ORDER NUMBER
G-141-17A
IN THE MATTER OF
the Utilities Commission Act, RSBC 1996, Chapter 473
and
FortisBC Energy Inc.
Application for an Exemption from Commission Order G-161-15
Regarding Encryption Keys for Paperless Expense Management Solution
BEFORE:
D. M. Morton, Commissioner
D. J. Enns, Commissioner
H. G. Harowitz, Commissioner
M. Kresivo, Commissioner
B. A. Magnan, Commissioner
R. I. Mason, Commissioner
R. D. Revel, Commissioner
on September 14, 2017
ORDER
WHEREAS:
A. On July 21, 2017, FortisBC Energy Inc. (FEI) submitted an application to the British Columbia Utilities Commission (Commission) for an Exemption from Commission Order G-161-15 Regarding Encryption Keys for Paperless Expense Management Solution (Application), pursuant to section 88(2) of the Utilities Commission Act;
B. On October 13, 2015, the Commission issued Order G-161-15 and its Decision in the matter of the FortisBC Energy Utilities (FEU) Application for Removal of the Restriction on the Location of Data and Servers Providing Service to the FEU currently Restricted to Canada;
C. While the FEU were the original applicants in this proceeding, the companies that comprised the FEU were amalgamated on December 31, 2014, and the amalgamated entity carries on business under the name FEI;
D. Pursuant to Recital D of Order G-161-15 and subsequently approved by the Commission, FEI is permitted to store certain classes of data on servers outside of Canada only where (i) the data is encrypted or de-identified, and (ii) the encryption keys and de-identification keys are located within FEI’s data centres that are located in Canada;
E. In its Application, FEI is seeking an exemption from Order G-161-15 to implement the Paperless Expense Management Solution (PEMS). Concur Technologies, Inc. (Concur), a company based in the United States (US) and third-party vendor of PEMS, requires the ability to decrypt and identify the stored employee personal information within the US on its own servers in order to administer, support, and perform the expense management service; and
F. The Commission reviewed the Application and considers that an exemption from Order G-161-15 should be denied.
NOW THEREFORE for the reasons attached as Appendix A to this order, the Commission orders that the FEI Application for an exemption from Order G-161-15 for the PEMS project is denied.
DATED at the City of Vancouver, in the Province of British Columbia, this 3rd day of October 2017.
BY ORDER
Original signed by:
D. M. Morton
Commissioner
Attachment
FortisBC Energy Inc.
Application for an Exemption from Commission Order G-161-15
Regarding Encryption Keys for Paperless Expense Management Solution
REASONS FOR DECISION
1.0 Background
On October 13, 2015, the British Columbia Utilities Commission (Commission) issued Order G-161-15 and the accompanying Decision in the matter of the FortisBC Energy Utilities (FEU) Application for Removal of the Restriction on the Location of Data and Servers Providing Service to the FEU Currently Restricted to Canada (Remove Data Location Restriction Decision).
While the FEU were the original applicants in this proceeding, the companies that comprised the FEU were amalgamated on December 31, 2014, and the amalgamated entity carries on business under the name FortisBC Energy Inc. (FEI).
Pursuant to the Remove Data Location Restriction Decision, FEI is permitted to store certain classes of data on servers outside of Canada only where (i) the data is encrypted or de-identified, and (ii) the encryption keys and de-identification keys are located within FEI data centres in Canada. Specifically, recital D of the Decision states:
The approval sought by FEI is as follows:
...
(b) For the purposes of this order:
• “Customer Information” means information of or about the FEI residential, commercial, or industrial customers.
• “Employee Information” means information of or about the FEI employees.
• “Sensitive Information” includes:
o financial, commercial, scientific or technical information, the disclosure of which could result in undue financial harm or prejudice to the FEI; and
o information that relates to the security of the FEI critical infrastructure and operations, the disclosure of which could pose a potential threat to the FEI operations or create or increase the risk of a debilitating impact on the safe and reliable operation of the FEI system.
• “Encrypted” means an encryption methodology using current industry standards for secure encryption.
• “De-identified” means a de-identification methodology consistent with current industry practice for the purpose of protecting personal information.
• “Encryption keys” and “De-identification keys” mean any information or methodology used to access encrypted or de-identified data.
