Thanks.

Thank you very much.

(PROCEEDINGS ADJOURNED AT 12:47 P.M.)


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


(PROCEEDINGS RESUMED AT 1:35 P.M.) T37

THE CHAIRPERSON: Thank you. We shall get back to the

topic and hear the questions from the Commission

Staff.

MR. CHEUNG: This is Leon Cheung. I’d like to start off

with more of a clarification question, and if we can

go to Exhibit B-9, BCUC Alternative Relief, IR, the

No. 2 series. And in that IR it asked about the

personal information definition within the Personal

Information Protection Act, PIPA. It says that

"personal information means information about an

identifiable individual and includes employee and

personal information but does not include (a) contact

information or (b) work product information". And

contact information means ""information to enable an

individual at a place of business to be contacted and

includes the name, physician name or title, business

telephone number, business address, business e-mail or

business fax number of the individual".

So in question IR 1.2.3 it asks:

“Please confirm contact information under

Section (a) as defined by PIPA only applies

to employee personal information. In other

words, can FEU confirm that the contact

information of their customers must be

either de-identified or encrypted if stored


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


outside Canada as per FEU’s proposed

alternative relief.”

And then in the response, in the last

sentence, FEU said that

"Accordingly, the FEU cannot confirm that

contact information as defined by PIPA only

applies to employee personal information.

So I just want to clarify in that response,

does this mean customer contact information such as

their phone numbers and addresses could be stored

outside of Canada without encryption or de-

identification?

MR. D. SWANSON: Dennis Swanson. Just before Monic

Pratch steps in and answers that question

specifically, I just want to put it in some context

here, and that is, given where we got to in the change

in the wording in the order as assisted by Mr.

Andrews, we would back off that personal information

and change it to customer information, which would

include all of that. So I think the answer to that

ends up being irrelevant, but I’ll still let Ms.

Pratch speak to it.

MS. PRATCH: It’s Monic Pratch. Contact information of

customers, if they’re an individual customer and the

Act and PIPA applies to that individual customer,

their contact details, their home contact details


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


which is ultimately or most often what we have

regarding our customers, would be considered personal

information under PIPA.

MR. CHEUNG: Okay. Contact information including

addresses.

MS. PRATCH: Yes, because contact information itself is

defined as -- it means information to enable at a

place of business to be conducted. Most of our

residential customer information is their customer

information at their home address or their home

information.

MR. CHEUNG: Okay. Okay, that’s -- thank you. I guess

in 2.2, if I’m understanding this correctly, Fortis

said that personal information would include employee

information?

MS. PRATCH: Correct.

MR. CHEUNG: Okay. And if the directive, if the proposed

approval sought just says customer information, is

employee information going to be encrypted or de-

identified?

MS. PRATCH: Monic Pratch speaking. That’s a very

relevant point and I think that as Mr. Curtis has

mentioned earlier, we’ll have to work on the wording,

but yes, it’s out intention that employee information

would be covered in the same type of order. So it

would say something to the effect of customer


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


information which would include residential,

commercial, industrial customer information as well as

employee information, but yes, we’d have to work on

the wording certainly.


MR. CHEUNG: Okay, so since employee information is

going to be encrypted or be identified if stored

outside Canada, can you explain why FEU ratepayers

should pay for the additional encryption and de-

identification costs associated with protecting

employee information?

MR. D. SWANSON: I think that answer to that would be

because they also would get the benefit of us doing

it. Remember, the whole point of us looking at being

able to have that restriction rescinded is if there's

benefits to customers of doing so. So if it was a net

increase in costs, it's not something we'd be

considering.

MR. CHEUNG: Okay. So let's go to more clarification

on customer information. In the approval sought,

earlier we saw in slide 5, I understand that FEU would

now be rewording the approval sought. So assuming --

or let's say when I looked at this I noticed that

section A was excluded from these three bullet points.

Is there a reason why it was excluded?

MR. CURTIS: So in Section A -- what we're trying to put


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


up on -- Section A would have been included in the

version of alternative relief previously. Section A

is sort of you start with personal information to stay

in Canada but if you encrypt or de-encrypt, then it

can be stored outside of. So we're just trying to

keep the slides a bit cleaner and took that part out.

