Data Security Agreement (DSA) Overview

The Data Security Agreement (DSA) and related Self Attestation guidelines promulgated by the New York Public Service Commission (NYPSC) are aimed at safeguarding customer information and ensuring that utilities and other entities handling sensitive customer data comply with specific security protocols.

Here is an overview of key aspects:

  1. Scope: The DSA applies to utilities, energy service companies, and other entities regulated by the NYPSC. It requires them to implement specific measures to ensure the confidentiality, integrity, and availability of customer information.
  2. Data Security Requirements: The agreement sets forth various requirements to protect customer data, including encryption, access controls, regular security assessments, incident response plans, and more.
  3. Self Attestation: This refers to a process where the entities must annually attest to their compliance with the DSA’s requirements. The attestation is often signed by an officer of the company, and it confirms that the company has implemented the necessary measures and processes as outlined in the DSA.
  4. Monitoring and Enforcement: The NYPSC retains the right to monitor compliance with the DSA and can take enforcement actions if an entity is found in violation of the agreement’s terms. Penalties can include fines or other regulatory sanctions.
  5. Incident Reporting: The DSA generally requires timely reporting of security incidents, detailing the nature of the incident, the information affected, the measures taken to mitigate the incident, and plans for preventing future incidents.
  6. Alignment with Other Regulations: The DSA may also align with or complement other federal or state data privacy and security laws and regulations.
  7. Vendor Oversight: The agreement may also extend responsibilities to third-party vendors that handle customer data, ensuring that they too adhere to strict data protection standards.

These agreements and guidelines can be complex and are subject to change. Entities affected by the DSA should consult with legal or regulatory compliance experts to ensure that they fully understand and meet their obligations under the agreement.