Privacy & Security Requirements

Security Considerations

Prior to the release of customer data, eligible third parties will be validated and thoroughly reviewed, and must adhere to Information Security & Privacy requirements.  SDG&E expects and requires third parties to adhere to the security considerations published in NIST 800-53 Revision 4 before they receive customer information. SDG&E may require third parties to undergo a security assessment before customer data can be released. For more information about how we protect our customer data, please visit our Information Security page.

NIST 800-53 R4 is a comprehensive set of security controls that help to ensure that sensitive information is safeguarded appropriately. NIST 800-53 includes the following families of controls that third parties should expect to adhere to before receiving customer information:

Security Controls
Access Controls Media Protection
Awareness & Training Physical & Environmental Protection
Audit & Accountability Planning
Security Assessment & Authorization Personnel Security
Configuration Management Risk Assessment
Contingency Planning System & Communication Protection
Identification & Authentication Planning
Incident Response System & Information Integrity
Maintenance Program Management


SDG&E also maintains privacy controls based on the Generally Accepted Privacy Principles and adheres to the Privacy by Design Principles. Third parties are expected to review these principles and ensure they can and will protect SDG&E's customers' privacy with the same rigor we apply. Third parties are required to adhere to SDG&E's privacy policy prior to the release of any customer information.  For more information on SDG&E's privacy practices, please review our Privacy Policy and Privacy Notice.

SDGE, a Sempra Energy Utility