MR. CHEUNG: Okay.

MR. CURTIS: But, to be clear, we've got to go -- we're

going to go and work on this after based on what's

been discussed today. So I don't quite have it in my

head yet whether Section A stays or goes in the new

version.

MR. CHEUNG: Okay.

MR. CURTIS: I won't have that until next week sometime

when I start thinking about this some more.

MR. CHEUNG: No, that's fine. I just want to make

sure, "customer" in that context means -- it includes

industrial and commercial customer classes, yes?

MR. D. SWANSON: Yes, it does.

MR. CHEUNG: And it would also include information

about corporate and legal identity information? Are

there any circumstances where it's non-customer

information that you would protect?

MR. D. SWANSON: Dennis Swanson. Yes, any data we deem

to be sensitive would have to be protected.

MR. CHEUNG: Another question follow-up with approval


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


sought. Today we heard about sensitive information --

or not sensitive information. Customer information is

probably the most high up priority for the interveners

and for the participants here. If the Commission is

to consider a directive that says, remove the current

restriction and impose a restriction where all

customer information must be stored within Canada,

period, whether it be encrypted or not, is that

something Fortis would be amenable to?

MR. D. SWANSON: Dennis Swanson. I think that's what

we have today, unless I'm misunderstanding something.

MR. CHEUNG: I mean, all customer information has to be

stored inside Canada. Non-customer information could

be stored outside Canada. If it's encrypted, it

doesn't matter, like customer information has to be

stored inside Canada. Is that something that Fortis

would be looking for in terms of benefits,

opportunities and that kind of stuff?

MR. D. SWANSON: Dennis Swanson. I think that isn't

what we're looking for. We are looking for a more

inclusive -- I think the more limits you put on it,

the less likely you're going to be able to find any

benefits to customers. We don't believe that the risk

increases as a result of the data storage location, so

we don't think such restriction would be necessary.

MR. T. SWANSON: Tim Swanson. It's an interesting


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


question, Mr. Cheung. When we consider information

that is exchanged or even if you chose an e-mail

service, that's stored information, right? There may

be a spreadsheet in that e-mail that has customer

information in it. That e-mail, of course, is

encrypted, but it could have customer information in

it. So to Dennis's point, if you start restricting

customer information specifically it could become very

difficult to manage.


MR. CHEUNG: Going back to -- I want to turn to Exhibit

B-1, the application, page 5. Where Fortis says

potential inconsistencies as one of the reasons to

support the application. On page 5 it says that

neither PIPA of and P-I-P-E-D-A, the Personal

Information Protection and Electronic Documents Act,

"…contains a restriction to maintain the

location of data and servers for private

sector companies within B.C. or Canada.”

And then on page 11 on the FEU final

submission, dated December 4th, 2014, FEU said:

“Because this extra burden…”

And I am assuming it talks about the current restriction,

“… the FEU can be at a disadvantage when

seeking the most suitable and cost effective

information technology solutions to meet


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


customers' and companies' needs.”

When FEU talked about inconsistencies

between FEU and private sector companies and having

the current restriction as a disadvantage, what type

of disadvantage do you, FEU, mean?

MR. D. SWANSON: Dennis Swanson. I think there’s -- this

is not going to be an all inclusive list, but the

types of disadvantages we can see would be around the

costs associated with data storage. And if you -- the

more restrictions you add in the less options we have

to consider, and therefore you can’t necessarily take

advantage of cost savings that may exist.

In additions there’s certain services or

there are certain vendors that would be, say located

outside of Canada, that if we wanted them to run data

analytics on our data, for instance, we wouldn’t

necessarily be able to use those services. So it

could be in terms of level of service. It could be in

terms of level of costs.

And again not an all inclusive list but

it’s those types of things that we had in mind.

MR. CHEUNG: So it would be disadvantage, like, against

itself not against, like, private sector companies?

MR. D. SWANSON: No, sorry. Dennis Swanson again. It’s

not necessarily the utility would be disadvantaged,

it’s also the utility and its customers would be


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


disadvantaged. They wouldn’t have access to those

costs savings. Wouldn’t have access to the services

that we could provide if we had, if we had access to

those vendors.

