Privacy & Security Requirements

Security Considerations

Prior to the release of consumer information, eligible third parties will be validated and thoroughly reviewed, and must adhere to SDG&E's Cyber Security & Privacy requirements.  SDG&E expects and requires third parties to adhere to the security considerations published in NIST 800-53 Revision 4 before they receive consumer information. SDG&E may require third parties to undergo a security assessment before consumer information can be disclosed. For more information about how we protect consumer information, please visit our Cyber Security page.

NIST 800-53 R4 is a comprehensive set of security controls to ensure that sensitive information is safeguarded appropriately. NIST 800-53 includes the following families of controls that third parties should expect to adhere to before receiving consumer information:

Privacy

SDG&E also maintains privacy controls based on the Generally Accepted Privacy Principles and Privacy by Design Principles. Third parties are expected to review these principles and ensure they can and will protect SDG&E consumer privacy with the same rigor SDG&E applies. In order to comply with the California Consumer Privacy Act of 2018 (CCPA), SDG&E may request additional information from third parties regarding their data request or require additional privacy or security controls before disclosing consumer information to authorized third parties. More information on SDG&E's practices regarding CCPA can be found here. Regarding the consumer information they receive from SDG&E, third parties are expected to abide by SDG&E's privacy policy and privacy notice.  For more information, please review our Privacy Policy and Privacy Notice.