(c) Effective as the date of this Order, FEI is permitted to store data on servers located outside of Canada, provided that data containing Customer Information, Employee Information, or Sensitive Information, or any combination thereof, must be either Encrypted or De-identified if such data is to be stored on servers located outside of Canada.
(d) Encryption keys and De-identification keys for Encrypted or De-identified FEI data stored outside of Canada must be stored on servers located within FEI’s data centres that are located in Canada.
2.0 FEI Application for Exemption
On July 21, 2017, FEI submitted an Application for an Exemption from Commission Order G-161-15 Regarding Encryption Keys for Paperless Expense Management Solution (Application), pursuant to section 88(2) of the Utilities Commission Act (UCA).
Section 88(2) of the UCA states:
The commission may exempt a person from the operation of an order, rule or regulation made under this Act for a time the commission considers advisable.
The Paperless Expense Management Solution (PEMS) is a paperless solution for employee expenditure management. FEI submits that its current expense management process is paper-based and out of date, and that it is therefore undertaking the PEMS initiative. The PEMS is a joint initiative between FEI and FortisBC Inc. FEI submits that implementing the PEMS will result in operational efficiencies and some operating and maintenance cost reductions.
Concur Technologies, Inc. (Concur), a company based in the United States (US), is the preferred third-party vendor of the PEMS. The PEMS involves storing certain employee personal information, such as mode of transportation, location of accommodation, duration of stay, and restaurants and food services used, as may be itemized on the receipts and invoices that an employee discloses in the course of incurring expenditures. This information would be stored on Concur’s US servers in an encrypted or de-identified format (Encrypted Information).
However, in order for Concur to administer, support, and perform the PEMS service, Concur also requires the ability to, on its own servers, decrypt or identify the Encrypted Information. As a result, FEI seeks an exemption from the order that requires FEI to store the encryption or de-identification keys only within FEI’s data centres in Canada.
3.0 Commission Determination
The Commission reviewed the Application and for the reasons set out below, the Commission orders that the FEI application for an exemption for the PEMS project from Order G-161-15 be denied.
As noted in the FEU 2015 Remove Data Location Restriction Decision, there are risks of authorized government access if encryption keys and de-identification keys are stored outside of Canada, regardless of the level of security in place by the vendor. The Decision states:[1]
Regarding the risk of authorized foreign government access, all parties in this proceeding agree that this risk exists because data is subject to the laws of the jurisdiction in which it is stored. FEU’s primary mitigation strategy against this risk is encrypting and de-identifying personal, customer and sensitive data that is stored outside of Canada and keeping the encryption and de-identification keys in Canada. Encryption and de-identification are so difficult to break without the keys that the relevant consideration for this risk assessment is whether a foreign government can compel the provision of keys stored by FEU in Canada through the foreign judicial system.
The Panel accepts FEU’s assessment that under the principles of international law a foreign authority may not legally compel FEU, which are owned and controlled by a Canadian company, to provide encryption and/or de-identification keys, unless ordered to do so by the Canadian court. The key factor of this protection, however, is that FEU are Canadian owned and controlled by their parent company, Fortis Inc. which is located in Canada.
The Commission finds that FEI did not provide compelling evidence to warrant an exemption. The PEMS utilizes a third-party vendor, Concur, a company based outside of Canada, and will be holding the encryption and/or de-identification keys outside of Canada. While the Commission acknowledges that the Concur solution may have met or exceeded FEI’s security requirements, the risk of authorized government access remains a key issue that was raised in the Remove Data Location Restriction Decision. A foreign government has the ability to compel the vendor located within its own jurisdiction to provide access to the encrypted or de-identified information and the keys required to decrypt or identify the data, where these are stored on the vendor’s servers. Therefore, employee information stored outside of Canada under the PEMS would be exposed to the risk of authorized foreign government access. The Commission considers that employee personal information should not be treated differently than customer information and sensitive information. Accordingly, the Application for an exemption for the PEMS project from Order G-161-15 is denied.
If FEI believes that the general risks and considerations of storing data outside of Canada have significantly changed since Order G-161-15 and the accompanying Remove Data Location Restriction Decision, FEI may file an application with the Commission to consider this matter on a broader scale.