MR. CHEUNG: Then would FEU agree that because FortisBC

Energy is a regulated public utility monopoly that

serves the public, that you might be subject to

different constraints than other private sector non-

monopolies such as storing data within Canada?

MR. D. SWANSON: Dennis Swanson again. Definitely

there’s a different set of rules that applies to FEU

as opposed to private sector companies, but the

company submits that shouldn’t disadvantage its

customers. The rules that -- generally speaking the

rules that apply to the FEU are there to protect its

customers, and I guess not disadvantage the customers.

So what we’re really talking about here is

being able to look at options that do provide benefits

to customers. And I don’t think that’s the intention

of the Utilities Commission Act, for instance, in

applying different criteria on the utility than it

does on -- than generally would apply to private

sector companies. I don’t’ believe that is intended

to disadvantage customers.


MS. PRATCH: If I may, in addition -- it's Monic


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


Pratch. We are also submitting that there's a very

robust privacy regime in place in British Columbia

that deals with these issues and deals with concerns

of this nature. And so as a result, because there's

an addition regime in place, and because we have a

comprehensive privacy management program, that in

these particular circumstances it would be appropriate

for us to be held to the same standards that are

required of other private sector organizations.

MR. CHEUNG: Okay. Possibly the last question. Just

circling back to the potential breaches that may or

may not happen. Who knows? If the Commission grants

the approval sought by the utility, what do FortisBC

Energy envision to be the communication and reporting

requirements with the Commission, if any?

MR. D. SWANSON: Dennis Swanson. Again, when you step

back to -- I'm sorry for being very repetitive here,

but when you step back to the fact that we don't

believe that risk increases as a result of where we

store the data, inside or outside of Canada. We don't

believe that there should be any further reporting

requirements or restrictions put in place. We just

don't think they warrant it.

COMMISSIONER MacMURCHY: Can I ask a question about

that? If you had a significant data breach in Canada,

would you report it to the Commission?


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. D. SWANSON: Dennis Swanson. I'm being prodded

here. Which Commission? I assume you mean the

British Columbia Utilities Commission? I don't

believe there's any requirement to.

COMMISSIONER MacMURCHY: That wasn't my question.

MR. D. SWANSON: I know.

MR. DALL'ANTONIA: I know you don't sit in the back but

every time you are there I (inaudible).

We have obviously the formal reporting

requirements – sorry, it's Roger Dall'Antonia speaking

– from a fines point of view. But we also have a

direct dialogue with staff, as well as Chairman

Kelsey. Matters of significant import we do relay to

the Commission.

During our labour dispute, as an example,

we had a number of discussions to inform the BCUC what

was going on, because we also know that the BCUC

becomes involved in these situations. The customers

write letters. You know, they file complaints. So we

have an ongoing dialogue that's beyond just the

specific reporting requirements.

If there is a significant breach that we

would reporting to other regulators, and most likely

we'd at least do the courtesy to the Commission of

informing them what was going on and let them know

what we were doing on that front based on what we


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


currently have in place.

COMMISSIONER MacMURCHY: I suspect we'd get a few cards

and letters ourselves if that happened.

MR. DALL'ANTONIA: Oh, yeah.

COMMISSIONER MacMURCHY: So it would be no different. I

guess the point I'm trying to make is you would treat

that matter no differently if the breach related to

something that was being stored in a different

location. A breach is a breach.

MR. D. SWANSON: That's correct.

MR. HAILS: It's Jason Hails. A follow-on question to

Leon's. If some kind of alternative relief were

granted, do you envision a set of reporting that may

be required to the Commission, and any subsequent

approvals, or are you looking for a blanket relief

scenario?

MR. D. SWANSON: Dennis Swanson. What is being

requested is a blanket approval or a rescinding of the

order subject to the wording that we're going to work

on, without additional reporting requirements. And

again we go back to, we always could do additional

reporting on anything, but if there isn't a need for

it, I don't think see why we would ask for it, I

guess.

MR. HAILS: Okay.

COMMISSIONER MacMURCHY: I'll follow up on that a little


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


bit. If it was just an information reporting, i.e.

reporting that you are sourcing certain data in a

certain location outside of Canada


COMMISSIONER MACMURCHY: I presume you would see that

quite differently from a reporting requirement that

required some sort of active board action. I mean,

you want to avoid that, is what -- is that -- would

that be fair?

MR. D. SWANSON: Dennis Swanson. That’s correct.

COMMISSIONER MACMURCHY: Does that not ensure that --

MR. D. SWANSON: I don’t believe it’s necessary, but if

it was just a simple reporting, that would be more

acceptable than if it was some sort of additional

process.

MR. HAILS: Page 5 of your presentation this morning, if

you’re seeking a blanket removal of the restriction,

what do you contemplate might constitute a specific

exemption from that revised order?

MR. CURTIS: Dave Curtis. Again, I think we’ll have to

look at that in light of the tweaking that’s going on.

That clause is something that we put in a lot of draft

Orders. It’s certainly part of the old data

restriction. So, it’s probably there out of an

abundance of caution more than anything, and I’m not

sure we have much to say about it. I’m also not sure


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


if it stays in the new version, but again, we’re not

quite there yet.

MR. T. SWANSON: Tim Swanson. I’d just like to add that

you -- it gives us and the Commission the ability to

address something that may come up that it’s outside

-- I mean, we can always make a separate application.

I’m not sure that the language is all that important.

But there could be -- who knows what scenarios come up

that require -- the Commission may require us to send

information outside of Canada in a decrypted format,

or some other regulatory body may do that. And that’s

sort of a vehicle for us to apply to do something like

that. So it’s not really intended for anything, I

think, other than that.

COMMISSIONER MACMURCHY: Sound like a quasi lawyer here,

but no offence intended. But I think it would be fair

to say that Fortis always has a right to come to the

Commission if it wants to do something that is

different from what it’s -- currently under the rules

it can do. Is that not fair?

MR. CURTIS: Dave Curtis. I agree with that.

MS. CHEUNG: Madam Chair, Commission Staff is finished

with the questions.

THE CHAIRPERSON: Thank you very much.

Now, it’s back to the Commissioners, then.

COMMISSIONER KIELTY: I do have one question. And it


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


relates to the approval sought. And I understand that

you will be working on the wording. I just think it

would be helpful to the Commission to have some sort

of definition of “sensitive data”, but at a principle-

based level, and so that we can understand what would

be within that category generally. And so -- and I’d

also like to understand what sort of oversight and

monitoring you’ll have of the determination of what is

sensitive data.

MR. CURTIS: Dave Curtis. Are you asking us what kind of

oversight would there be over the determination of

when a bucket of data is sensitive, and when it’s not?

Is that the question?

COMMISSIONER KIELTY: Mm-hmm.

MR. CURTIS: You know, what comes to mind when you ask

that question is just, sort of stepping back on a

basic legal principle that always operates in these

contexts, which is, you know, how far can and should

the Commission go in regulating the utility, and where

is the line between regulation under the Act and

management of day-to-day stuff. And I’m not sure what

your --

COMMISSIONER KIELTY: No, my question is what sort of

processes and monitoring will the FEU put in place.

MR. CURTIS: Oh, my apologies. Sorry. I thought you

guys wanted to look at --


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


COMMISSIONER KIELTY: You are asking the Commission to

leave it to you. So --

MR. CURTIS: I see. That is not --

COMMISSIONER KIELTY: I was surprised.

MR. CURTIS: Sorry, my apologies.

MR. D. SWANSON: Dennis Swanson. That will necessarily

involve some professional judgment, just like we

employ professional judgment on all of our decision-

making. Specifically what level of oversight would we

employ in a -- this isn’t one person’s decision.

Monic Pratch is our chief privacy officer, but

whenever we get to situations like this, and we've

seen this with every project that’s risen up relating

to this, involves discussion amongst the company.


There’s been ongoing discussion, I know we’ve been at

the executive level over some of the projects and

asking the question about, you know, what data are we

talking about. Is it personal information? Have we

considered the restrictions?

And so I think it’s just part of our

general oversight of the business. I don’t think

there’s a specific carve out that says, when it comes

to this determination of sensitive data how are we

going -- or we’re going to run it through a separate

process. Because whether or not this restriction


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


exists, we deal with sensitive data on a regular basis

and have to protect it within our system, not just if

we take it out of our systems. So it is just part of

our normal business. It’s not something over and

above.

COMMISSIONER KEILTY: Thank you. I have one more

question. You talked about the -- once the data is

encrypted that it’s virtually impossible for it to be

accessed without the keys. Is there a risk, the human

element again, of failing to encrypt data that is

sent?

MR. T. SWANSON: Tim Swanson. The process of encryption

is automated. So data cannot leave the organization

unless it’s encrypted. It’s configured within

systems. It’s tested. There’s no human intervention

in the encryption process. We can’t actually turn off

encryption. It’s part of the configuration of the

system and to reconfigure the system would actually

interrupt the data flow and we would notice that right

away. So there is no -- data from a manual

perspective is not encrypted manually.

And encryption keys, we talk about this a

lot and I’m sure all of you are thinking what the heck

does an encryption key look like. Well, really it’s

an algorithm that the server holds, and even for a

person with any organization to access it, it’s


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


unlikely. It’s because it’s built into the operating

system. So to pull it out without getting into a

FortisBC data centre, even for human intervention is a

challenge.

But to your point, we recognize the fact

that the human factor is always a factor. And it

comes down to rigorous testing, controls, access

controls, these are all the things we put into place

to ensure that those core systems are protected.

COMMISSIONER KEILTY: Thank you.

COMMISSIONER MACMURCHY: I just want to clarify one

thing. I think the statement was made that you would

be doing, automatically doing a privacy impact

assessment if you decided to move data to be out of

Canada for storage or whatever, isn’t that -- would

that be correct?

MS. PRATCH: Monic Pratch. Yes, correct.

COMMISSIONER MACMURCHY: And all of those projects that

were approved would ultimately go through yourself

then?

MS. PRATCH: Yes, correct, yes.

COMMISSIONER MACMURCH: That’s all. I just wanted to

clarify and make sure I hadn’t misunderstood.

THE CHAIRPERSON: I don’t have any further questions. I

think we have, we have fully explored the topic here.

Now, then we have to start talking about


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


the next steps. And I know, I think the plan

certainly I have had that we take a brief break and

then the parties would come back regarding your -- how

you want to bring this processes to conclusion.

But I have questions just first to Mr.

Curtis, like Commissioner Kielty was asking about the

kind of definition of what sensitive information,

like, that sounds to me almost like a undertaking. Or

would that be just part of your homework for this new

order you would be seeking? How do you think we

should go?

MR. CURTIS: The way I think we should handle that is, I

mean we’re not going to be suggesting oral submissions

or anything like that today. I’m sure that’s a relief

to everybody in the room. So then we’re going to

contemplate -- I'm sure we'll talk more about written

submissions to follow. And I think we could just deal

with the revised order in our submission to the

Commission, which would go first. That’s certainly,

that’s the most obvious way to deal with it from my

perspective.

THE CHAIRPERSON: All right. So with the statement that

orally is out of the question then, with the other

parties do you even need a break or are you ready to

speak to your views, how you want to take this process

forward? Either way. Mr. Craig?


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. CRAIG: Commercial Energy Consumers, David Craig,

we’d be ready to talk to that now.

MR. ANDREWS: Yes, we would be ready as well.

THE CHAIRPERSON: It’s a sunny Friday afternoon so

let’s do that. Who wants to go first? Mr. Andrews?


MR. ANDREWS: I will. Bill Andrews, and I will suggest

that there be a written process for submissions, and

that the company goes first and the interveners

follow, and the company have an opportunity to reply.

And I think that would be the gist of the procedure.

COMMISSIONER O'HARA: Thank you. CEC?

MR. CRAIG: I support Mr. Andrews submissions and adopt

them, and one slight variable would be that to the

extent that the utility would like to have a little

bit of what we do in negotiated settlements attached

to this, where they could go back and forth with us a

little bit before their submission, we'd be happy to

do that. Not to make it a negotiated settlement, but

just to facilitate getting a smooth set of submissions

and replies.

But other than that, a written submission

is how we'd prefer to see it conclude.

COMMISSIONER O'HARA: Thank you. BCOAPO?

MS. SADREHASHEMI: Yes, we also prefer written

submissions, and agree with what Mr. Andrews stated


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


about the process.

COMMISSIONER O'HARA: Thank you. And I know we'll give

Mr. Curtis an opportunity to respond, but I believe

staff have prepared a draft regulatory timetable for

this eventuality. So perhaps if everybody could look

at this timetable first before you, Mr. Curtis,

respond.

COMMISSIONER MacMURCHY: Is this 24 hours for FEU?

COMMISSIONER O'HARA: Perhaps we should give Mr. Curtis

the opportunity to start first, and then it's your

turn. Whenever you are ready.

MR. CURTIS: David Curtis. Yeah, I think we've had a

little collaboration here. The dates don't quite work

for a couple of -- both for us and for one of the

interveners. So we would suggest a revision to the

schedule as follows: FEU final argument, Tuesday,

June 30th. Intervener final argument, July 27th. And I

appreciate that's a gap, but that has to do with the

availability of one of the counsel. So I think that's

important for that. And then reply a week after the

27th.

There's no -- we think that timeframe

is fine from our perspective.

COMMISSIONER O'HARA: So what would be the date then, a

week after. That's August --

MR. CURTIS: August 4th, Tuesday, apparently. The Monday


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


is a holiday.

COMMISSIONER O'HARA: Thank you. Okay.

MR. CURTIS: And then on the -- yeah. And the extra

time will help us a bit on working on the order, and

we are fine with working with the interveners here

today on that order. And my suggestion is just keep

it informal.


Mr. Andrews and I have certainly talked on

the phone about this file in the past. We can do that

as counsel, and I can do that with the others as well.

And I think it will -- I don’t think we need a formal

process, we’ll just do it in --

But I do want to say it’s not -- and to Mr.

Craig’s point, I mean, it’s -- we’re happy to

circulate the draft Order and get ideas and feedback.

We may not ultimately agree on it, but I think we

should have the process, informal as it is, and it’s

not really going to be -- we’re not entering into an

NSP here or anything. But, anyways. I think you have

my point.

THE CHAIRPERSON: All right, thank you.

COMMISSIONER MACMURCHY: No, that’s fine. Because you’ll

file your submission with whatever you come up with,

and they’ll have an opportunity to comment on it if

they don't agree with it, so --


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MR. CURTIS: Absolutely.

COMMISSIONER MACMURCHY: I think that seems fair.

THE CHAIRPERSON: Okay. Thank you. So before going to

interveners, I am reminded, Mr. Curtis, that you still

need to mark as an exhibit your presentation here.

MR. CURTIS: Certainly. David Curtis. So, the

presentation would be Exhibit B-13.

THE CHAIRPERSON: Thirteen. Thank you.

(FEU PRESENTATION MARKED EXHIBIT B-13)

THE CHAIRPERSON: All right, then. Mr. Andrews, next.

MR. ANDREWS: The proposed schedule set out works for me

and my clients, thank you.

THE CHAIRPERSON: And Mr. Craig?

MR. CRAIG: For the Commercial Energy Consumers, David

Craig. Just want to comment that the SRP process has

been constructive from our point of view, and helpful

once again as a process. Thanks to the utility for

participation in it, and to the Commission for

facilitating.

The proposed agenda as amended is fine by

the Commercial Energy Consumers. Thank you.

THE CHAIRPERSON: Thank you. Next, BCOAPO.

MS. SADREHASHEMI: Yes. The proposed dates are fine for

us as well. Thank you.

THE CHAIRPERSON: I did not check with the staff yet, but

that -- does that work?


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26


MS. CHEUNG: Leon Cheung. Yes, it will.

THE CHAIRPERSON: Okay.

COMMISSIONER MACMURCHY: I can live with it, in other

words.

THE CHAIRPERSON: And is there anything else?

So, I guess then on behalf of the Panel as

well, I am very pleased where we ended today. It has

been quite an evolution since last August, so -- and

as I remember in our Procedural Conference, some

questioned whether this SRP would work. But it was

started as SRP light, and it got a bit heavy here for

a while. But we ended in a good place, so thank you,

everybody. Enjoy the sunshine and the rest of the

weekend. Thank you.

(PROCEEDINGS ADJOURNED AT 2:15 P.M.)