
SCE Application No.: A.19-08-
Exhibit No.: SCE-06, Vol. 04
Witnesses: D. Neal, J. Shotwell, J. Tran, D. Yarbrough

(U 338-E)

2021 General Rate Case

Environmental Services, Audit, Ethics and Compliance, and Safety Programs

Before the

Public Utilities Commission of the State of California

Rosemead, California

August 30, 2019


SCE-06, Vol. 04: Environmental Services, Audit, Ethics and Compliance, and Safety Programs

Table Of Contents Section Page Witness


I. INTRODUCTION .............................................................................................1 D. Neal

A. Content and Organization of Volume ....................................................1

B. Summary of O&M and Capital Request ................................................2

II. ENVIRONMENTAL SERVICES .....................................................................5

A. Overview ................................................................................................5

1. Regulatory Background/Policies Driving SCE’s Request .......................................................................................5

2. Compliance Requirements .........................................................5

a) Compliance with D.18-03-027 Adopting the Cost Recovery of the Wheeler North Reef Expansion Project Marine Mitigation Costs ..................5

3. Overview of ESD Work Activities ............................................6

a) Major Environmental Projects Division: .......................6

b) Environmental Resources Management Division: .........................................................................7

c) Programs and Governance Division: .............................7

d) Environmental Operations Division: .............................7

e) Business Planning and Analytics Division: ...................8

B. Comparison of Authorized 2018 to Recorded .......................................8

C. O&M Forecast .....................................................................................11

1. Environmental Management and Development .......................12

a) Work Description .........................................................12

(1) Environmental Management ............................12

(2) Development and Training ..............................12


(3) Maintenance, Fuel, Direct and Indirect Costs Associated with Use of Vehicles .......................................................13

b) Need for Activity .........................................................13

c) Scope and Forecast Analysis .......................................13

(1) Historical Variance Analysis ...........................14

(2) Forecast ............................................................16

d) Basis for O&M Cost Forecast ......................................16

2. Environmental Programs .........................................................17

a) Work Description .........................................................17

(1) Environmental Compliance Programs ..........................................................17

(2) Marine Mitigation ............................................18

b) Need for Activity .........................................................20

c) Scope and Forecast Analysis .......................................20

(1) Historical Variance Analysis ...........................21

(2) Forecast ............................................................23

d) Basis for O&M Cost Forecast ......................................24

D. Capital Expenditures for Implementing Environmental Services ................................................................................................25

1. Well Decommission Program ..................................................25

a) Program Description ....................................................26

b) Need for Capital Program ............................................27

c) Basis for Capital Expenditure Forecast ........................27

2. Avian Retrofit ..........................................................................27


a) Program Description ....................................................28

b) Need for Capital Program ............................................28

c) Basis for Capital Expenditure Forecast ........................29

3. Programmatic Permits ..............................................................29

a) Program Description and Need ....................................29

b) Basis for Capital Expenditure Forecast ........................30

III. AUDIT, ETHICS AND COMPLIANCE ........................................................31 J. Shotwell

A. Overview ..............................................................................................31

1. Regulatory Background/Policies Driving SCE’s Request .....................................................................................32

2. Compliance Requirements .......................................................33

a) Compliance with Smart Grid Privacy (2012 GRC Decision) .............................................................33

B. 2018 Decision ......................................................................................34

1. Comparison of Authorized 2018 to Recorded .........................34

a) Audits, Ethics and Compliance ....................................34

C. O&M Forecast .....................................................................................35 J. Tran

1. Audits .......................................................................................35

a) Work Description and Need for Activity .....................35

b) Scope and Forecast Analysis .......................................38

(1) Historical Variance Analysis ...........................39

(2) Forecast ............................................................41

c) Basis for O&M Cost Forecast ......................................42

2. Ethics & Compliance ...............................................................43 J. Shotwell


a) Work Description and Need for Activity .....................43

b) Scope and Forecast Analysis .......................................45

(1) Historical Variance Analysis ...........................46

(2) Forecast ............................................................47

IV. SAFETY PROGRAMS ...................................................................................49 D.Yarbrough

A. Overview ..............................................................................................49

1. Risk Factors, Safety, Reliability and Connection with RAMP ..............................................................................49

2. Regulatory Background/Policies Driving SCE’s Request .....................................................................................50

B. 2018 Decision ......................................................................................51

1. Comparison of Authorized 2018 to Recorded .........................51

C. SCE’s Safety Culture Transformation and Organization Structure ...............................................................................................52

D. O&M Forecast .....................................................................................53

1. Employee and Contractor Safety .............................................53

a) Work Description .........................................................53

(1) Safety Programs and Compliance ....................54

(2) Office and Contractor Safety ...........................55

(3) Field Safety ......................................................57

(4) Performance Improvement...............................58

b) Need for Activity .........................................................58

c) RAMP Integration ........................................................58

(1) Reconciliation Between RAMP and GRC .................................................................58


d) Scope and Forecast Analysis .......................................59

(1) Historical Variance Analysis ...........................60

(2) Forecast ............................................................61

2. Public Safety ............................................................................63

a) Work Description .........................................................63

b) Need for Activity .........................................................64

c) Scope and Forecast Analysis .......................................64

(1) Historical Variance Analysis ...........................65

(2) Forecast ............................................................66

3. Safety Culture Transformation ................................................66

a) Work Description .........................................................66

b) Need for Activity .........................................................66

c) RAMP Integration ........................................................67

(1) Reconciliation between RAMP and GRC .................................................................67

a) Scope and Forecast Analysis .......................................68

(1) Historical Variance Analysis ...........................69

(2) Forecast ............................................................70

4. Safety Activities – Transmission & Distribution (T&D) ......................................................................................70

a) Employee Safety Work Description ............................70

(1) Safety Leadership Development ......................70

(2) Safety Meetings and Stand-Downs ..................71

b) Worker Engagement Work Description .......................72


(1) Safety Congresses and Teams ..........................72

(2) Safety Partnership with Union Leadership ........................................................73

(3) Safety Forum Meetings ....................................73

c) Safety Systems Work Description ...............................74

(1) Therapeutic Exercise, Stretching, and Warm-up Programs ...................................74

(2) Best Practice Sharing .......................................74

(3) T&D Safety Metrics .........................................75

d) Need for Activity .........................................................76

e) RAMP Integration ........................................................76

(1) Reconciliation between RAMP and GRC .................................................................76

f) Scope and Forecast Analysis .......................................76

(1) Historical Variance Analysis ...........................77

(2) Forecast ............................................................78

Appendix A SCE CPUC Covered Information Privacy and Security Assessment Report – July 26, 2019 ..................................................................... J. Shotwell

Appendix B SCE 2015-2019 Safety Culture Transformation Roadmaps ....................... D. Yarbrough


I. INTRODUCTION

A. Content and Organization of Volume

This volume includes the work activities associated with the Environmental Services (ES), Audit, Ethics and Compliance, and Safety Programs Business Plan Elements (BPE).

The Environmental Services Department (ESD) develops and manages environmental programs that support and fulfill SCE’s compliance with laws and regulations established by federal, state, and local government statutes enacted to protect the environment.

The Audit Services Department’s (Audits) work activities provide reasonable assurance[1] that business risks are appropriately identified, compliance with regulatory requirements occurs, management’s response to such risks and requirements is effective, and that senior management and the board of directors receive consistent information and proactive advice regarding risk mitigation.

Ethics and Compliance (E&C) provides the framework for an ethical and compliant work environment where acting ethically, obeying the law, and protecting the rights and interests of customers, co-workers and the public is the natural and everyday course of business. E&C resources establish and promote expectations for employee behavior, along with tools for employees to seek advice and report concerns. It directly manages energy regulation, affiliate transaction, privacy, records and disability rights compliance, and provides oversight for other areas of compliance that are directly managed in operating units, such as environmental and employment law compliance. In addition, E&C manages the company’s Information Governance Program, which provides the framework, tools, and processes for managing the company’s structured and unstructured information.

Edison Safety and its work activities associated with SCE’s Safety Programs Business Plan Element (BPE) include health and safety oversight and services at SCE’s corporate level. Edison Safety provides guidance, governance, and oversight of the company’s safety programs and activities, including public, contractor, and worker safety activities, to accomplish the common goal of having an injury-free workplace.

[1] The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Available at: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx, as of August 14, 2019.


This volume includes SCE’s funding request for the following areas by Chapter.

• Chapter II: Environmental Services.
• Chapter III: Audit, Ethics and Compliance.
• Chapter IV: Safety Programs.

Each chapter in this volume includes analyses of: (1) regulatory and compliance requirements, (2) Operation and Maintenance (O&M) expense and capital funding authorized in the 2018 General Rate Case (GRC) compared to recorded amounts in 2018, (3) the 2021 O&M Test Year forecast relative to historical spending, and (4) the 2019 – 2023 capital expenditure forecast.

B. Summary of O&M and Capital Request

This volume of testimony presents SCE’s requests for $76.6 million (constant 2018 dollars) in O&M expenses for the 2021 Test Year and $9.9 million in capital expenditures for 2019-2023. SCE’s total requests for this Exhibit by volume are shown below in Figure I-1 and Figure I-2.

Figure I-1: Environmental Services, Audit, Ethics and Compliance and Safety Programs O&M Expenses 2021 Forecast (Constant 2018 $Million)


Figure I-2: Environmental Services, Audit, Ethics and Compliance and Safety Programs Capital Expenditures 2019-2023 Forecast (Total Company - Nominal $Million)

A breakdown of the O&M expenses for the 2021 Test Year and capital expenditures for 2019 – 2023 for this volume is displayed below in Table I-1 and Table I-2 by chapter.

Table I-1: O&M Expenses by Chapter, 2021 Forecast (Constant 2018 $Millions)

Chapter | 2021
Environmental Services | $27.7
Audit, Ethics & Compliance | $23.9
Safety Programs | $25.0
Totals | $76.6


Table I-2: Capital Expenditures by Chapter, 2019 – 2023 Forecast (Total Company – Nominal $Million)

Chapter | 2019 | 2020 | 2021 | 2022 | 2023 | Total
Environmental Services | $0.6 | $0.5 | $2.9 | $3.0 | $3.0 | $9.9
Totals | $0.6 | $0.5 | $2.9 | $3.0 | $3.0 | $9.9


II. ENVIRONMENTAL SERVICES

A. Overview

The Environmental Services Department’s Business Plan Element includes the development and management of environmental programs required to support SCE’s compliance with environmental laws and regulations established by federal, state, and local governments. All costs supported by this testimony directly or indirectly relate to environmental compliance activities. ESD’s direct costs relate to developing and managing environmental compliance programs. ESD’s indirect costs involve administrative and general activities such as training employees and supporting and maintaining the ESD organization.

SCE forecasts $27.683 million in O&M expenses in test year 2021. This includes $9.745 million for Environmental Management and Development and $17.937 million for Environmental Programs. Environmental Programs encompass $13.198 million for Environmental Compliance Programs and $4.739 million for Marine Mitigation.

SCE forecasts $9.935 million in capital expenditures from 2019-2023. This includes $2.765 million to decommission unused water wells, $3.750 million for the Proactive Avian Retrofit program, and $3.420 million for Programmatic Permits.

1. Regulatory Background/Policies Driving SCE’s Request

The environmental laws, regulations, and statutes that SCE must comply with include the National Environmental Policy Act (NEPA), California Environmental Quality Act (CEQA), California Public Utilities Commission (CPUC) General Orders, Federal Endangered Species Act/California Endangered Species Act, California Fish and Game Code, Clean Air Act, Clean Water Act, Toxic Substances Control Act (TSCA), Resource Conservation and Recovery Act, Bald and Golden Eagle Protection Act, and the Migratory Bird Treaty Act.

2. Compliance Requirements

a) Compliance with D.18-03-027 Adopting the Cost Recovery of the Wheeler North Reef Expansion Project Marine Mitigation Costs

In D.18-03-027, the Commission ordered that if at the completion of the Wheeler North Reef Expansion Project the recorded costs for the project are greater than the authorized cost forecast, then SCE and SDG&E bear the burden of proof to demonstrate these incremental expenses are reasonable. To demonstrate that these costs are reasonable, SCE and SDG&E will file testimony in SCE’s Test Year 2021 GRC.[2] The Wheeler North Reef Expansion is still in progress, no authorized cost forecast has been approved, and SCE does not have final recorded costs for the project. Therefore, no testimony to demonstrate the reasonableness of Wheeler North Reef Expansion expenses is required in the 2021 GRC. Pursuant to D.18-03-027, SCE submitted an advice letter in August 2019 providing an updated cost estimate to establish the authorized cost forecast.[3]

In addition, the Commission ordered that any continuing expenses for the Wheeler North Reef Expansion Project beyond 2020 will be included in SCE’s Test Year 2021 GRC forecast, with accompanying testimony. Such expenses are anticipated to be for ongoing monitoring, operation and maintenance of the reef, and not for construction of the Wheeler North Reef Expansion Project.[4] SCE has complied with the above condition set forth in D.18-03-027. In the 2021 GRC, SCE included ongoing reef expenses for the Wheeler North Reef Expansion project that will occur beyond 2020.[5]

[2] D.18-03-027, Ordering Paragraph (OP) 7.h.
[3] See Advice Letter 4052-E – Update of Cost Estimate for Wheeler North Reef Expansion Project – August 8, 2019.
[4] D.18-03-027, OP 7.i.
[5] See Section II.C.2.(2)(c), pp. 24-25, for Wheeler North Reef Expansion.

3. Overview of ESD Work Activities

The work carried out in ESD is organized into five divisions. The work is associated with: (1) environmental licensing and execution support (Major Environmental Projects Division), (2) biological and archaeological resources management, wetlands and surface water quality protection, post-construction habitat restoration, and SONGS marine mitigation (Environmental Resources Management Division), (3) technical environmental services and environmental compliance (Programs and Governance Division), (4) environmental field compliance (Environmental Operations Division), and (5) contract management, General Rate Case (GRC), budget analysis, and other miscellaneous support (Business Planning and Analytics Division).

a) Major Environmental Projects Division:

The work performed by the Major Environmental Projects (MEP) Division requires experienced Environmental Project Managers (EPM) who oversee the development of multidisciplinary environmental documents necessary to obtain government agency permits for SCE projects. These documents are prepared pursuant to the National Environmental Policy Act (NEPA) and/or the California Environmental Quality Act (CEQA). MEP also manages the implementation of environmental compliance requirements during major project construction; SCE’s Coastal Permitting Program; environmental assessments for CPUC General Order 131-D evaluations; and Renewable Generator and Customer Interconnect projects.

b) Environmental Resources Management Division:

The work performed by the Environmental Resources Management (ERM) division is associated with developing and implementing programs to ensure compliance with federal, state, and local laws and regulations that protect cultural resources, biological resources, and water quality. This division provides technical support for capital and O&M projects with avian protection requirements and complex permitting issues related to water quality, threatened and endangered species, and archaeological resources. This division also manages the environmental clearance program, which involves conducting reviews of over 20,000 O&M and capital projects annually to identify their potential for environmental resource impacts and, when necessary, imposes avoidance and mitigation measures for construction crews to follow to reduce or eliminate those impacts. This division also manages post-construction restoration activities for O&M and capital projects, as well as the SONGS marine mitigation program.

c) Programs and Governance Division:

The work performed by the Programs and Governance Division (PGD) is primarily centered around Air Quality; Site Assessment and Remediation; Hazardous Materials and Waste Management; and Environmental Management Systems. To perform these activities, SCE must employ experienced subject matter experts and technical specialists who lead the development and implementation of environmental programs to help ensure compliance. PGD oversees SCE’s environmental management system (EMS), which monitors and measures program effectiveness. PGD also manages EMS software applications, including SCE’s internally branded solution EHSync, an SAP product.

d) Environmental Operations Division:

The work performed by the Environmental Operations Division (EOD) is the management and field implementation of environmental compliance programs and PCB (polychlorinated biphenyls) analysis on transformer oil. This division is also responsible for the Environmental Notification Center (ENC), a centralized service for all operating units to call for reporting spills. ENC staff receive calls for transformer oil spills, deploy emergency response crews to field locations, make regulatory agency notifications, and complete EHSync incident reports.

e) Business Planning and Analytics Division:

The activities performed by the Business Planning and Analytics Division (BPA) include support for the General Rate Case (GRC), budget analysis, contract management, and other miscellaneous support, such as managing the contractor safety program, processing invoices and check requests, etc.

B. Comparison of Authorized 2018 to Recorded

The 2018 GRC Decision requires SCE to compare the 2018 request and authorized amounts to recorded;[6] Figure II-3 below shows 2018 requested, authorized, and recorded O&M expenses.

Figure II-3: Environmental Services O&M Expenses for 2018 – Authorized versus Recorded[7] (2018 Constant $Millions, Total Company)

For Environmental Management and Development, SCE requested $9.316 million O&M (constant 2018 dollars) in the 2018 GRC. The 2018 GRC decision authorized $9.316 million. In 2018, SCE recorded expenses were $11.208 million. The variance between 2018 authorized and recorded expenses is $1.892 million. SCE centralized all environmental functions under ESD in 2016.[8] There was increased spend under ESD for activities previously performed by other organizations. ESD established a new division (Environmental Operations) to manage and perform field implementation of environmental compliance programs and perform PCB (polychlorinated biphenyls) analysis on transformer oil. ESD incurred spend on the Environmental Notification Center and on supplies and equipment maintenance costs for the material test lab. 2018 spend reflected higher costs for ESD due to the environmental centralization efforts.

[6] D.19-05-020, Ordering Paragraph 22, pp. 441-442.
[7] Refer to WP SCE-07, Vol. 01 - O&M Authorized to Recorded.
[8] This work was previously performed by ESD as well as other organizations including T&D and Power Supply.

For funding the Environmental Program activities, SCE requested $14.596 million O&M (constant 2018 dollars) in the 2018 GRC. The 2018 GRC decision authorized $14.596 million. 2018 recorded expenses were $23.016 million. The variance between 2018 authorized and recorded expenses is $8.419 million, driven by new agency requirements, unpredictable environmental and weather conditions, and centralization of environmental functions. SCE’s recorded 2018 spend for TRTP 4-11 post-construction restoration activities was approximately $4 million higher than the amount requested in the 2018 GRC. These costs stem from regulatory drivers and permit requirements.[9] The recorded 2018 spend included performance of restoration activities to restore habitat in areas impacted by the project, as well as tasks to fulfill post-construction close-out measures and project compliance monitoring and reporting. ESD assumed capital activities would be completed prior to 2015. The majority of construction activities were not completed until 2017, which pushed significant restoration activities and expenses out into 2018, causing the recorded costs to exceed authorized amounts. There were environmental conditions (drought, Phytophthora water mold, fires) which created unanticipated challenges to restoration and contributed to increased costs and delays in implementation activities.[10] 2018 spend reflected significantly higher costs for TRTP 4-11 than previously anticipated due to the above factors.

[9] Final Environmental Impact Report (FEIR)/Final Environmental Impact Statement (FEIS), Biological Opinion (BO), Special Use Permit (SUP), Angeles National Forest (ANF) Record of Decision (ROD), etc.
[10] Drought conditions delayed growth of recovering habitats, requiring costly supplemental watering of sites to sustain growth. ANF established new restrictions on nursery plants and required a three-year monitoring period due to issues with Phytophthora water mold. ESD implemented intensive seeding and weeding techniques, which resulted in higher monitoring and maintenance costs. ESD performed remediation efforts for damaged sites and plant mortalities resulting from the 2017 San Gabriel complex fires.


ESD incurred higher spend of approximately $2 million in 2018 for activities performed on distribution level assets.11 2018 spend reflected increased costs for environmental review, surveys, and monitoring activities associated with vegetation management and weed abatement programs, driven by changes to environmental compliance procedures (new Forest Service MSUP, ESAs, other compliance requirements, etc.).12

SCE’s 2018 recorded spend was approximately $1.8 million higher than what was requested in the 2018 GRC for Mohave site maintenance activities. 2018 spend included significant costs for repairs at the Ash Canyon landfill at the Mohave site stemming from storms and other weather conditions. The 2018 authorized amount included only costs for maintenance activities and excluded repair costs.

ESD incurred over $1 million in spend in 2018 for permit fees required for facilities. These fees are required to operate SCE facilities under the jurisdiction of state and federal environmental agencies.13

Figure II-4 below shows 2018 requested, authorized, and recorded capital expenditures for ESD. ESD requested $678,000 for 2018 in the 2018 GRC request for Capital Well Decommissioning. The 2018 GRC decision authorized $678,000. 2018 recorded spend was $706,000, which comprised $508,000 for Well Decommissioning and $198,000 for Transformer Trays to ensure safe transportation of electrical equipment.

11 Centralization of environmental functions resulted in higher spend for ESD. Storm Water Pollution Prevention Plan (SWPPP) activities transitioned from T&D to ESD. ESD also assumed permitting and compliance functions performed by Generation.

12 Additional costs were driven by an increase in the volume of sites and maintenance frequency to support routine line clearing and Right-of-Way clearing due to new regulatory clearance requirements and SCE's wildfire mitigation plan for enhanced vegetation management. This included expansion of Environmental Sensitive Areas, environmental screening for pole/tower brushing activities, new Region 5 Forest Service Master Special Use Permit requirements, increasing local jurisdictional requirements for routine utility activities in coastal zone areas, and implementation of SCE's Integrated Vegetation Management Program. Additional costs were also due to an increase in the number of ESA sites and a higher volume of work from increased abatement frequency.

13 This included South Coast Air Quality Management District, Los Angeles County Fire Department, San Bernardino County Fire Protection, Orange County Sanitation District, Environmental Health Division, and other counties and agencies.


Figure II-4 Environmental Services

Capital Expenditures for 2018 - Authorized versus Recorded14 (Nominal $ Millions, Total Company)

C. O&M Forecast

The historical and forecasted O&M expenses for ESD are shown below in Figure II-5. The BPE consists of two O&M activities: (1) Environmental Management and Development, and (2) Environmental Programs. These activities are described in more detail in Sections II.C.1 and II.C.2.

14 Refer to WP SCE-07, Vol. 01, Capital Authorized vs. Recorded.


Figure II-5 Environmental Services
Recorded 2014-2018/Forecast 2019-2021 (Constant 2018 $000)

                           2014      2015      2016      2017      2018      2019      2020      2021
Labor                    $7,521    $8,677    $9,683   $12,541   $12,967   $12,064   $12,004   $11,584
Non-Labor              ($3,482)   $14,011   $17,568   $20,932   $21,250   $33,202   $18,009   $16,098
Other                      $579      $620       $12       $10        $7
Total Expenses           $4,618   $23,307   $27,263   $33,483   $34,224   $45,266   $30,014   $27,683
Ratio of Labor to Total    163%       37%       36%       37%       38%       27%       40%       42%

(2014-2018 recorded; 2019-2021 forecast.)

1. Environmental Management and Development

a) Work Description

All costs associated with Environmental Management and Development involve the administrative and general activities for ESD to support and maintain SCE’s environmental responsibilities. Costs also include the maintenance and use of company vehicles necessary for travel required to perform job functions.

(1) Environmental Management

Environmental Management includes creation and maintenance of environmental programs that govern SCE compliance with government requirements. In order to comply with these requirements, SCE maintains a staff of environmental professionals who: obtain environmental permits; maintain environmental programs; respond to environmental incidents and perform required inspections; and/or report environmental information to government agencies.

(2) Development and Training

ESD consists of a highly technical workforce. Given the technical nature of the work, ESD employees require continuing education to keep abreast of new regulatory and technical developments. This includes all personnel who perform work that requires technical expertise in their specific concentration, including but not limited to hazardous waste, air quality, hazardous materials and waste management, and water quality. Some environmental professionals require certifications (e.g., Hazardous Waste Operations and Emergency Response, and the California Professional Engineer Certification) that mandate training and professional development.

(3) Maintenance, Fuel, Direct and Indirect Costs Associated with Use of Vehicles

This activity’s costs include vehicle fleet maintenance (fuel, direct and indirect costs associated with use of vehicles), equipment maintenance, operation of the Environmental Notification Center (ENC),15 and other miscellaneous program costs.

b) Need for Activity

SCE’s 50,000 square mile service territory spans many environmentally sensitive areas, including national parks and forests, endangered species habitat, multiple air quality management districts, and multiple water quality and coastal zone areas. ESD’s O&M activities must comply with the myriad of federal and state environmental laws. As such, we have established programs to comply with these laws to minimize or avoid impacts to the environment. This activity is related to management and oversight of these programs, and includes education and travel expenses for ESD employees, as well as other miscellaneous program costs.

c) Scope and Forecast Analysis

The historical and forecasted O&M expenses for Environmental Management and Development are shown below in Figure II-6.

15 ENC is a centralized system for all operating units for release reporting. ENC receives calls associated with transformer oil releases, deploys emergency response crews, notifies regulatory agencies, and completes required reports.

Page 21: Environmental Services, Audit, Ethics and Compliance, and … · Environmental Services, Audit, Ethics and Compliance, and Safety Programs Before the P CPLVVLRQ C Rosemead, California

14

Figure II-6 Environmental Management and Development
Recorded 2014-2018/Forecast 2019-202116 (Constant 2018 $000)

                           2014      2015      2016      2017      2018      2019      2020      2021
Labor                    $4,644    $5,730    $7,881    $9,547    $8,876    $7,778    $7,778    $7,778
Non-Labor                $1,929    $2,120    $3,398    $1,371    $2,326    $1,834    $1,938    $1,968
Other                      $579      $620       $12       $10        $7
Total Expenses           $7,152    $8,469   $11,291   $10,928   $11,208    $9,612    $9,716    $9,745
Ratio of Labor to Total     65%       68%       70%       87%       79%       81%       80%       80%

(2014-2018 recorded; 2019-2021 forecast.)

(1) Historical Variance Analysis

(a) Labor

Figure II-6 above shows 2014-2018 recorded and adjusted expenses for Environmental Management and Development. Besides changes in the number of full-time employees, employee labor recorded to this activity fluctuates year over year depending on the percentage of work capitalized or charged directly to OU O&M projects.

From 2014-2015, labor increased by $1.086 million and was primarily driven by decreased capital project work and discontinuing charge back17 of O&M labor to other organizational units. ESD also incurred additional spend for O&M programs such as EHSync maintenance.

16 Refer to WP SCE-06, Vol. 04, Ch. II, pp. 3-9 – O&M Detail for Environmental Management and Development.

17 In 2014, ESD O&M labor costs for programs (Well Management, Hazardous Materials Business Plans (HMBP) & Spill Prevention, etc.) were charged back to other Organizational Units (Transmission and Distribution (T&D), Power Production, etc.) and starting in 2015, these activities’ costs were charged to ESD.


There were fluctuations from 2015-2016 and 2016-2017 in labor spend due to the environmental centralization efforts. Between 2015 and 2017, labor increased by $3.817 million. Environmental professionals were centralized into ESD from Operational Services, Power Production, Transmission and Distribution, and Major Projects Organization. In addition, there was new work focused on designing the new environmental business model. ESD incurred additional labor costs associated with transitioning staff from other departments to ESD, filling vacant positions created by the business model changes, and establishing a new division to manage and perform field implementation of environmental compliance programs.

(b) Non-Labor

Figure II-6 shows 2014-2018 recorded and adjusted expenses for Environmental Management and Development. Yearly variances for non-labor are driven by similar causes for labor fluctuations between years, including centralization of SCE’s environmental functions under ESD.

From 2014 to 2015, non-labor increased by $191,000. O&M labor increased between 2014 and 2015, as a result of additional compliance training curriculum development.18

There were fluctuations between 2015-2016 and 2016-2017 in non-labor spend due to the environmental centralization efforts. Between 2015 and 2017, non-labor decreased by $749,000. Non-labor costs for some programs19 shifted from Environmental Management and Development to Environmental Programs.

From 2017 to 2018, non-labor increased by $955,000. 2018 included a California Coastal Commission (CCC) payment for agency overhead costs related to a Memorandum of Understanding (MOU) between SCE and CCC. In 2018, there were also increased costs for trade organization dues and membership fees, and increased costs to support decontamination and waste disposal services for ENC.

18 New curriculums include Hazardous Waste Generators Release Response and Awareness, Spill Prevention Control and Countermeasures, California Accidental Release Prevention, and Department of Transportation Hazardous Materials Transportation.

19 Programs include Avian Protection, Archaeology, National Pollutant Discharge Elimination System (NPDES), Geographic Information System (GIS), etc.


(2) Forecast

(a) Labor

For Test Year 2021, SCE forecasts labor expenses of $7.778 million for this account, a decrease of $1.098 million from 2018 recorded spend of $8.876 million. Overall, ESD’s O&M labor for Environmental Management and Development and Environmental Programs is forecasted to decrease by $1.383 million between 2018 and 2021 (refer to Figure II-5). 2018 recorded spend included labor costs from other OUs20 for Mohave site maintenance activities and substation hazardous waste disposal. For the 2021 forecast, ESD assumed this additional work can be performed through departmental efficiencies without increasing O&M labor. 2018 recorded spend also included labor costs for post-construction restoration activities. Beginning in 2021, SCE is requesting that these environmental restoration costs be treated as capital, since the activities are required to obtain permits and comply with permit requirements for the associated capital projects. Consistent with that request, SCE’s 2021 O&M forecast excludes labor costs for these activities.21

(b) Non-Labor

For Test Year 2021, SCE forecasts non-labor expenses of $1.968 million for this account, a decrease of $358,000 from 2018 recorded spend of $2.326 million. ESD reduced employee expenses and continuing education and excluded costs related to proactive environmental programs (such as EHSync maintenance) to achieve cost savings.

d) Basis for O&M Cost Forecast

SCE’s 2021 forecast is $9.745 million, compared to 2018 recorded spend of $11.208 million. For the projected labor decrease, ESD assumed additional work for Mohave site maintenance activities and substation hazardous waste disposal can be performed through departmental efficiencies without increasing O&M labor. ESD also excluded labor costs for post-construction restoration activities, which will be requested as capital starting in 2021.22 The non-labor decrease is due to implementation of cost saving strategies to reduce employee expenses and costs for proactive environmental programs. SCE’s 2021 forecast of $9.745 million is to support the environmental activities delineated in the above section under Work Description.23 This work is performed to comply with federal and state environmental laws to minimize or avoid impacts to the environment.

20 Generation and Transmission and Distribution (T&D).

21 In parallel, SCE will be submitting a request to the Federal Energy Regulatory Commission for approval of this accounting treatment. The environmental restoration capital costs can be found in Exhibit SCE-02, Vol. 04, Part 2. To the extent FERC denies our request, SCE will make the necessary update to its forecast to reclassify the costs as O&M expense.

22 Section II.(C).1(c).2(a) includes SCE’s explanation to request these costs as capital.

2. Environmental Programs

a) Work Description

This work involves activities performed by ESD to comply with environmental requirements such as storm water management, air quality permitting, environmental clearance, hazardous waste management, spill prevention control and countermeasures, hazardous materials management, and marine mitigation programs. Activities in Environmental Programs include Environmental Compliance Programs and Marine Mitigation.

(1) Environmental Compliance Programs

This activity includes labor and non-labor expenses for implementation of environmental compliance programs. These programs ensure compliance with federal, state, and local government regulations for:

• Biological and natural resources

• Avian protection

• Wetland permitting support

• Water and air quality

• Spill prevention and control

• Environmental review and any necessary surveys and monitoring for vegetation management and weed abatement programs required for compliance.

• Environmental remediation, such as site assessments and remediation activities.

• Hazardous materials and waste management activities, including lab work and disposal of equipment and material removed from the field, such as transformers, hazardous materials, non-hazardous materials, wood poles, and universal waste. ESD must manage waste in compliance with California regulations such as the Toxic Substances Control Act (TSCA) and Resource Conservation and Recovery Act (RCRA). SCE could incur daily fines if the company does not comply with these statutes. Failure to properly dispose of waste could also expose SCE to future long-term environmental remediation obligations.

• Site maintenance activities for the Mohave site, which includes the Ash Canyon Landfill. There are environmental requirements SCE needs to maintain to continue to remediate the landfill for the life of the landfill.

ESD employees develop and implement company-wide management systems, controls, and standards for compliance with environmental requirements imposed by government agencies that affect SCE’s operations, such as:

• The avian and desert tortoise protection programs mitigate impacts from SCE operations to those species.

• The NPDES program defines operational requirements to comply with water quality standards.

• The environmental compliance program supports environmental compliance at our substations and service centers.

(2) Marine Mitigation

This activity includes labor and non-labor expenses associated with monitoring and maintenance of the San Dieguito Wetlands and the Wheeler North Reef required by the CCC pursuant to a Coastal Development Permit (CDP). The CDP requires SCE to maintain and monitor the wetlands and reef and fund an independent Science Advisory Panel to oversee the two projects.

(a) San Dieguito Wetlands

As outlined in the CDP, SCE was required to create or restore a minimum of 150 acres in the Southern California Bight as a tidal wetland. On June 11, 1992, the CCC approved SCE’s request to restore the San Dieguito River Valley in San Diego County. Construction of 150 acres of tidal wetland began in September 2006 and was completed in September 2010. Under the CDP, SCE must fund CCC-supervised monitoring and oversight of the wetlands and provide funding for park rangers within the wetlands. SCE must also remove exotic species, perform inlet dredging to help provide an adequate supply of salt water, and conduct routine inspections of the berms and weir. The O&M forecast includes ESD labor, contracts between SCE and third-party vendors for maintenance, CCC monitoring, and park rangers. The San Dieguito wetland has not yet achieved the minimum requirement for vegetation cover since construction was completed. The CCC is in the process of analyzing different field methods to increase vegetation cover and is expected to issue a letter to SCE requiring remedial actions to bring the project into compliance (a similar approach was taken with the Wheeler North Reef). Remedial activities may include planting, re-contouring, grading, irrigating, or soil amendments. The letter is expected between 2021-2023 (after field methods are validated). SCE is not requesting funding for any remedial activities as part of this GRC application since we have not received any communication from the CCC compelling SCE to perform additional work in the San Dieguito wetlands. However, we seek the Commission’s approval to seek recovery of such costs in a separate proceeding similar to that for the expansion of the Wheeler North Reef (WNR Decision 18-03-027).

23 Section II.(C).1(a) Work Description.

(b) Wheeler North Reef Maintenance

As amended, the CDP required SCE to construct a reef near the San Onofre Kelp Bed. The reef was built in two phases at a site just south of the San Clemente Pier and totals over 176 acres. Reef construction was completed in 2008. The CCC conducted annual reef performance monitoring starting in 2009 to track the status of the reef in performance areas. SCE must continue to fund the CCC to monitor the reef against the performance standards set by the CCC until SCE demonstrates compliance with the performance standards for the number of years of SONGS operation. As of April 2019, SCE has met 11 of the 15 performance standards, but has not met the standards that require a standing fish stock of 28 tons in any of the years it has been monitored. The CCC issued a letter compelling SCE to expand the reef to improve the reef performance.

(c) Wheeler North Reef Expansion

In the 2015 GRC the Commission authorized a separate proceeding to consider the Wheeler North Reef Expansion project (Application 16-12-002). The Commission approved the expansion project and ordered SCE to track project costs in a balancing account, which SCE is requesting for recovery based on WNR Decision 18-03-027. SCE seeks recovery of the Wheeler North Reef Expansion project as part of this GRC. While the actual costs associated with construction are not being requested through the 2021 GRC (these costs settle to a separate memorandum account), the CPUC’s order in WNR D.18-03-027 requires SCE to include any new ongoing maintenance costs resulting from the Wheeler North Reef Expansion Project in the 2021 GRC. Specifically, the condition in WNR D.18-03-027 states the following:

Any continuing expenses for the Wheeler North Reef Expansion Project beyond 2020 will be included in Southern California Edison’s Test Year 2021 GRC forecast with accompanying testimony. Such expenses are anticipated to be for ongoing monitoring, operation and maintenance of the reef, and not for construction of the Wheeler North Reef Expansion Project.

The CA State Lands Commission issued SCE a new lease for use of state lands on which the reef will be built. The annual lease amount for the Wheeler North Reef Expansion Project is $190,000. This annual lease payment is a new annual cost associated with the ongoing maintenance of the project. In order to comply with the above condition, ESD added $570,000 ($190,000 per year for 2021, 2022, and 2023) to the Wheeler North Reef Maintenance budget in the 2021 GRC.

b) Need for Activity

Environmental Compliance Programs are mandated by government agencies that regulate air, water, wetlands, wildlife, waste, hazardous materials, drinking water, and other environmental disciplines. The San Dieguito Wetlands, Wheeler North Reef Maintenance, and Wheeler North Reef Expansion projects are mandated by the CCC through the CDP. SCE must comply with all conditions outlined in the CDP. These activities drive the costs related to Environmental Programs.

c) Scope and Forecast Analysis

The historical and forecasted O&M expenses for the Environmental Programs work activity are shown below in Figure II-7.


Figure II-7 Environmental Programs
Recorded 2014-2018/Forecast 2019-202124 (Constant 2018 $000)

                           2014      2015      2016      2017      2018      2019      2020      2021
Labor                    $2,876    $2,947    $1,802    $2,993    $4,091    $4,286    $4,227    $3,807
Non-Labor              ($5,411)   $11,891   $14,170   $19,561   $18,925   $31,368   $16,071   $14,130
Other
Total Expenses         ($2,535)   $14,838   $15,972   $22,555   $23,016   $35,654   $20,298   $17,937
Ratio of Labor to Total   -113%       20%       11%       13%       18%       12%       21%       21%

(2014-2018 recorded; 2019-2021 forecast.)

(1) Historical Variance Analysis

(a) Labor

Figure II-7 shows 2014-2018 recorded and adjusted expenses for Environmental Programs.

There were fluctuations between 2015-2016 and 2016-2017 in labor spend due to the environmental centralization efforts. Between 2015 and 2017, labor costs were relatively stable, as reflected by an increase of $46,000.

From 2017-2018, labor costs increased by $1.098 million. The magnitude of this increase is overstated because Environmental Management and Development’s labor costs decreased by $672,000 during the same period. As seen in Figure II-5, overall, ESD staff O&M labor for both activities increased by $426,000 from 2017-2018.25 ESD shifted more labor from capital projects to support O&M work and programmatic activities.26

24 Refer to WP SCE-06, Vol. 04, Ch. II, pp. 10-16 – O&M Detail for Environmental Programs.

(b) Non-Labor

Figure II-7 shows 2014-2018 recorded and adjusted expenses for Environmental Programs.

From 2014-2015, the non-labor increase of $17.302 million was driven by Marine Mitigation. SONGS participant credits of $12.133 million posted in 2014 from O&M charges related to decommissioning activities. SONGS charged decommissioning work to FERC Accounts 517 and 520, including license fees from various agencies (State Board of Equalization, CA Dept of Public Health, SWRCB, etc.). Activities encompassed training, decommissioning, disposal services, mechanical services, equipment repairs, and other tasks. The large variance between 2014 and 2015 is due to SONGS decommissioning charges being recorded to a different cost structure. Starting in 2015, cost centers under FERC accounts 517 and 520 are utilized to record only non-decommissioning costs, which included only Marine Mitigation charges because the plant is not operating. Decommissioning costs were charged to these cost centers from when the plant went into decommissioning in June 2013 until the decommissioning cost structure was active in January 2015. In 2015, in accordance with the 2015 GRC decision, ESD stopped capitalizing Marine Mitigation program expenses and began applying those costs to O&M. The 2015 non-labor spend of $4.832 million was primarily composed of consultant support and agency fees required to comply with the monitoring and maintenance provisions of the CDP.

There were fluctuations between 2015-2016 and 2016-2017 in non-labor spend driven by similar factors. Between 2015 and 2017, non-labor costs increased by $7.670 million. There were increased costs for post-construction restoration activities,27 substation hazardous waste disposal, San Dieguito Wetlands, and Wheeler North Reef Expansion. TRTP 4-11, Red Bluff Substation, and Silver State South projects transitioned from capital to expense between 2016 and 2017.

25 Year 2017 spend was $12.541 million and Year 2018 spend was $12.967 million.

26 For example, there were increased costs in the Biology Program related to producing guidance documents, developing Endangered Species standards and guidance, supporting programmatic permitting efforts, and developing resource management strategies within SCE's service territory.

27 Restoration activities are performed to restore habitat in areas impacted by projects. They include planting, monitoring, weeding, reporting, and other tasks.


SCE incurred higher waste disposal costs in 2016 due to emergent hazardous waste removal work at Cerritos Substation, where SCE had to perform lead paint remediation and soil excavation. San Dieguito Wetlands28 is not in compliance with CDP requirements. 2017 included additional costs to remediate the wetlands. Activities encompassed repairs for San Dieguito trails and slopes29 to prevent sedimentation into the wetlands. 2017 also included additional costs for dredging the San Dieguito Wetlands inlet channel. ESD started providing support for Wheeler North Reef (WNR) Expansion in 2017. 2017 spend included State Lands Commission fees related to environmental studies, surveys, engineering, and design tasks in support of a lease amendment necessary to accommodate the WNR Expansion project.

(2) Forecast

SCE’s 2021 Test Year Forecast is $17.937 million, composed of $13.198 million for Environmental Compliance Programs and $4.739 million for Marine Mitigation. The amount of $4.739 million for Marine Mitigation reflects SCE’s share (78.21%) of the project’s costs, composed of $2.855 million for San Dieguito Wetlands and $1.884 million for Wheeler North Reef Maintenance.

(a) Labor

For Test Year 2021, SCE forecasts labor expenses of $3.807 million for this account, a decrease of $284,000 from 2018 recorded spend of $4.091 million. Overall, as shown in Figure II-5, ESD O&M labor for Environmental Programs and Environmental Management and Development is forecasted to decrease by $1.382 million between 2018 and 2021. As noted in the 2021 labor forecast for Environmental Management and Development, 2018 recorded spend included labor costs from other OUs for Mohave site maintenance activities and substation hazardous waste disposal. For the 2021 forecast, ESD assumed this additional work can be performed through departmental efficiencies without increasing O&M labor. 2018 recorded spend also included labor costs for post-construction restoration activities. The 2021 forecast excludes labor costs for these activities as SCE will request these costs as capital starting in 2021.

28 San Dieguito Wetlands has coverage under the State Water Resources Control Board's Construction General Permit and the City of San Diego Grading Permit, which requires management of storm water discharges and revegetation and stabilization of construction sites.

29 This included an engineered drainage swale to route surface flows and prevent erosion to trails and slopes.


(b) Non-Labor 1

For Test Year 2021, SCE forecasts non-labor expenses of $14.130 2

million for this account, a decrease of $4.795 million over 2018 recorded spend of $18.925 million. This 3

decrease is also due to exclusion of non-labor costs for post-construction restoration activities. SCE will 4

request these costs as capital starting in 2021.30 2018 recorded spend included post-construction 5

restoration costs, whereas 2021 forecast excluded these costs. The site maintenance work31 performed at 6

Mohave site includes the Ash Canyon Landfill. 2018 recorded spend included costs for repairs 7

performed at Ash Canyon Landfill due to adverse weather conditions (storms, monsoons, etc.). 8

2021 forecast includes only maintenance activities and excludes 9

repair costs due to weather conditions. 10

d) Basis for O&M Cost Forecast

SCE’s 2021 forecast is $17.937 million for Environmental Programs. ESD estimates a decrease in spend of $5.079 million for SCE’s 2021 forecast of $17.937 million compared to 2018 recorded spend of $23.016 million. ESD assumed that additional work for the Mohave site and substation hazardous waste disposal can be performed through departmental efficiencies without increasing O&M labor for the 2021 forecast. The 2021 forecast excludes labor and non-labor costs for post-construction restoration activities, as SCE will request these costs as capital starting in 2021. The 2021 forecast also excludes costs for repairs at Ash Canyon Landfill due to adverse weather conditions, whereas 2018 recorded spend included costs related to this work.

ESD estimates it will spend $14.598 million in 2019 for Wheeler North Reef Expansion construction activities. ESD anticipates construction activities will extend into 2020, due to delays in the agency permitting process and contractor issues with procurement of materials (rocks) for the project. ESD anticipates these costs will not continue past 2020, with the exception of an increase in California Coastal Commission (CCC) monitoring expenses and State Lands Commission (SLC) lease fees related to the expansion of the reef. These expenses will continue beyond 2020 and will be charged to the Wheeler North Reef Maintenance account.

30 Section II.(C).1(c).2(a) includes SCE’s explanation to request these costs as capital.
31 Activities include caretaking, security, ground water monitoring, and repairs.


SCE’s 2021 forecast of $17.937 million is to support the environmental activities delineated in the above section under Work Description.32 This work is performed to comply with federal and state environmental laws to minimize or avoid impacts to the environment.

D. Capital Expenditures for Implementing Environmental Services

SCE forecasts $9.935 million in capital expenditures from 2019-2023. This includes $2.765 million to decommission unused water wells, $3.750 million for the Proactive Avian Retrofit program, and $3.420 million for Programmatic Permits as shown below in Table II-3.

Table II-3 Environmental Services Capital Expenditure Forecast 2019-2023
(Total Company - Nominal $000)

                        2019    2020    2021    2022    2023   Total
Well Decommissioning    $560    $530    $541    $562    $573  $2,765
Avian Retrofits                       $1,250  $1,250  $1,250  $3,750
Programmatic Permits                  $1,140  $1,140  $1,140  $3,420
Totals                  $560    $530  $2,931  $2,952  $2,963  $9,935

1. Well Decommission Program

Figure II-8 below shows historical and forecasted capital expenditures associated with SCE’s Well Decommissioning Program.

32 Section II.(c).2(a) Work Description.


Figure II-8 Well Decommissioning

2014-2018 Recorded/2019-2023 Forecast COS-00-EH-TS-WELL33

(Total Company - Nominal $000)

a) Program Description

SCE has over 500 wells on properties associated with SCE facilities or rights of way. This includes over 200 water wells and over 300 monitoring and remediation wells. These wells are subject to numerous environmental, health and safety requirements34 for the safety of the public and protection of the environment. Wells no longer in use must be decommissioned.35 SCE developed the Well Decommission Program in 2013 to address this requirement. This project involves securing and destroying wells no longer in use in accordance with applicable environmental, safety, regulatory, and engineering standards.

When SCE retires a well, we must use a method approved by the appropriate permitting agency; this is referred to as well destruction or well decommission. Retiring a well includes removal of surface and subsurface equipment, pumps, and debris. The scope also includes perforation of the casing, either with explosives or mechanically, and grouting and sealing below grade to prevent future safety or environmental issues. Agency permitting and material disposal are included in the cost.

33 Refer to WP SCE-06, Vol. 04, Ch. II, pp. 17-18 – Well Decommissioning Capital WP.
34 Refer to California Well Standards, Bulletin 74-90, Part III, Section 21, p. 28.
35 In accordance with Section 24400 of the California Health and Safety Code, the well owner shall properly maintain an inactive well as evidence of intention for future use in such a way that requirements are met.

b) Need for Capital Program

In the ideal case, well decommissioning appears to be a simple procedure, but the practical complexities of effective and compliant well decommissioning in multi-aquifer systems, environmentally sensitive locations, urbanized areas, and other situations make it challenging. For wells on SCE properties, SCE must comply with the environmental policy and regulatory framework as outlined in California’s Department of Water Resources Bulletin 74-81 and the updated Bulletin 74-90 (California Department of Water Resources 1981, 1990, 2013).

c) Basis for Capital Expenditure Forecast

As seen in Figure II-8, SCE forecasts $2.766 million to decommission wells in 2019-2023. At the start of this program in 2013 there were 221 wells to retire. SCE has successfully retired 100 of the 221 wells as of May 2019. SCE believes that $560,000 for 2019 is reasonable because each well to decommission has a different location, depth, construction materials and dimensions. These factors affect the individual well decommission cost.

SCE plans to decommission approximately 14 wells per year from now through 2028 to complete the decommissioning of all unused wells. The forecast is based on $40,000 (2018 dollars)36 to decommission each well.

2. Avian Retrofit

Figure II-9 below shows forecasted capital expenditures associated with SCE’s Avian Retrofit program. This is a new program starting in 2021.

36 Forecast is based on actual costs for retirement in the most recent full calendar year (2018). The purchase order for the work was competitively bid. The costs include labor, well casing removal, perforation, well screen, addressing related permits, and surface and subsurface infrastructure (e.g., tanks, pumps, and pipes). Each well and associated activity to accomplish the retirement is unique; however, on average, future well assets to retire are expected to be similar in scope and cost to those addressed in 2018.


Figure II-9 Avian Retrofit

Forecast 2019-2023 COS-00-EH-BC-AR00137

(Total Company - Nominal $000)

a) Program Description

The Avian Retrofit program was developed because birds frequently perch to rest or to hunt on utility poles, as they are often the highest and most prominent point in the landscape. This can be risky, both for the birds and for SCE’s customers due to potential power outages. The Avian Retrofit program will fund work necessary to upgrade deficient poles to SCE’s avian-safe construction standards, including proactive and reactive retrofits. A proactive retrofit is retrofitting a pole before an avian incident occurs. A reactive retrofit is retrofitting a pole where an avian incident has occurred. Work activities include reframing poles to space out wires to make them avian safe.

b) Need for Capital Program

Avian Retrofit reduces impacts to birds, improves reliability, and helps with fire prevention. Avian Retrofit involves older poles in locations ESD identified from historic data of avian mortalities as hot spots or high fire risk areas. ESD is primarily concerned with older poles that are not deemed avian safe and are not yet up for replacement.

37 Refer to WP SCE-06, Vol. 04, Ch. II, pp. 19-20 – Avian Retrofit Capital WP.


c) Basis for Capital Expenditure Forecast

SCE forecasts $3.750 million for Avian Retrofit in 2021 - 2023. This includes labor costs for reframing poles and material costs to redesign poles to make them avian safe. The forecast is based on $5,000 (2018 dollars) to reframe a pole, for 250 poles each year for 3 years (Years 2021-2023).

3. Programmatic Permits

Figure II-10 below shows forecasted capital expenditures associated with SCE’s Programmatic Permits program. This is a new program starting in 2021.

Figure II-10 Programmatic Permits

2019-2023 Forecast COS-00-EH-BC-PP00138

(Total Company - Nominal $000)

a) Program Description and Need

The Programmatic Permits program involves developing and acquiring two types of programmatic permits (Incidental Take Permit (ITP) and Habitat Compensation Plan (HCP)). Activities include developing NEPA and CEQA documents, reviewing environmental impacts associated with activities covered under permits, analyzing species impacts, developing conservation measures, and determining mitigation.

38 Refer to WP SCE-06, Vol. 04, Ch. II, pp. 21-22 – Programmatic Permits Capital WP.


HCPs/Long-Term ITPs allow SCE to carry out capital projects in full compliance with the Endangered Species Act (ESA)/California Endangered Species Act (CESA) for a defined period ranging from 30 to 50 years. This enhances the efficiency of the ESA/CESA permitting process for capital projects because SCE would no longer need to obtain take permits on a project-by-project basis. This also eliminates impacts to schedule because SCE will have permits in place in advance of projects.

b) Basis for Capital Expenditure Forecast

SCE forecasts $3.420 million for Programmatic Permits in 2021 - 2023. Average costs for regional HCPs and state ITPs have ranged from $2 - $15 million each, depending on size, number of species, activities, etc. SCE is currently forecasting development of HCPs covering a few key species within limited geographic areas, and may develop Long-Term ITPs in parallel depending on whether any covered species are both federal and state listed. The estimate includes SCE staff time, consultant labor, and agency funding agreement costs, and is based on our consultant’s historic HCP/ITP development costs, internal permitting analysis, and the size and complexity of the HCPs/ITPs.


III. AUDIT, ETHICS AND COMPLIANCE

A. Overview

This chapter requests O&M expenses to fund the work activities under the Audit, Ethics and Compliance Business Planning Element (BPE). The Audit Services Department (Audits) helps make sure that:

• Business risks are appropriately identified;
• Compliance with regulatory requirements occurs;
• Management response to such risks and requirements is effective; and
• Senior management and the Board of Directors receive consistent information and proactive advice about mitigating risks.

Due to the increasingly complex and rapidly changing risk environment, auditors who perform this work require additional technical abilities to continue to carry out their responsibilities effectively and efficiently. Our request here will allow SCE to complete its annual audit requirements effectively, using the right technical resources to audit increasingly complex processes and subject matters.

Ethics and Compliance (E&C) provides the framework and fosters a culture where acting ethically, obeying the law, and protecting the rights and interests of customers, co-workers and the public is the expected and everyday course of business, consistent with our corporate values (Safety, Integrity, Excellence, Respect, Continuous Improvement and Teamwork). We are particularly sensitive to laws and regulations designed to help ensure safe, reliable and affordable service to our customers, including those enforced by the Commission, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). In its decision adopting the E&C forecast in SCE’s Test Year 2015 GRC, the Commission stated: “Ratepayers benefit from a strong culture of ethics and compliance, and SCE has demonstrated success in making improvements in the department.”39

The Audit, Ethics and Compliance BPE supports the company in preparing for and mitigating wildfires, improving safety, maintaining reliability, and providing the service our customers expect from SCE on a day-to-day basis. This chapter presents the Test Year 2021 forecast of expenses for the Audit, Ethics and Compliance BPE.

39 D.15-11-021, p. 279.


SCE forecasts $23.9 million in O&M expenses in Test Year 2021 to manage all Audit, Ethics and Compliance activities. This consists of $9.7 million for Audits and $14.2 million for Ethics and Compliance.

1. Regulatory Background/Policies Driving SCE’s Request

SCE must adhere to compliance and reporting requirements established by a multitude of regulatory and governing bodies, including:

• U.S. Generally Accepted Accounting Principles (GAAP)
• California Public Utilities Commission (CPUC)
• North American Electric Reliability Corporation (NERC)
• Federal Energy Regulatory Commission (FERC)
• U.S. Securities and Exchange Commission (SEC)
• Commodities Futures Trading Commission (CFTC)
• California Air Resource Board (CARB)
• California Energy Commission (CEC)
• U.S. Internal Revenue Service (IRS)
• State and federal legislation

SCE’s Audits conducts audits and other related activities to evaluate SCE’s controls and processes. In doing so, Audits helps provide senior management, the board of directors, and regulators with reasonable assurance on the reliability of financial data, operational efficiency, safety, operating unit risk management, and compliance with regulatory requirements, including new wildfire-related requirements.

SCE’s Ethics and Compliance is responsible for establishing and sustaining a rigorous, forward-looking Ethics and Compliance Program across SCE. It uses a Company-wide, integrated compliance management framework, based on the U.S. Federal Sentencing Guidelines,40 the Sarbanes-Oxley Act of 2002, and FERC standards of conduct. These are the three key elements to this approach:

• Prevention ‒ establishing expectations for employee behavior; identifying, interpreting, and implementing compliance requirements; and helping ensure that affected employees understand and follow their related roles and responsibilities. These activities include leadership standards, controls, risk management practices, policies and procedures, communications, training, and resources for employees to seek advice;
• Detection and Monitoring ‒ reviewing processes, practices, and controls, evaluating process outcomes to provide reasonable assurance that operations are carried out in accordance with applicable requirements, and providing resources for employees to report concerns; and
• Response ‒ investigating and implementing appropriate controls to prevent or remediate noncompliance issues, and reporting such issues whenever it is warranted.

40 This includes the most recent Department of Justice guidance, issued on April 30, 2019, for effective compliance programs.

FERC has embraced the U.S. Federal Sentencing Guidelines’ approach to compliance programs, both in its policy and enforcement statements. FERC emphasizes that: (1) the compliance program should be operated and managed independently, with full support from senior management; (2) mechanisms and controls are in place to prevent non-compliances; (3) methods exist to audit, monitor, and review compliance; and (4) the capability exists to appropriately enforce internal controls. In addition, the Department of Justice (DOJ) recently expanded its guidance and emphasized that comprehensive corporate compliance programs should have: (1) a risk-based approach to compliance; (2) effective policies and procedures; (3) training and communications; (4) confidential reporting structures and investigation processes; (5) risk-based third-party management; and (6) mergers and acquisitions due diligence.

2. Compliance Requirements

a) Compliance with Smart Grid Privacy (2012 GRC Decision)

In D.11-07-056, the Commission ordered that SCE conduct triennial independent assessments of its data privacy and security practices, as set forth in Rule 9(d) of the Rules Regarding Privacy and Security Protection for Energy Usage Data.41 The Commission also directed that SCE report the assessment findings as part of each general rate case application filed after 2012.

After conducting an open-bid process, SCE awarded KPMG the contract for this independent assessment. KPMG began its assessment on January 07, 2018. The assessment was completed on July 26, 2019. This assessment covered the period of January 1, 2018-December 31, 2018.

41 Refer to D.11-07-056, Attachment D.


The report finds that the Company has a dedicated Privacy Compliance Program Leader who provides executive and management support, oversight, and visibility to key program metrics and performance indicators. SCE had two low-risk observations. One of these items was remediated in May 2019, and the other is in the process of being remediated. The Assessment report is provided in Appendix A.42

B. 2018 Decision

1. Comparison of Authorized 2018 to Recorded

a) Audits, Ethics and Compliance

In D.19-05-020, the Commission adopted the Audit, Ethics and Compliance BPE’s request of $21.5 million in O&M expenses for Test Year 2018 (a combination of $12.2 million from Ethics and Compliance, and $9.3 million from Audits). Figure III-11 below shows the comparison of authorized vs. recorded expenses for Test Year 2018.

The Audit and Ethics & Compliance BPE’s combined labor and non-labor expenses had an underspend of $2.1 million of the authorized amount (a combination of $0.3 million underspend from Ethics and Compliance, and $1.8 million underspend from Audits). E&C’s underspend was primarily due to the reprioritization of compliance work activities; this reduced consulting spend and delayed the filling of vacancies.

Audits’ underspending was primarily driven by two items. First, Audits was very conservatively spending our money until a final 2018 GRC decision was received. Second, the underspending reflected Audits’ new departmental strategy. That strategy encompassed a new staff requirement for requisite licensure and credentials (e.g., Certified Internal Auditor, Professional Engineer, Certified Safety Specialist, etc.) as described in Section III.C.1.b)(1) below. Filling vacancies with staff with the requisite licensure and credentials necessarily took time, and in fact took longer than anticipated.

42 Refer to Appendix A – SCE 2019 Covered Info Privacy Sec Assmt Report.


Figure III-11 Audits, Ethics and Compliance O&M Expenses for 2018 – Authorized versus Recorded43
(Total Company, 2018 Constant $ Millions)

C. O&M Forecast

SCE forecasts $23.9 million in O&M expenses in Test Year 2021 to manage all Audits and Ethics and Compliance activities. This includes $9.7 million for Audits and $14.2 million for Ethics and Compliance. Additional details on the work activities and requests are described below in sections III.C.1 and III.C.2.

1. Audits

a) Work Description and Need for Activity

SCE has an Enterprise Risk Management (ERM) function that provides a company-wide structure to identify, assess, understand, monitor, and assign ownership for risks. Audits serves an independent assurance role44 supporting this function and collaborates with SCE’s executive management, the ERM function, and SCE operating units. Alignment among these groups enables Audits to evaluate SCE’s controls and processes, including systems of internal controls, in order to provide reasonable assurance on the reliability of financial data, operational efficiency, safety, operating unit risk management, and compliance with regulatory requirements.

43 Refer to WP SCE-07, Vol. 01 - O&M Authorized to Recorded.
44 As mentioned in the introduction to this volume, the Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

In the Three Lines of Defense model45 – a common structure used in governance, risk, and compliance – the internal audit team provides the governing body and senior management with comprehensive reasonable assurance based on the highest level of independence and objectivity within the organization.46 Audits provides reasonable assurance by conducting audits, investigations, consulting engagements, and other related activities. Audits does this by gathering evidence to test and support conclusions about inherent and residual risks, compliance with regulatory requirements, and controls applicable to SCE. These activities are conducted pursuant to standards issued by the Institute of Internal Auditors47 and include gathering objective evidence through risk assessments, analytical reviews, data analytics, budget-to-actual and industry ratio analysis, site visits and inspections, independent testing of procedures, and detailed interviews. In connection with the audits it performs, Audits will identify and monitor actions taken to successfully mitigate gaps or residual risks to make sure that the right actions and follow-up are occurring.

Audits proactively evaluates business risks, including compliance, financial, safety, operational/reliability, and environmental risks. As appropriate, Audits provides recommendations on how to mitigate risks before they occur. Audits’ activities (including testing of controls and procedures) identify risks that feed into the ERM process and generate recommendations to strengthen risk mitigation efforts.

In order to plan and perform assurance activities, Audits conducts a risk assessment which is informed by:

• ERM’s key enterprise risks;
• Information provided by Ethics and Compliance;
• Interviews with business leaders throughout the company;
• Risk data collected from wildfire and cybersecurity risk assessments;
• Sarbanes-Oxley testing; and
• Audit testing throughout the year.

45 Management control, which owns and manages the risk, is the first line of defense in risk management. The various risk control and compliance oversight functions established by management are the second line of defense. Functions which provide independent assurance, such as internal audits, are the third line of defense.
46 The Chief Audit Executive reports to the chair of the Audit and Finance Committee of the Board of Directors.
47 The Institute of Internal Auditors develops professional standards, practice guidance, and certification programs. The Institute also researches, disseminates, and promotes knowledge for the global profession of internal auditing.

Audits also tests mandated compliance activities related to rulings, decisions, and orders issued by various regulators including the CPUC, NERC, FERC, and SEC. Audit projects are then designed to provide reasonable assurance on these risks, including compliance requirements, and audit hours are allocated to the projects accordingly.

Audits currently spends approximately 60% of available audit hours on audits designed to provide reasonable assurance on risks, including providing proactive advice on emerging issues. Audits spends approximately 40% of available hours on compliance-related activities.48

Examples of Audits’ assurance activities include:

• Evaluating information technology-related controls and procedures designed to meet SCE’s cybersecurity, identity, and account management policies;
• Examining and providing reasonable assurance on various financial and operational aspects of wildfire risk mitigation efforts;
• Performing operational and environmental health and safety audits to improve public safety and worker safety and to minimize environmental risks;
• Auditing employee expenses, inventory controls, procurement practices, and other processes to help safeguard assets and funds by deterring potential fraud, waste, and abuse; and
• Investigating potential fraud and/or waste.

Examples of Audits’ assurance activities associated with program compliance include:

• Evaluating compliance with various Commission requirements by reviewing the administration of multiple programs over multiple years, such as energy efficiency, demand response, distribution maintenance and inspections (General Order 165), and overhead, underground, and substation construction and maintenance rules (General Order 95, 128, and 174);
• Performing independent audits of reporting requirements such as the power content label and power source disclosure report, Green-e Energy program verification, and settlement quality meter data;
• Conducting design and effectiveness evaluations of the company’s internal controls as part of Section 404 of the Sarbanes-Oxley Act;
• Reviewing applicable procedures and supporting documentation for selected NERC Reliability Standards and Critical Infrastructure Protection Standards;
• Assessing compliance with various federal and state mandated Occupational Safety and Health Administration (OSHA), US Environmental Protection Agency (EPA), California Air Resources Board (CARB), US Department of Transportation (DOT), and California Code of Regulations (CCR) environmental, health and safety requirements;
• Evaluating compliance with various FERC requirements;
• Reviewing SCE’s compliance with various tariffs and rules; and
• Reviewing compliance with the Commission’s affiliate transaction rules.

48 Refer to WP SCE-06, Vol. 04, Ch. III, pp. 23-30 – Analysis of Compliance vs. Assurance Hours.

Audits is requesting funds to complete its annual audit activities and annual audit plan requirements. Audits proactively evaluates business risks, including financial, compliance, safety, operational/reliability, and environmental risks. In doing so, Audits enhances and protects organizational value by providing risk-based and objective assurance, advice, and insight.

b) Scope and Forecast Analysis

The historical and forecast O&M expenses for Audits are shown below in Figure III-12.


Figure III-12 Audits
Recorded 2014-2018/Forecast 2019-202149 (Constant 2018 $000)

                           2014    2015    2016    2017    2018    2019    2020    2021
                                 (Recorded)                          (Forecast)
Labor                    $7,325  $6,099  $4,433  $3,853  $4,280  $4,730  $4,730  $4,730
Non-Labor                $1,281  $1,761  $3,798  $4,836  $3,268  $5,086  $5,008  $4,980
Other
Total Expenses           $8,606  $7,860  $8,231  $8,689  $7,548  $9,816  $9,738  $9,710
Ratio of Labor to Total     85%     78%     54%     44%     57%     48%     49%     49%

The amounts that Audits has recorded and forecast include salaries, contract/co-sourced resources costs, and employee-related expenses such as employee travel, office supplies, and training.

(1) Historical Variance Analysis

(a) Labor

SCE’s business environment is becoming more dynamic and complex as technology changes, new risks emerge, and the speed of change increases. Accordingly, Audits developed a new departmental strategy in 2015 that aligned people, technology, and processes to provide risk-focused, proactive reasonable assurance. The revised departmental strategy combined:

• Relying on outside experts to provide highly specialized technical skills when we plan and execute audits (this arrangement is called co-sourcing);
• Training and developing existing staff (e.g., emerging and key risks, business acumen, and new processes such as data analytics); and
• Hiring staff with technical skill sets such as engineering and health and safety expertise.

49 Refer to WP SCE-06, Vol. 04, Ch. III, pp. 31-37 – O&M Detail for Audits.

We developed this strategy to continue to help ensure SCE complies with regulatory directives, to help ensure risks are appropriately identified and prioritized in the annual audit plan, to monitor emerging risks throughout the year and adapt the annual audit plan for any required changes, and to provide senior management, the board of directors, and regulators with reasonable assurance and rigorous independent information regarding operations and the achievement of key business objectives.

In order to support executing the new departmental strategy, Audits reorganized the department in late April of 2016. As part of this reorganization, Audits identified several key technical skills and areas of subject matter expertise which were needed for audit staff to better fulfill their roles in evaluating the processes and systems of SCE. Several professional designations can serve as evidence of such skills and expertise, including Certified Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, Professional Engineer, Certified Safety Specialist and Certified Industrial Hygienist.

From 2014 to 2018, labor costs decreased by $3.0 million due to voluntary and involuntary headcount reductions. Vacancies were held open and hiring slowed in anticipation of the revised departmental strategy and reorganization in late April of 2016. After the reorganization, Audits started to fill vacancies with staff holding the requisite licensure and credentials. The decrease in labor costs was offset by an increase in non-labor spending, as contractors were needed to supplement a reduced labor force in 2014 and 2015 and as we implemented our co-sourcing strategy in 2016. Our staffing strategy is dynamic by design, in that we funded immediate co-sourcing needs by using the labor underrun that resulted from unfilled vacancies.

(b) Non-Labor

From 2014 to 2015, non-labor costs increased by $0.5 million. The increase was driven by the need to supplement audit work with contractors, as discussed in the labor section above.


From 2015 to 2017, non-labor costs increased by $3.1 million as Audits implemented the revised departmental strategy after the reorganization in April 2016. Audits increased contract spending for co-sourcing resources to increase reliance on outside experts possessing highly specialized technical skills in high-risk areas. Such areas include cybersecurity audits, where the continued increase in sophistication and frequency of disruptive threats required subject matter specialists to effectively assess risk and provide appropriate recommendations to mitigate those risks. Audits also used co-sourcing resources to perform mandated compliance work, such as Sarbanes-Oxley business process and information technology general controls testing.

Non-labor costs decreased by $1.5 million in 2018 as Audits continued to adjust internal and co-sourcing staffing levels. For example, Audits continued to co-source the majority of the information technology audits (both cybersecurity and non-cyber assurance audits), but started using internal staff to lead some of the non-cyber assurance audits.

(2) Forecast

(a) Labor

Audits forecasts labor spending to be $4.7 million for the 2021 Test Year, which is an increase of $0.5 million over the 2018 base year recorded costs. The increase in forecast labor spending is primarily driven by filling existing auditor vacancies and hiring one data scientist in order to obtain data and predictive analytics capabilities.

(b) Non-Labor

Audits forecasts non-labor costs to be $5.0 million for the 2021 Test Year, an incremental increase of $1.7 million over base year non-labor costs. This is primarily due to the increased need to respond to wildfire mitigation- and critical business records-related work (e.g., evaluating processes and procedures to help ensure that critical business records are complete, accurate, up-to-date, and available). Areas requiring increased assurance activities include the strategies, programs, and activities that are in place, being implemented, or under development by SCE to proactively address the threat of electrical infrastructure-associated ignitions that could lead to wildfires.

Audit hours will be increased to address new or enhanced programs under SCE’s Commission-approved Wildfire Mitigation Plan (WMP), including changes in operational practices, inspection processes, and system hardening in high fire risk areas. WMP-related programs and activities will include auditing: (a) the covered conductor program, (b) enhanced overhead inspections and remediation activities, (c) vegetation management, and (d) the public safety power shut-off program. In addition, there will be increased quality oversight/quality control of inspection programs. The proposed increase reflects the estimated amount required to adequately staff assurance projects with expert co-sourced resources as well as to augment existing staff with specialized contractor-sourced resources.

c) Basis for O&M Cost Forecast

In developing Audits’ cost forecast, we evaluated the volume of work expected to be performed by Audits in the test year. Then, in light of our department’s co-sourcing staffing model, we determined the portion of expected work that would be performed by SCE labor resources to determine the labor forecast in 2021.

An increase of approximately 5,000 contract/co-sourced resource audit hours is needed to respond to a greater workload, as Audits participates in a greater number of special projects. Special projects typically include assurance work conducted to evaluate the existence of emerging risks, increasing significance of existing risks, new company activities or controls, or new rules or regulations. Additionally, audit hours will be increased to address new or enhanced programs under the WMP as well as audit work related to critical business records. Many of the technical skills (e.g., engineering, operations, risk management) needed to audit these increasingly complex areas are in short supply in the labor market, thus increasing the cost to attract and retain skilled talent.50 SCE also requires more specialized technical expertise to design and complete assurance projects. The proposed specialized non-labor resources will support the execution of required audit work activities while providing expertise that is not currently available within SCE’s internal audit department resources. The specialized resources will also address staff shortages by letting SCE add resources using just-in-time flexibility.

If Audits were not able to fill vacancies and utilize outside experts under our co-sourcing strategy, there would be a significant decrease in audit hours available to respond to safety and compliance risks, new and changing regulatory requirements, and increasing risks such as cybersecurity and wildfire mitigation efforts. The lack of adequate staffing and co-sourcing resources would compromise Audits’ ability to effectively and efficiently provide reasonable assurance that SCE is complying with applicable rules and regulations and is addressing risks. These risks include ones related to safety, cyber and physical security, reliability of operations, and wildfire mitigation efforts. In addition, Audits would not have sufficient resources and capacity to address the expanded consulting services and audits requested by management.

50 2018 Internal Audit Compensation Executive Report. This report is copyrighted, so we are not including it in our workpapers. It is available upon request from the Institute of Internal Auditors (IIA). SCE attempted to secure in-advance permission to include the document in SCE’s workpapers. However, the IIA indicated that the report could not be included as a non-confidential workpaper.

2. Ethics & Compliance

a) Work Description and Need for Activity

Ethics & Compliance’s principal functions are to:

• Develop, promote and administer the Edison International Employee, Supplier, and Board of Director’s Codes of Conduct, along with core compliance policies, corporate programs, procedures, and standards;
• Administer the Annual Ethics and Compliance Certification process by which employees specifically certify their adherence to the Employee Code of Conduct (the Code);
• Develop ethics and compliance resources and communicate on ethics and compliance topics;
• Provide advice on ethics and compliance matters;
• Oversee and implement a risk-based compliance approach with effective compliance structures and practices in place and additional emphasis on critical areas of compliance, including compliance with North American Electric Reliability Corporation (NERC) requirements;
• Provide the framework, tools, and processes for managing the Company’s structured and unstructured information, helping ensure that the information is accurate, readily accessible for reliable company operations, and compliant with records retention and privacy requirements, including the new California Consumer Privacy Act, enacted on June 28, 2018;
• Monitor and investigate alleged misconduct reported through the Edison HelpLine; and
• Oversee the enterprise-wide Ethics and Compliance Training curriculum and provide training on specific ethics and compliance topics.

SCE strives to apply consistent and rigorous practices to all compliance areas by verifying new regulatory requirements, validating existing regulatory requirements, creating and tracking compliance controls, continuously assessing risks, investigating all alleged potential noncompliance issues and escalating to appropriate senior leadership if deemed necessary. E&C is responsible for the overarching compliance framework applicable to all compliance areas and guiding each compliance area to provide reasonable assurance that they have effective processes in place to prevent, monitor, detect and respond to noncompliance events or incidents.

E&C has oversight of 15 compliance programs across SCE and directly manages several compliance areas, including energy regulation, information governance, privacy, and disability rights.51 Other compliance areas are managed within other operating units of the Company. Examples of such subject-specific compliance areas include the Environmental Compliance Program housed in the Operational Services Operating Unit, and the Human Resources Compliance Program housed in the Human Resources Operating Unit. These compliance programs are led by designated Compliance Program Leaders and have staff that manage the compliance work in their respective areas. However, they are still subject to E&C’s overarching compliance framework and operate under the overall direction of the Chief Ethics and Compliance Officer, consistent with the U.S. Federal Sentencing Guidelines.

Accordingly, in places where a Compliance Program Leader is located in another operating unit, that operating unit is providing testimony supporting how the unit administers its individual compliance programs on behalf of the Company. These activities supplement, and are not redundant of, E&C’s request in addressing how E&C oversees and coordinates all compliance functions. E&C is not staffed to carry out all compliance functions throughout the Company. Instead, E&C relies on a combined effort between E&C and individual compliance areas to manage compliance activities at a reasonable cost to customers. E&C also provides independent compliance oversight.

In 2011, the Information Governance organization was moved to E&C. This allowed for greater oversight of records management and closer alignment with associated compliance areas.

In 2012, the helpline, intake and investigation functions were moved to a new HelpLine and Investigations group in EIX. This mitigates the possibility of any SCE personnel (including executives) influencing, controlling, or affecting how an investigation is conducted, or how far the investigation might reach. Costs for the helpline function and related investigations that the EIX HelpLine and Investigations group conducts for SCE are charged to SCE’s E&C organization in accordance with California’s affiliate transaction rules.

SCE employees have several ways to seek guidance regarding: (1) the Code; (2) SCE policies about compliant and ethical decision-making; and (3) the reporting of potential violations of the Code and policies. Any employee can directly contact their supervisor or manager, the Human Resources Department, or any Company executive. The employee can seek advice or submit a concern to the Edison HelpLine (HelpLine) via phone or through the Company’s Portal (intranet) site. The HelpLine is operated by an independent vendor, and is available to employees, business partners, and customers 24 hours a day, 365 days a year. Through the HelpLine, employees can report ethical or compliance concerns, or seek guidance/clarification. Our HelpLine vendor provides services to many large companies in the U.S. and elsewhere.52

51 Further details are found in our workpapers. Refer to WP SCE-06, Vol. 04, Ch. III, pp. 38-46 – Ethics and Compliance Functions.

SCE requests funds for Ethics & Compliance to continue the oversight of SCE’s Ethics and Compliance Program. SCE anticipates an increase in labor and non-labor due to new requirements from California Senate Bill 901 (SB 901), Commission Vegetation Management and Wildfire Mitigation mandates, and new NERC CIP Reliability Standards. A detailed description of Ethics and Compliance’s oversight activities can be found in our workpapers.53

b) Scope and Forecast Analysis

The historical and forecast O&M expenses for Ethics and Compliance are shown below in Figure III-13.

52 Edison HelpLine available at: https://secure.ethicspoint.com/domain/media/en/gui/37078/index.html, as of August 19, 2019.

53 Refer to WP SCE-06, Vol. 04, Ch. III, pp. 38-46 – Ethics and Compliance Functions.


Figure III-13 Ethics & Compliance
Recorded 2014-2018/Forecast 2019-202154 (Constant 2018 $000)

                        Recorded                                              Forecast
                 2014      2015      2016      2017      2018      2019      2020      2021
Labor            $9,867    $10,648   $8,964    $7,371    $7,533    $7,921    $8,233    $8,256
Non-Labor        $7,056    $7,798    $4,579    $4,293    $4,378    $5,560    $6,157    $5,968
Other            -         -         -         -         -         -         -         -
Total Expenses   $16,922   $18,446   $13,543   $11,664   $11,912   $13,481   $14,390   $14,224
Ratio of Labor
  to Total       58%       58%       66%       63%       63%       59%       57%       58%

(1) Historical Variance Analysis

(a) Labor and Non-Labor

Figure III-13 above shows recorded 2014-2018 labor and non-labor costs for Ethics & Compliance. Reflecting the Operational Excellence initiative, Ethics and Compliance labor and non-labor showed a downward trend from 2015-2018. This initiative included:

• Re-designing the Ethics and Compliance functions;
• Eliminating vacant positions in Ethics and Compliance;
• Consolidating quality assurance and quality control functions;
• Designating a compliance touchpoint within each impacted OU; and
• Implementing a program ownership model to establish clear business line accountability for compliance requirements that impact the business line’s operational work.

54 Refer to WP SCE-06, Vol. 04, Ch. III, pp. 47-53 – O&M Detail for Ethics and Compliance.

These changes enabled SCE to more effectively manage its compliance activities across the Company. The organizational changes were completed in the third quarter of 2016.

(2) Forecast

(a) Labor and Non-Labor

In D.89-12-057, and subsequently in D.04-07-022, the CPUC stated that if costs have been relatively stable over three or more years, the last recorded year is an appropriate base estimate. For this work activity, costs have proven to be relatively stable over the last three recorded years. However, in light of emergent compliance requirements such as wildfire mitigation, and to improve our effectiveness in managing SCE’s critical business records, the financial landscape of Ethics & Compliance for this GRC cycle is changing significantly. For this reason, the last recorded year of $11.9 million is an appropriate base estimate. To the base we have added an additional $2.4 million to account for the net increase in labor and non-labor expenses (combined total $14.3 million). This increase in labor and non-labor expenses includes resources to support the ramp-up of wildfire mitigation compliance activities. Such activities include:

• Facilitating an increase in external and field audits;
• Responding to data requests and regulatory inquiries;
• Assisting Organizational Units in addressing new compliance requirements; and
• Coordinating with the Commission’s Safety Enforcement Division and our T&D operating unit with respect to increased regulatory compliance requirements encompassing: (a) General Orders (GOs) 95, 128, 165, and 174; and (b) SB 901.

Additional resources are needed to help implement the Critical Business Records (CBR) Management Program. This new program aims to effectively manage critical business records and reduce risks in the following areas: employee and public safety, reliability of critical operations, regulatory and financial compliance, and restoration of company operations after an emergency event. These additional resources are required to perform the following activities:

• Determine the applicable regulatory requirements and company policies associated with critical records;
• Conduct compliance risk assessment(s) as needed;
• Analyze current business processes associated with the records and the changes needed to comply with regulations/policies;
• Identify current internal controls and the changes needed to mitigate risks;
• Inventory current evidence and the changes needed to demonstrate compliance to regulations/policies; and
• Ensure the appropriate level of governance for the record.


IV. SAFETY PROGRAMS

A. Overview

The Edison Safety organization is responsible for managing the activities associated with the Safety Programs Business Plan Element (BPE), aimed at providing health and safety oversight and support services at the corporate level with groups such as Transmission and Distribution (T&D). Edison Safety’s vision is to strengthen our culture, eliminate serious injuries & fatalities, and reduce all injuries. Edison Safety provides guidance, governance, and oversight of the company’s safety programs and activities focused on public, contractor and worker safety to accomplish the common goal of creating an injury-free workplace. This includes developing and managing programs to meet requirements outlined by governing regulatory agencies including the Occupational Safety and Health Administration (OSHA) and the California Division of Occupational Safety and Health (Cal/OSHA), leading all major safety incident evaluations, tracking and analyzing the company’s safety data and records, managing and implementing SCE’s Safety Culture Transformation, as well as managing all other employee (field and office) and contractor safety programs and standards. Edison Safety also partners with SCE operating units (OUs) to ensure that each OU’s activity-specific safety programs meet applicable regulatory requirements.

The requested funding is necessary to continue transformation of the safety culture at SCE, through development and maintenance of worker safety programs and through partnership with other SCE workgroups on public safety initiatives.

SCE forecasts $24.98 million in O&M expenses in test year 2021 to manage the Safety Programs BPE. This includes $4.29 million for Employee and Contractor Safety, $0.60 million for Public Safety, $2.28 million for Safety Culture Transformation and $17.81 million for Safety Activities – Transmission & Distribution (T&D).

1. Risk Factors, Safety, Reliability and Connection with RAMP

The following Safety Program activities, listed in Table IV-4 below, address Employee, Contractor, and Public Safety Risk, identified as one of the top nine safety risks in SCE’s 2018 RAMP report.55 Table IV-4 summarizes the compliance items, controls, and mitigations included in RAMP by GRC activity.56 More detailed descriptions of the activities can be found in Section IV.D.

Table IV-4 GRC Activities Included in SCE’s 2018 RAMP Filing57

GRC Activity                                     RAMP Compliance/Control/Mitigation Name              RAMP ID   Risk Addressed
Employee and Contractor Safety                   Safety Compliance (Standards, Programs & Policies)   CM1       Employee and Contractor Safety
                                                 Contractor Safety Program                            C2
                                                 Industrial Ergonomics                                M2
Safety Culture Transformation                    Safety Culture Transformation (CORE Program)         M1a
Safety Activities - Transmission & Distribution  Safety Compliance (Technical Training)               CM2
                                                 Contractor Safety Program                            C2

2. Regulatory Background/Policies Driving SCE’s Request

Edison Safety develops programs that meet or exceed the regulations set by OSHA, the Department of Transportation (DOT), and other state agencies related to occupational safety and health, and transportation safety. Title 8 of the California Code of Regulations and Title 29 of the Code of Federal Regulations require that employers maintain safety standards, programs, and policies for the welfare of their employees. Additional information on the types of programs can be found in Section IV.D.1.a)(1).

55 I.18-11-006 Southern California Edison Company’s 2018 Risk Assessment and Mitigation Phase Report (RAMP).

56 The RAMP control and mitigations listed in Table IV-4 do not represent all that were identified in Chapter 7 of SCE’s RAMP report for Employee, Contractor, and Public Safety. Some controls and mitigations are located within other areas of SCE’s 2021 GRC testimony. For instance, there are GRC activities associated with C1 Safety controls within the Human Resources’ (HR) employee benefits section of testimony (SCE-06, Vol. 03) and workers’ compensation activities within Legal’s testimony (SCE-06, Vol. 02). In addition to the Safety Culture Transformation work described in this chapter, there are additional training-related activities included within HR’s testimony (SCE-06, Vol. 03).

57 RAMP ID Definitions – M = Mitigation. This is an activity commencing in 2018 or later to affect Employee, Contractor and Public safety risk. Mitigations were modeled in the RAMP report. CM = Compliance. This is an activity required by law or regulation. Compliance activities were not modeled in the RAMP report. C = Control. This is an activity performed prior to 2018 to address the Employee, Contractor and Public safety risk, and which may continue through the RAMP period. Controls were modeled in the RAMP report.


B. 2018 Decision

1. Comparison of Authorized 2018 to Recorded

The 2018 GRC Decision requires SCE to compare the 2018 request and authorized amounts to recorded;58 Figure IV-14 below provides that comparison for SCE’s Safety Program O&M expenses.

Figure IV-14 Safety Programs
O&M Expenses for 2018 – Authorized versus Recorded59 (2018 Constant $Millions)

In 2018, Employee and Contractor Safety spent $1.2 million more than authorized due to the re-organization, which resulted in additional employees from Generation, Customer Service and Operational Services charging to the Employee and Contractor Safety activity. Public Safety was a newly formed group in 2018, which caused the increase of $0.3 million. For Safety Culture Transformation, recorded amounts were $0.5 million less than authorized. The authorized amounts in the 2018 GRC were normalized in anticipation of increased costs due to the 2020 safety culture assessment. In 2018, SCE spent more than authorized on T&D Safety Activities within the T&D organization, as we experienced greater-than-expected participation in safety meetings. In addition, there were additional expenses for the therapeutic exercise programs and larger-than-anticipated safety recognition expenses.

58 D.19-05-020, Ordering Paragraph 22, pp. 441-442.

59 Refer to WP SCE-07, Vol. 01 – O&M Authorized to Recorded.

C. SCE’s Safety Culture Transformation and Organization Structure

SCE implemented its new Safety Culture Transformation program in 2018. This program, which is helping to transform our safety culture, is scheduled to be implemented through 2021. SCE employees have been participating in new safety culture training with three components called SWITCH, ENGAGE, and CONNECT that began rollout in 2018. This training provides cognitive-based tools to enable participants to make safer choices by obtaining a deeper understanding of how our brain works and the errors that can lead to injuries. SCE plans to continually assess progress and will augment this approach as necessary to transform the safety culture and eliminate all types of injuries.

On October 1, 2018, SCE created the Edison Safety organization as depicted in Figure IV-15. This organization is led by the Vice President of Safety, Security and Business Resiliency, and consolidates several existing safety organizations across Transmission and Distribution, Generation, Customer Service, Operational Services, and Corporate Health and Safety. The new Edison Safety organization is dedicated to operationalizing the Edison Safety strategy across the company with individual working groups established to drive increased focus on Employee and Contractor Safety, Public Safety, and Safety Culture Transformation.

Figure IV-15 Edison Safety High Level Organizational Chart

Efforts to improve Edison’s safety culture are centered on:

• Employee safety programs aimed at maintaining and improving worker safety.
• Worker engagement activities designed to engage workers on safety principles to create a safe work environment for employees and improve public safety.
• Safety systems intended to address incidents and injuries, share best practices, and utilize performance metrics to support the safety culture at SCE.

D. O&M Forecast

The historical and forecast O&M expenses for the Safety Programs BPE are shown below in Figure IV-16. The Safety Programs BPE consists of four O&M activities: Employee and Contractor Safety, Public Safety, Safety Culture Transformation and Safety Activities – Transmission & Distribution. These activities are described in more detail in the following sections.

Figure IV-16 Safety Programs
Recorded Adjusted 2014-2018/Forecast 2019-2021 (Constant 2018 $000)

                        Recorded                                              Forecast
                 2014      2015      2016      2017      2018      2019      2020      2021
Labor            $15,431   $14,316   $15,969   $15,386   $15,827   $14,966   $14,819   $14,852
Non-Labor        $5,284    $3,742    $5,408    $6,210    $8,792    $10,126   $10,625   $10,123
Other            -         -         -         -         -         -         -         -
Total Expenses   $20,714   $18,059   $21,378   $21,597   $24,619   $25,092   $25,444   $24,975
Ratio of Labor
  to Total       74%       79%       75%       71%       64%       60%       58%       59%

1. Employee and Contractor Safety

a) Work Description

The work performed under the Employee and Contractor Safety activity is associated with developing and maintaining corporate safety programs in areas such as electrical safety, industrial ergonomics, industrial hygiene, and contractor safety. Employee and Contractor Safety is also responsible for the development and maintenance of field safety programs that are specific to various OU work activities. SCE’s OSHA and Days Away, Restrictions, and Transfers (DART) injury rates decreased significantly from 2011-2016 (see Figure IV-17). In 2016, SCE started tracking EEI Serious Injury & Fatality Rates as an additional safety metric. As the company’s DART rate improved from 2011-2016, it was critical for the company to start to measure the EEI Serious Injury & Fatality Rate in order to improve the company’s overall safety performance. SCE is currently at a stage where changing our safety culture will be the focus in order to improve our safety performance and take SCE’s safety to the next level by improving all employees’ ownership of their own safety. The work in the Employee and Contractor Safety activity plays a critical role in operationalizing workstreams identified in the safety culture transformation roadmap.60

Figure IV-17 SCE OSHA, DART and EEI Serious Injury & Fatality Rates

(1) Safety Programs and Compliance

The Safety Programs and Compliance division leads the development and maintenance of corporate safety programs and manages the Accident Prevention Manual.61 Examples of these programs include:

• Bloodborne Pathogens Exposure Control Standard
• Chemical Management
• Confined Space Program
• Fall Protection Standard
• Hazardous Energy Control
• Hearing Conservation Program
• Heat Illness Prevention Program
• Hot Work Program
• Injury and Illness Prevention Program
• Respiratory Protection Program
• Safety Incident Management Standard

60 Refer to Appendix B for Safety Culture Transformation Roadmap.

61 The Accident Prevention Manual is a consolidated file which provides guidance on rules and processes to prevent accidents.

SCE routinely reviews its standards, programs, and policies for accuracy, effectiveness, and relevancy. SCE is required to perform these activities according to Title 8 of the California Code of Regulations and Title 29 of the Code of Federal Regulations, as well as function-specific regulations according to the Department of Transportation and Federal Aviation Administration.

(2) Office and Contractor Safety

The Office and Contractor Safety division leads contractor safety management, office safety and ergonomics, and industrial ergonomics at the corporate level.

SCE’s Contractor Safety Management Program is focused on the elimination of serious injuries and fatalities through improving safety oversight of and collaboration with contractors/subcontractors, and more effectively managing risk associated with contracted work. The program components include safety prequalification of all contractors/subcontractors conducting high-risk work, oversight of contractor work planning process, field monitoring, incident analyses, safety performance improvement process for individual contractors, and efforts to influence the development of strong safety cultures amongst our contractor partners.

In 2017, Edison Safety fully implemented the program as highlighted in Table IV-5. In order to strengthen our contractor safety performance and increase focus on the elimination of serious injuries and fatalities, SCE further enhanced the program in the first quarter of 2019 by implementing more stringent qualification criteria,62 increasing observation requirements, and improving the incident management process.

Table IV-5 Key Elements of Contractor Safety Program

Elements: Description

Third Party Administrator: Review and qualify contractors identified as performing higher-risk activities.

Contractor and Subcontractor Qualification: Additional criteria for an entity to become qualified to contract with SCE, such as Occupational Safety and Health Administration (OSHA) citation history, fatality history, and significant public safety events.

Field Safety Observations: SCE contractor liaisons conduct regular field safety observations.

Hazard Assessment and Environmental, Health, and Safety Plans: Collaborating with contractors to identify safety risks and verifying that contractors have strong hazard mitigation plans in place.

Quality Assurance Reviews: Detailed on-site assessments of selected high-risk contractors to validate the implementation of written contractual safety commitments.

Contractor Safety Forums: Joint SCE/contractor safety forums to discuss safety lessons learned and share best practices help to promote collaboration and a strong safety culture amongst the contractor workforce.

The Office Safety group has specialists who provide office safety program support and expertise for the company in ergonomics, safety issue resolution, incident follow-up, cause evaluation, and safety team support. Ergonomic self-assessments and training increase employee knowledge of ergonomic risk factors and skill around ergonomic hazard identification, helping to mitigate strain and sprain risks.

62 Revisions to the CSM Standard and EH&S Handbook for Contractors with specific improvements to eliminate serious injuries and fatalities and more stringent grading criteria in ISNetworld effective March 1, 2019.


Edison Safety’s industrial ergonomics initiative is currently being expanded to include Physical Demands Analysis Evaluation63 and Wearable Technology.64 The goal of SCE’s Industrial Ergonomic effort is to address the common causes of industrial musculoskeletal injuries and provide solutions to significantly reduce and eliminate their occurrences. The Industrial Ergonomics program was identified in SCE’s RAMP filing (Table IV-4) as a mitigation aimed at reducing some of the key drivers impacting employee injuries.

(3) Field Safety

The Field Safety division partners with OUs in developing, maintaining, and monitoring field safety programs and activities that are specific to the work in their area of responsibility. The work focuses on programs specifically designed for field employees in T&D, Generation, and Operational Services to ensure that the Accident Prevention Manual, safety programs, policies, incident reporting, and close calls are being updated and maintained.

A portion of the field safety work is dedicated to contractor field safety. The Contractor Field Safety (CFS) group focuses on three major components that affect contractor safety performance, which include: 1) partnering with OU representatives and their contractors conducting high-risk work; 2) mentoring high-risk contractors through observation and coaching for behavior and work methods; and 3) collaborating with the Office & Contractor Safety group, OU representatives, and contractor leadership to continuously align expectations for the successful implementation of SCE’s Contractor Safety Management (CSM) Standard.65

The primary objectives of the CFS are to:

• Eliminate serious injuries and fatalities
• Validate compliance with standards and regulations
• Challenge undesired normalized behaviors to improve overall safety performance
• Support contractor safety forums and internal discussions to communicate opportunities for improvement
• Function as subject matter experts on contractor-related topics
• Support, coach and mentor SCE employees and contractors on all elements of SCE’s CSM Standard, and SCE’s safety programs, standards, and regulatory requirements

63 Physical Demands Analysis Evaluation is a process for examining postures, body movements, force, and duration.

64 Wearable Technology utilizes technology-embedded clothing that gives feedback, through computer-based systems, on muscle engagement and potential for overexertion injuries when performing certain work tasks.

65 Contractor Safety Management Standard is SCE’s policy for managing contractor safety.

(4) Performance Improvement

The Performance Improvement group collects, analyzes, and manages safety incident reporting and lessons learned for employees, contractors, and members of the public. This includes the management of incident screening, coding, cause evaluations, OSHA Recordkeeping, safety metrics and performance data, dashboards, metric trees, and predictive analytics. Performance Improvement also manages safety databases, including the Incident Management database. This work requires subject matter experts to be responsible for internal communication of safety data as well as external reporting to California OSHA, Edison Electric Institute, and the North American Transmission Forum.

b) Need for Activity

The safety of our employees and contractors is one of the most important values at SCE. Employee and Contractor Safety plays a critical role following Edison Safety’s vision of eliminating serious injuries and fatalities and reducing all types of potential life-altering or life-threatening incidents. Expenses include the labor and non-labor for Safety Programs and Compliance, Office and Contractor Safety, Field Safety, and Performance Improvement. Employee and Contractor Safety’s expenses directly relate to SCE’s efforts to maintain compliance with safety regulations and continue to improve the company’s employee and contractor safety performance.

c) RAMP Integration

The two RAMP controls (Safety Compliance and Contractor Safety) and mitigation (Industrial Ergonomics) work descriptions in the Employee and Contractor Safety GRC activity are discussed above in Section IV.D.1.a) – Office and Contractor Safety. The Contractor Safety Management Program was identified in SCE’s RAMP filing (Table IV-4) as a program aimed at reducing key drivers of contractor injuries and fatalities.

(1) Reconciliation Between RAMP and GRC

There are no changes in expense forecasts (as shown in Table IV-6) or scope for the Contractor Safety Program control and Industrial Ergonomics mitigation as estimated in SCE’s 2018 RAMP report and the forecast requested in this GRC.

Table IV-6 Employee and Contractor Safety RAMP Controls and Mitigations
RAMP vs. GRC O&M Forecast Comparison (Nominal 2018 $000)

RAMP Risk: Employee, Contractor & Public Safety

Filing Name   RAMP ID   RAMP Control / Mitigation Name   2019   2020   2021
RAMP          C2        Contractor Safety Program        $200   $200   $200
RAMP          M2        Industrial Ergonomics             $15    $15    $15
RAMP          Total                                      $215   $215   $215
GRC           C2        Contractor Safety Program        $200   $200   $200
GRC           M2        Industrial Ergonomics             $15    $15    $15
GRC           Total                                      $215   $215   $215
Variance      C2        Contractor Safety Program           -      -      -
Variance      M2        Industrial Ergonomics               -      -      -
Variance      Total                                         -      -      -

d) Scope and Forecast Analysis

The historical and forecasted O&M expenses for Employee and Contractor Safety are shown below in Figure IV-18.

Figure IV-18 Employee and Contractor Safety
Recorded 2014-2018/Forecast 2019-202166 (Constant 2018 $000)

(Chart of Labor, Non-Labor and Other by year; the data table under the chart follows.)

                          Recorded                                 Forecast
                 2014    2015    2016    2017    2018    2019    2020    2021
Labor          $3,480  $3,062  $3,332  $2,788  $3,386  $2,706  $2,481  $2,514
Non-Labor        $645    $271    $220    $349    $944  $1,834  $1,778  $1,777
Other
Total Expenses $4,125  $3,333  $3,552  $3,137  $4,330  $4,540  $4,260  $4,291
Ratio of Labor to Total   84%   92%   94%   89%   78%   60%   58%   59%

(1) Historical Variance Analysis

(a) Labor

Labor costs decreased by $418,000 from 2014 to 2015 due to an increased level of vacancies held in anticipation of SCE’s Operational Excellence initiative in 2016.67 From 2015-2017, labor cost fluctuated as employees moved in and out of Corporate Health and Safety due to multiple re-organizations. In 2018, safety groups68 throughout SCE were centralized into one organization, Edison Safety. As part of the centralization in 2018, labor costs for support of T&D activities were inadvertently charged directly to O&M, artificially driving costs higher when portions of these costs should have been allocated to the underlying projects and programs being supported. For instance, labor expenses for Health and Safety Advisors from the Field Safety group that are embedded with the field crews should have been charged to the associated projects.

66 Refer to WP SCE-06, Vol. 04, Ch. IV, pp. 54-60 – O&M Detail for Employee and Contractor Safety.

67 Operational Excellence (OpX) initiative consists of a series of activities that occurred within Edison to reduce costs and improve operating efficiencies.

68 Safety groups in the following OUs: Customer Service, Generations, Transmission & Distribution and Operation Services.

(b) Non-Labor

Non-Labor costs decreased by $374,000 from 2014 to 2015 due to lower consulting costs for employee and contractor safety evaluation activities. Non-Labor expenses were relatively flat from 2015 to 2016 and then increased by $129,000 from 2016-2017 due to additional safety evaluation activities and increased by $595,000 from 2017-2018 due to the centralization of safety organizations across SCE. In addition, SCE expanded the scope of the contractor safety program. For instance, the contractor safety manual was revised to increase observation requirements and improve the overall incident management process.

(2) Forecast

(a) Labor

Edison Safety anticipates a similar level of resources needed to support all of the initiatives and work activities for Employee and Contractor Safety through this rate case cycle. SCE’s Employee and Contractor Safety 2021 labor forecast is $2.51 million, which is $872,000 lower than 2018, based on last year’s recorded amount with adjustments. As discussed above in Section IV.D.1.d)(1)(a), labor costs in support of T&D activities during the centralization were inadvertently charged to O&M. The forecast of labor expenses reflects the appropriate allocation of O&M and capital. This is the primary driver of the $872,000 reduction of labor expenses from base year 2018 to the test year 2021.

(b) Non-Labor

SCE forecasts Non-Labor for 2021 will increase by $833,000 to $1.78 million, primarily due to the centralization of the safety organizations within SCE. SCE used last year recorded with adjustments to develop the forecast for Employee and Contractor Safety activities for 2021. An average approach was not utilized because of the centralization effort that occurred in 2018.

Approximately $765,000 of program costs that were previously captured within T&D are now directly within Employee and Contractor Safety as a result of the centralization effort in 2018. For example, Error Prevention training69 was previously within T&D’s activities and was transferred to Edison Safety in 2018. In addition, based on the Commission’s approval in D.19-05-020 (SCE’s 2018 GRC decision), SCE is requesting to continue its membership and participation in the Electric Power Research Institute’s (EPRI) Program 60 (Electric and Magnetic Fields and Radio-Frequency Health Assessment and Safety). EPRI’s Program 60 addresses key environmental health and safety issues related to public and worker exposure to electromagnetic fields associated with the electric power system infrastructure, and is especially relevant as the electric industry transitions to smarter grid technologies, distributed energy resources, electric vehicles, and other innovations that can increase residential exposure to radiofrequencies.70 By allowing membership in EPRI’s Program 60, SCE would have access to EPRI’s EMF studies, which will help SCE provide safe and reliable electricity to its customers.

In SCE’s 2018 GRC decision (D.19-05-020), the Commission approved SCE’s request for $700,000 for its membership and participation in EPRI Program 60 and specifically agreed that SCE could seek these funds in its general rate case and not in the EPIC proceeding, under which utilities may only conduct demonstration projects.71 SCE respectfully requests that the Commission again approve SCE’s request to continue its membership in EPRI’s Program 60, at $700,000 for its membership fees. The Commission approved SCE’s request for EPRI funding in SCE’s 2012 GRC proceeding and again in the 2018 decision.72 Funding EPRI is not necessarily about research; it allows SCE to stay at the forefront of EMF-related science, which provides SCE with the ability to prudently address customer concerns with credible, independent, and industry-leading studies and mitigation strategies. Importantly, and in compliance with Ordering Paragraph 17 of CPUC Decision 12-05-037, the EPRI Program 60 effort maps to the Grid Operations/Market Design, Transmission and Distribution EPIC Value Chain and directly supports the following EPIC metrics: Public Safety and Environmental Benefits,73 Potential Energy and Cost Savings,74 and Economic Benefits.75 Further, SCE will file this request on the service list of the most recent EPIC proceeding. The Commission has clearly determined that expenditures for EPRI EMF research should be approved,76 and has also indicated that research institutes [like EPRI] may be funded.77 The Commission should continue to support such science-based EMF efforts.

69 Error prevention training is an application of human and organization improvement principles and practices to proactively and actively prevent injuries/fatalities, system reliability interruption and damage triggered by human errors and/or system errors (organization hidden conditions/weaknesses) at critical/irreversible steps.

70 Available at: https://www.epri.com/#/portfolio/2020/research_areas/2/025025?lang=en-US, as of August 14, 2019.

71 Decision No. 19-05-020, Section 9.4. In Ordering Paragraph 17 of D.12-05-037, the CPUC indicated that if utilities seek expenditures outside of the EPIC investment plans, the utility will face the burden to explain why such expenditures could not have been considered within the EPIC program. Any such requests should explain how they meet objectives and metrics of the EPIC program. Because EPIC only authorizes utilities to perform demonstration activities (classified as Technology Demonstration and Deployment), SCE is not seeking Program 60 funding in the EPIC program. EPRI Program 60 addresses public health impacts of electricity-related activities by providing independent and unbiased studies and activities related to electric and magnetic fields as well as radio frequency related to electric utilities infrastructure. This meets the EPIC Applied Research and Development objective. However, electric utilities are not allocated any budget in EPIC to fund independent research entities, and thus SCE seeks funding in this GRC for its membership in EPRI to have access to EMF-related studies which will improve public safety.

72 Id.

2. Public Safety

a) Work Description

The newly created Public Safety group focuses on strategies with opportunities to create and manage an enterprise-wide inventory of all risks. The new group is adopting a more central approach focusing on the evaluation of public risks. The Public Safety group is working on developing and implementing the metric trees78 to explain variation in our company’s public safety performance. In addition, this team collaborates with the Enterprise Risk Management group (ERM) to make informed mitigation decisions. We will evaluate where performing beyond compliance standards is necessary to adequately mitigate risk. Tools and methods such as the metric tree will be introduced to evaluate public safety risks and make informed decisions.

The Public Safety team works closely with key stakeholders throughout the company to achieve the company goal of no serious injuries to the public. SCE’s public safety risks are primarily concentrated in four areas of our business:

• Wildfire
• Contact with Energized Equipment
• Underground Equipment Failure
• Hydro Asset Safety

73 SCE will be able to quickly deploy the results of the EPRI work to its operations, transmission and distribution activities with a particular emphasis on public and employee safety.

74 In addition to receiving excellent work product, SCE will leverage its investment with other utilities and an EPRI-estimated total Program 60 budget of $3.7 million for 2020. A 2021 estimate is not yet available. (Please see: https://www.epri.com/#/portfolio/2019/research_areas/2/025025?lang=en-US).

75 Because SCE will participate in EPRI Program 60 with a number of other electric utilities and stakeholders, the results of the RD&D will provide the economic benefits associated with economies of scale. Specifically, the technologies resulting from the effort have a greater potential for usage by a broader group of entities rather than only SCE. This also supports the EPIC metrics associated with the effectiveness of information dissemination, technology adoption and funding support from other entities.

76 Decision No. 93-11-013, COL 18.

77 Decision No. 15-04-020, p. 23.

78 Metric trees will assess the status of performance management, reveal leading and lagging indicators, determine data owners, incorporate additional input from subject matter experts and explain overall performance.

b) Need for Activity

This Public Safety GRC activity supports all public safety related efforts within SCE. For instance, Public Safety partnered closely with Corporate Communications to contribute to the development of a wire-down communication campaign in 2019. Protecting the public is central to our mission. The causes of public safety incidents vary and include vehicle incidents, SCE facility failures, outages, and trespassing. SCE’s public safety approach is three-pronged. It first focuses on grid resiliency through our design and construction standards, inspection and maintenance programs, and infrastructure replacement programs. Secondly, SCE has controls and mitigations in place such as Public Safety Power Shutoff. Our Business Resiliency organization manages Public Safety Power Shutoff and the monitoring of weather stations and HD cameras. Lastly, our outreach and education programs target our customers, at-risk workers, first responders, educators, and schoolchildren. We facilitate third-party cause evaluations on public safety incidents in order to gather lessons learned, implement improvements, and proactively prevent similar incidents from recurring.

Maintenance and Inspection programs and Infrastructure Replacement programs mitigate the risk of system failure that may contribute to public safety incidents. These programs are managed and maintained by SCE’s T&D organization.

SCE’s outreach programs provide education and essential information to the public, including billboards, radio spots, mailers, and television campaigns in multiple languages. External safety communication programs are developed and maintained by Corporate Communications and focus on topics such as the dangers of releasing metallic balloons, the importance of maintaining ten feet of clearance from our power lines, the Call Before You Dig “811” program, and preventing contact with downed wires. SCE also provides educational seminars for communities, schools, and first responders on the dangers of electricity.

c) Scope and Forecast Analysis

The historical and forecast O&M expenses for Public Safety are shown in Figure IV-19.

Figure IV-19 Public Safety
Recorded 2014-2018/Forecast 2019-202179 (Constant 2018 $000)

(Chart of Labor, Non-Labor and Other by year; the data table under the chart follows. Labor is blank for 2014 and 2016, consistent with the 0% labor ratio shown for those years.)

                         Recorded                          Forecast
                 2014   2015   2016   2017   2018   2019   2020   2021
Labor               -     $3      -   $218   $247   $441   $515   $515
Non-Labor         $11     $2     $5    $47    $48    $61    $88    $87
Other
Total Expenses    $11     $5     $5   $266   $295   $502   $602   $603
Ratio of Labor to Total   0%   56%   0%   82%   84%   88%   85%   85%

(1) Historical Variance Analysis

(a) Labor

Public Safety is a newly formed working group, so labor costs during 2014-2016 were immaterial because at that time the costs were within other organizations (i.e., Corporate Communication). Edison Safety (previously known as Corporate Health & Safety) began coordinating public safety functions through a working team consisting of various organizational unit stakeholders. Labor cost increased to $218,000 in 2017 and to $247,000 in 2018, a $29,000 increase from 2017, due to increasing support from various groups’ personnel across the company. For instance, some employees and managers were helping with Public Safety initiatives in addition to their roles in different groups within Edison Safety. Although there were charges supporting this activity in 2017, the organization was not officially established until late 2018.

79 Refer to WP SCE-06, Vol. 04, Ch. IV, pp. 61-67 – O&M Detail for Public Safety.

(b) Non-Labor

Public Safety was a working group in 2017, so non-labor costs during 2014-2016 were immaterial and generally followed the same trend as labor.

(2) Forecast

(a) Labor

SCE forecasts labor will increase to $441,000 in 2019 and then to $515,000 in 2021 as the newly formed group will be developing and implementing the metric trees, collaborating with ERM to make informed mitigation decisions and evaluating where performing beyond compliance standards is necessary to adequately mitigate risk.

(b) Non-Labor

Non-Labor is forecast to increase by $26,000 to $87,000 in Test Year 2021 as the staff in the group will continue improving our public safety program, which includes benchmarking of industry-wide public safety best practices.

3. Safety Culture Transformation

a) Work Description

In 2018, Edison Safety implemented its new Safety Culture Transformation program. This program includes safety culture training for all company employees to foster the mindset of making the right safety choices. The rationale and development of the program, along with recorded and forecasted costs, is covered in SCE’s Human Resources Department testimony, Exhibit SCE-06, Vol. 3, Part 1, Chapter IV.A.3a)(1)(e). Safety Culture Transformation is responsible for implementing initiatives and workstreams identified in the Safety Culture Transformation Roadmap.80

b) Need for Activity

Safety Culture Transformation is one of the most important safety initiatives at SCE. This group provides the organization with context for the importance of safety culture change and the means to achieve this change. In 2018 Edison Safety created a new dashboard for employee, contractor, and public safety. SCE’s 2019 efforts will be focused on creating and expanding additional dashboard views. This working group will develop an organizational change management strategy to ensure leaders are using the dashboard to make more informed safety decisions. We will use a predictive model identifying key drivers for DART and life-altering/life-threatening injuries, which will help us prevent recurrent injuries. The risk score framework based on the predictive model will be piloted and implemented across select locations, with gradual expansion across all T&D field locations over 2019 through 2021.

80 Refer to Appendix B for Safety Culture Transformation Roadmap.

c) RAMP Integration

As mentioned in the RAMP filing, SCE does not currently have an integrated and comprehensive safety data system that houses all safety data. For example, one current system captures employee safety, while another system tracks related corrective actions and yet another tracks safety observations. SCE proposed, as one part of the Safety Culture Transformation mitigation in RAMP, to develop and implement a comprehensive safety data system that handles incident management, facilitates incident cause evaluations and collects safety observation data, allowing for correlations to be identified between observed hazards and incurred incidents. With this system in place to better collect, analyze, and report data, SCE will increase its ability to identify major contributing factors that lead to incidents and close calls.81

(1) Reconciliation between RAMP and GRC

As shown in Table IV-7, there are material differences between the forecast for the capital expenditures for Safety Culture Transformation as estimated in SCE’s 2018 RAMP report and the forecast requested in this GRC.

SCE is still committed to developing and implementing an integrated and comprehensive safety data system. SCE issued a request for quote (RFQ) in May 2019 to evaluate consultants to help complete strategy and market analysis for the safety data system. SCE is currently evaluating the RFQ responses. Until a final consultant is selected, we will not have a final quote available to provide a cost estimate for the data system. The forecast provided in RAMP was based on subject matter experts’ (SMEs) implementation of similar systems in the past; however, a final cost estimate may be different from the initial RAMP estimate depending on the recommendation and ultimate solution implemented with the selected consultant.

81 SCE RAMP Report Ch. 7 Employee, Contractor and Public Safety, pp. 7-24.

Table IV-7 Safety Culture Transformation RAMP Controls and Mitigations82
Capital Forecast (Nominal 2018 $000)

RAMP Risk: Employee, Contractor & Public Safety
RAMP ID: M1a
RAMP Control / Mitigation Name: Safety Culture Transformation (Core Program)

Filing Name   2019      2020      2021      2022   2023
RAMP          $5,000    $4,000    $4,000    -      -
GRC           -         -         -         -      -
Variance      ($5,000)  ($4,000)  ($4,000)  -      -

a) Scope and Forecast Analysis

The historical and forecast O&M expenses for Safety Culture Transformation are shown below in Figure IV-20.

82 As mentioned above in Section IV.A.1, there is additional work associated with the Safety Culture Transformation discussed in SCE-06, Vol. 03.

Figure IV-20 Safety Culture Transformation
Recorded 2014-2018/Forecast 2019-202183 (Constant 2018 $000)

(Chart of Labor, Non-Labor and Other by year; the data table under the chart follows.)

                          Recorded                                 Forecast
                 2014    2015    2016    2017    2018    2019    2020    2021
Labor            $250    $682    $552    $445    $516    $621    $625    $625
Non-Labor      $2,093    $991  $1,258  $1,100  $1,296  $1,623  $2,151  $1,651
Other
Total Expenses $2,342  $1,674  $1,810  $1,546  $1,812  $2,245  $2,776  $2,276
Ratio of Labor to Total   11%   41%   31%   29%   28%   28%   23%   27%

(1) Historical Variance Analysis

(a) Labor

Labor increased by $432,000 from 2014-2015 due to increased staffing/resourcing to implement initiatives as part of SCE’s Enterprise Safety Roadmap. From 2015-2017, labor decreased by $130,000 and $107,000 due to unfilled vacancies. Two positions were backfilled in September 2017 and March 2018, which caused labor to increase by $71,000 due to additional work that came out of the Enterprise Safety Roadmap.

(b) Non-Labor

There was a decrease in non-labor from 2014-2015 by $1.10 million when our contract with a vendor to review safety ended. Non-Labor cost increased in 2016 by $267,000 as we started engaging with a new vendor in preparation for additional safety review in 2017. In 2018, the non-labor cost increased by $196,000 as SCE expanded the safety roadmap, increasing the number of safety initiatives from 7 in 2016 to 20 in 2018.

83 Refer to WP SCE-06, Vol. 04, Ch. IV, pp. 68-74 – O&M Detail for Safety Culture Transformation.

Page 77: Environmental Services, Audit, Ethics and Compliance, and … · Environmental Services, Audit, Ethics and Compliance, and Safety Programs Before the P CPLVVLRQ C Rosemead, California

70

(2) Forecast

(a) Labor

SCE forecasts that labor for Safety Culture Transformation will increase by $109,000 over 2018 recorded levels to $625,000 in Test Year 2021. The increase in labor is associated with implementing the safety culture roadmap and the anticipation of additional work as a result of the upcoming 2020 safety culture assessment.

(b) Non-Labor

SCE forecasts that Safety Culture Transformation's non-labor cost will increase by $327,000 in 2019 due to additional initiatives relating to the safety roadmap. These initiatives are included as part of the roadmap listed in Appendix B.[84] In 2020, non-labor cost is forecasted to increase by a further $528,000 due to the safety assessment to be conducted in 2020. In 2021, SCE forecasts that non-labor cost will decrease by $500,000 due to the conclusion of the safety assessment in 2020.

4. Safety Activities – Transmission & Distribution (T&D)

While safety support resources have been centralized into Edison Safety, T&D continues to drive specific activities due to its large number of field workers who require targeted safety topics. In addition to participating in Edison Safety activities, T&D workers participate in safety activities specific to field injuries and incidents, as described in the following sections, as well as safety training related to new equipment and/or tool use.

a) Employee Safety Work Description

T&D's employee safety activities include the costs for T&D employees to attend safety-focused events, which serve to encourage worker and public safety. These events are described below.

(1) Safety Leadership Development

Safety Leadership Development training is provided to all T&D employees who enter a supervisory role, including represented employees in Foreman positions. Safety Leadership Development provides these employees with important information on their legal responsibilities for the safety of the crews under their direction, and methods for sharing best practices for improving safety on the job site.

[84] Refer to Appendix B for additional information on the Safety Culture Transformation Roadmap.

In 2015, the training was expanded to cover six practices aimed at the creation of a safety culture that drives an injury-free workplace. These practices are: show you care about people; always do the right thing; be visible; coach and reinforce safety; be a steward of culture; and master safety. SCE and T&D require their employees to actively demonstrate these practices to reinforce the importance of safety.

To improve safety performance, leaders are expected to engage their staff on safety issues. One example is stopping someone from participating in an unsafe behavior, such as failing to use proper Personal Protective Equipment or walking and texting. If a leader observes such conduct, he or she is expected to inform the employee to stop the unsafe act, express his/her concern, and discuss safer practices with the employee.

Leaders must also follow the same safety rules as those for workers and be a good model for safe behavior. Examples include performing a circle of safety prior to moving a company vehicle and leading a tailboard to discuss work scope, hazards, and safety scenarios prior to starting any work in the field. Finally, leaders are encouraged to promote dialogue regarding safety practices and principles through SCE's Safety Observation and Safety Recognition programs, which have been absorbed into SCE's Safety Culture Transformation, described in Section IV.D.3.

(2) Safety Meetings and Stand-Downs

Regularly scheduled Safety Meetings with T&D employees provide an opportunity to discuss important safety topics, such as changing tools and methods, safe operation of vehicles and equipment, and lessons learned from incidents. Safety Meetings, Significant Safety Event Calls, and Safety Stand-Downs play a vital role in conveying the importance SCE places on safety. They also provide a venue to disseminate valuable and practical information to improve employee safety.

Safety Meetings may affect all organizations within T&D or select work locations and work groups, depending on the safety topics being discussed. These meetings provide the opportunity to discuss recent injuries or incidents that may have occurred across the business line, and lessons learned from these incidents. The target audience varies according to the topic. For example, information on preventing strains or sprains experienced from lifting heavy objects might be shared across T&D, while information on the operation of new substation equipment may be shared with T&D's Transmission, Substation and Grid Operations groups, as these workers may be required to operate the equipment and understand how it functions. During these meetings, SCE also recognizes employees who demonstrate and promote a culture of safety at work and at home.

Significant Safety Event Calls and Safety Stand-Downs are held across T&D to provide timely communication on recent, significant safety-related events, such as serious employee injuries and close calls, recent upward trends in the frequency of accidents and incidents, or substantial changes to a work method or procedure. Employees are brought together to review the event, the underlying causes, and the proper procedure or other actions that are developed to prevent recurrence of the event. These meetings allow T&D management to set the tone for a stronger safety culture and inspire safety ownership in T&D workers, reinforce the requirement to follow all safety rules when performing work, and give employees clear information about the impact of not following safety rules and best practices. Finally, monthly Safety and Values Leadership Calls with all managers are held to discuss recent safety incidents and the work environment, and to provide the managers tools to improve engagement with their employees.

b) Worker Engagement Work Description

T&D employees engage in activities designed to support safety principles and safety as a value at SCE. These activities encourage the creation of a safe environment for employees and the public. The primary T&D safety activities are discussed below.

(1) Safety Congresses and Teams

Safety Congresses provide a forum for employees to generate and discuss improvements to current safety practices and programs, exchange ideas, work through problematic safety concerns and elevate those concerns directly to senior management. Safety Congresses serve as direct, in-person communications of safety messages and programs to employees in T&D. Strengthening lines of safety communication helps to enhance awareness of safety issues as a first step towards mitigating employee accidents and injuries.

Safety Congresses have successfully identified and addressed important safety issues and concerns. Projects include an off-road driving video for large vehicles, signs identifying pinch points on vehicles and equipment, and the introduction of good ergonomic practices for line work. Additionally, T&D holds vehicle rodeos to increase vehicle backing safety and blind spot awareness, and "Call to Action" events for all crews to conduct grounding scenario training. As safety issues and concerns are identified by the Safety Congresses, teams address these concerns by identifying and implementing improved work methods within T&D.

(2) Safety Partnership with Union Leadership

The Craft Driven Safety Program (CDSP), which began in 2012, focuses on the relationship and dual responsibility between SCE and the International Brotherhood of Electrical Workers (IBEW) Local 47 in the area of safety. The CDSP creates a role for union representatives in the incident evaluation and follow-up processes, with the goal of reducing injuries through positive peer reinforcement and engagement.

Launched in 2013, the Craft Close Call Reporting Initiative[85] provides a close-call injury reporting system. Individuals are expected to report the incident to their Union Safety Representative (USR). The USR, in cooperation with safety advisors from Edison Safety, identifies the lessons learned. These close calls are then published in weekly emails to all craft organizations. This allows detailed incidents, including the lessons learned, to be discussed openly with a wide audience. Many incidents demonstrate proper usage of the "Stop. Think. Observe. Perform." (S.T.O.P.) program, where employees are empowered to stop work if they see an unsafe condition. This program encourages safe work practices and enables employees, regardless of job classification, to feel comfortable with stopping a job.

In addition to the close calls reported through the Craft Close Call program, between 2016 and 2018, 695 close calls were reported by employees through EHSync for review and discussion of lessons learned. This increase in close-call reporting allows employees and management to work together to address safety concerns before they become injuries.

In 2017, SCE and IBEW Local 47 partnered to implement the Code of Excellence,[86] a program that emphasizes high quality work, craftsmanship, and safety. This program reinforces SCE's longstanding company values and our aspiration to be an industry-leading energy company. The Code of Excellence is a set of expectations around duties and behaviors on the job.

(3) Safety Forum Meetings

In 2015, SCE began Safety Forum meetings between SCE and contractors. Attendees share safety incidents and root causes, discuss common safety challenges, explore best safety practices and enhance communication between SCE and contractors. Each meeting lasts approximately four hours and is attended by leadership and their guests from multiple contractor companies. Meetings with Underground Civil Construction, Vegetation and Electrical Line Construction contractors are held annually, while meetings with Substation Construction contractors, including engineering, electrical, civil, wiring, construction support and heavy-haul contractors, are held four times per year.

[85] The Craft Close Call Reporting Initiative is distinct from the company-wide close call reporting program through EHSync, the incident management system.

[86] The Code of Excellence is a commitment between SCE and IBEW members to perform the highest quality and quantity of work, utilize their skills and abilities to the maximum, and exercise safe and productive work practices.

c) Safety Systems Work Description

(1) Therapeutic Exercise, Stretching, and Warm-up Programs

Edison Safety provides project management and guidance to employees participating in SCE's therapeutic exercise, stretching, and warm-up programs. These comprehensive programs are designed to help reduce and/or prevent employee injuries resulting from strain or sprain of a tendon, ligament, or muscle, and are primarily targeted at T&D field employees. Therapeutic exercise includes daily stretching and injury-prevention calisthenics in a group setting or individually in the field, for approximately fifteen to twenty minutes, once the work shift begins. Consistent conditioning and stretching better prepare employees for the strenuous work activities they perform daily and may reduce soft tissue injuries.

Functional Movement Screenings (FMS), a vendor delivering a therapeutic exercise program, was identified in SCE's RAMP filing as a control (see Table IV-4) aimed at reducing the frequency and severity of minor injuries (e.g., strains, sprains, soft-tissue injuries). T&D introduced the therapeutic exercise program in 2014 for T&D employees. This program improves the physical performance of the employee, assisting them with the basic movement functions needed for their job. In the current therapeutic exercise program, FMS uses a customized stretching and muscle-stabilizing sequence individualized or prescribed for each employee. This is designed to improve employees' physical performance by targeting improvement in the basic movement functions of their job. Assessments of participants provide measurable success and facilitate sustainability of the exercise program. Since the program's inception, T&D has seen a 35% decrease in strain and sprain injuries among the groups that participated.

(2) Best Practice Sharing

T&D also conducts Monthly Incident Conference Calls (MICC) to review recent incidents, focus on corrective actions, and discuss preventative measures. The monthly calls include all distribution field personnel. Personnel involved in the incident discuss the details, including the cause, key safety information, contributing factors, and lessons learned. In addition, the call highlights an example of excellent craftsmanship and promotes safety conversations across all levels.

Incidents are also shared via serious injury communications. A Safety Discussion Guide is developed providing incident details, critical reminders, additional resources and conversation starters. This communication is sent out to managers and supervisors to share with employees.

There has been a significant improvement in the ability of supervisors to evaluate incidents and articulate lessons learned from incidents. This helps front-line supervisors to better lead their employees on the path to an injury-free workplace.

(3) T&D Safety Metrics

Over the past several years T&D has engaged in benchmarking against peer companies with top safety records. This benchmarking identified safety best practices, such as improved leadership field engagement through increased field visits, expanded safety dialogue between leaders and employees, and corrective action plans. Since this exercise began, T&D has experienced a significant reduction in work-related injuries among employees.

Between 2011 and March 2019, T&D has reduced the Days Away, Restricted or Transferred (DART) injury rate by 64 percent and the Occupational Safety and Health Administration (OSHA) recordable injury rate by 67 percent, as can be seen in Figure IV-21.

Figure IV-21 T&D's OSHA, DART and EEI Serious Injury & Fatality Rates

Although there is no clear causal link between the use of safety-related activities such as safety meetings, stand-downs and MICCs and the downward trend in injury rates, the correlation suggests the efforts have worked to improve the safety culture.

d) Need for Activity

Safety of the public and employees is of utmost importance to SCE. As described above, T&D has several programs in place to engage employees in creating and maintaining safe work practices and environment, such as the Safety Congresses and Teams and Safety Stand-Downs. These activities are necessary to continue to engage employees, foster trust, and improve the safety culture and work environment of SCE. In order to take the performance to a higher level, SCE needs to continue to focus on utilizing the Safety Congresses and change the company's safety culture through enhancement of safety culture training and leader engagement.

e) RAMP Integration

As mentioned above in Section IV.D.4.c)(1), SCE provides a therapeutic exercise program currently designed and implemented by FMS for T&D field employees to improve the physical performance of the employee and assist them with the basic movement functions of their job to reduce the severity of minor injuries.

(1) Reconciliation between RAMP and GRC

There are no changes in expense forecasts (as shown in Table IV-8) or scope for the Safety Controls (FMS) control between SCE's 2018 RAMP report and the forecast requested in this GRC.

Table IV-8 Employee and Contractor Safety RAMP Controls and Mitigations
RAMP vs. GRC O&M Forecast Comparison (Nominal 2018 $000)

RAMP Risk: Employee, Contractor and Public Safety
RAMP ID: C1
RAMP Control / Mitigation Name: Safety Controls (FMS)

Filing Name    2019      2020      2021
RAMP           $2,200    $2,200    $2,200
GRC            $2,200    $2,200    $2,200
Variance       $-        $-        $-

f) Scope and Forecast Analysis

The historical and forecasted O&M expenses for Safety Activities – Transmission and Distribution are shown below in Figure IV-22.

Figure IV-22 Safety Activities – Transmission & Distribution
Recorded 2014-2018/Forecast 2019-2021[87] (Constant 2018 $000)

(1) Historical Variance Analysis

Labor expenses included in these accounts are dedicated to the development and attendance of Safety Meetings and Safety Congresses by SCE non-exempt employees. From 2015 to 2016, the labor O&M expense increase of $1.76 million was largely due to greater employee attendance and a larger number of safety meetings. For non-labor, there was an increase of $1.36 million resulting from increased costs associated with the therapeutic exercise program as explained in Section IV.D.4.c)(1), safety recognition awards, and the employee expenses related to greater employee attendance. In 2017, non-labor O&M expense increased by $0.81 million over the previous year due to more development work for safety meetings and further development of the therapeutic exercise program. In 2018, non-labor O&M expense increased by $1.95 million as a result of higher spending on safety recognition awards, the use of contractor training services regarding landslide triggering thresholds, and the expansion of the therapeutic exercise program from 2017 for Grid Operations.

[87] Refer to WP SCE-06, Vol. 04, Ch. IV, pp. 75-81 – O&M Detail for Safety Activities – Transmission & Distribution.

(2) Forecast

SCE expects these necessary safety activities discussed in the sections above to continue at levels generally consistent with those experienced in 2018. Accordingly, SCE uses the last recorded year's costs as the basis of the 2021 Test Year forecast. To this base, slight reductions are made to the test year forecast to account for expenses transferred to Edison Safety as part of centralizing the delivery of safety programs and materials. Use of the last recorded year as the basis for this forecast is consistent with the Commission's guidance in Decision 89-12-057 and Decision 04-07-022 to use the last recorded year's expenses as a base to forecast test year levels if the past three recorded years show a trend in a certain direction. This is the same forecast method used in SCE's 2018 GRC Application, and the full uncontested request was authorized in D.19-05-027.[88]

[88] See D.19-05-027, p. 124.

Appendix A

SCE CPUC Covered Information Privacy and Security Assessment Report – July 26, 2019

Southern California Edison
CPUC Covered Information Privacy and Security Assessment Report
For the period January 1, 2018 through December 31, 2018
July 26, 2019
kpmg.com

Contents

Document structure ........ 1
Executive summary ........ 2
Project approach and methodology ........ 6
Rule assessment results, exceptions and recommendations ........ 7
SCE's Management Response to CPUC Covered Information Privacy and Security Assessment Report ........ 16
Appendix I – Detailed assessment procedures and results ........ 20
Appendix II – Abbreviations used in this report ........ 103
Appendix III – Stakeholders interviewed ........ 105

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS 883440

The KPMG name and logo are registered trademarks or trademarks of KPMG International.


KPMG Draft Report to Southern California Edison

Document structure

This report consists of the following sections:

Executive summary – an overview of the project including: background, scope, and KPMG’s overall results and noted exceptions and recommendations, where necessary, for each Rule comprising the California Public Utility Commission Privacy Decisions.

Project approach and methodology – an overview of key project phases and activities performed by KPMG throughout the course of the assessment.

Rule assessment results, exceptions and recommendations – a summary of KPMG’s assessment associated with each of the nine (9) Rules of the CPUC Privacy Decisions including KPMG’s interviews and document reviews (e.g., test work), overall results, detailed exceptions, and improvement recommendations associated with each exception.

SCE’s Management Response to CPUC Covered Information Privacy and Security Assessment Report – SCE’s Management Response to the CPUC Covered Information Privacy and Security Assessment Report dated July 26, 2019.

Appendix I – Detailed assessment procedures and results - the full details of KPMG’s assessment criteria, procedures and results for each Rule.

Appendix II – Abbreviations used in this report - a list of the abbreviations and acronyms used throughout the course of the Report.

Appendix III – Stakeholders interviewed - a list of each stakeholder interviewed by KPMG throughout the course of the assessment.


Executive summary

Through Southern California Edison Company's (hereinafter SCE or Company) SmartMeter operations, managed via Advanced Metering Infrastructure and Real Time Energy Management systems, the Company collects, processes, stores, and where authorized, discloses Covered Information.

Background

On July 29, 2011, the California Public Utilities Commission (CPUC) issued Decision D.11-07-056, "Rules Regarding Privacy and Security Protections for Energy Usage Data," and subsequently issued Decision D.14-12-004, "Decision Extending Privacy Protections to Customers of Gas Corporations and Community Choice Aggregators and to Residential and Small Commercial Customers of Electric Service Providers" (hereinafter, together, the "Privacy Decisions"). The Privacy Decisions require SCE to undergo an independent assessment of its Covered Information privacy and security practices. Covered Information is defined in the Privacy Decisions as Customer Energy Usage Data (CEUD) obtained via Advanced Metering Infrastructure (AMI) and Real Time Energy Management systems when combined with other information that could reasonably be used to identify a residential customer, family, household, residence, or nonresidential customer. Covered Information does not include information provided to the California Public Utilities Commission pursuant to its oversight responsibilities. SCE engaged KPMG to conduct an independent assessment of the Company's Covered Information privacy and security processes, controls, and practices in conjunction with general rate case proceedings.[1] This report represents the results of KPMG's assessment.

Scope

The scope of KPMG's assessment was limited to systems and Organizational Units (OUs) collecting, processing, storing, or disclosing Covered Information. The scope does not cover an assessment of SCE's practices, procedures, and controls to safeguard employee or contractor PII other than Covered Information.

To perform the review, KPMG used an assessment framework comprised of multiple criteria based on various industry-leading standards. We mapped the Assessment Framework criteria to the nine (9) Rules in the Privacy Decisions and used the framework to perform the assessment of SCE's privacy and security practices, procedures, and controls to safeguard Covered Information.

[1] The independent privacy and security practices assessment is not intended to be an audit, examination, attestation, special report or agreed-upon procedures engagement as those services are defined in American Institute of Certified Public Accountants (AICPA) literature applicable to such engagements. Accordingly, these services will not result in the issuance of a written communication to third parties by KPMG directly reporting on financial data or internal control or expressing a conclusion, an opinion, or any other form of assurance.


— The Covered Information Privacy and Security Practices Assessment was based on KPMG’s review and understanding of the practices, procedures, and controls in place from January 1, 2018 through December 31, 2018.

— The Exceptions and recommendations were based on our review of policy/procedure documents, stakeholder interviews, inspection of sample communications to customers and third parties, Covered Information access reports, system security profiles, and site walkthroughs.

— KPMG conducted interviews with personnel from various OUs including Account Management, Billing Operations, Corporate Affairs, Corporate Security, Credit & Payment Services, Customer & Operational Services, Customer Contact Center, Customer Programs & Services, Data Center, EIX Risk Management Group, Ethics & Compliance, Human Resources, Information Technology, Legal, Power Supply, Regulatory Affairs, and Transmission & Distribution.

— KPMG assessed the design and implementation of privacy and security controls followed by an assessment of the operating effectiveness of key implemented controls.

The nine (9) Rules noted in the Privacy Decision are listed below.

Rule 1 Definitions

Rule 2 Transparency (Notice)

Rule 3 Purpose Specification

Rule 4 Individual Participation (Access and Choice)

Rule 5 Data Minimization

Rule 6 Use and Disclosure Limitation

Rule 7 Data Quality and Integrity

Rule 8 Data Security

Rule 9 Accountability and Auditing


Summary of exceptions

KPMG has noted 2 Exceptions. (Exceptions are areas where SCE's program may not be fully prepared to meet compliance with the Privacy Decisions' requirements, as measured against KPMG's Assessment Framework, developed to test controls around Covered Information identified in the Rules.) The Exceptions are shown below along with the recommendations associated with each Exception. There were 2 Low-Risk Exceptions, 0 Medium-Risk Exceptions, and 0 High-Risk Exceptions. SCE remediated 1 Low-Risk Exception prior to the finalization of the assessment report. The risk rating methodology is based on the following definitions:

Risk level   Description
High         Issue poses a significant risk of data breach of Covered Information and/or a significant deviation from the CPUC Privacy Decisions.
Medium       Inconsistent implementation of policies and procedures that may impact the ability of SCE to protect Covered Information and/or achieve adequate alignment with the CPUC Privacy Decisions.
Low          Procedures or practices supporting the protection of Covered Information and alignment with the CPUC Privacy Decisions may not be formally defined or documented.

For more details associated with each Rule, see the Rule Assessment Results, Exceptions and Recommendations and Appendix I – Detailed Assessment Procedures and Results.

Rule | Risk level | Exceptions noted | KPMG recommendations

CPUC Rule 1, Definitions | - | - | N/A

CPUC Rule 2, Transparency (Notice) | Low | Although a contact telephone number and mailing address are provided to customers in the online Privacy Notice, a contact email address is not included where SCE customers can contact SCE with privacy questions, concerns, or complaints as required by the Privacy Decision. | SCE remediated this Exception prior to the finalization of the assessment report. SCE acknowledged that the contact email address, as required by the Privacy Decision, was removed from the Privacy Notice when the Privacy Notice was updated in 2018. SCE added the contact email address to the English version of these notices on 5/1/2019 and added the email address to the non-English versions on 5/24/2019.

CPUC Rule 3, Purpose Specification | - | - | N/A

CPUC Rule 4, Individual Participation (Access and Choice) | - | - | N/A

A6

Page 93: Environmental Services, Audit, Ethics and Compliance, and Safety Programs Before the Public Utilities Commission, Rosemead, California

KPMG Draft Report to Southern California Edison

CPUC Rule 5, Data Minimization | - | - | N/A

CPUC Rule 6, Use and Disclosure Limitation | - | - | N/A

CPUC Rule 7, Data Quality and Integrity | - | - | N/A

CPUC Rule 8, Data Security | Low | Current SCE security standards do not require all systems containing Covered Information to routinely undergo security risk assessments unless they are subject to a major upgrade or enhancement. This can result in systems going an extended period of time without an updated risk assessment if they do not trigger the formal requirement per the existing standard. | SCE should revise its existing security standards to require routine security risk assessments on all systems containing Covered Information, even if they have not recently undergone a major upgrade or enhancement.

CPUC Rule 9, Accountability and Auditing | - | - | N/A


Project approach and methodology

KPMG approached the Assessment in three (3) phases: Assess, Validate, and Report.

— Assess – KPMG developed an Assessment Framework to review SCE’s privacy and security practices based on the nine (9) Rules comprising the Privacy Decisions. KPMG identified controls for each Rule’s requirements and performed procedures to assess the Design and Implementation and Operating Effectiveness of program policies and procedures, and to identify any noted Exceptions to those controls. Given the similarity between the Rules and the Generally Accepted Privacy Principles (GAPP) framework promulgated by the American Institute of Certified Public Accountants (AICPA) and CPA Canada, KPMG leveraged GAPP as a baseline to develop its assessment procedures. KPMG worked with the SCE Ethics and Compliance and Law Organizational Units to identify relevant stakeholders, reviewed the organizational structure to identify business groups where Covered Information may reside, reviewed the current IT landscape to identify systems and applications that collect, store, or process Covered Information, and documented existing system profiles for those systems and applications. As part of its assessment, KPMG performed a variety of interviews with stakeholders representing various Organizational Units. KPMG interviewed 45 unique personnel, submitted approximately 180 document requests, reviewed more than 350 documents and 13 system assessments, and performed four (4) site walkthroughs of critical SCE facilities (Customer Contact Center, Data Center, Bill Payment and Credit Operations Center, and Usage and Billing Center) to observe the safeguards in place to protect Covered Information.

— Validate – KPMG validated draft observations throughout the Assessment phases with the SCE Privacy team, relevant IT and business stakeholders, and SCE leadership.

— Report – KPMG developed a final report providing Exceptions and recommendations and incorporated SCE’s Management Response to the noted Exceptions.

[Figure: the three assessment phases, Assess, Validate, Report]


Rule assessment results, exceptions and recommendations

For each risk identified, KPMG reviewed the risk and assigned a risk rating of High, Medium, or Low to each Exception based on the potential impact the Exception could have as it relates to the protection of Covered Information. The risk rating methodology used the following definitions:

High: Issue poses a significant risk of data breach of Covered Information and/or a significant deviation from the CPUC Privacy Decisions.

Medium: Inconsistent implementation of policies and procedures that may impact the ability of SCE to protect Covered Information and/or achieve adequate alignment with the CPUC Privacy Decisions.

Low: Procedures or practices supporting the protection of Covered Information and alignment with the CPUC Privacy Decisions are not formally defined or documented.

KPMG notes 2 specific Exceptions, comprising 2 Low-Risk Exceptions, 0 Medium-Risk Exceptions, and 0 High-Risk Exceptions. SCE remediated 1 Low-Risk Exception prior to the finalization of the assessment report. The Exceptions identify areas where SCE’s program is not fully prepared to meet requirements under the Privacy Decisions.

The following tables provide a summary of the criteria that KPMG applied in the assessment of each of the nine (9) Rules of the Privacy Decisions, the overall assessment results of the set of criteria evaluated, and relevant Exceptions (if any) along with level of risk, risk implication and recommendation.


Rule 2: Transparency (Notice)

KPMG assessment procedures

KPMG assessed SCE’s overall customer notice program focusing on:

— Review of internal and customer-facing Privacy Policies and Privacy Notice that address SCE’s practices and procedures related to the collection, processing, storage, and disclosure of Covered Information;

— Interviews with SCE personnel and review of methods and frequency for providing customers with the Privacy Notice;

— Performance of site walkthroughs at the Customer Contact Center to observe an SCE Energy Advisor interacting with customers and discussing their Covered Information.

Results summary SCE provides its external-facing Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information (Privacy Notice) on its website, detailing the manner in which the Company collects, stores, shares, and protects Covered Information and the methods by which customers can access their data. The Privacy Notice includes a contact telephone number and mailing address where customers can contact SCE with complaints, inquiries, and disputes regarding their Covered Information and SCE’s Privacy Notice. SCE also provides its Privacy Notice to newly registered customers as part of a welcome package, and annually thereafter in a bill insert. Customers can also find relevant notices archived on the website.

Exception Although a contact telephone number and mailing address are provided to customers in the Privacy Notice, a contact email address is not included where customers can contact SCE with privacy questions, concerns, or complaints as required by the Privacy Decision.

Risk level Low

Risk implication SCE’s customers do not have a contact email address where customers can contact SCE with privacy questions, concerns or complaints as required by the Privacy Decision.

Recommendation SCE remediated this Exception prior to the finalization of the assessment report.

SCE acknowledged that the contact email address, as required by the Privacy Decision, was removed from the Privacy Notice when the Privacy Notice was updated in 2018.

SCE added the contact email address to the English version of these notices on 5/1/2019 and added the email address to the non-English versions on 5/24/2019.


Rule 3: Purpose Specification

KPMG assessment procedures

KPMG assessed SCE’s specification of the purposes focusing on:

— How SCE specifies the reasons for which it collects, discloses, retains, and provides access to Covered Information;

— Review of the SCE Privacy Notice and other policies and procedures and interviews with stakeholders to understand the determination and specification of information and third party categories;

— Examination of whether the Privacy Notice included a description of how customers could access and control their Covered Information collected, processed, stored, and disclosed by SCE.

Results summary SCE has documented policies and procedures outlining the acceptable purposes for which Covered Information may be collected, stored, used, and shared. These include detailed policies regarding both primary and secondary purposes. Covered Information is not disclosed for secondary purposes, per Company policy, without customer authorization. SCE’s Privacy Notice includes the categories of third parties with which SCE may share Covered Information, and circumstances under which that information may be shared.

SCE has implemented internal policies in addition to a dedicated Third Party service desk with a trained team of employees who are instructed to determine the veracity and propriety of third party requests, and the relevant customer consent forms, prior to disclosing Covered Information.

Exception No Exceptions noted

Risk level -

Risk implication -

Recommendation -


Rule 4: Individual Participation (Access and Choice)

KPMG assessment procedures

KPMG assessed SCE’s customer-facing program focusing on:

— Internal and external policies and procedures to provide customers with access and consent mechanisms related to their Covered Information;

— Review of customer portals, stakeholder interviews, and walkthroughs of the Customer Contact Center and other locations where SCE Energy Advisors interact with customers with respect to their Covered Information;

— Review of customer authorization forms to understand how customers can grant and revoke authorization for secondary uses of their Covered Information;

— Examination of the process in place to disclose Covered Information pursuant to legal processes and in situations of imminent threat to life or property. Test procedures included review of policies and procedures for tracking these requests and the subsequent notice provided to customers and interviews with SCE stakeholders in relevant business functions.

Results summary SCE provides customers with multiple methods to access their Covered Information, including detailed electric usage amounts viewed electronically via the SCE My Account website, and average daily and overall monthly usage amounts viewed on monthly bill statements. Customers may contact SCE through phone, web or mail with questions or concerns regarding their monthly bills. SCE Energy Advisors authenticate customers and validate their account information when answering calls prior to addressing customers’ questions or concerns.

With implementation of the Green Button initiative, customers are able to download up to 13 months of their Covered Information and share such data with third parties for analysis. Internal guidelines for SCE employees who interact with customers are in place addressing how to provide customers with access to their Covered Information.

SCE has processes and procedures in place for customers to grant and revoke authorization to third parties using an Authorization Form. Customer-facing policies and notices indicate SCE may disclose Covered Information if it is necessary to provide energy services, to comply with relevant laws, to respond to subpoenas or warrants, or to provide emergency responders with pertinent information in the case of imminent threat to life or property. Per SCE’s 2018 Annual Privacy Report SCE received zero (0) demands to disclose Covered Information pursuant to legal process and zero (0) requests for Covered Information due to imminent threat to life or property.

Exception No Exceptions noted

Risk level -

Risk implication -

Recommendation -


Rule 5: Data Minimization

KPMG assessment procedures

KPMG assessed SCE’s adoption of Data Minimization principles in the collection, use, and disclosure of Covered Information focusing on:

— Corporate and department-specific policies and procedures to understand how Covered Information is segregated from other systems;

— How user access to Covered Information is limited based on business need;

— How records and assets are retained for only as long as reasonably necessary;

— Proper disposal of records upon their eligibility for disposition;

— How Data Minimization principles were adopted as part of third party disclosure practices.

Results summary SCE has implemented the Data Minimization principle as a foundational component to its overall privacy framework, and has documented policies and procedures limiting the amount of information collected, stored, and retained; the number and level of employees who have access to Covered Information; and the categories of third parties with whom it is shared. The Privacy Compliance team reinforces data minimization through various training and awareness campaigns, and employee compliance with relevant policies and procedures is routinely reviewed.

Exception No Exceptions noted.

Risk level -

Risk implication -

Recommendation -


Rule 6: Use and Disclosure Limitation

KPMG assessment procedures

KPMG assessed SCE’s Third-Party Management Program focusing on:

— Review of processes in place for disclosure of Covered Information to third parties. Third party is defined to include suppliers and contractors;

— Review of procedures and forms for customers to authorize and revoke a third party to receive Covered Information on behalf of the customer;

— Examination of third party management policies and procedures and interview of stakeholders to understand how SCE implements practices and procedures based on the categories of third parties (i.e., Primary Purpose and Secondary Purpose);

— Review of the third party contract management process including onboarding, contract compliance reviews, and contract termination;

— Review of third parties’ (suppliers, vendors, contractors and consultants) risk management documentation;

— Review of data transmission protocols and ongoing monitoring of third parties for compliance with SCE policies and contractual provisions.

Results summary SCE has processes in place to allow customers to share their Covered Information with third parties. SCE has formal internal procedures to manage customer requests of disclosure to third parties, which include forms for explicit customer authorization and forms to revoke such authorization. Customers may also authorize third parties to access Covered Information through the Green Button Connect program. SCE has internal third party management policies and informs third parties about data privacy requirements. Third parties are contractually obligated, per their contract clauses, to maintain the privacy of the information shared. Third parties who receive access to Covered Information are required to self-attest annually that they provide training to their employees who access or handle SCE Covered Information.

Exception No Exceptions noted

Risk level -

Risk implication -

Recommendation -


Rule 7: Data Quality and Integrity

KPMG assessment procedures

KPMG assessed SCE’s Data Validation methods and procedures focusing on:

— Review of how SCE validates the quality and integrity of Covered Information;

— Examination of the Advanced Meter systems and infrastructure to understand how usage data is managed and reconciled;

— Review of policies and procedures and interviews with stakeholders to understand how SCE provides customers with the opportunity to modify or remove other data elements collected by the Company.

Results summary SCE has policies in place that address the confirmation, validation, and relevance of customer information. The Privacy Notice provides customers with details to contact the company by phone, email or mail should they need to view and update their information. SCE’s My Account Online Services Terms and Conditions indicates it is the customers’ responsibility to ensure their Personal Information is updated and accurate.

System checks and manual processes are in place to validate energy usage reads and perform edits to help ensure completeness and accuracy of usage data prior to billing the customer.

Exception No Exceptions noted.

Risk level -

Risk implication -

Recommendation -


Rule 8: Data Security

KPMG assessment procedures

KPMG assessed SCE’s physical and Cybersecurity measures to protect Covered Information focusing on:

— Review of Cybersecurity policies, procedures, and measures related to: Endpoint Security, the Network environment, Firewalls, Network Access Control, Mobile Security, Patch Management, Vulnerability Management, Business Continuity, System Change Control, Privileged Access, Third Party Access, and Data Classification;

— Performance of site walkthroughs at critical SCE locations focusing on the physical and technical security of Covered Information at these key areas: Customer Contact Center, Data Center, Usage and Billing Center, Billing Payment & Credit Operations Center;

— Review a sample of in-scope systems for system configuration requirements and system settings related to: System Access, Access Management, Logging and Monitoring of changes to customer data, Masking of sensitive data in production and development environments;

— Review of SCE’s Incident Response/Breach Management Program and interviews of stakeholders who are responsible and/or accountable in the response to a potential incident involving Covered Information including communications to regulators and impacted customers;

— Examination of evidence of tools deployed in the environment to detect and analyze potential threats to Covered Information.

Results summary SCE has established an Information Security Program and organization that is responsible for the design and implementation of both physical and logical information security controls to protect Covered Information. Formal policies and procedures have been established and implemented that address specific administrative, physical and technical controls to protect Covered Information. Monitoring procedures are in place to detect and address non-compliance with policies and procedures. Various technical controls have been implemented to prevent and detect network security breaches and unauthorized access to systems containing Covered Information. A process is also in place to report and track potential security incidents to help ensure they are resolved and measures are implemented to prevent similar events from occurring into the future.

Exception Current SCE security standards do not require all systems containing Covered Information to routinely undergo security risk assessments unless they are subject to a major upgrade or enhancement. This can result in systems going an extended period of time without an updated risk assessment if they do not trigger the formal requirement per the existing standard.

Risk level Low

Risk implication Unknown application vulnerabilities may exist in the production environment that can be exploited to enable unauthorized access or theft of data.

Recommendation SCE should revise its existing security standards to require routine security risk assessments on all systems containing Covered Information, even if they have not recently undergone a major upgrade or enhancement.
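In practice the Rule 8 Exception comes down to which systems an inventory check flags as due for assessment. The following is an added example, not code from the KPMG report or from SCE, that models the two policies side by side on a constructed inventory: the trigger-only rule the Exception describes (assess only after a major upgrade or enhancement) and the routine cadence the recommendation asks for. The system names, dates, the assessment date and the 365-day cadence are assumptions made for illustration; it also shows the case the Exception does not spell out, a system that has never been assessed and never upgraded, which a trigger-only rule never flags.

```python
"""Risk-assessment due-date check for systems holding Covered Information.

Added example; not part of the KPMG report or SCE's security standard.
It contrasts a trigger-only assessment rule with a routine cadence over a
constructed inventory. Names, dates and the cadence are illustrative only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SystemRecord:
    name: str
    holds_covered_info: bool
    last_assessment: Optional[date]     # None = never assessed
    last_major_change: Optional[date]   # None = no major upgrade/enhancement on record


# A policy answers: does this system need a risk assessment as of `today`?
Policy = Callable[[SystemRecord, date], bool]


def due_trigger_only(s: SystemRecord, today: date) -> bool:
    """Trigger-based rule, as the Exception describes the existing standard:
    an assessment is required only when a major upgrade or enhancement
    post-dates the last assessment. `today` is unused here; it is kept so both
    policies share one signature. A system that is never upgraded (or never
    assessed and never upgraded) is never flagged by this rule."""
    if not s.holds_covered_info or s.last_major_change is None:
        return False
    return s.last_assessment is None or s.last_major_change > s.last_assessment


def due_routine(s: SystemRecord, today: date,
                cadence: timedelta = timedelta(days=365)) -> bool:
    """Recommended rule: keep the upgrade trigger, and additionally require an
    assessment whenever the last one is older than `cadence` or missing.
    The 365-day cadence is an assumed value, not one taken from the report."""
    if not s.holds_covered_info:
        return False
    if due_trigger_only(s, today):
        return True
    return s.last_assessment is None or today - s.last_assessment > cadence


def overdue_systems(inventory: List[SystemRecord], today: date,
                    policy: Policy) -> List[str]:
    """Names of systems the given policy flags, sorted for stable comparison."""
    return sorted(s.name for s in inventory if policy(s, today))


def missed_by_trigger_rule(inventory: List[SystemRecord], today: date) -> List[str]:
    """Systems the routine cadence flags but the trigger-only rule does not:
    exactly the population the Exception is concerned with."""
    routine = set(overdue_systems(inventory, today, due_routine))
    trigger = set(overdue_systems(inventory, today, due_trigger_only))
    return sorted(routine - trigger)


# Constructed inventory (illustrative names and dates, not SCE systems).
ASSESSMENT_DATE = date(2019, 7, 26)  # assumed "today"; matches the report date
SAMPLE_INVENTORY = [
    # stable system, last upgraded before its last assessment: trigger never fires
    SystemRecord("billing-core", True, date(2016, 3, 1), date(2015, 11, 1)),
    # upgraded after its last assessment: both rules flag it
    SystemRecord("green-button-api", True, date(2018, 9, 1), date(2019, 2, 15)),
    # recently assessed, no upgrade on record: neither rule flags it
    SystemRecord("usage-mdm", True, date(2019, 1, 10), None),
    # never assessed and never upgraded: only the routine cadence flags it
    SystemRecord("contact-center-crm", True, None, None),
    # out of scope: holds no Covered Information
    SystemRecord("fleet-telematics", False, None, None),
]


if __name__ == "__main__":
    for label, policy in (("trigger-only", due_trigger_only), ("routine", due_routine)):
        print(f"{label:12s}: {overdue_systems(SAMPLE_INVENTORY, ASSESSMENT_DATE, policy)}")
    print(f"missed      : {missed_by_trigger_rule(SAMPLE_INVENTORY, ASSESSMENT_DATE)}")
```

The trigger-only rule flags only `green-button-api`; the routine rule also catches the long-stable `billing-core` and the never-assessed `contact-center-crm`. Whatever cadence a revised standard adopts, the useful property is that the check is driven by the system inventory and the last assessment date, not by whether a change request happened to be raised.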


Rule 9: Accountability and Auditing

KPMG assessment procedures

KPMG assessed SCE’s overall Customer Data Privacy and Cybersecurity program, focusing on:

— Review of documentation supporting each program as well as SCE’s communication of these policies to both employees and contractors;

— Review of the process to receive, track and resolve customer complaints, disputes, and inquiries related to the protection of Covered Information. Test procedures included a review of internal procedures, interviews with stakeholders involved in the Complaints process, and a walkthrough of the Customer Contact Center;

— Examination of employee training and awareness associated with the protection of Covered Information. This assessment included a review of enterprise-wide and targeted training materials provided to SCE employees and third party contractors collecting, handling, storing, or transmitting Covered Information. Additionally, KPMG observed training compliance logs maintained for the privacy training and attestations provided by third parties regarding compliance with SCE training requirements.

Results summary SCE has developed company and department policies addressing the proper safeguarding of Covered Information. The Company has a dedicated Privacy Compliance Program Senior Advisor who provides executive and management support, oversight, and visibility to key program metrics and performance indicators. In addition, the Privacy Compliance Program Senior Advisor collaborates with appropriate Organizational Units when working to finalize policies and procedures to protect Covered Information.

We also noted that a process exists to respond to complaints and inquiries levied by customers related to customer privacy.

Company-wide privacy training has been implemented and a targeted Covered Information training is provided to employees who access Covered Information. Additionally, road shows as well as data privacy and security trainings, have been rolled out to employees accessing Covered Information and are tracked for SCE employees.

Third parties are contractually obligated per their contract clauses to maintain the privacy of the information shared. Third parties who receive access to Covered Information are required to self-attest annually to SCE that they provide training to their employees who access or handle SCE Covered Information.

Exception No Exceptions noted.

Risk level -

Risk implication -

Recommendation -


SCE’s Management Response to CPUC Covered Information Privacy and Security Assessment Report


July 26, 2019

Doron Rotman
Engagement Managing Director
KPMG LLP
355 South Grand Avenue, STE 2000
Los Angeles, CA 90071-1568

Re: Southern California Edison Company’s Response to KPMG Audit Report on CPUC Smart Grid Data Privacy and Security Practices Assessment Report Dated July 26, 2019

Dear Mr. Rotman:

On behalf of Southern California Edison Company (“SCE”), we appreciate your conducting our third external, triennial assessment of SCE’s CPUC Smart Grid Data Privacy and Security Practices. As you are aware, this engagement was conducted in order for SCE to meet the requirement to assess our compliance with the rules described in the Smart Grid Data Privacy Decisions (D.11-07-056 and D.12-08-045). We appreciate your team’s thoroughness and professionalism throughout our assessment. SCE reviewed the open observation contained in KPMG’s Assessment Report issued on July 26, 2019 and provides the attached response.

Best Regards,

/s/ J.P. Shotwell

James P. Scott Shotwell

Director, Corporate Compliance & Information Governance

Attachment


CPUC Rule Number | Exceptions Noted By KPMG | SCE Management’s Response

CPUC Rule 8, Data Security | Current SCE security standards do not require all systems containing Covered Information to routinely undergo security risk assessments unless they are subject to a major upgrade or enhancement. This can result in systems going an extended period of time without an updated risk assessment if they do not trigger the formal requirement per the existing standard. | SCE will review its existing security standard regarding the frequency of conducting risk assessments for IT supported systems containing Covered Information, even if they have not undergone a major upgrade or enhancement, and consider enhancing the standard.


Appendix I – Detailed assessment procedures and results

CPUC RULE 2 – Transparency (Notice)

Overall assessment result: Exception noted; SCE remediated this exception prior to the finalization of the assessment report. Although a contact telephone number and mailing address are provided to customers in the online Privacy Notice, a contact email address is not included where customers can contact SCE with privacy questions, concerns, or complaints as required by the Privacy Decision. SCE acknowledged that the contact email address, as required by the Privacy Decision, was removed from the Privacy Notice when the Privacy Notice was updated in 2018. SCE added the contact email address to the English version of these notices on 5/1/2019 and added the email address to the non-English versions on 5/24/2019.

CPUC Rule 2 rule description (when provided): Covered entities shall provide written notice when confirming a new customer account and at least once a year shall inform customers how they may obtain a copy of the covered entity’s notice regarding the accessing, collection, storage, use, and disclosure of Covered Information and shall provide a conspicuous link to the notice on the home page of their website, and shall include a link to their notice in all electronic correspondence to customers.


Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has documented policies addressing the provision of notice to customers of SCE’s data collection and handling techniques.

1.a. Reviewed Privacy Compliance Program Manual and noted that the SCE Privacy Compliance Program is based on the Fair Information Practice Principles and addresses Notice/Awareness: "Notices are periodically reviewed with stakeholder(s) to ensure they are current. At a minimum, the notice informs users about: what information may be collected, the purpose of collection, how the information may be used, to whom the information may be disclosed and shared, individuals' rights to access or correct their records, if applicable; and methods to contact the Company."

1.b. Reviewed the CPUC Smart Grid Privacy Decision Tracking document and noted that Privacy Compliance identified that the SCE Privacy Notice shall provide an explicit description of: “(1) each category of [C]overed [I]nformation collected, used, stored or disclosed by the covered entity, and, for each category of [C]overed [I]nformation, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, (2) each category of [C]overed [I]nformation that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and (3) the identities of those third parties to whom data is disclosed for secondary purposes, and the secondary purposes for which the information is disclosed; b. the approximate period of time that [C]overed [I]nformation will be retained by the covered entity; c. a description of: (1) the means by which customers may view, inquire about, or dispute their [C]overed [I]nformation, and (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of [C]overed [I]nformation and the consequences to customers if they exercise such limits.”

1.c. Reviewed Rule 25 Tariff Application Guide and noted that it provides guidance to SCE employees on

a. what Covered Information is,

b. an explanation of primary and secondary uses,

c. how notice is provided to customers, and what the notice must include,

d. how customers can control their energy usage data,

e. how SCE should collect, store, use, and disclose only as much Covered Information as is reasonably necessary.

1.d. Visited Company website and noted that the words “PRIVACY NOTICE” appear in all capital letters at the bottom of every SCE webpage; clicking on it brings the user to the Privacy Notice, which has an explanation of how SCE protects Personal Information.

2. Assess whether a procedure exists to assess whether new customers receive notice of the Company’s privacy policy upon registration and annually thereafter. In addition, a procedure exists to track prior iterations of the privacy policy.

2.a. Reviewed Privacy Compliance Program Manual and noted that the SCE Privacy Compliance Program is based on the Fair Information Practice Principles and addresses Notice/Awareness: "Notices are periodically reviewed with stakeholder(s) to ensure it is current. At a minimum, the notice informs users about: What information may be collected, the purpose of collection, how the information may be used, to whom the information may be disclosed and shared, individuals' rights to access or correct their records, if applicable; and methods to contact the Company."

2.b. Reviewed the CPUC Smart Grid Privacy Decision Tracking document and noted that Privacy Compliance identified that SCE shall provide the customer written notice when establishing electrical services. At least once a year SCE shall inform customer how they may obtain a copy of their usage information regarding the accessing, collection, storage, use, and disclosure. SCE shall provide a link to the data privacy notice on the home page of their website and link to their notice in all electronic correspondence to customers.

3. Assess whether SCE provides notice to customers on an annual basis and when signing up new customers as required by the CPUC regulation.

3.a. Met with Privacy Compliance Program Senior Advisor and learned that customers receive notice of the Company’s Privacy Notice of Accessing, Collecting, Storing, Using, and Disclosing Energy Usage Information (“Privacy Notice”) upon establishing electrical services and annually thereafter. All changes made to the Privacy Notice are informed through this annual communication. The Privacy Notice is also available on SCE’s website.

3.b. Reviewed the CPUC Smart Grid Data Privacy Decision Requirements Tracking sheet and noted that “SCE shall provide the customer written notice when confirming a new customer account. At least once a year SCE shall inform customer how they may obtain a copy of their usage information regarding the accessing, collection, storage, use, and disclosure.”

3.c. Reviewed the 2018 New Customer Welcome Letter and noted that it contains the web address where customers can find the Privacy Notice online.

3.d. Reviewed the 2018 Annual Bill Insert and noted that it contains the web address where customers can find the Privacy Notice online.


CPUC Rule 2c(1)-(2). Rule description. When provided: The notice shall be labeled Notice of Accessing, Collecting, Storing, Using and Disclosing Energy Usage Information and shall (1) be written in easily understandable language, and (2) be no longer than is necessary to convey the requisite information.

Assessment procedures Assessment test results Exceptions

1. Review SCE’s methods for providing customers notice about their privacy and accessing the privacy notice.

1.a. See CPUC Rule 2b for Test Results.

2. Assess whether a procedure exists to review the readability of the privacy notice and make updates based on customer feedback related to readability and content.

2.a. Reviewed the CPUC Smart Grid Privacy Decision Tracking document and noted that SCE “shall provide to customers upon request convenient and secure access to their Covered Information: (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties. (2) The Commission shall, by subsequent rule, prescribe what is a reasonable time for responding to customer requests for access.”

2.b. Reviewed SCE’s Privacy Notice and noted that it includes contact information where customers can ask questions and provide concerns regarding the Privacy Notice. The contact information includes a mailing address directed to the Chief Ethics & Compliance Officer, a Residential Customers phone number (1-800-655-4555) and Business Customers phone number (1-800-990-7788).

3. Assess whether SCE’s Privacy Notice is written in an easy-to-understand language.

3.a. Reviewed Privacy Notice and noted it is written at a 16th grade Flesch-Kincaid reading level (i.e. best understood by those with four years of university-level training).

3.b. Noted that the Privacy Notice is available in Spanish, Korean, Vietnamese and Chinese in addition to English, and contact information is available to customers for comments, questions or concerns.


CPUC Rule 2d(1)-(4). Rule description. Content: The notice and the posted privacy policy shall state clearly (1) the identity of the covered entity, (2) the effective date of the notice or posted privacy policy, (3) the covered entity’s process for altering the notice or posted privacy policy, including how the customer will be informed of any alterations, and where prior versions will be made available to customers, and (4) the title and contact information, including email address, postal address, and telephone number, of an official at the covered entity who can assist the customer with privacy questions, concerns, or complaints regarding the collection, storage, use, or distribution of Covered Information.

Assessment procedures Assessment test results Exceptions

1. Understand the procedures in place to identify covered entities and assess whether the effective date is indicated in the relevant documentation.

1.a. Reviewed Rule 25 Tariff Application Guide and noted that it provides guidance to SCE employees on the definition of Covered Entity as:

(1) SCE and its third parties

(2) any third party who accesses, collects, stores, uses or discloses Covered Information pursuant to an order of the Commission, unless specifically exempted, who obtains this information from SCE

(3) any third party, when authorized by the customer, that accesses, collects, stores, uses, or discloses Covered Information relating to 11 or more customers who obtains this information from SCE.

1.b. Reviewed the Privacy Notice and the Website Privacy Notice online and noted that both include an effective date; both effective dates are in February 2019. Reviewed the prior version of the Privacy Notice and noted that it includes an effective date of January 31, 2018. Both the current and prior versions of the Privacy Notice include language indicating that SCE is covered by the notice.

1.c. Reviewed SCE's Privacy Notice online and noted that it has a section informing customers how to access SCE's past and current Privacy Notices. Customers may call SCE or view them online on SCE’s website. The annual Privacy Notices that were in effect from 2012 through 2019 are available online on SCE's website.

2. Understand how the regulatory requirements, management review and approval process works, including potential alterations of the privacy policies.

2.a. Reviewed the Privacy Compliance Program Manual and noted that the Privacy Compliance Program Senior Advisor intakes applicable privacy requirements impacting the Company's business in an online, central repository, seeking the Legal Department's interpretation, and initiating control development to the appropriate Compliance Lead. All applicable privacy laws, regulations and associated controls are documented in the centralized repository. In addition, the manual noted that the Privacy Compliance Program Senior Advisor is responsible for developing, implementing, and maintaining enterprise-wide privacy-focused policies and procedures complying with statutory mandates and industry regulations.

2.b. Met with Privacy Compliance Program Senior Advisor and was informed that the company also uses the online centralized repository compliance tracking system to identify and track privacy compliance requirements. The Privacy Compliance Program Senior Advisor will work with the Legal Department to interpret regulatory requirements and use the tracking system to assign control owners that are responsible for implementing the requirements. Each impacted Organizational Unit (OU) shall establish specific procedures or controls assigning ownership over the management of Personal Information, which is maintained in the online centralized repository. In addition, the Privacy Compliance Program Senior Advisor is a centralized function within SCE that establishes centralized guidelines that the OU must implement.

2.c. Met with Senior Attorney, Legal Department, and were informed that she is the attorney assigned to Privacy regulations and works with the Privacy Compliance Program Senior Advisor when a new change is required to controls and privacy policies.

3. Inspect original and revision dates of policies to assess if actual updates/edits are made before approvals.

3.a. Met with SCE’s Privacy Compliance Program Senior Advisor and Senior Attorney, Legal Department, and were informed that on at least an annual basis, the Privacy Compliance Program Senior Advisor initiates a review with the appropriate stakeholders. However, changes to the notices may occur more frequently based on changing business conditions. Once redlined changes are made, the Privacy Compliance Program Senior Advisor forwards them to the Legal Department for review and approval. Upon the Legal Department's approval, the notice(s) are forwarded to Corporate Communications for translation into the four non-English languages offered on SCE.com. The English notice and the four translated notices are provided to the SCE.com web team, which posts them.

3.b. The Privacy Compliance Program Senior Advisor and Senior Attorney, Legal Department, both stated that they reviewed and approved the Privacy Notice updates in January 2018 and again in February 2019 in advance of providing the annual notice to customers.

3.c. Observed redline edits and comments on the existing Privacy Notice that were implemented in advance of providing the annual notice to customers.

3.d. Reviewed the Privacy Notice on the company website and observed the notice effective date and links to previous versions of the Privacy Notice that have been superseded over time.

4. Assess how SCE informs customers of any alterations to the Privacy Notice and where prior versions will be made available to customers.

4.a. Reviewed SCE’s online Privacy Notice and noted that it informs customers that SCE will periodically update the Privacy Notice on SCE.com, and customers are recommended to periodically review the Privacy Notice to find out if any changes have been made since their last visit to the website. The Privacy Notice also informs customers that they will be reminded annually in a utility bill statement about how to obtain a copy of the Privacy Notice. The website also provides customers with a telephone number ((800) 655-4555 for Residential Customers or (800) 990-7788 for Business Customers) where individuals can request a current or prior version of the Privacy Notice, and a link is provided on the webpage to a page that contains prior versions of the Privacy Notice.

5. Observe whether SCE’s Privacy Notice identifies the title and contact information (including email address, postal address and telephone number) of an official at SCE, who can assist the customer with potential privacy questions, concerns, or complaints.

5.a. Reviewed SCE’s online Privacy Notice and noted that it provides customers with the telephone number (Residential Customers phone number (1-800-655-4555) and Business Customers phone number (1-800-990-7788)) and postal address of Chief Ethics & Compliance Officer who can help with questions, concerns, and disputes regarding privacy.

Exception: Although a contact telephone number and mailing address are provided to customers in the online Privacy Notice, a contact email address is not included where customers can contact SCE with privacy questions, concerns, or complaints as required by the Privacy Decision.

SCE remediated the Exception prior to the finalization of the assessment report.

SCE acknowledged that the contact email address, as required by the Privacy Decision, was removed from the Privacy Notice when the Privacy Notice was updated in 2018. SCE added the contact email address to the English version of these notices on 5/1/2019 and added the email address to the non-English versions on 5/24/2019.

6. Assess whether a specific person or group within SCE is responsible or accountable for privacy and security policy development, implementation, monitoring, enforcement and updating.

6.a. Reviewed the Privacy Compliance Program Manual and noted that the Privacy Compliance Program Senior Advisor is responsible for developing, implementing, and maintaining enterprise-wide privacy-focused policies and procedures complying with statutory mandates and industry regulations.

6.b. Met with Privacy Compliance Program Senior Advisor and were informed that the Privacy Compliance Program Senior Advisor is responsible for privacy-focused policies and will work with the Senior Attorney, Legal Department, assigned to Privacy regulations to identify any required changes and update the policy.


6.c. Reviewed the CPUC Smart Grid Data Privacy Decision Requirements Tracking sheet and noted that the Privacy Compliance Program Senior Advisor is responsible for developing, coordinating, and implementing a consistent set of privacy and security rules, and related customer information request forms as adopted in the Privacy Decision.


CPUC RULE 3 – Purpose specification. Overall assessment result: No exceptions noted.

CPUC Rule 3a(1)-(3). Rule description. Categories of information: (1) Each category of Covered Information collected, used, stored or disclosed by the covered entity, and, for each category of Covered Information, the reasonably specific purposes for which it will be collected, stored, used, or disclosed, (2) each category of Covered Information that is disclosed to third parties, and, for each such category, (i) the purposes for which it is disclosed, and (ii) the categories of third parties to which it is disclosed, and (3) the identities of those third parties to whom data is disclosed for Secondary Purposes, and the Secondary Purposes for which the information is disclosed.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice documents the (1) categories and purposes of Covered Information collected, used, stored or disclosed, (2) each category of Covered Information that is disclosed to third parties and purpose of disclosure, and (3) the identities of those third parties with whom Covered Information is shared for Secondary Purposes.

1.a. Reviewed the Privacy Notice and the Website Privacy Notice online and noted that they provide the following information:

— Why SCE Collects Energy Usage Information

— Disclosure of Energy Usage Information to Third Parties

— How Customers Can Manage and Control Their Personal Information

— Retention of Energy Usage Information

— Access to SCE's Past and Current Privacy Notice

2. Assess whether SCE tracks the categories of agents, contractors and other third parties to which they disclose Covered Information for a primary purpose.

2.a. Reviewed SCE’s Tariff Books Rule 25 “Protecting the Privacy and Security of Customer Usage Information” and noted that the document defines the primary uses of Covered Information as:

— Provide or bill for electrical power; and

— Provide for system, grid, or operational needs.

2.b. Met with Privacy Compliance Program Senior Advisor and Senior Manager, Customer & Operational Services, and were informed that SCE’s Third Party Security Review team, in conjunction with the Privacy Compliance Program Senior Advisor, tracks the categories of agents, contractors and other third parties to which SCE discloses Covered Information.

2.c. Reviewed the Supplier Periodic Review Program procedure and noted that the Supply Management organization is responsible for tracking third parties and managing annual risk assessments for the third parties, which are recorded in a dedicated database.

2.d. Met with Senior Manager, Customer & Operational Services, and were informed that SCE has a Third Party Risk Management Program in place, which ranks third parties by risk levels and tracks whether third parties have access to Covered Information through questionnaires and annual risk assessments.

2.e. Reviewed SCE’s third party tracking document and noted that 17 third parties were identified as having access to Covered Information in 2018.

2.f. Reviewed SCE’s 2018 Annual Privacy Report submitted to the CPUC and noted that SCE disclosed Covered Information for a primary purpose to 174 customer-authorized third parties via the Green Button Connect program (Option 5 on the CISR Form), 17 third parties under contract, and 2 Energy Data Centers as authorized under the “Energy Data Center” decision, D.14-05-016.

3. Assess whether a procedure exists to assess whether new customers receive notice of SCE’s reasons for collecting, using, storing, or disclosing Covered Information.

3.a. See CPUC Rule 2b. Assessment Test Procedure 1 Assessment Test Results.

4. Assess whether SCE effectively monitors compliance with its collection, use, storage, and disclosure practices.

4.a. Reviewed SCE's Privacy Compliance Program Manual (Manual) and noted that internal controls will be designed, implemented and periodically assessed to monitor the Privacy Program's performance controls. Oversight, interpretation, and implementation of privacy regulations and associated controls are documented in SCE’s Enterprise Compliance Management System (ECMS). The Privacy Compliance Program Senior Advisor intakes applicable privacy requirements impacting the Company’s business in an online, central repository, ECMS, seeking the Legal Department’s interpretation, and initiating control development to the appropriate Compliance Lead. All applicable privacy laws, regulations and associated controls are documented in ECMS. Each impacted OU shall establish specific procedures or controls assigning ownership over the management of Personal Information, which is maintained in ECMS.

In addition, it is noted in the Manual that the Audit Services Department (ASD) provides an independent assurance and advisory service to Company management and the Audit Committee of the Company's Board of Directors by evaluating the system of internal controls related to risk management, governance, and compliance as it relates to the Privacy Compliance Program. ASD's audit plan may periodically include audits to evaluate an OU's compliance with the Privacy Compliance Program policy and procedures.

4.b. Met with Privacy Compliance Program Senior Advisor, and Senior Attorney, Legal Department, and were informed that as part of the Privacy Compliance Program, the Privacy Compliance and Legal Department are involved in monitoring compliance requirements from the CPUC (with the Legal Department having direct contact with the CPUC), industry trade groups, and interaction with other utilities. Compliance and reporting requirements are input by the Privacy Compliance Program Senior Advisor and approved by the Legal Department via the ECMS system. The Privacy Compliance Program Senior Advisor determines the appropriate OU leader to be assigned to develop the control (a principal manager or above). The OU leader then identifies the appropriate control owner/s, who are identified in the system and are tasked to build the control. Once built, the control is routed for approval by the OU leader.

4.c. Reviewed documentation associated with Privacy Internal Audit conducted in 2018 and noted that a data privacy and security audit was conducted by SCE working in conjunction with the audit services of a third party. The assessment found that SCE’s program “has a sufficient foundation, having made significant progress over the past two years.”


CPUC Rule 3b. Rule description. Retention time: The notice required under section 2 shall provide the approximate period of time that Covered Information will be retained by the covered entity.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice addresses the retention of Covered Information.

1.a. Reviewed the Privacy Notice and noted that it addresses the retention of energy usage information: "We will retain your Energy Usage information in compliance with the law and only as long as reasonably necessary or as authorized by the CPUC to accomplish one of the primary purposes described above or for a purpose you specifically authorize."


CPUC Rule 3c(1). Rule description. Customer limitation: The notice required under section 2 shall provide a description of (1) the means by which customers may view, inquire about, or dispute their Covered Information.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice addresses customers’ ability to view, inquire, or dispute their Covered Information or other PII.

1.a. Reviewed the Privacy Notice, publicly available on SCE.com, and noted that customers may contact the Chief Ethics & Compliance Officer through mail or phone (Residential Customers phone number: 1-800-655-4555 and Business Customers phone number: 1-800-990-7788) with any questions or concerns, or to find out how they can limit, view, or dispute the disclosed information.

1.b. Reviewed SCE's 2018 New Customer Welcome Mailer and noted that the letter discloses the following means to view, inquire about or dispute their Covered Information:

— Customers can manage their energy and billing information online through the “My Account” online accounts;

— Questions on how SCE protects customer privacy can be answered by visiting the privacy website, sce.com/privacy notice;

— Customers can also contact SCE via phone, or mail.

1.c. Met with Senior Manager, Regulatory Affairs, and were informed that there are processes in place for customers to inquire and dispute their Covered Information. SCE’s Energy Advisors handle general disputes, complaints and inquiries.


CPUC Rule 3c(2). Rule description. Customer limitation: The notice required under section 2 shall provide a description of (2) the means, if any, by which customers may limit the collection, use, storage or disclosure of Covered Information and the consequences to customers if they exercise such limits.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice addresses the explicit/implicit consent required to collect, use, and disclose Covered Information and other personal information.

1.a. Reviewed the Privacy Notice, last updated on January 31, 2018, publicly available on SCE.com, and noted that it addresses implicit customer consent for primary purposes and states that explicit consent is required for third party information sharing:

— "We do not disclose your Energy Usage Information to third parties without your prior explicit written consent" other than for the Exceptions noted in the Privacy Notice.

— Contact information for questions relating to data privacy.

— Definition of "Personal Information" by SCE includes “detailed electrical consumption data combined with [the customer’s] name and utility account number.”

— The Privacy Notice contains a section on how customers can manage and control their Personal Information, which includes how a customer can limit or opt-out of the collection and sharing of their information and the consequences for denying consent.

  - "In some cases you have the right to limit, or opt-out, the information you provide to us. You may use one of the methods in the Contact Us section to learn more about ways to limit, or opt-out, of the collection and sharing of your information."

  - “You have the right to not provide us your Social Security Number but you may be charged a deposit or have the deposit waived if enrolled in Direct Payment."

  - "You have the right not to provide your email address; however, you will not be able to take advantage of our digital services such as electronic billing and payments"

  - “If you are a customer who has registered to use SCE.com My Account to access your account on our website, you can opt out of future mailings..."

1.b. Reviewed the Confidential Third Party CISR Form Procedure available to SCE’s employees and noted that it references the following form that customers may fill out to authorize the release of information:

— Form 14-796: Authorization to Receive Customer Information or Act on a Customer’s Behalf

2. Assess whether SCE communicates to individuals the consequences of denying consent.

2.a. See CPUC Rule 3c(2) Audit Test Results 1.a.

2.b. Reviewed the SmartMeter Opt-Out notice publicly available at SCE.com and noted that customers who do not wish to have advanced meters installed on their homes can opt out by calling 1-800-810-2369. This page includes a FAQ section with details and costs associated with opting out.

3. Inspect SCE’s systems where Covered Information is collected to assess whether customers’ implicit or explicit consent preferences are captured (before data transfer).

3.a. Reviewed the "Ways to Access and Share Your Usage Data" web page on SCE.com and noted that it provides instructions to customers on how they can authorize sharing their data with a third party.

3.b. Observed the Data Sharing tab in My Account and noted that customers can select the duration for which they will share Covered Information with a third party.


CPUC RULE 4 – Individual Participation (Access and Control). Overall assessment result: No exceptions noted.

CPUC Rule 4a(1). Rule description. Access: Covered entities shall provide to customers upon request convenient and secure access to their Covered Information (1) in an easily readable format that is at a level no less detailed than that at which the covered entity discloses the data to third parties.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice addresses the provision of access to individuals to their Covered Information.

1.a. Reviewed SCE’s online Privacy Notice and noted that it states that, to receive instant access to their bill, make payments, and receive important alerts, customers must register for the SCE.com My Account service, which requires an email address. Also noted that customers have the right to opt out of receiving emails. Once a customer is registered to use SCE.com My Account, they can opt out of future mailings in My Account.

2. Assess whether SCE’s internal policies describe the process for providing customers with access to their Covered Information.

2.a. Met with Senior Manager, Customer Contact Center, and were informed that SCE’s Energy Advisors are instructed on how to inform customers about ways to access their Covered Information including providing them information on how to use My Account.

2.b. Observed the SCE Energy Advisor with a desktop procedure that provided guidelines on how to inform customers about ways to access their Covered Information.

2.c. Reviewed the internal Third Party CISR Form Procedure and noted that it includes instructions to SCE's Energy Advisors regarding acceptable means of receiving third party authorization from a customer to share their Covered Information, including when the customer of record and a third party are on the telephone.


3. Assess whether customers can access their Covered Information in a detailed, yet easy-to-read format.

3.a. Reviewed SCE.com and noted that customers can access their energy usage data using their user ID through the My Account service.

3.b. Reviewed Sample Customer Bills and noted that monthly bills provide customers with average usage levels for the preceding 12 months for the monthly bill cycle.

3.c. Examined My Account and noted that customers can select the Option, "Billing and Payment" and then “View Bill” and access their Usage and Tier level in an easy to read format. Also, noted that they can go to their My Account Home Page and “View Usage” to access their Usage at an Hourly, This Period, Billed Months, and Monthly Trend level. Customers can also access their account data through the mail if they do not have a My Account set up.


CPUC Rule 4b(1)-(3). Rule description. Control: Covered entities shall provide customers with convenient mechanisms for

(1) granting and revoking authorization for secondary uses of Covered Information,

(2) disputing the accuracy or completeness of Covered Information that the covered entity is storing or distributing for any primary or Secondary Purpose, and

(3) requesting corrections or amendments to Covered Information that the covered entity is collecting, storing, using, or distributing for any primary or Secondary Purpose.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has a process in place for providing customers with access to grant and revoke authorization for secondary uses.

1.a. See CPUC Rule 5c Test Results.

2. Assess whether SCE has a process in place for customers to access their Covered Information and dispute its accuracy and completeness.

2.a. Reviewed the Privacy Notice and noted that customers have access to their Covered Information through monthly bills and their SCE online account called My Account. Covered Information is provided as actual usage and displays hourly usage in 15-minute intervals. Customers can contact SCE through phone, web, or mail with questions, concerns and complaints.

2.b. Met with Senior Manager, Customer Contact Center, and performed a walkthrough at the Irwindale Contact Center, which included listening to sample customer calls, and noted that SCE Energy Advisors have the ability to make updates to customer profiles upon request and also prompt customers to complete or update their Personal Information on file with SCE, as necessary.

2.c. Obtained and inspected My Account usage reports and noted that customers who have My Account access with SCE can access their Energy Usage Data through the "View Usage" link available in the "Billing and Payments" page. This results in the option of an interactive graph or table view that organizes the customer’s electricity usage data by period, billed months, hourly, or monthly trend, as selected by the customer. In addition, My Account provides customers with online access to usage and other Personal Information, as well as the ability to dispute potential incorrect/inaccurate data.

2.d. Reviewed Sample Customer Bills and noted that they include a phone number available from 6AM to 9PM, Monday through Friday, and 8AM to 5PM on Saturdays (1-800-684-8123) for customers to inquire, dispute or question their bill. The bills also inform customers that if they are not satisfied with SCE’s response, they can contact the CPUC Consumer Affairs Branch by mail, via the internet, or by phone. The bill also provides a pre-addressed template for customers to fill out and update or change their Personal Information on file with SCE.

3. Assess whether SCE has a process in place to make corrections or amendments to the collection, storage, use, or distribution of Covered Information upon a customer’s request.

3.a. Reviewed the Privacy Notice and noted that it indicates that customers may contact SCE through phone or mail with any questions, or to find out how the customer can limit, view, or dispute their disclosed information.

3.b. Observed customer calls to the Irwindale Contact Center and noted that SCE Energy Advisors, once the account owner was authenticated, can update customers’ records, including correcting addresses, phone numbers, names, and social security numbers.

3.c. Reviewed Sample Customer Bills and noted that they include a phone number available from 6AM to 9PM, Monday through Friday, and 8AM to 5PM on Saturdays (1-800-684-8123) for customers to inquire, dispute or question their bill. The bills also inform customers that if they are not satisfied with SCE’s response, they can contact the CPUC Consumer Affairs Branch by mail, via the internet, or by phone. The bill also provides a pre-addressed template for customers to fill out and update or change their Personal Information on file with SCE.


CPUC Rule 4(c)(1)-(6)

Rule description: Disclosure pursuant to legal process

(1) Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose Covered Information except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to Covered Information as wiretaps, requiring approval under the federal or state wiretap law as necessary.

(2) Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of Covered Information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer seven days to appear and contest the claim of the person or entity seeking disclosure.

(6) On an annual basis, covered entities shall report to the Commission the number of demands received for disclosure of customer data pursuant to legal process or pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed. Upon request of the Commission, covered entities shall report additional information to the Commission on such disclosures. The Commission may make such reports publicly available without identifying the affected customers, unless making such reports public is prohibited by state or federal law or by order of the Commission.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has procedures in place to help ensure proper handling and documentation of any Covered Information data disclosures for legal reasons.

1.a. Reviewed SCE’s Privacy Notice and noted customers are informed that SCE does not disclose Covered Information without customers’ prior consent, unless “required by law, such as to comply with a warrant, subpoena, or similar legal process…”

1.b. Reviewed the Privacy Policy and noted that SCE does not disclose Covered Information unless it is to a third party with previous written customer consent, or the Company is otherwise required to by law.

1.c. Reviewed Rule 25 Tariff Application Guide and noted that it provides the following guidance to SCE employees:

— “Except as otherwise provided in this rule or expressly authorized by state or federal law or by order of the Commission, a covered entity shall not disclose [C]overed [I]nformation except pursuant to a warrant or other court order naming with specificity the customers whose information is sought. Unless otherwise directed by a court, law, or order of the Commission, covered entities shall treat requests for real-time access to [C]overed [I]nformation as wiretaps, requiring approval under the federal or state wiretap law as necessary.

— Unless otherwise prohibited by court order, law, or order of the Commission, a covered entity, upon receipt of a subpoena for disclosure of Covered Information pursuant to legal process, shall, prior to complying, notify the customer in writing and allow the customer 7 days to appear and contest the claim of the person or entity seeking disclosure.”

1.d. Met with Senior Manager, Legal Department, and were informed that the Subpoena Coordinator reviews all administrative subpoenas, enters them into the Data Request (DR) Module within the Claims Information Management System (CIMS) and they are assigned a DR number. The subpoena is categorized by type, requestor, and the number of accounts requesting Covered Information data disclosures. Summons and complaints are reviewed by the Subpoena Coordinator and forwarded to the appropriate section of the Legal Department for handling.

1.e. Met with Senior Attorney, Legal Department, and noted that SCE has procedures in place for handling and documenting Covered Information data disclosures for legal reasons. Inquiries pursuant to legal process are handled by the Subpoena Coordinator, who reviews them for authenticity and other legal requirements prior to disclosing the requested data (e.g. SCE only discloses customer data when it has the customer’s consent, or if a lawful subpoena or warrant is present). If the Legal Department deems a request valid, SCE notifies the customer through a standard written notice, and allows seven days for the customers to contest the subpoena. SCE’s Subpoena Coordinator manages, keeps track of and reports disclosures pursuant to legal process.

1.f. Reviewed the Subpoena Formal Process document and noted that once the subpoena is received, it is analyzed by the Subpoena Coordinator. The subpoena is then processed and input into the DR module, whose purpose is to input and track all subpoenas. Each component is categorized by type, requestor, and number of accounts requesting usage. If the subpoena is requesting Covered Information, then once SCE validates the subpoena, they contact the requestor and advise them that in order for SCE to provide Covered Information the Company must send the customer a seven-day notice to contest. In addition, the Subpoena Coordinator will also provide the requestor with a Subpoena Cover Letter explaining SCE’s process. If the requestor does not want to proceed with the request for Covered Information due to the requirement to notify the customer, the Subpoena Coordinator will not provide usage; however, SCE can provide customer information such as name of account holder, billing, form of payments and account notes. Once completed, the subpoena file will be closed in the DR module.

In the event the requestor does want to proceed with requesting Covered Information, a seven-day notice to contest must be sent to the customer. The Subpoena Coordinator will calendar the response seven days out from the date of mailing. If the customer indicates they do not want their information disclosed, the customer must 1) file a motion to quash or modify the subpoena and give notice of that motion to Southern California Edison Company, the requesting party, and the deposition officer named in the subpoena, at least seven days before the date set for production of the records; 2) serve the requesting party and Southern California Edison Company, at least seven days before the date set for production of the records, a written objection that states the specific grounds on which production of such records should be prohibited; 3) the customer or their attorney may contact the requesting party to determine whether an agreement can be reached in writing to cancel or limit the scope of the subpoena. If the motion or objection is not received before the date specified in item 1, the records are produced and made available to all parties to the action.

1.g. Reviewed the template letter of Notice of Consent to the Requestor that is sent to the requestor of information via subpoena and noted that SCE informs the requestor of the obligation to notify the customer in writing and allows the customer seven days to appear and contest the claim of the person or entity seeking disclosure. In addition, it provides the requestor with the following alternatives: the requesting party may provide SCE with legal authority demonstrating that SCE is prohibited from notifying the customer before complying with the subpoena; the requesting party may obtain a court order prohibiting SCE from notifying the customer regarding the subpoena; the requesting party may amend the subpoena to request information that is not subject to the notice requirements; or the requesting party may withdraw the subpoena.

1.h. Reviewed the template letter of Notice to Consumer that is sent to the specific customer(s) named in the subpoena prior to SCE disclosing Covered Information. Noted that SCE provides a seven-day notice for the demand pursuant to legal process.

2. Inspect documentation regarding disclosure of Covered Information pursuant to a legal purpose to test whether SCE properly handled the demand.

2.a. See CPUC Rule 4(c)(3) Test Results.

2.b. Reviewed the Privacy Notice and the Website Privacy Notice and noted that SCE may disclose Covered Information without customer consent if required by law, such as to comply with a warrant, subpoena, or similar legal process.

2.c. Met with Senior Manager, Legal Department, and noted that the Company did not receive a request to disclose customer data pursuant to a legal process in 2018.

3. Inspect the Annual Report submitted to the Commission to test whether SCE reported the number of demands received for disclosure of customer data pursuant to a legal process and the number of customers whose records were disclosed.

3.a. Reviewed SCE’s 2018 Annual Privacy Report submitted to the CPUC and confirmed that SCE received zero (0) demands to disclose customer data pursuant to a legal process in 2018.


CPUC Rule 4(d)

Rule description: Disclosure of information in situations of imminent threat to life or property

These rules concerning access, control and disclosure do not apply to information provided to emergency responders in situations involving an imminent threat to life or property. Emergency disclosures, however, remain subject to reporting rule 4(c)(6).

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has procedures in place to help ensure proper handling and documentation of any Covered Information data disclosures in situations of imminent threat to life or property.

1.a. Reviewed SCE’s Privacy Notice and noted customers are informed that SCE does not disclose Covered Information without customers’ prior consent, unless “[g]ood faith disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to the request of a governmental agency…”

2. Inspect documentation regarding disclosure of Covered Information in situations of imminent threat to life or property.

2.a. Met with Privacy Compliance Program Senior Advisor and noted that the Company did not receive a request to disclose Covered Information in situations of imminent threat to life or property in 2018.

3. Inspect the Annual Report submitted to the Commission to assess whether SCE reported the number of demands received for disclosure of customer data pursuant to situations of imminent threat to life or property and the number of customers whose records were disclosed.

3.a. Reviewed the Company’s 2018 Annual Privacy Report submitted to the CPUC and confirmed that SCE received zero (0) requests to disclose Covered Information for situations in regard to a threat to life or property in 2018.


CPUC RULE 5 Data Minimization

Overall assessment result: No exceptions noted.

CPUC Rule 5(a)

Rule description: Generally

Covered entities shall collect, store, use, and disclose only as much Covered Information as is reasonably necessary or as authorized by the Commission to accomplish a specific Primary Purpose identified in the notice required under section 2 or for a specific Secondary Purpose authorized by the customer.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has Data Minimization procedures in place as they relate to the collection, storage, usage, and disclosure of Covered Information for Primary Purposes.

1.a. Reviewed the Privacy Compliance Program Manual and noted that SCE has the following data minimization principles: “By limiting Personal Information to the least amount necessary to conduct an OU’s work, the Company will limit potential negative consequences in the event of a privacy incident involving Personal Information. If the OU does not need the data, it must not be collected…OUs must be mindful of the types and categories of Personal Information used, collected, and maintained. Moreover, OUs must only share the minimum amount of Personal Information necessary to an authorized employee, supplemental worker, or third party to conduct its business. If previously collected, Personal Information that serves no current business purpose must no longer be used or collected. A disposition strategy must be assessed with the Privacy Compliance Program Senior Advisor. The Company must periodically review its holdings of previously collected Personal Information to determine whether the Personal Information is still relevant and necessary for meeting the OU’s business needs. If Personal Information is no longer required, the OU shall immediately stop the collection of Personal Information and consult with the Privacy Compliance Program Senior Advisor to determine if the information, assuming it is not subject to a Legal Hold, can be securely destroyed. Any computer hardware no longer in use must have its contents securely sanitized before recycling or disposal.”

1.b. Reviewed the Classification and Access procedure and noted that SCE limits “access to confidential Records and Business Records to authorized employees and Supplemental Workers who have a ‘need to know.’”

1.c. “Before disclosing Business Records to a Supplemental Worker, [SCE employees are to] ensure that you are sharing only those elements of the Business Records that are necessary to accomplish the task. Company employees shall communicate proper Access and Handling Classifications to Supplemental Workers and monitor their handling and treatment of that Record or Business Record. When uncertain of the classification, the employee is responsible for classifying the Record or Business Record in consultation with his/her supervisor or manager or Ethics & Compliance.”

1.d. Reviewed the CPUC Smart Grid Tracking document and noted SCE shall collect, store, use, and disclose only as much Covered Information as is reasonably necessary or as authorized by the Commission to accomplish a specific primary purpose identified within the Privacy Notice or for a specific secondary purpose authorized by the customer.

2. Assess whether SCE has Data Minimization procedures in place as they relate to the collection, storage, usage, and disclosure of Covered Information for Secondary Purposes.

2.a. See CPUC Rule 5a.1 Test Results.

2.b. Met with Business Analysts, Customer & Operational Services, and were informed that SCE will provide information to third parties only if the Company has received a signed Customer Information Service Request (CISR) form and only the information authorized by the client will be released. If a signed form is not on file or the third party requests additional information, the request for data will be denied.

2.c. Met with Senior Supervisors, Credit & Payment Services, and conducted a walk-through of the Center. Noted that the department has data minimization policies and procedures for disposal of confidential customer information and its destruction when the information is no longer valid. Policies and procedures include:

— Only Credit Risk and Credit and Payment Services have access to the office. Access to the parking lot and building is controlled via employee key card, gates and monitored with security cameras.


— Nightly walkthroughs by Supervisors are performed prior to the closing of the facility to validate no Personal Information is left on desks or printers.

— Not displaying, printing, or otherwise accessing any Personal Information that is not essential to performing a business-related task or job function.

— All Personal Information that is not in immediate use is stored in locked file cabinets. When disposing of Personal Information, documents are either shredded immediately or placed in a locked shred bin. Shredders are located at each printer in the facility, as well as shred bins for larger files.

— The office printer and fax machine require a key card scan before printing documents.

3. Assess whether SCE has internal privacy policies addressing Data Minimization.

3.a. Reviewed the Protecting Personal Information Procedure and noted that it governs the handling, transmittal, and display of Personal Information and steps to take in the event of a suspected data breach involving Personal Information.

3.b. Reviewed the Privacy Policy and noted that it includes a policy on data minimization: “The Company expects you to use, handle, and process and store Personal Information using data minimization principles. This requires you to limit the collection and sharing of Personal Information to what is directly relevant and necessary to accomplish a specified task and to only retain the data for as long as necessary to fulfill that task, in accordance with the record retention provisions of section 3.7 below.” Also noted that the definition of Personal Information is included in the policy.

3.c. Reviewed the Privacy Compliance Program Manual and noted that it includes a section on data minimization: “By limiting Personal Information to the least amount necessary to conduct an OU’s work, the Company will limit potential negative consequences in the event of a privacy incident involving Personal Information. If the OU does not need the data, it must not be collected. A “less is more” approach will enhance information security as less information is at risk. Therefore, OUs must be mindful of the types and categories of Personal Information used, collected, and maintained. Moreover, OUs must only share the minimum amount of Personal Information necessary to an authorized employee, supplemental worker, or third party to conduct its business. If previously collected, Personal Information that serves no current business purpose must no longer be used or collected. A disposition strategy must be assessed with the Privacy Compliance Program Senior Advisor. The Company must periodically review its holdings of previously collected Personal Information to determine whether the Personal Information is still relevant and necessary for meeting the OU’s business needs. If Personal Information is no longer required, the OU shall immediately stop the collection of Personal Information and consult with the Privacy Compliance Program Senior Advisor to determine if the information, assuming it is not subject to a Legal Hold, can be securely destroyed.”

3.d. Reviewed the Identity Theft Prevention Procedure and noted that SCE employees who are responsible for providing Identifying Information to authorized third parties may only provide the minimum information necessary to complete a task. Information must be transmitted securely using a Company approved method. Third Parties shall follow all contractual terms regarding management of the Covered Account information, including reporting suspected security incidents through the escalation process in their contract and taking appropriate steps to prevent or mitigate Identity Theft.

3.e. Reviewed the Employee Code of Conduct and noted that SCE limits “access to personal information to those with a legitimate business need to know the information. All employees entrusted with personal information are required to safeguard the information and use it for the business purpose for which it is intended.”

3.f. Met with Privacy Compliance Program Senior Advisor, and were informed that a company-wide customer privacy program exists that is supported by a number of privacy-related policies and procedures.


4. Assess whether SCE implements Data Minimization across User Access roles to systems and applications where Covered Information is stored, used, or processed.

4.a. Reviewed the Protecting Personal Information Procedure and noted that there is a section specifically about data minimization. This includes limiting access to Personal Information to authorized personnel with business purposes, data owner review of requests for Personal Information, and only providing the minimal amount of information necessary.

4.b. Reviewed samples of how production data is protected from use outside of in-scope systems and noted that processes are in place to remove or mask all Personal Information prior to any use outside of the production environment.

4.c. Reviewed system profile questionnaires for the in-scope applications containing Covered Information and noted that user access roles are in place to help ensure data minimization.

4.d. Met with Privacy Compliance Program Senior Advisor, and were informed that the principle of data minimization is followed within the Customer Service OU and employee roles are created in CSS that limit access to information required to complete their job functions.


CPUC Rule 5(b)

Rule description: Data retention

Covered entities shall maintain Covered Information only for as long as reasonably necessary or as authorized by the Commission to accomplish a specific Primary Purpose identified in the notice required under section 2 or for a specific Secondary Purpose authorized by the customer.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s internal policies address a document retention policy covering all relevant aspects.

1.a. Reviewed the Records Management policy that governs the retention of SCE records and noted that the policy applies to all Company employees and contingent workers who possess Company records, regardless of location or storage medium. The policy provides guidance on how to manage all records consistent with Company recordkeeping, legal hold requirements and applicable law. The recordkeeping requirements are designed to ensure that records are appropriately accessible, complete, managed, preserved, retained, and disposed of in accordance with business and applicable legal requirements. The policy states that “records that document or support the Company’s legal, historical, operational, or business transactions and events are Business Records and shall be retained according to the Company’s Records Retention Schedule.” It also provides guidance on records that do not constitute Business Records and are not subject to a specific requirement in the Records Retention Schedule. Employees or contingent workers are also instructed to contact the Ethics and Compliance Office for questions related to the disposition of records.

1.b. Reviewed the Records Retention Schedule, which provides detailed retention periods for different data sets including Interval Customer Energy Usage Data.

2. Assess whether the SCE retention policies are periodically reviewed and updated where necessary.

2.a. Reviewed Records Retention Schedule Standard and determined that the Records Retention Schedule is dated April 13, 2017, it is the fifth revision, and it is regularly reviewed and updated.

3. Assess whether a management procedure exists to help ensure that documents are retained in compliance with Company policies and that records are kept for only as long as reasonably necessary.

3.a. Reviewed the job aid Completing a Records Disposition Report and noted that it provides Information Stewards with guidance on accessing Disposition Reports and identifying and verifying records that may be appropriate for destruction.

3.b. Reviewed the Edison International Records Clean Up Procedure and noted that each operating unit (OU) shall schedule, coordinate, and implement a time for all employees and Supplemental Workers to review their Physical and Electronic records and Business records. The Records Clean-up is required to occur at least annually.

3.c. Reviewed the presentation deck for Information Stewards – Roles and Responsibilities and noted that the role of an Information Steward is as follows: Serve as Information Governance Subject Matter Expert (SME) within the OU, Leverage expertise in Information and Records Management, and knowledge of the OU operations to act as a liaison between Enterprise Information Governance and the OU, and support and coordinate implementation of Information Governance program initiatives.

3.d. Met with the Privacy Compliance Program Senior Advisor, and was informed that Information Stewards are embedded in the OUs to support the OU with compliance with records management. The OUs have an annual process to review and update their record inventory called “clean-up day(s)” or week, depending on the OU. OUs are also responsible for making Information Governance aware of any changes to regulations or business processes that may impact the current retention period.

4. Inspect evidence that SCE records are retained and disposed of in compliance with record retention policies.

4.a. Reviewed the 2018 Records Clean up and Records Disposition Report Status Tracking and noted that SCE tracks the record clean up status by OU, which includes tracking of physical clean-up, electronic clean-up and records disposition reports. The tracker lists the OUs that completed records clean-up days in 2018.

4.b. Reviewed the 2018 Information Technology Disposition Review Report and noted that records eligible for destruction were approved and destroyed. The report was completed consistent with Company policy.

5. Inspect evidence that SCE destroys documents that are no longer necessary or when the appropriate retention policy ends.

5.a. Reviewed the Information Technology Disposition Report and noted it contains a well-organized list of retained documents and that a review is performed to approve documents for destruction.

5.b. Reviewed a Third Party Destruction Certificate and noted the date, work order and item code are listed to certify all documents that are destroyed.


CPUC Rule 5(c) Rule description: Data disclosure

Covered entities shall not disclose to any third party more Covered Information than is reasonably necessary or as authorized by the Commission to carry out on behalf of the covered entity a specific Primary Purpose identified in the Notice required under section 2 or for a specific Secondary Purpose authorized by the customer.

Assessment procedures Assessment test results Exceptions

1. Understand SCE’s privacy policies to assess whether they:

— describe the practices related to sharing personal information (if applicable) with third parties and the reasons for information sharing,

— identify third parties or classes of third parties to whom personal information is disclosed.

1.a. Reviewed the online Privacy Notice and noted that SCE describes Energy Usage Information as “detailed electrical consumption data (of less than 60-minute intervals) obtained through SCE’s Advanced Metering Infrastructure” and, when associated with any information that could reasonably identify a customer, is protected as a type of Personal Information. As such, SCE informs customers that Personal Information will only be disclosed to third parties for certain purposes identified in the Privacy Notice and in cases when prior and written customer consent has been obtained through a CISR Form (Authorization to Receive Customer Information or Act on a Customer’s Behalf), or in a special circumstance as previously noted. In addition, SCE notes that third party contractors are “require[d] to have policies and procedures to protect [our] Customer’s Energy Usage Information from being disclosed.” The reasons for sharing information include:

— Third Parties under Contract with SCE to provide the essential services;

— Third Parties under Contract by the CPUC with whom SCE must share your Energy Usage Information or when the CPUC issues an order directing SCE to do so;

— When governmental agencies use, collect, and store Energy Usage Information to perform energy efficiency, energy evaluation, or other specified services, or have obtained a CPUC Order or Resolution directing SCE to disclose your Energy Usage Information;

— Required by law, such as to comply with a warrant, subpoena, or similar legal process;


— Good faith disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud;

— Ordered by the CPUC, or governmental agencies with a statutory duty that necessitates access to the data they request when legally entitled to such information; and

— Eligible academic researchers, local government entities, state and federal agencies authorized to receive Energy Usage Information through the Energy Data Request Program (EDRP).

1.b. Reviewed the Protecting Personal Information Procedure, available to employees on SCE’s intranet, and noted that it includes guidelines stating, "each employee is responsible for ensuring that Personal Information in their control is handled in accordance with this procedure and all applicable legal and regulatory requirements.” We noted that for providing Personal Information to Third Parties, the “Edison Representative shall ensure the Supplier has an executed contract with the Company, with the appropriate exhibit(s), that allows access to Personal Information.”

1.c. Reviewed a list of 17 third parties identified as having access to Covered Information during 2018 and noted that the count matches the number of third parties reported in the Company’s 2018 Annual Privacy Report submitted to the CPUC.

1.d. The 2018 Annual Privacy Report discloses three types of authorized third parties accessing Covered Information: (1) Customer Authorized, (2) Vendors Under Contract, and (3) Energy Data Centers.

1.e. Reviewed the Privacy Compliance Program Manual, available to all SCE employees via the intranet, and noted that Southern California Edison (“SCE”) will not share customer information with third parties unless it occurs under one of the authorized disclosure methods listed in the “Disclosure of Information to a Third Party” section in the SCE Privacy Notice. It also includes language requiring employee and contractor compliance to all SCE Privacy Compliance Program and Records Management policies and procedures, as well as applicable laws and regulations. Additionally, third parties are further subjected to their contractual requirements as well as the SCE Supplier Code of Conduct.


1.f. Reviewed Supplier Code of Conduct and noted SCE instructs Third Parties that Edison resources, including the use of Covered Information, are only to be used for “legitimate Edison business purposes”.

1.g. Reviewed the Green Button – Third Party Connection information page, publicly available at https://www.sce.com/partners/partnerships/thirdpartylandingpage, and noted that third parties are required to register by creating a User ID and Password, providing the organization’s Taxpayer Identification Number, accepting SCE’s Terms & Conditions, and performing a connectivity test for data transmission via Electronic Data Interchange (EDI).

1.h. Reviewed SCE’s Targeted Covered Information Employee Privacy Training, provided to employees with access to Covered Information, and noted specific training content that described SCE’s policies regarding the handling and sharing of Covered Information, and noted the training provided specific references to SCE policies concerning the handling, storage, use and disclosure of Covered Information.

1.i. Reviewed the Privacy FAQs, available to all SCE employees via the intranet, and noted guidance for employees receiving a request for Covered Information: they are first instructed to determine whether the requesting party is permitted to receive the information. For Third Parties, the document notes that the Third Party’s contract must contain either the Edison Personal Information exhibit or the Security Incident Response Provision exhibit. If neither exhibit is included, the employee is instructed not to share any Covered Information and to contact the Edison HelpLine or Supply Management.

1.j. Met with Business Analysts, Customer & Operational Services, and noted that SCE only shares customer information with third parties with prior customer written consent through the Green Button and CISR process for both residential and commercial accounts. A customer has the option to provide Personal Information access authorization through the CISR Form for a specific period up to a maximum of 3 years. The customer must determine in the CISR Form the type of information shared. Upon receiving and verifying the information on the customer-signed CISR Form, SCE discloses the requested information to the third party via email to the email address noted on the CISR Form.


1.k. Reviewed the CISR Form and noted that customers must provide written authorization to SCE to allow a third party to receive customer information or act on the customer’s behalf. This information is verified manually against the CSS system to validate the customer request prior to fulfilling it.

1.l. Reviewed the Service Agreement procurement templates for CCA and ESP Third Parties (Electrical Service Provider Service Agreement and Community Choice Aggregator Service Agreement). We noted the contracts require nondisclosure of Confidential Customer Information without SCE’s consent unless any governmental, judicial or regulatory authority is requiring such Confidential Information pursuant to any applicable law, regulation, ruling, or order.

1.m. Informed by Advisor, Account Management, that no CCA or ESP service agreements were executed in 2018.


CPUC RULE 6 Use And Disclosure Limitation

Overall assessment result No exceptions noted.

CPUC Rule 6(c)(1)-(3) Rule description: Disclosures to third parties

(1) Initial disclosures by an electrical corporation: An electrical corporation may disclose Covered Information without customer consent to a third party acting under contract with the Commission for the purpose of providing services authorized pursuant to an order or resolution of the Commission or to a governmental entity for the purpose of providing energy efficiency or energy efficiency evaluation services pursuant to an order or resolution of the Commission. An electrical corporation may disclose Covered Information to a third party without customer consent a. when explicitly ordered to do so by the Commission; or b. for a Primary Purpose being carried out under contract with and on behalf of the electrical corporation disclosing the data; provided that the covered entity disclosing the data shall, by contract, require the third party to agree to access, collect, store, use, and disclose the Covered Information under policies, practices and notification requirements no less protective than those under which the covered entity itself operates as required under this rule, unless otherwise directed by the Commission.

(2) Subsequent disclosures: Any entity that receives Covered Information derived initially from a covered entity may disclose such Covered Information to another entity without customer consent for a Primary Purpose, provided that SCE disclosing the Covered Information shall, by contract, require SCE receiving the Covered Information to use the Covered Information only for such Primary Purpose and to agree to store, use, and disclose the Covered Information under policies, practices and notification requirements no less protective than those under which the covered entity from which the Covered Information was initially derived operates as required by this rule, unless otherwise directed by the Commission.

(3) Terminating disclosures to entities failing to comply with their privacy assurances: When a covered entity discloses Covered Information to a third party under this subsection 6(c), it shall specify by contract, unless otherwise ordered by the Commission, that it shall be considered a material breach if the third party engages in a pattern or practice of accessing, storing, using or disclosing the Covered Information in violation of the third party’s contractual obligations to handle the Covered Information under policies no less protective than those under which the covered entity from which the Covered Information was initially derived operates in compliance with this rule.

If a covered entity disclosing Covered Information for a Primary Purpose being carried out under contract with and on behalf of SCE disclosing the data finds that a third party contractor to which it disclosed Covered Information is engaged in a pattern or practice of accessing, storing, using or disclosing Covered Information in violation of the third party’s contractual obligations related to handling Covered Information, the disclosing entity shall promptly cease disclosing Covered Information to such third party.

If a covered entity disclosing Covered Information to a Commission-authorized or customer-authorized third party receives a customer complaint about the third party’s misuse of data or other violation of the privacy rules, the disclosing entity shall, upon customer request or at the Commission’s direction, promptly cease disclosing that customer’s information to such third party. The disclosing entity shall notify the Commission of any such complaints or suspected violations.

Assessment procedures Assessment test results Exceptions

1. Understand SCE’s privacy policies to assess whether they:

— describe the practices related to sharing personal information (if applicable) with third parties and the reasons for information sharing,

— identify third parties or classes of third parties to whom personal information is disclosed.

1.a. See Rule 5c Audit Test Results.

2. Assess whether SCE informs customers that personal information is disclosed to third parties only for the purposes (a) identified in the Privacy Notice, and (b) for which the individual has provided implicit or explicit consent, or as specifically allowed or required by law or regulation before data is disclosed to third parties.

2.a. Reviewed the Privacy Notice and noted that SCE informs customers it may share Personal Information with third parties for essential services, i.e., purposes of operating the utility system. The Privacy Notice specifies that SCE does not use Personal Information for purposes beyond those listed in the Privacy Notice, and that SCE does not share Personal Information with third parties without the customers’ prior written consent. In addition, it indicates that:

Customers may authorize any third party to have access to their SCE provided information by submitting a CISR Form granting such access or through the Green Button Connect program.

SCE may disclose Personal Information, including Customer Energy Usage Data, under the following circumstances:


— Third parties under contract with SCE to provide essential services;

— Third parties under Contract by the CPUC with whom SCE must share your Energy Usage Information or when the CPUC issues an order directing SCE to do so;

— When governmental agencies use, collect, and store Energy Usage Information to perform energy efficiency, energy evaluation, or other specified services, or have obtained a CPUC Order or Resolution directing SCE to disclose your Energy Usage Information;

— Required by law, such as to comply with a warrant, subpoena, or similar legal process;

— Good faith disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud;

— Ordered by the CPUC, or governmental agencies with a statutory duty that necessitates access to the data they request when legally entitled to such information; and

— Eligible academic researchers, local government entities, state and federal agencies authorized to receive Energy Usage Information through the Energy Data Request Program (EDRP).

2.b. Reviewed the Authorization to Receive Customer Information Or Act Upon A Customer’s Behalf (or CISR Form) and noted that by completing the form the customer explicitly authorizes a third party to request and receive the customer’s data such as billing history, account information, and usage data (up to a maximum of the most recent 12 months). The customer must specify whether this is a one-time authorization or a one-year authorization, or set an expiration date limited to a maximum of three years. The form also collects the third party’s information, such as the entity’s name and telephone number. By completing the form, the customer must check a box stating that the customer "understands that [he/she] may cancel this authorization at any time by submitting a written request." A sample completed CISR Form was reviewed for evidence of consistency with this process, and no Exceptions were noted.

2.c. Reviewed the Green Button Connect information page, publicly available at www.sce.com/wps/portal/home/partners/partnerships/thirdpartylandingpage/, and noted that customers with a My Account login and a SmartMeter connected to the network can choose to share up to 13 months of electric usage data with selected third parties. Third parties must register for this program with a unique User ID, Password, and Taxpayer Identification Number, as well as pass a Connectivity Test and accept SCE’s Terms and Conditions for the program.

3. Assess whether SCE communicates specific instructions for handling personal information and the consequences of improper disclosure to the third party prior to disclosing the information.

3.a. Reviewed the Policy on Information Security, Cybersecurity and Privacy (Supplier Cyber Policy) and noted that it is Third Party’s obligation to (i) implement and maintain appropriate measures to protect Edison’s Computing Systems from unauthorized access or use and all Edison Data from accidental or unauthorized access, acquisition, disclosure, use, modification, loss, damage, or destruction, and to secure its own electronic network and systems, and Edison’s Data from internal and external security threats; (ii) continually review and revise those measures to address new or ongoing risks and to implement industry best practices and legal requirements regarding cybersecurity and privacy;

Third party’s security measures to safeguard Edison’s Computing Systems and Edison Data in its possession, custody, or control shall be no less rigorous than industry cybersecurity and privacy best practices.

Third party shall provide its personnel with privacy and information security training before providing such personnel access to Edison’s Computing Systems or Edison Data and at least annually thereafter. Third Party shall maintain employee completion reports and make such completion reports available to Edison upon Edison’s written request. Third Party shall review the contents of the security and privacy awareness and training program at least annually to ensure it is updated and reflects current, relevant security information.

3.b. Reviewed the Supplier Code of Conduct and noted that SCE informs third parties that access to SCE information must be limited to the performance of legitimate SCE business purposes. In addition, information shared by SCE must be handled in accordance with applicable legal and regulatory requirements, including federal and state regulations, such as California’s Privacy Laws, Massachusetts’ Data Protection Law, or the CPUC Smart Grid Data Privacy Regulation.

3.c. Reviewed templates for service agreements with ESPs, and Community Choice Aggregators (CCAs) who provide energy to SCE’s Customers and have access to Covered Information and noted that these third parties must sign service agreements with the Company, which define roles and responsibilities of both parties, including provisions with mandatory safeguards around customer information.

3.d. Met with the Senior Manager, Customer Contact Center, and were informed that customers must be authenticated, using their account information (i.e., Social Security number, account number, service ID, etc.), before access is authorized.

3.e. Listened to a sample of customer calls received at the Irwindale Customer Contact Center and observed that customers were authenticated prior to accessing their account consistent with SCE policy.

3.f. Met with the Advisor, Account Management, and were informed that the 6 CCAs and 17 ESPs had CPUC-approved certification prior to entering into a service agreement with SCE. Approvals to work with SCE were completed electronically through SCE.com. Once a service agreement is established, transfer of customer billing information to these third parties is done through the secured EDI process, subject to a signed EDI Trading Partner Agreement as noted in the Direct Access ESP Handbook.

3.g. Reviewed the Direct Access ESP Handbook, available publicly on SCE.com, and noted CCAs and ESPs are required to submit completed CISR Forms prior to SCE disclosing any customer Covered Information.

4. Understand whether third party contracting documentation is consistent with the SCE’s policies and procedures.

4.a. Reviewed SCE’s Privacy Policy and noted that Personal Information may be shared externally with “…Third parties whose contract with the Company contains the appropriate exhibit that covers the protection of Personal Information.”

4.b. Reviewed the Supplier Code of Conduct and noted that SCE requires the following of third parties:


— “Safeguard and protect information, including personal information, covered by privacy laws and/or restricted by Edison. Third parties must ensure that information covered by privacy laws is handled in accordance with all applicable legal and regulatory requirements, including federal and state regulations, such as California Privacy laws, or the California Public Utilities Commission’s Smart Grid Data Privacy regulation.”

— “Protect Edison information from unauthorized use or disclosure and notify Edison in accordance with the terms of the contract if there is an unauthorized use or disclosure of Edison information. If not otherwise specified in the contract, notification must be made by calling the Edison HelpLine at 1-800-877-7089.”

— “If granted access to Edison’s information systems, ensure the security of any such systems and comply with all applicable information security policies and procedures.”

4.c. Reviewed SCE’s Cybersecurity Policy, available publicly at SCE.com https://www.sce.com/cyberpolicy, and noted that SCE requires third parties to “implement a formalized information security incident management program (the “Security Incident Management Program”). The program shall describe how the organization will report incidents internally and to affected external parties. It shall also identify Supplier’s incident response team (the “Supplier Incident Response Team”) and define their roles and responsibilities.”

4.d. Reviewed the Master Services Agreement (MSA) contract template used by SCE for third parties with access to Covered Information or EPI (Edison Personal Information), dated August 15, 2018, and noted that the template requires third parties to comply with applicable laws relating to the protection of customer Confidential Information, and that they shall not use SCE’s Customer Information for their own benefit or disclose Confidential Information to a third party. Contracted parties are required to sign a non-disclosure certificate to certify their understanding of the obligation to protect Confidential Information. The following excerpts from the MSA concern the protection of Confidential Information:

— “The Receiving Party agrees that it shall not use, disclose, reproduce, distribute, reverse engineer, or otherwise misappropriate Disclosing Party’s Confidential Information and shall take no action that may cause, or fail to take any action to prevent causing, any Confidential Information to lose its character as Confidential Information. The Receiving Party’s protective measures shall include the degree of care that the Receiving Party utilizes to protect its own trade secrets and confidential information of a similar nature, which shall be no less than reasonable care. Contractor shall comply with the additional requirements of the Cyber Policy for all Information Systems accessing, using, or storing Edison Data in electronic or digital form and all Edison Data accessed, received, or maintained by Contractor. Each Party shall inform its respective Authorized Parties of the confidentiality obligations under the Agreement. Each Party will be responsible for any breach of the Agreement by its Authorized Parties. The requirements of Section 9 and its subsections extend to Confidential Information created by Contractor for Edison as a Deliverable.”

— “All Confidential Information shall be and remain the property of the Disclosing Party. Nothing in the Agreement shall be construed as obligating the Parties to disclose their Confidential Information, or as granting to or conferring on Receiving Party, expressly or by implication, any rights, title or license in or to Confidential Information, except the right of use in accordance with the terms of the Agreement. Upon written request by the Disclosing Party, the Receiving Party shall destroy or return to Disclosing Party all the Disclosing Party’s Confidential Information…”

— “In the event of any reasonably suspected disclosure or loss of, or inability to account for, any of Disclosing Party’s Confidential Information, Receiving Party shall promptly and at its own expense: (1) notify Disclosing Party in writing; (2) take such actions as may be necessary or reasonably requested by Disclosing Party to minimize the breach; and (3) cooperate in all reasonable respects with Disclosing Party to minimize the breach and any damage resulting therefrom.”

4.e. Reviewed the Supplier Cyber Policy exhibit used by SCE for third parties with access to Covered Information or EPI (Edison Personal Information), dated June 17, 2017 and utilized during the Covered Period, and noted that it sets out the cybersecurity and privacy procedures third parties must implement on or before the effective date of any Purchase Order involving Special Conditions and maintain as long as the Third Party has access to Edison’s Computing Systems or access to, possession, custody, or control of Edison Data. The following excerpts are from the Supplier Cyber Policy:

— “It is Supplier’s obligation to (i) implement and maintain appropriate measures to protect Edison’s Computing Systems from unauthorized access or use and all Edison Data from accidental or unauthorized access, acquisition, disclosure, use, modification, loss, damage, or destruction, and to secure its own electronic network and systems, and Edison’s Data from internal and external security threats; (ii) continually review and revise those measures to address new or ongoing risks and to implement industry best practices and legal requirements regarding cybersecurity and privacy; and (iii) to cooperate with Edison in its efforts to minimize risks to Edison’s Computing Systems and Edison Data and reduce the impact of any unauthorized access to the Edison’s Computing Systems, or disclosure or unauthorized use of Edison Data.”

— “Supplier’s security measures to safeguard Edison’s Computing Systems and Edison Data in its possession, custody, or control shall be no less rigorous than industry cybersecurity and privacy best practices.”

— “Supplier shall provide its personnel with privacy and information security training before providing such personnel access to Edison’s Computing Systems or Edison Data and at least annually thereafter. Supplier shall maintain employee completion reports and make such completion reports available to Edison upon Edison’s written request. Supplier shall review the contents of the security and privacy awareness and training program at least annually to ensure it is updated and reflects current, relevant security information.”

— “Supplier shall use codes of conduct, ethics policies or confidentiality agreements to ensure employee awareness with Supplier’s information security and privacy policies and procedures.”


— “Supplier shall assess and track cybersecurity and privacy risk associated with Subcontractors or its service providers with access to Edison’s Computing Systems or Edison Data and shall take all commercially reasonable actions to promptly remediate these risks.”

— “Supplier shall not permit access to Edison’s Computing Systems or transmit, access, use, or store Edison Data outside the United States without the prior written permission of Edison’s Vice-President for Information Technology or the Director of Cybersecurity.”

5. Inspect sample evidence of acknowledgments/certifications from third parties regarding compliance with SCE’s data privacy policies.

5.a. Obtained and inspected a contract of a third party that has access to Covered Information that was executed during the Covered Period. The third party agreement contained a section on the safeguarding of Confidential Information and that the receiving party shall return or destroy Confidential Information upon request of the disclosing party or upon termination or expiration of the Agreement. In addition, the Agreement requires that the third party comply with Client's Supplier Cyber Policy. The sampled contract included data privacy and confidentiality provisions consistent with SCE’s data privacy policies.

5.b. Inspected a sample executed Supplier Attestation of Security and Privacy of Covered Information that requires the third party to attest that the third party has complied with the “Management of Information Security” and “Employee Policies: Security and Privacy Awareness and Training” of the Supplier Cyber Policy.

5.c. Reviewed the ESP and CCA agreement templates and noted that ESPs and CCAs must sign service agreements with the Company, defining roles and responsibilities of both parties, including mandatory safeguards around Covered Information. SCE also mandates nondisclosure of Confidential Information (including Covered Information). No new ESP or CCA contracts were executed in 2018.

6. Assess whether SCE has a process in place to review contract compliance for third parties accessing or receiving Covered Information.

6.a. Met with Senior Manager, Customer & Operational Services, and were informed that SCE Supply Management manages a Supplier Periodic Review Program that includes a process for classifying and ranking active third parties by risk. The active supply base is classified and ranked, and the highest ranked third parties are then reviewed periodically. The Supplier Periodic Review Program is designed as a component of ongoing performance measures for incumbent third parties to mitigate risk and safeguard the integrity of the Supply Chain.

6.b. Informed by Supply Chain Advisor that an Edison Representative is designated to manage contract administration related tasks.

6.c. Additionally, the Supply Chain Advisor informed us that SCE contracts with a third party that provides a risk classification tool which measures a company’s cybersecurity health for cyber high-impact work. In the supply chain, the tool helps minimize risk mitigation requirements and increases the depth of risk assessments performed by IT Cyber. IT Cyber determined a threshold score that a third party must maintain. SCE tracks this score and, if the third party’s score falls below the threshold, IT Cyber performs additional assessment activities on the third party.

6.d. Reviewed the Supplier Periodic Review Program internal guideline and noted that it is designed as a component of ongoing performance measures for incumbent third parties to mitigate risk and safeguard the integrity of the Supply Chain. The Supply Management Principal Manager identifies third parties for inclusion in the Supplier Periodic Review Program based on an internal assessment of business needs. An escalation process is in place whereby the appropriate team member notifies a Supply Management Manager of third parties who do not respond or fail to provide requested information after two attempts. The Manager or his/her designee then contacts the third party directly for the requested information. If the third party does not respond after repeated attempts, a management decision is made on next steps.

6.e. Reviewed a sample Vendor In-take Form (commonly referred to in SCE as "Supplier Questionnaire") that is housed in SCE's Supplier information module, which each prospective third party seeking to do business with SCE needs to complete. Third party responses are kept within the third party's profile and can be accessed by SCE Supply Management personnel for reference.

6.f. Reviewed a sample Vendor Assessment and noted that a score was assessed based on the following assessment categories: insurance, quality and performance, safety and financial assessment.


CPUC Rule 6(d)(1)-(3) Rule description Secondary purposes:

No covered entity shall use or disclose Covered Information for any Secondary Purpose without obtaining the customer’s prior, express, written authorization for each type of Secondary Purpose. This authorization is not required when information is—

(1) provided pursuant to a legal process as described in 4(c) above;

(2) provided in situations of imminent threat to life or property as described in 4(d) above; or

(3) authorized by the Commission pursuant to its jurisdiction and control.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE engages in Secondary Purposes, and assess if procedures are in place to:

— notify individuals and obtain their consent prior to disclosing personal information to a third party for purposes not identified in the Privacy Notice,

— document whether SCE has notified the individual and received the individual’s consent,

— monitor that personal information is being provided to third parties only for uses specified in the Privacy Notice.

1.a. Met with Privacy Compliance Program Senior Advisor and were informed that SCE does not disclose Covered Information for secondary purposes unless authorized by the customer.

1.b. Met with members of the Customer & Operational Services, and were informed that SCE requires customer consent prior to disclosure of Covered Information to third parties, which would be documented through a completed and signed CISR form.

1.c. Reviewed the Privacy Notice and noted that SCE informs customers the Company may share Energy Usage information with third parties for purposes of providing customers with services and operating the utility system. The Privacy Notice specifies that SCE limits the type and amount of Energy Usage Information shared with third parties to that which is reasonably necessary for the third party to accomplish the purpose for which it needs access to the Customers Energy Usage Information.

1.d. Reviewed an internal policy addressing third party data requests, which is a document intended for all employees, and noted that SCE informs employees that a signed CISR form from the customer of record must be received in order for any Covered Information to be released to a third party.

1.e. Met with members of the Customer & Operational Services, and were informed that they receive Covered Information requests electronically or through fax or mail. The form is validated for accuracy and completeness prior to disclosing information to a third party. The team monitors the requests to check that information is being provided for the uses specified in the forms. Informed that during the Covered Period there were no instances of non-compliance with the CISR process. In addition, monthly audits are conducted to verify that information is being provided to third parties consistent with what was authorized by the customer on the CISR form.

2. Assess whether SCE has secondary use authorization forms customers sign to authorize use of Covered Information for secondary uses.

2.a. See 6c(1) - (3) Test Results.

3. Inspect evidence that customer consent authorizing use of Covered Information for Secondary Purposes is documented.

3.a. Met with Business Analysts, Customer & Operational Services, and noted that the Third Party desk receives CISR Forms via email to [email protected], or via mail and fax. These CISR Forms are filed in SCE’s internal Office 365 system as well as a Shared File Storage drive.


CPUC Rule 6(e)(1)-(3) Rule description Customer authorization:

(1) Authorization. Separate authorization by each customer must be obtained for all disclosures of Covered Information except as otherwise provided for herein.

(2) Revocation. Customers have the right to revoke, at any time, any previously granted authorization.

(3) Opportunity to Revoke. The consent of a residential customer shall continue without expiration, but an entity receiving information pursuant to a residential customer’s authorization shall contact the customer, at least annually, to inform the customer of the authorization granted and to provide an opportunity for revocation. The consent of a non-residential customer shall continue in the same way, but an entity receiving information pursuant to a non-residential customer’s authorization shall contact the customer, to inform the customer of the authorization granted and to provide an opportunity for revocation either upon the termination of the contract, or annually if there is no contract.

Assessment procedures Assessment test results Exceptions

1. Assess whether customers receive the Privacy Notice and must provide separate authorization if information is being used for a new Secondary Purpose.

1.a. See CPUC Rule 5c for Test Results.

2. Understand how customers are notified of their right to revoke any previously granted authorization and the process to do so.

2.a. Reviewed Ways to Access and Share Your Usage Data on SCE’s web page (https://www.sce.com/residential/rebates-savings/budget-assistant-and-you/Share-My-Data) and noted that customers can cancel authorization through this page or any time through their My Account page.

2.b. Reviewed the CISR Form and noted that in order to complete the form, customers must provide explicit consent and sign an acknowledgement clause that states “[the Customer] understands that [he/she] may cancel this authorization at any time by submitting a written request.”

2.c. Met with members of Customer & Operational Services and were informed that customers have access through their SCE ‘My Account’ site to electronically authorize, manage, and revoke access to third parties.


CPUC Rule 6(f) Rule description Parity:

Covered entities shall permit customers to cancel authorization for any Secondary Purpose of their Covered Information by the same mechanism initially used to grant authorization.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has a process in place to allow customers to cancel authorization for any Secondary Purposes.

1.a. Reviewed the CISR Form and noted the customers must check a box to agree that they understand they “may cancel the authorization at any time by submitting a written request.”


CPUC Rule 6(g) Rule description Availability of aggregated usage data:

Covered entities shall permit the use of aggregated usage data that is removed of all PII to be used for analysis, reporting or program management provided that the release of that data does not disclose or reveal specific Covered Information because of the size of the group, rate classification, or nature of the information.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s Privacy Notice or internal policies address the use of aggregate information.

1.a. Examined the Privacy Notice and noted that the use of aggregate non-Personal Information is included in the Privacy Notice and states the following:

a. “Periodically, we may aggregate your Energy Usage Information with that of others in various formats so your Energy Usage Information becomes anonymous and cannot personally identify you. We use the information for various analysis, reporting and program management purposes, including to analyze rates and rate structures, comply with regulations, such as posting aggregated usage information by zip code on our website, evaluate energy usage demand needs, and determine potential growth within a geographic area. This aggregated information is not considered Personal or Energy Usage Information and may be shared with third parties we do business with.”

1.b. Reviewed Privacy Compliance Program Manual and noted that SCE may de-identify and anonymize information for the purposes of research, resource planning, or trend analysis.

2. Assess whether SCE has a procedure in place to help ensure aggregate information does not disclose or reveal specific Covered Information.

2.a. Met with Privacy Compliance Program Senior Advisor and were informed that data aggregation rules are embedded in multiple areas. Requests are reviewed by the Privacy team to help ensure they are appropriate and in compliance with Company policies, including data aggregation rules.

2.b. Reviewed the Privacy Compliance Program Manual and noted that it recommends that for de-identified information the code, algorithm or other key should be maintained in a separate system, with appropriate controls in place to prevent unauthorized access to the re-identified information; or the data elements should not be linkable, via public records or other reasonably available external records, in order to re-identify the data. Additionally, the code, algorithm or other key must only be provided to an authorized employee with a legitimate business reason.


Moreover, SCE recommends using anonymized information as the preferred method for system testing or training, since anonymized information is information that has been de-identified and there is no code or other association for re-identification.
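The distinction the manual draws between de-identified information (re-identifiable with a key that is held in a separate system) and anonymized information (no key, no way back) is easy to get wrong in practice: replacing an account number with a plain, unkeyed hash produces something that looks like a pseudonym but is reversible by anyone who can enumerate the account-number space. The following is an added example, not code from the KPMG report or from SCE, that shows a keyed pseudonym (HMAC) beside an unkeyed hash and runs the same enumeration attack against both. The account numbers, zip codes and usage values are constructed sample data, and the key variable is a stand-in for the separate, access-controlled key store the manual describes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real records): ten-digit service account numbers that all
# share the prefix "30012", so the enumeration below only has to try 10**5 candidates.
ACCOUNT_PREFIX = "30012"
SAMPLE_RECORDS = [
    {"account": "3001200042", "zip": "91770", "kwh": 812.4},
    {"account": "3001298765", "zip": "91770", "kwh": 455.0},
    {"account": "3001255555", "zip": "91731", "kwh": 1290.9},
]

# Stand-in for the separate, access-controlled key store. In practice this key lives in a
# vault or HSM that the recipients of the de-identified data set cannot read.
PSEUDONYM_KEY = secrets.token_bytes(32)


def unkeyed_token(account: str) -> str:
    """Plain SHA-256 of the account number. Looks random, but the input space is small and
    enumerable, so anyone holding the data set can reverse it (see reidentify_by_enumeration)."""
    return hashlib.sha256(account.encode()).hexdigest()[:16]


def keyed_token(account: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Stable for the same account (records can still be joined),
    but not linkable back to the account without the key."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """De-identify: replace the account number with a keyed token; keep usage and geography."""
    return [{"token": keyed_token(r["account"], key), "zip": r["zip"], "kwh": r["kwh"]}
            for r in records]


def anonymize(records):
    """Anonymize: drop the identifier entirely. There is no key and no way back, which is
    why the manual prefers this form for system testing and training."""
    return [{"zip": r["zip"], "kwh": r["kwh"]} for r in records]


def reidentify_by_enumeration(token: str, prefix: str = ACCOUNT_PREFIX, digits: int = 5):
    """What a data recipient without the key can do: hash every candidate account number
    and compare. Recovers the account behind an unkeyed token; returns None for a keyed one."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(unkeyed_token(candidate), token):
            return candidate
    return None


def demo():
    """Returns (account recovered from the unkeyed token, result for the keyed token)."""
    account = SAMPLE_RECORDS[0]["account"]
    weak = reidentify_by_enumeration(unkeyed_token(account))
    strong = reidentify_by_enumeration(keyed_token(account, PSEUDONYM_KEY))
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The enumeration recovers the original account from the unkeyed token almost immediately and finds nothing for the keyed one; the difference is entirely the secret key, which is why the manual's requirement that the key be kept in a separate system with its own access controls is the control that matters, not the hashing itself.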

2.c. Reviewed the Third Party Data Request Program Fact Sheet for Local Governments, available publicly on SCE.com https://www.sce.com/sites/default/files/inline-files/EDRP%2BFact%2BSheet%2Bfor%2BLocal%2BGovernments.pdf, and noted that SCE offers two options:

a. Option 1: Aggregation:

i. 15/20 Aggregation Rule for Residential, Commercial, and Agricultural Energy Consumption Data - For each customer class, the data set must meet the following rules: contain at least 15 customers, no single customer makes up more than 20% of the total energy consumption, and data must be aggregated either monthly, quarterly, or annually.

ii. 5/25 Aggregation Rule for Industrial Energy Consumption Data - For the industrial customer class, the data set must meet the following rules: contain at least 5 customers, no single customer makes up more than 25% of the total energy consumption, and data must be aggregated either monthly, quarterly, or annually.

b. Option 2: Anonymization

i. 100/10 Anonymization Rule for Residential, Commercial, Agricultural, or Industrial Energy Consumption Data - Local governments may also request anonymized service-account-level data, which must meet the following rules: contain at least 100 service accounts for each customer class, no single service account makes up more than 10% of the total energy consumption for that customer class, data must be aggregated either monthly, quarterly, or annually, and all information that can be used to identify a customer must be removed.


2.d. Met with Senior Manager, Regulatory Affairs, and were informed that requests for aggregate billing data include various precautions to protect the identity of individual customers:

a. identifiable information is removed from any data feed

b. large customer data is aggregated by rate code and zip code

c. for zip codes with fewer than 100 customers, the customer data is combined with another zip code
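The 15/20, 5/25 and 100/10 rules in 2.c and the zip-code handling in 2.d together describe a small release-gating procedure: group the records, fold groups that are too small into a neighbour, and then suppress any group in which one customer's share of consumption exceeds the limit. The following is an added example, not code from the KPMG report or from SCE, that implements those checks over constructed sample records. Two details are assumptions rather than statements from the report: small zip codes are folded into the next zip code in sorted order, and the 100-customer zip-size rule is applied to every customer class before that class's own rule.

```python
from collections import defaultdict

# Thresholds as stated in the Fact Sheet summarised in 2.c:
# (minimum customers in the group, maximum share of total consumption by any one customer).
AGGREGATION_RULES = {
    "residential": (15, 0.20),
    "commercial": (15, 0.20),
    "agricultural": (15, 0.20),
    "industrial": (5, 0.25),
}
ANONYMIZATION_RULE = (100, 0.10)   # 100/10 rule: service-account level, any class
MIN_ZIP_CUSTOMERS = 100            # 2.d: zips with fewer customers are combined with another zip


def check_group(kwh_values, min_count, max_share):
    """Apply an N/X% rule to one group. Returns (releasable, reason)."""
    n = len(kwh_values)
    if n < min_count:
        return False, f"only {n} customers, rule requires {min_count}"
    total = sum(kwh_values)
    if total <= 0:
        return False, "no consumption to aggregate"
    top_share = max(kwh_values) / total
    if top_share > max_share:
        return False, f"largest customer is {top_share:.0%} of total, limit {max_share:.0%}"
    return True, "ok"


def merge_small_zips(by_zip, min_customers=MIN_ZIP_CUSTOMERS):
    """Combine zip codes with fewer than min_customers into a neighbouring group.
    Assumption (not stated in the report): small zips are folded into the next zip in
    sorted order, and any remainder at the end is folded into the last group."""
    groups, pending_label, pending = [], None, []
    for z in sorted(by_zip):
        label = z if pending_label is None else f"{pending_label}+{z}"
        values = pending + by_zip[z]
        if len(values) < min_customers:
            pending_label, pending = label, values
        else:
            groups.append((label, values))
            pending_label, pending = None, []
    if pending:
        if groups:
            last_label, last_values = groups.pop()
            groups.append((f"{last_label}+{pending_label}", last_values + pending))
        else:
            groups.append((pending_label, pending))
    return groups


def aggregate_release(records, customer_class):
    """Option 1 (aggregation) for one class: group by zip, merge small zips, then apply the
    class's N/X% rule. Returns (released totals by group label, suppressed groups with reasons)."""
    by_zip = defaultdict(list)
    for r in records:
        if r["class"] == customer_class:
            by_zip[r["zip"]].append(r["kwh"])
    min_count, max_share = AGGREGATION_RULES[customer_class]
    released, suppressed = {}, {}
    for label, values in merge_small_zips(by_zip):
        ok, reason = check_group(values, min_count, max_share)
        if ok:
            released[label] = round(sum(values), 1)
        else:
            suppressed[label] = reason
    return released, suppressed


def anonymized_release(records, customer_class):
    """Option 2 (anonymization): account-level rows with identifiers stripped, released only
    if the class as a whole meets the 100/10 rule. Returns (rows or None, reason)."""
    rows = [(r["zip"], r["kwh"]) for r in records if r["class"] == customer_class]
    ok, reason = check_group([kwh for _, kwh in rows], *ANONYMIZATION_RULE)
    return (rows, reason) if ok else (None, reason)


def make_sample():
    """Constructed sample data, not real customer records. Residential kWh values follow a
    fixed formula so no single customer dominates; one industrial account deliberately does."""
    records = []
    for zip_code, n in (("91770", 130), ("91780", 120), ("91731", 40), ("91732", 45)):
        for i in range(n):
            records.append({"account": f"{zip_code}-{i:04d}", "class": "residential",
                            "zip": zip_code, "kwh": 300 + (i * 37) % 500})
    for i, kwh in enumerate((52000, 8000, 7000, 6500, 6000, 5500)):
        records.append({"account": f"ind-{i}", "class": "industrial", "zip": "91731", "kwh": kwh})
    return records


if __name__ == "__main__":
    data = make_sample()
    print(aggregate_release(data, "residential"))
    print(aggregate_release(data, "industrial"))
```

On the sample, the two small residential zips (40 and 45 customers) are folded into 91770 and released as one combined group, 91780 is released on its own, and the industrial group is suppressed because one account is about 61% of the class total even though the 5-customer minimum is met. The second check is the one that matters for large customers: a group can satisfy the count threshold and still identify its biggest member.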

2.e. Inspected correspondence for an aggregate data request that was received and processed by the Load Research team and noted that the information to be provided was at a climate zone profile level and had no direct correlation to any specific customer meters.

2.f. Met with Project Manager, Transmission & Distribution, and were informed that Transmission & Distribution will typically only distribute anonymized or aggregate data in response to requests from academics unless there is a specific reason not to. The Manager works with the Privacy Compliance Program Senior Advisor to validate the request and ensure the appropriate consent forms are completed prior to distribution.


CPUC RULE 7 Data Quality and Integrity

Overall assessment result No exceptions noted.

CPUC Rule 7 Rule description Covered entities shall ensure that Covered Information they collect, store, use, and disclose is reasonably accurate and complete or otherwise compliant with applicable rules and tariffs regarding the quality of energy usage data.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE’s privacy policies address the quality of Covered Information and other Customer PII.

1.a. Reviewed SCE’s Employee Code of Conduct and noted SCE employees must always complete and document their work accurately and in accordance with all internal controls and processes as a part of SCE’s commitment to the public.

1.b. Reviewed SCE’s Privacy Compliance Program Manual and noted that OUs are required to periodically validate and make enhancements for the protection, integrity, and availability of all records.

1.c. Reviewed SCE’s Supplier Code of Conduct and noted that third parties are required to maintain "accurate records” and protect Personal Information. It indicates that “In addition, SCE requires third parties to (1) Maintain accurate financial and operational records, (2) Maintain, retain, and dispose of business records associated with work for SCE in accordance with all applicable legal and contractual obligations, (3) notify SCE immediately regarding any request from a third party for Edison information, unless prohibited by law, (4) Third parties must ensure that information covered by privacy laws is handled in accordance with all applicable legal and regulatory requirements, including federal and state regulations, such as California Privacy laws, or the California Public Utilities Commission’s Smart Grid Data Privacy regulation, (5) Protect Edison information from unauthorized use or disclosure and notify Edison in accordance with the terms of the contract if there is an unauthorized use or disclosure of Edison information”.

1.d. Reviewed the Protecting Personal Information Procedure policy available to employees on the SCE intranet and noted that information used by employees for third parties must be accurate and SCE shall only provide the Covered Information reasonably necessary for third parties to complete their work. In addition, the document indicates Covered Information must be protected from unauthorized access, loss and misuse.

1.e. Reviewed the Records Management Policy and noted that there is a specific section dedicated to records quality. It states “records shall be complete, up to date and accurate so that they can be relied on to support business activities and decisions.”

2. Inspect sample communication to customers to assess whether SCE policies include customer data integrity.

2.a. Reviewed the Privacy Notice and noted that in order to use SCE.com’s My Account features, customers are required to voluntarily provide and maintain their Personal Information with SCE. The document also prompts customers to contact SCE should there be any changes and updates to their information at:

Telephone: 1-800-655-4555 (Residential) or 1-800-990-7788 (Business)

Web: [email protected] (added to the May 2019 update to the Privacy Notice)

Mail: Southern California Edison

Attn: Chief Ethics and Compliance Officer

Post Office Box 800

Rosemead, CA 91770

2.b. Reviewed the My Account Online Services Terms and Conditions, available publicly on SCE.com, and noted that the document states it is the customer’s responsibility to ensure that their contact info and other required information is current, accurate, and updated promptly.

2.c. Listened to sample customer calls at the SCE Customer Contact Center in Irwindale, CA, and noted that SCE Energy Advisors prompted customers to validate and / or complete their user information that is on record with SCE.

3. Assess whether procedures are in place that:

— edit and validate personal information as it is collected, created, maintained, and updated,

— specify when the personal information is no longer valid.

3.a. Reviewed the Privacy Compliance Program Manual and noted SCE OUs are instructed to collect, store, use, or disclose only as much customer Covered Information as is necessary and relevant to the project or system.

3.b. Reviewed the Records Management Policy available to all employees via the intranet and noted that employees are instructed to retain records as long as necessary for legal, regulatory and operational purposes. The policy also indicates to dispose records in accordance with applicable retention schedules.

3.c. Met with Senior Manager, Customer Contact Center, and listened in on sample calls, and noted that SCE Energy Advisors authenticated customers during the call intake process. The process included validation of customer account information on file, such as name, phone number and address among others. Customers are prompted to edit and update their information on file during their calls to the Contact Center. Customers are also instructed that they can make edits online using the My Account portal.

3.d. Met with Senior Supervisors, Credit & Payment Services, and conducted a walk-through of the Center processes. Noted that the department has data minimization policies and procedures for disposal of confidential customer information and its destruction when the information is no longer valid. Policies and procedures include:

— Only Credit Risk and Credit and Payment Services employees have access to the office. Access to the parking lot and building is controlled via employee key card, gates and monitored with security cameras.

— Nightly walkthroughs by Supervisors are performed prior to the closing of the facility to validate no Personal Information is left on desks or printers.

— Not displaying, printing, or otherwise accessing any Personal Information that is not essential in order to perform a business-related task or job function.

— All Personal Information that is not in immediate use is stored in locked file cabinets. When disposing of Personal Information, documents are either shredded immediately or placed in a locked shred bin. Shredders are located at each printer in the facility as well as shred bins for larger files.

— Office printer and fax machine require key card scan before printing documents.

3.e. Met with Director, EIX Risk Management, and noted that customer data privacy and security are areas assessed and considered in SCE’s annual internal risk assessment.

4. Inspect sample evidence to assess whether procedures are in place to ensure personal information is sufficiently relevant for the purposes for which it is to be used and to minimize the possibility that inappropriate information is used to make business decisions about the individual.

4.a. Reviewed the Privacy Compliance Program Manual and noted SCE informs its employees to limit the amount of Personal Information to the least amount necessary to conduct an OU’s work, and that if the OU does not need the data, it must not be collected. This is both a risk-reduction strategy as well as an operations consideration. The document notes that if previously collected Personal Information serves no current business purpose, then the Personal Information shall no longer be collected, and a disposition strategy must be assessed with the Privacy Compliance Program Senior Advisor.

4.b. Reviewed the Records Management policy available to employees on the intranet and noted that employees with access to Covered Information are instructed that documents containing Personal Information must be securely stored and destroyed. The policy states that violations of the procedure may result in disciplinary action, up to and including termination of employment and civil or criminal liability.

4.c. Met with Project Manager, Transmission & Distribution, and Senior Manager, Regulatory Affairs, and noted that when working with or providing Covered Information either internally at SCE and when responding to data requests, data analysts review the data request for reasonableness, and redact all unnecessary information. The data provided is reviewed by managers in order to ensure the information is both relevant to the request and all other information is appropriately redacted. Moreover, Cybersecurity performs an assessment on the third parties to get clearance to share customer data. In this way, only approved third parties are used. Third parties are also required to sign NDAs prior to performing work, and to provide proof of destruction for the SCE data they were provided when finished.


CPUC RULE 8 Data Security

Overall assessment result Exception noted:

Current SCE security standards do not require all systems containing Covered Information to routinely undergo security risk assessments unless they are subject to a major upgrade or enhancement. This can result in systems going an extended period of time without an updated risk assessment if they do not trigger the formal requirement per the existing standard.

CPUC Rule 8(a) Rule description Generally:

Covered entities shall implement reasonable administrative, technical, and physical safeguards to protect Covered Information from unauthorized access, destruction, use, modification, or disclosure.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has documented policies addressing security provisions for Covered Information:

— Risk assessment and treatment

— Security policy

— Organization of information security

— Asset management

— Human resources security

— Physical and environmental security

— Communications and operations management

— Access control

— Information systems acquisition, development, and maintenance

— Information security incident management

— Business continuity management

— Compliance

1.a. Per inquiry of relevant stakeholders and inspection of documentation provided, it was noted that the following cybersecurity policies, procedures, standards and guidelines are in place to address security provisions for SCE, including Covered Information:

1.b. Risk Assessment and Treatment – Continuous threat and vulnerability identification and remediation is performed by the Cybersecurity and IT Compliance groups. The threat and vulnerability identification and remediation process is formally documented within the Cybersecurity Administrative Standard.

1.c. Security Policy – The Physical Security and Cybersecurity Policy is in place and accessible to all SCE employees. Additional supporting information security policies (e.g. acceptable use policy), standards, procedures, and guidelines are also available.

1.d. Information Security Organization – Formal Cybersecurity and IT Compliance groups are in place to perform governance activities and adhere to standards, perform risk assessments to help maintain the risk register, provide governance over the Vulnerability Assessment program, perform inquiries with various parts of the business to vet compliance with standards, and perform a standards exception process.

1.e. Asset Management – Per inspection of the Cybersecurity Administrative Standard, a process and procedure is in place to manage hardware, software, and system assets. This process includes physical and logical security required for each asset, and the proper disposal of assets.

1.f. Human Resources Security – The Privacy Policy describes how all employees should handle any confidential or personal information. Additionally, the Cybersecurity Administrative Standard requires all third party employees that will have access to SCE systems to undergo a background verification check by the third party.

1.g. Physical and Environmental Security – Requirements are formally documented in the Physical Security and Cybersecurity Policy and environmental safeguards were confirmed during walkthroughs of key sites.

1.h. Communications and Operations Management – Encryption, network, remote access, and access control requirements are each formally documented in the Cybersecurity Administrative Standard.

1.i. Access Control – Requirements are formally documented in the Cybersecurity Administrative Standard.

1.j. Information Systems Acquisition, Development, and Maintenance (SDLC) – Requirements are formally documented in the Cybersecurity Administrative Standard.

1.k. Information Security Incident Management – Policies have been formally documented in the Privacy Incident Response Policy, the Cybersecurity Administrative Standard, and the Physical Security and Cybersecurity Policy.

1.l. Business Continuity Management and Disaster Recovery – Requirements are formally documented in the Cybersecurity Administrative Standard.

1.m. Compliance – Requirements for compliance with applicable privacy legislation and regulations are formally documented in the Privacy Policy.

2. Assess whether SCE privacy policies and procedures cover protection of electronic and print media containing Covered Information from unauthorized access, destruction, use, modification or disclosure.

2.a. Reviewed the Classification and Access Procedure and noted that Covered Information is classified as Confidential.

2.b. Reviewed the Cybersecurity Administrative Standard, and noted that there are formal policies around accessing, using, modifying, and disclosing print and electronic data.

2.c. Reviewed the Protecting Personal Information Procedure and noted that there are formal procedures in place for the handling and storage of print and electronic data.

2.d. See CPUC Rule 8a Assessment Test Procedure 8 for details.

3. Assess whether a management procedure exists to monitor compliance with the security provisions in the policy and instances of noncompliance are identified and remediated.

3.a. Reviewed the Cyber Risk Management policy and noted that it provides guidelines for monitoring compliance with security provisions through inquiries with business units, risk assessments, vulnerability scanning, and the use of DLP and anti-virus tools.

4. Review evidence of SCE providing customers with the Privacy Notice on the security mechanisms used by SCE to protect their Covered Information.

4.a. Reviewed the Privacy Notice that is available on SCE.com and provided in the customer welcome package and noted that it addresses the security mechanisms used by SCE to protect Covered Information.

5. Review evidence that SCE’s policies on Data Security are communicated to internal employees and contractors who have access to Covered Information.

5.a. Reviewed the Physical Security and Cybersecurity Policy and the Data Protection Standard and noted that they are published on the SCE intranet site, which is accessible by all SCE employees, and that they provide employees with guidance on SCE's data privacy policy.

5.b. Met with Information Technology Senior Advisor and noted that the cybersecurity policies referenced by the Cybersecurity Team are available to employees and contractors via the internal portal.

6. Assess whether a management procedure is in place to monitor whether SCE manages its security program to help ensure the protection of Covered Information.

6.a. Met with Information Technology Manager and Senior Advisor and noted that program managers contact the Cyber Team at the beginning of a project. They work to see what type of data is involved based on the security requirements (the project adheres to cybersecurity standards published by SCE). Testing is performed to ensure cybersecurity standards are implemented, and a system cannot be put into production without formal approval from the Cyber and IT Compliance teams. For noncompliance, if a project did not incorporate the necessary cybersecurity functionality, a remediation report is generated. Any exceptions require approval from senior management.

6.b. Met with Information Technology Senior Advisor and noted that SCE changed to a new vulnerability scanning tool in 2018. Also noted that vulnerability scanning occurs twice weekly with continuous monitoring on all business-critical systems. Other scan schedules may apply to legacy and non-critical systems. The various asset owners and operational teams are responsible for patching and remediation of vulnerabilities and for reporting remediation actions to management.

6.c. Reviewed the IT Checklist template and noted that the program manager must complete it prior to beginning a project to determine whether Cybersecurity needs to be involved. The checklist captures whether outside parties will be involved, the types of information within the system, etc.

6.d. Reviewed a vulnerability scan report with Information Technology Senior Advisor. Monthly reports are presented to management that include a dashboard showing high-level statistics of the vulnerabilities found. The reports also provide the results from various views (e.g., external, internal). The report provides detailed information for each vulnerability including the risk ranking from the vulnerability scanning tool, the date and time discovered, and system identifying information.

Exception: Current SCE security standards do not require all systems containing Covered Information to routinely undergo security risk assessments unless they are subject to a major upgrade or enhancement. This can result in systems going an extended period of time without an updated risk assessment if they do not trigger the formal requirement in the existing standard.
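The exception above is easy to make concrete. The following is an added example (not SCE's or KPMG's code) that compares the trigger-only rule described in the exception, under which a system is re-assessed only after a major upgrade or enhancement, with an age-based rule that also re-assesses any system whose last risk assessment is older than a maximum age, and lists the systems holding Covered Information that only the age rule would catch. The inventory records, the 365-day maximum and the "as of" date are constructed for the example.

```python
"""
Added example, not SCE's or KPMG's code: surfaces systems that a
trigger-only re-assessment rule would leave unreviewed indefinitely.
Inventory, maximum age and as-of date are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SystemRecord:
    name: str
    holds_covered_info: bool
    last_risk_assessment: date
    last_major_change: Optional[date]  # None if never upgraded or enhanced


def due_under_trigger_rule(rec: SystemRecord) -> bool:
    """Existing rule: re-assess only when a major change post-dates the last assessment."""
    return rec.last_major_change is not None and rec.last_major_change > rec.last_risk_assessment


def due_under_age_rule(rec: SystemRecord, as_of: date, max_age_days: int = 365) -> bool:
    """Age rule: the trigger rule plus a maximum assessment age (assumed 365 days)."""
    return due_under_trigger_rule(rec) or (as_of - rec.last_risk_assessment).days > max_age_days


def assessment_gaps(inventory, as_of: date, max_age_days: int = 365) -> List[Tuple[str, int]]:
    """Systems holding Covered Information that the age rule would re-assess but the
    trigger rule never would, with the age of their last assessment in days, oldest first."""
    gaps = []
    for rec in inventory:
        if not rec.holds_covered_info:
            continue
        if due_under_age_rule(rec, as_of, max_age_days) and not due_under_trigger_rule(rec):
            gaps.append((rec.name, (as_of - rec.last_risk_assessment).days))
    return sorted(gaps, key=lambda g: g[1], reverse=True)


# Constructed inventory for the example.
INVENTORY = [
    SystemRecord("billing-portal", True, date(2018, 11, 1), date(2019, 3, 15)),   # upgraded: trigger fires
    SystemRecord("legacy-crm", True, date(2016, 5, 20), None),                    # never upgraded: silent
    SystemRecord("contact-center-kb", True, date(2017, 2, 1), date(2016, 9, 1)),  # change pre-dates assessment
    SystemRecord("fleet-telemetry", False, date(2015, 1, 1), None),               # no Covered Information
]
AS_OF = date(2019, 6, 30)

if __name__ == "__main__":
    for name, age in assessment_gaps(INVENTORY, AS_OF):
        print(f"{name}: last risk assessment {age} days old, no trigger pending")
```

Run against the constructed inventory, the billing portal is caught by the existing trigger, while the two systems that have not been upgraded (or whose last change pre-dates their assessment) would never come up for review without the age rule.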

7. Review SCE’s relevant policies to assess if SCE incorporates security into their SDLC.

7.a. See CPUC Rule 8a Assessment Test Procedure 6.a.

7.b. Reviewed the Cybersecurity Administrative Standard and noted that all applications must comply with secure development standards, and all of the cybersecurity policies and standards. Requirements include secure coding practices, code reviews, threat modeling, vulnerability scans, and cryptographic solutions.

7.c. Reviewed evidence of several Risk Assessment Reports, Vulnerability Scan Reports and Code Scan Reports from sample systems and noted that security is incorporated into the SDLC.

8. Assess whether SCE uses appropriate facility entry controls to limit and monitor physical access to systems and locations where Covered Information is processed and stored.

8.a. Performed a walkthrough of a Data Center, a Customer Contact Center, a Bill Support Credit Collections Center, and a Customer Service Center and noted that physical access controls differ between restricted and non-restricted areas, specifically in the following ways:

— Access to restricted areas is controlled by badge access readers

— Covered Information is locked in cabinets when not in use or at the end of shifts

— All locations have security guards at entry points with turnstile-like badge readers and use visitor log sheets at the guard's desk to document guests entering the facility

8.b. Observed the following physical controls to protect personal information during the Data Center, Customer Contact Center, Bill Support Credit Collections Center, and Customer Service Center walkthroughs:

— Access control readers at front entrance and restricted areas

— Visitor log

— Escorted access to restricted areas

— Video monitoring

— Clean desk/Clear screen policy

— Masked personal information on computers

— Workstation screen locks for when employees step away from their desks

9. Assess whether SCE has implemented procedures for protecting Covered Information including controls for physically securing all media.

9.a. Reviewed the Protecting Personal Information procedure and noted that there are procedures in place for protecting Covered Information, including controls for physically securing all media. These include controls for handling and storage of print and electronic data.

9.b. Reviewed the Cybersecurity Administrative Standard, and noted that there are formal policies around accessing, using, modifying, and disclosing print and electronic data.

9.c. See CPUC Rule 8a Assessment Test Procedure 8 for details.

10. Inspect whether physical records containing Covered Information are stored in locked cabinets or rooms restricting unauthorized access.

10.a. Validated through onsite walkthroughs of key sites that store Covered Information that physical access to records containing Covered Information is controlled through locked cabinets or locked rooms.

10.b. See CPUC Rule 8a Assessment Test Procedure 8 for details.

11. Inquire of SCE’s personnel to gain an understanding of the logical control procedures in place to prevent unauthorized access to Covered Information.

11.a. Reviewed the Cybersecurity Administrative Standard and noted that formal procedures are in place to help ensure authorized access and prevent unauthorized access.

11.b. Inquired of SCE system owners for the systems handling Covered Information and were informed that access controls are in place on all systems and that a process is in place requiring management review and approval before access is provisioned. Access controls include processes to grant access, periodic reviews of granted access and termination of access.

12. Inspect evidence that logical controls are in place to prevent unauthorized access to Covered Information including user access provisioning and deprovisioning.

12.a. Reviewed the System Profile Questionnaires provided for each of the in-scope systems and noted that role-based access controls are in place to prevent unauthorized access to the systems.

12.b. Met with Information Technology Senior Manager and noted that access management processes are in place that require access requests and management approval prior to access being provisioned, and that processes for deprovisioning to remove access where it is no longer required are in place.

13. Review SCE’s relevant policies to assess if physical controls are in place protecting Covered Information.

13.a. Reviewed the Physical Security and Cybersecurity Policy and noted that controls around the physical protection of Covered Information and around visitors entering areas where Covered Information is stored are in place.

13.b. Validated through walkthroughs of key sites that store Covered Information that the physical access controls consistent with the Physical Security and Cybersecurity Policy are in place.

14. Inquire of SCE’s personnel to gain an understanding of the controls protecting physical access to systems storing Covered Information.

14.a. See CPUC Rule 8a Assessment Test Procedures 8 and 13.


15. Inspect evidence that physical access to sites and systems storing Covered Information is monitored and restricted.

15.a. See CPUC Rule 8a Assessment Test Procedures 8 and 13.

16. Review SCE’s relevant policies to assess if environmental controls are in place.

16.a. See CPUC Rule 8a Assessment Test Procedure 1.

17. Inquire of SCE’s personnel to gain an understanding of the environmental controls to protect systems storing Covered Information from natural disasters and environmental disasters (such as fire or flooding).

17.a. Per inquiry and observation during the Data Center site walkthrough, it was confirmed that there are several environmental controls to protect systems storing Covered Information from natural disasters including:

— Backup generators and four UPS units in place that are tested weekly

— Fire suppression system with 30,000 gallon water tank

— Temperature regulation system

— Earthquake braces on server racks

— Power management system that allows control of the flow of electricity down to individual outlets

— Full redundancy between primary and backup datacenters

18. Assess whether SCE has the ability to transfer data to third parties using secure channels.

18.a. Reviewed the System Profile Questionnaires and noted that most in-scope applications do not send any Covered Information to third parties. Those that do use company-approved secure channels to transfer data.

18.b. Met with Information Technology Senior Advisor and noted that SCE has approved tools for secure data transfers with third parties. An exception process is also in place if a different tool or method is necessary; it requires Cybersecurity and Data Owner review and approval, and a contract must exist with the third party.

18.c. Reviewed the Protecting Personal Information Procedure and noted that there are guidelines for sending confidential information to third parties. “E-mails containing Personal Information, permitted to be sent outside the Company’s e-mail system, shall be classified as “confidential” and protected using Company approved encryption technology or another secured method.”


18.d. Observed emails sent from the Customer Contact Center and noted that emails containing Covered or Confidential Information are encrypted.

19. Assess whether SCE has deployed an automated tool on network perimeters that monitors for Customer PII, keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.

19.a. A Data Loss Prevention (DLP) tool is deployed on the SCE network and endpoints and is configured to monitor all data crossing the network boundary.

19.b. The DLP tool is configured to monitor the contents of all emails and files sent across the network, including all email attachments using custom made policies which search for specific types of sensitive data.

19.c. The DLP tool is configured to detect, block, log and alert for data exfiltration attempts.

19.d. All data exfiltration attempts are logged in the DLP tool logging database.

20. Assess whether SCE has deployed an automated tool on workstations that monitors for Customer PII, keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data to removable media and block such transfers while alerting information security personnel.

20.a. The DLP tool is deployed on all SCE workstations and is configured to monitor all data being saved on removable media devices.

20.b. Potential data exfiltration events are logged in the DLP tool log and reviewed by the Information Security team daily. Incidents are followed up on by the Information Security Monitoring Team and tracked in the ticketing system until resolved if it is a true positive incident.
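Procedures 19 and 20 describe what the DLP tool does (inspect outbound email and attachments and writes to removable media for Customer PII and keywords, block, log and alert) without showing the mechanics. The following is an added example, not SCE's or KPMG's code and not a description of the deployed DLP product, of a minimal content inspector of that kind: it matches Social Security Number and ABA routing number patterns (the latter validated with the routing check digit so that arbitrary nine-digit strings do not alert), masks matches for display in the way procedure 26 describes for call-center screens, and returns a block/allow verdict plus the findings that would be logged. The patterns, keywords, channel names, policy (block on any PII leaving the boundary or going to removable media; alert only on internal traffic) and the sample messages are all assumptions constructed for the example.

```python
"""
Added example, not SCE's or KPMG's code: a minimal DLP-style content
inspector. Patterns, keywords, policy and sample inputs are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed detection patterns. The SSN pattern excludes invalid area
# numbers (000, 666, 900-999), group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")
KEYWORDS = ("customer account", "social security", "routing number")


def aba_checksum_ok(n: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeating, weighted sum % 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(n) == 9 and n.isdigit() and sum(int(d) * w for d, w in zip(n, weights)) % 10 == 0


@dataclass
class Finding:
    kind: str     # "ssn", "aba_routing", or "<kind>@<attachment name>"
    masked: str   # value as it would appear in the alert/log, never the full value
    offset: int


@dataclass
class Verdict:
    action: str                         # "allow" or "block"
    findings: List[Finding] = field(default_factory=list)
    keyword_hits: List[str] = field(default_factory=list)


def mask(value: str, keep: int = 4) -> str:
    """Show only the last `keep` characters, as on a masked agent screen."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(text: str) -> List[Finding]:
    """Pattern matches in one piece of text; routing numbers must pass the checksum."""
    findings = [Finding("ssn", mask(m.group()), m.start()) for m in SSN_RE.finditer(text)]
    for m in ROUTING_RE.finditer(text):
        if aba_checksum_ok(m.group()):
            findings.append(Finding("aba_routing", mask(m.group()), m.start()))
    return findings


def inspect_transfer(channel: str, text: str, attachments: Dict[str, str], external: bool) -> Verdict:
    """Assumed policy: PII leaving the network boundary (external email) or
    written to removable media is blocked; internal traffic with hits is
    allowed but still returned as findings so it can be logged and reviewed."""
    findings = scan(text)
    for name, body in attachments.items():
        findings += [Finding(f"{f.kind}@{name}", f.masked, f.offset) for f in scan(body)]
    hits = [k for k in KEYWORDS if k in text.lower()]
    crosses_boundary = external or channel == "removable_media"
    action = "block" if (findings and crosses_boundary) else "allow"
    return Verdict(action, findings, hits)


if __name__ == "__main__":
    # Constructed sample: an outbound email with an SSN in the body.
    v = inspect_transfer("email", "Customer account for J. Doe, SSN 123-45-6789", {}, external=True)
    print(v.action, [(f.kind, f.masked) for f in v.findings], v.keyword_hits)
```

Note that the verdict is computed from the masked findings only; the full matched value never leaves `scan`, so the alert database described in 19.d does not itself become a store of Covered Information.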

21. Assess whether SCE has controls in place so that users cannot disable and modify security products or services.

21.a. Per inquiry of Information Technology Senior Advisor, it was noted that updates and configurations for end-user device security tools are centrally managed and deployed by the Cybersecurity Team. End-users do not have the requisite authorization or passwords required to perform any modifications to security products, services, or tools.

22. Assess whether SCE officials understand the current threat landscape and potential threats to the organization by leveraging multiple threat feeds.

22.a. Met with Information Technology Senior Advisor and noted that threat management is a process performed using a combination of tools and procedures. Additionally, the Cybersecurity Team performs risk assessments on all third parties to determine whether they are safe to work with. BitSight scores are used to help determine the depth of the risk assessment performed.

22.b. Met with Information Technology Senior Manager and noted that risk management activities are performed on all systems and applications used. Risk assessments are performed on all projects and there are regular security checkpoints as part of the SDLC where the Cybersecurity Team is involved.

22.c. Met with Information Technology Manager and noted that a SIEM tool is in place and that all network and security devices provide logs to the SIEM tool for analysis and alerting based on defined use cases.

22.d. Met with Information Technology Senior Advisor and noted that continuous vulnerability scans are performed on all assets, and that vulnerability scanning tools are integrated with core directories and cybersecurity tools to ensure all assets are identified and scanned for vulnerabilities.

23. Assess whether SCE scans source code for bugs and vulnerabilities before moving it into production.

23.a. Reviewed the Cybersecurity Administrative Standard and noted that code reviews and code security testing are required as part of the development phase of a system or application. Additionally, security vulnerability scans must occur and all risks ranked as moderate or higher must be remediated prior to the deployment of a new or upgraded system into production.

23.b. Reviewed the System Profile Questionnaires provided for each of the in-scope systems and inquired of system owners for supplemental information.

24. Assess whether SCE’s development/test environments are separate from the production environment, with access control in place to enforce the separation.

24.a. Reviewed the Cybersecurity Administrative Standard and noted that development activities must be performed in a separate non-production environment, and that production systems are not to be used for development purposes.

24.b. Reviewed supporting documentation for 3 sample systems and noted that the development and test environments are logically separated from the production environment.


24.c. Development tools, components, and libraries are removed and passwords, tokens, and certificates are changed prior to a system being deployed into production.

24.d. Per inquiry of Information Technology Senior Manager, it was noted that any changes to systems containing Covered Information require an approved change request and that developers do not have the access required to move code from development to production.

25. Assess that SCE does not use production Covered Information for testing or development, and that test data and accounts are removed before a production system becomes active.

25.a. Reviewed the Cybersecurity Administrative Standard and noted that all development activities must be performed in a separate, non-production environment. All development tools, components, and libraries are removed and passwords, tokens, and certificates are changed prior to a system being deployed into production. Additionally, it is stated that production data must not be used for application development or project quality assurance testing purposes.

25.b. Reviewed the Test Data Setup Process in Non Production Environment document and noted that when production data is migrated to non-production environments, specific tools and processes are in place to mask PII so that it is protected.

26. Assess whether SCE utilizes a Data Masking tool to limit access to and protect Covered Information and other PII.

26.a. Observed during the walkthrough of the Customer Contact Center that Social Security Numbers and Bank Numbers are masked on screens.

27. Assess whether SCE’s web applications use encryption when transmitting sensitive data across the network.

27.a. Reviewed the Cybersecurity Administrative Standard and noted that SCE prohibits the use of SSL and provides specific protocol requirements for encrypting all company communications.

27.b. Reviewed the System Profile Questionnaires provided for each of the in-scope systems and inquired of system owners for supplemental information.
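Procedure 27 records that the standard prohibits SSL and fixes the protocols used for company communications, but the page does not reproduce the protocol list. The following is an added example, not SCE's or KPMG's code and not the standard's own text, of what such a requirement looks like at the client side in Python's `ssl` module: a permissive context that still negotiates SSLv3/TLS 1.0/1.1 and skips peer verification, the hardened context a "no SSL" rule implies, and a small checker that reports which forbidden versions a given context would still accept. The minimum version (TLS 1.2) is an assumption standing in for whatever the standard actually specifies.

```python
"""
Added example, not SCE's or KPMG's code: weak vs. hardened TLS client
contexts and a checker for a "no SSL" requirement. TLS 1.2 minimum is an
assumption; the page does not reproduce the standard's protocol list.
"""
import ssl
from typing import List

# Versions a "no SSL / no legacy TLS" rule forbids (assumed list).
FORBIDDEN_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def permissive_context() -> ssl.SSLContext:
    """The weak setting: negotiate anything the library supports, verify nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected setting: system trust store, hostname check, TLS 1.2 or later."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def protocol_violations(ctx: ssl.SSLContext) -> List[str]:
    """Forbidden versions the context would still negotiate, plus a flag if
    peer certificates are not verified. Empty list means compliant."""
    lo = ctx.minimum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:   # sentinel: treat as "down to SSLv3"
        lo = ssl.TLSVersion.SSLv3
    found = [v.name for v in FORBIDDEN_VERSIONS if lo <= v]
    if ctx.verify_mode == ssl.CERT_NONE:
        found.append("no peer verification")
    return found


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    print("permissive:", protocol_violations(permissive_context()))
    print("hardened:  ", protocol_violations(hardened_context()) or "compliant")
```

The checker only inspects local configuration; confirming what a deployed endpoint actually negotiates still requires a scan of the live service, which is what the vulnerability scanning in 6.b and 22.d would surface.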

28. Assess whether SCE has implemented an Intrusion Detection system within the environment to detect and generate log messages detailing events.

28.a. Reviewed the Cybersecurity Administrative Standard and noted that SCE requires a network-based IDS/IPS tool on internet-facing networks to monitor, analyze, and block attacks.

28.b. Met with Information Technology Senior Manager and Data Center Senior Advisor and confirmed that SCE has an IDS/IPS tool in place to detect, block, and blacklist malicious network traffic. Additionally, it was noted that the IDS/IPS tool feeds into the SIEM tool for logging, monitoring, and alerting.

29. Assess whether SCE has implemented an Intrusion Prevention system within the environment to detect events and reject packets.

29.a. See CPUC Rule 8a Assessment Test Procedure 28.

30. Assess whether SCE allows only limited access to network resource to vendors and third parties.

30.a. Reviewed the Cybersecurity Administrative Standard and noted that all third parties requiring access to SCE facilities or computing systems must complete the SCE onboarding process, use company-provided computing systems for access, comply with SCE's Acceptable Use Policy, and complete SCE Security trainings.

30.b. Met with Information Technology Senior Manager and noted that third parties must go through the onboarding process, which includes an assessment from the Cybersecurity Team, NDA forms, and access approval requests. SCE has defined rules that allow it to limit third-party access to only the systems necessary for the third party to complete its work.

31. Assess whether SCE has a formal process for approving and assessing all network connections and changes to the firewall and router configurations.

31.a. Met with Information Technology Senior Manager and Senior Advisor and it was noted that there is a formal process in place for approving network connections and changes to firewall and router configurations. Operational teams handle day-to-day operation; when changes to the network, firewall, or router are needed, a change request is issued to the Cybersecurity Team, which reviews, approves, and fulfills the change request as appropriate.

31.b. Reviewed the CRQ Template and noted that change requests have a unique identifier, capture specific information about the change to be made including the potential impact, and show the required approval steps.


32. Assess whether SCE’s firewall performs stateful inspection (dynamic packet filtering) to restrict network access.

32.a. Met with Information Technology Senior Manager and it was noted that a firewall is used to protect SCE’s network and restrict access. The firewall uses stateful inspection (dynamic packet filtering) to block unauthorized network traffic.

33. Assess whether SCE has implemented a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

33.a. Reviewed the Cybersecurity Administrative Standard and noted that the use of a DMZ is required to manage communications between Company networks and all other networks and the internet and to limit inbound traffic.

33.b. Met with Information Technology Senior Manager, and it was noted that a DMZ is in place which holds SCE’s public facing systems and components. The DMZ has security mechanisms in place including a perimeter firewall, web application firewall, and Intrusion Prevention System to help secure the DMZ.

33.c. An additional firewall is in place between the DMZ and the SCE internal networks. See CPUC Rule 8a Assessment Test Procedure 32 for details.


CPUC Rule 8(b) Rule description: Notification of breach

A covered Third Party shall notify the covered electrical/gas corporation that is the source of the covered data within one week of the detection of a breach. Upon a breach affecting 1,000 or more customers, whether by a covered electrical/gas corporation or by a covered Third Party, the covered electrical/gas corporation shall notify the Commission's Executive Director of security breaches of Covered Information within two weeks of the detection of a breach or within one week of notification by a covered Third Party of such a breach. Upon request by the Commission, electrical/gas corporations shall notify the Commission's Executive Director of security breaches of Covered Information.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has documented incident response and breach management procedures in place including roles and responsibilities, testing and training, incident classification and logging, remediation, and program updates.

1.a. Reviewed the Cybersecurity Administrative Standard and noted that there is a section that specifically covers the need for incident response plans, what they must cover, reporting procedures, and training needs.

1.b. Met with Information Technology Program Manager and noted that the IT Incident Response Plan is owned and regularly updated by him, including a final review of the plan at the end of each year.

1.c. Reviewed the IT Incident Response Plan and noted that it specifies roles and responsibilities, incident classification, logging, remediation, and program updates. Additionally, it includes examples of similar events to aid in the classification of new events.

1.d. Reviewed the Privacy Incident Response Procedure (2016) and noted the steps and procedures in place in the event of a privacy-related incident. Ethics & Compliance owns the privacy incident response process and will consult with the impacted OU.

2. Assess whether SCE’s management has adequately reviewed the incident review process in place.

2.a. Reviewed CPUC Smart Grid Data Privacy Decision Requirements Tracking sheet and noted that the Privacy Compliance Program Senior Advisor is responsible for implementing controls associated with data incidents involving customer Covered Information and taking appropriate steps in the event of a data breach. The control went into effect starting 7/29/2011.

2.b. Reviewed the Privacy Incident Response Procedure (2016) and noted the steps and procedures in place in the event of a privacy-related incident. Ethics & Compliance owns the privacy incident response process and will consult with the impacted OU.


2.c. Reviewed the IT Incident Response Plan and noted that it includes steps for identifying if a gap in detection exists and creating a “lessons learned” report to build upon the experience and be more effective in future incidents.

3. Assess whether SCE can perform forensic analysis in the instance of a Covered Information data incident.

3.a. Met with Information Technology Manager and noted that SCE has a team of individuals as part of the Security Operations Center that are regularly trained in forensic analysis tools and procedures including keeping a detailed chain of custody.

3.b. A separate forensics room with limited access is used to keep and analyze forensic evidence when necessary.

3.c. Reviewed the IT Incident Response Plan and noted that it includes steps for identifying if a gap in detection exists and creating a “lessons learned” report to build upon the experience and be more effective in future incidents.

4. Inspect sample evidence of breach incidents for the last 12 months.

4.a. Reviewed SCE’s 2018 Annual Privacy Report submitted to the CPUC and noted a single event affecting one of SCE’s business customers who has three accounts. The Annual Privacy Report included a description of the incident, the involved parties, and additional incident details.

4.b. Reviewed Internal Breach Details for 2018 and noted that SCE tracks the details of each incident including dates, a summary description, and whether it is a reportable privacy incident in accordance with both the CA Breach Laws and CPUC Smart Grid decision. Noted that there was one privacy breach involving Covered Information in 2018 affecting SCE’s business customer (noted in 4.a) on October 19, 2018.


CPUC Rule 8(c) Rule description: Annual report of breaches

In addition, electrical corporations shall file an annual report with the Commission's Executive Director, commencing with the calendar year 2012, that is due within 120 days of the end of the calendar year and notifies the Commission of all security breaches within the calendar year affecting Covered Information, whether by the covered electrical corporation or by a third party.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE tracks the reporting requirement and assigns responsibility and accountability to the appropriate departments.

1.a. Met with the Privacy Compliance Program Senior Advisor and a Senior Attorney in the Legal Department and were informed that, as part of the Privacy Compliance Program, the Privacy Compliance and Legal Department teams monitor compliance requirements from the CPUC through direct contact with the CPUC, industry trade groups, and interaction with other utilities. Compliance and reporting requirements are entered by the Privacy Compliance Program Senior Advisor and approved by the Legal Department via the ECMS system. The Privacy Compliance Program Senior Advisor determines the OU leader (principal manager or above) to be assigned to develop the control. The OU leader then identifies the appropriate control owner(s), who are identified in the system and tasked to build the control. Once built, the control is routed for approval by the OU leader.

1.b. Reviewed Internal Breach Details for 2018 and noted that SCE tracks the details of each incident including dates, a summary description, and whether it is a reportable privacy incident in accordance with both the CA Breach Laws and CPUC Smart Grid decision. Noted that there was one privacy breach involving Covered Information in 2018 affecting one of SCE’s Business Customer accounts on October 19, 2018.

2. Assess whether SCE filed its Annual Report to the CPUC as required by the Privacy Decision.

2.a. Reviewed SCE’s 2018 Annual Privacy Report and noted that it was submitted to the CPUC on April 30, 2019. The report identified one privacy breach affecting one customer within the 2018 calendar year. There were no reported privacy breaches affecting 1,000 or more customers.


KPMG Draft Report to Southern California Edison

CPUC Rule 9: Accountability and Auditing. Overall assessment result: No exceptions noted.

CPUC Rule 9.a Rule description: Availability

Covered entities shall be accountable for complying with the requirements herein, and must make available to the Commission upon request or audit—

(1) the privacy notices that they provide to customers,

(2) their internal privacy and data security policies,

(3) the categories of agents, contractors and other third parties to which they disclose Covered Information for a Primary Purpose, the identities of agents, contractors and other third parties to which they disclose Covered Information for a Secondary Purpose, the purposes for which all such information is disclosed, indicating for each category of disclosure whether it is for a Primary Purpose or a Secondary Purpose. (A covered entity shall retain and make available to the Commission upon request information concerning who has received Covered Information from the covered entity.), and

(4) copies of any secondary-use authorization forms by which the covered party secures customer authorization for secondary uses of covered data.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE has a process in place to provide the Commission with the Annual Privacy Report or any other requested documentation

1.a. Met with Privacy Compliance Program Senior Advisor and were informed that the Annual Privacy Report submitted to the CPUC covering the prior year is drafted in March and finalized by the April 30 submission deadline.

1.b. Observed evidence of the Company’s filing of the 2018 Annual Privacy Report for the Covered Period and noted that it was submitted to the CPUC on April 30, 2019.


CPUC Rule 9.b Rule description: Customer complaints

Covered entities shall provide customers with a process for reasonable access to Covered Information, for correction of inaccurate Covered Information, and for addressing customer complaints regarding Covered Information under these rules.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE provides notice to its customers on how customers can contact the Company for inquiries, complaints or disputes related to their personal information.

1.a. Reviewed SCE’s Privacy Notice and noted that it includes contact information where customers can provide comments and concerns regarding the Privacy Notice. The contact information includes a mailing address directed to Chief Ethics & Compliance Officer, a Residential phone number (1-800-655-4555) and Business Customers phone number (1-800-990-7788). SCE updated the Privacy Notice to add an email address ([email protected]) during the assessment period.

1.b. Reviewed Annual Privacy Bill Insert and observed that SCE provides existing customers a link to the Privacy Notice on an annual basis.

1.c. Reviewed sample Welcome Emails sent to new Residential and Business Customers and observed that a link to SCE’s Privacy Notice is included in these emails.

2. Assess whether SCE has a documented process to receive customer disputes, complaints, and inquiries, to address and resolve complaints, and to communicate the resolution back to the customer in a timely and satisfactory manner.

2.a. Reviewed the Consumer Affairs – Complaint Resolution - Confidential Treatment of Records Policy and noted that a process is in place governing the receipt and safeguarding of information related to a customer complaint throughout the resolution process.

2.b. Reviewed the Complaint Handling Process Flow and noted that SCE has a process to receive customer disputes, complaints and inquiries. A Business Analyst intakes the complaint, inputs it into SCE’s Complaint Tracking System and assigns it to a Review Manager for handling. The Review Manager then conducts a review and determines next steps. The complaint is closed out after the Review Manager communicates the resolution to the customer.

2.c. Met with Senior Specialist, Regulatory Affairs, and were informed that customers can also bring complaints to SCE through the CPUC. Formal complaints go directly to the Law Department for response. Informal complaints are handled through Consumer Affairs, and the Company has 20 days to respond. The relevant Vice President will sign off on an informal complaint and then the Legal Department will officially file with the CPUC.

2.d. Met with Senior Advisor, Transmission & Distribution, and were informed that Consumer Affairs receives customer complaints via the CPUC through two means: (1) customers file a formal complaint with the CPUC’s Consumer Affairs Branch Office, which then sets up a conference including the CPUC, SCE and the customer to discuss the customer’s complaint, and (2) customers file informal complaints with the CPUC and the CPUC uploads them to CIMS. An SCE Consumer Affairs representative processes the complaint by logging into CIMS. They track the time it takes to resolve a complaint.

3. Assess whether SCE has a process to escalate disputes, complaints, and inquiries to help ensure resolution in a timely manner.

3.a. Met with Senior Advisor, Transmission & Distribution, and were informed that Consumer Affairs uses the Complaints Tracking System for complaint intake and to track complaint status, including (1) customer name/number, (2) complaint number, (3) complaint source, (4) complaint class, category and priority, and (5) root cause.

In addition, SCE has started tracking complaints that come via social media using Sprout Social, a social media management solution.

4. Inspect evidence that SCE tracks and resolves customer complaints consistent with SCE’s policies.

4.a. Reviewed a sample customer complaint received through an Executive Letter related to a telephone solicitation from a solar company. The customer believed that SCE sold her information. The complaint was assigned to a Consumer Affairs review manager who responded to the customer within 20 days and closed the complaint.

4.b. Reviewed four sample UMC Monthly Cycle time Reports during the Covered Period and noted that they showed the complaint resolution time for escalated complaints. At no time during the Covered Period was this time greater than 20 days.

4.c. Reviewed four sample daily Pending Reports during the Covered Period and noted that they showed the complaint resolution time for escalated complaints. At no time during the Covered Period was this time greater than 20 days.


4.d. Reviewed the log of 2018 formal customer complaints filed with the CPUC and noted that the date, complainant, case number, decision number, resolution, and complaint reason were tracked for each complaint.

CPUC Rule 9.c Rule description: Training

Covered entities shall provide reasonable training to all employees and contractors who use, store or process Covered Information.

Assessment procedures Assessment test results Exceptions

1. Review SCE’s documented privacy awareness program materials to identify personnel who handle and access Covered Information.

1.a. Reviewed SCE’s Organizational Chart and noted that it identifies Organizational Units (OUs) with Access to Covered Information. The following OUs have access to Covered Information as of December 2018: Audit Services, Customer Service, Financial & Operational Services, Information Technology, Legal, Power Supply, Regulatory Affairs (Load Research), and Transmission and Distribution (Advanced Technologies).

1.b. Reviewed a list of 17 third parties with access to Covered Information during 2018.

1.c. Met with Principal Manager and Senior Manager, Customer & Operational Services, and noted that during the third party onboarding process, the need for a contractor to access Personal Information is identified as a parameter for evaluating the risk of that contract. SCE utilizes a third party to obtain security ratings on its vendors and has a threshold score that it requires third parties to maintain.

2. Understand the awareness material and communications to SCE personnel to test how internal privacy policies are communicated to associates.

2.a. Reviewed SCE’s trainings, awareness programs and communications sent to employees with customer privacy content and noted that during the Covered Period, internal privacy policies were communicated through the enterprise-wide Data Privacy Training and the Targeted Covered Information Training, which is required of all SCE employees who access Covered Information. In addition, there were multiple communication efforts to SCE’s personnel regarding customer privacy, including the following:

a. Internal Communications:

i. Intranet Articles, an internal webpage, which hosts periodic articles concerning relevant data privacy and cybersecurity issues and training. An example from 2018 includes an article related to protecting your password.


ii. Privacy Pros Yammer page, which is a page where SCE employees can get and share information on tips, techniques for privacy and cybersecurity.

iii. Posted fliers on data privacy and cybersecurity. An example from 2018 includes a flier that provided employees with tips on cybersecurity and how to protect their workplace.

iv. Digital screen video monitors located in several SCE offices are used to promote various initiatives and programs including those related to data privacy and cybersecurity.

b. Events and Programs:

i. Reviewed the 2018 Privacy Communications and Outreach tracking log which detailed over 40 individual privacy meetings, presentations, or open-invite events to provide information and awareness concerning privacy.

3. Understand SCE’s specific training materials to assess whether they adequately communicate/train employees on how to handle Covered Information. In addition, inspect that employees have completed these privacy and security training requirements.

3.a. Reviewed and viewed the Company’s Data Privacy Training and noted that it is an enterprise-wide training which is mandatory for all SCE management and employees. The training includes targeted guidance covering topics such as:

— The types of data that constitute Personal Information;

— Terminology;

— Security.

3.b. Reviewed and viewed the Targeted Covered Information Training and noted that it is a training which is mandatory for all SCE management and employees with access to Covered Information. This training is triggered automatically by SCE’s compliance system for these employees. SCE includes Covered Information in its definition of Edison Personal Information (EPI). Managers are notified if their direct reports have not completed the training in the weeks prior to the due date. The training includes targeted guidance covering topics such as:

a. Recognize what Personal Information is;

b. Understand SCE’s Privacy Policy, Privacy Notice & Procedure


c. Know what is protected under the CPUC’s Smart Grid Privacy and Security Decision.

d. Understand the collection and sharing rules

e. Recognize Privacy Incidents and know how to report them

3.c. Reviewed the tracker for completion of training. Noted that employees have completed the training requirement for the Covered Period.

4. Inspect evidence that contractors have completed privacy and security training requirements (e.g., training logs, certifications of compliance, etc.).

4.a. Met with Privacy Compliance Program Senior Advisor and noted that all third parties that have access to Covered Information are delegated individual training responsibilities through the Supplier Cyber Policy, which is attached to each MSA when performing work.

4.b. Inspected a sample executed Supplier Attestation of Security and Privacy of Covered Information that requires the third party to attest that it has complied with the “Management of Information Security” and “Employee Policies: Security and Privacy Awareness and Training” sections of the Supplier Cyber Policy.

5. Understand the privacy training required of third parties accessing Covered Information in order to test whether or not they are adequately equipped to handle Covered Information.

5.a. Reviewed the Supplier Cyber Policy and noted that it includes language on “Management of Information Security” and requires “Security and Privacy Awareness and Training.”

a. “Supplier shall maintain and update as necessary a comprehensive written information security program (the “Information Security Program”) that: (i) contains appropriate administrative, technical, and physical safeguards to protect Edison’s Computing Systems and Edison Data; (ii) complies with applicable laws and regulations and conforms to industry best practices; (iii) is reviewed and revised for adequacy and effectiveness at regular intervals (at least annually and whenever there is a material change in Supplier’s practices that may materially affect the security of Edison Data or Edison’s Computing Systems).”

b. “Supplier shall provide its personnel with privacy and information security training before providing such personnel access to Edison’s Computing Systems or Edison Data and at least annually thereafter. Supplier shall maintain employee completion reports and make such completion reports available to Edison upon Edison’s written request. Supplier shall review the contents of the security and privacy awareness and training program at least annually to ensure it is updated and reflects current, relevant security information.”

5.b. Met with Privacy Compliance Program Senior Advisor and were informed that the Targeted Covered Information Privacy Training was provided to users who have access or work with Covered Information including third parties.

5.c. Inspected a sample executed Supplier Attestation of Security and Privacy of Covered Information that requires the third party to attest that the third party has complied with the “Management of Information Security” and “Employee Policies: Security and Privacy Awareness and Training” of the Supplier Cyber Policy.

CPUC Rule 9.e Rule description: Reporting requirements

On an annual basis, each electrical/gas corporation shall disclose to the Commission as part of an annual report required by Rule 8.b, the following information:

(1) the number of authorized third parties accessing Covered Information,

(2) the number of non-compliances with this rule or with contractual provisions required by this rule experienced by the utility, and the number of customers affected by each non-compliance and a detailed description of each non-compliance.

Assessment procedures Assessment test results Exceptions

1. Assess whether SCE tracks the reporting requirements and assigns responsibility and accountability to the appropriate departments.

1.a. Reviewed the Privacy Compliance Program Manual and noted that intake and implementation of all applicable privacy requirements from regulators is overseen by the Privacy Compliance Program in ECMS. The Legal Department provides the interpretation of the regulation to the Privacy Compliance Program Senior Advisor. The Privacy Compliance Program Senior Advisor will initiate control development with the appropriate Compliance Lead for assignment to the Control Owner to build the control. The Company ensures that auditing or reporting requirements (e.g., "Red Flags" and CPUC Smart Grid Data Privacy) are completed on time, with results provided to the Information Governance Principal Manager, the Corporate Compliance and Information Governance Director and the EIX Chief Ethics and Compliance Officer & SCE Chief Compliance Officer.

1.b. Met with Privacy Compliance Program Senior Advisor, and Senior Attorney, Legal Department, and were informed that there are multiple channels and processes for addressing reporting requirements and department collaboration for SCE’s compliance:

— SCE’s Regulatory Affairs and the Legal department communicate with the CPUC.

— Privacy Compliance Program Senior Advisor and the Legal department work closely together in interpreting and monitoring compliance with regulatory requirements and assigning responsibility to the appropriate department/individuals.

— The Information Governance Principal Manager and the Corporate Compliance and Information Governance Director will be kept informed of new privacy regulations impacting the Company and of the associated implementation processes to comply with the regulation. New regulations, control assignments and control descriptions will be documented in the Enterprise Compliance Management System (ECMS).

— Oversight, interpretation, and implementation of privacy regulations and associated controls are documented in the ECMS.

2. Assess whether SCE filed its Annual Report to the CPUC as required by the Privacy Decision.

2.a. Reviewed the Company’s 2018 Annual Privacy Report and noted that it was submitted to the CPUC on April 30, 2019 by the Director of Corporate Compliance & Information Governance. The report indicated:

— 174 customer authorized third parties to access Covered Information

— 17 third parties under contract by SCE accessing Covered Information

— 2 EDRP requests (requests for Covered Information authorized under the “Energy Data Request Program” decision, D.14-05-016)

— One instance of non-compliance with the Privacy Rules or with contractual provisions required by the Privacy Rules, which became known to SCE through contact by a customer; one customer was affected.

Appendix II – Abbreviations used in this report

Abbreviation Full name

AICPA American Institute of Certified Public Accountants

AMI Advanced Metering Infrastructure

CCA Community Choice Aggregator

CEUD Customer Energy Usage Data

CIMS Claims Information Management System

CISR Authorization To Receive Customer Information or Act on a Customer’s Behalf

CPUC California Public Utilities Commission

DLP Data Loss Prevention

DMZ Demilitarized Zone

DR Disaster Recovery

ECMS Enterprise Compliance Management System


EDI Electronic Data Interchange

ESP Electric Service Provider

EDRP Energy Data Request Program

ID Identification

IDS Intrusion Detection System

IPS Intrusion Prevention System

IT Information Technology

LEED Leadership in Energy and Environmental Design

NDA Non-Disclosure Agreement

OU Organizational Unit

PII Personally Identifiable Information

SCE Southern California Edison

SDLC System Development Lifecycle

SIEM Security Information and Event Management

UPS Uninterruptable Power Supply

Appendix III – Stakeholders interviewed

# Title Organizational Unit Date

1 Privacy Compliance Program Senior Advisor Ethics & Compliance 2/27/2019

2 Senior Attorney – Privacy Counsel Legal Department 2/27/2019

3 Senior Manager Regulatory Affairs 2/27/2019

4 Senior Specialist Regulatory Affairs 2/27/2019

5 Senior Manager Corporate Affairs 2/28/2019

6 Senior Manager Regulatory Affairs 2/28/2019

7 Senior Advisor Information Technology 3/13/2019

8 Senior Manager Information Technology 3/13/2019

9 Senior Manager Information Technology 3/13/2019

10 Principal Manager Information Technology 3/13/2019


11 Program Manager Information Technology 3/14/2019

12 Senior Advisor Information Technology 3/14/2019

13 Manager Information Technology 3/14/2019

14 Manager Information Technology 3/14/2019

15 Senior Advisor Ethics & Compliance 3/20/2019

16 Senior Advisor Transmission & Distribution 3/20/2019

17 Senior Advisor Customer Programs & Services 3/20/2019

18 Manager Power Supply 3/21/2019

19 Senior Manager Customer & Operational Services 3/21/2019

20 Director EIX Risk Management Group 3/21/2019

21 Senior Advisor Information Technology 3/28/2019

22 Advisor Information Technology 3/28/2019

23 Manager Corporate Security 3/28/2019

24 Senior Advisor Information Technology 3/28/2019

25 Senior Manager Human Resources 4/4/2019

26 Advisor Account Management 4/4/2019

27 Senior Manager Customer Contact Center 4/15/2019

28 Business Analyst Billing Operations 4/15/2019


29 Manager Billing Operations 4/15/2019

30 Business Analyst Customer & Operational Services 4/15/2019

31 Business Analyst Customer & Operational Services 4/15/2019

32 Senior Supervisor Credit & Payment Services 4/15/2019

33 Senior Supervisor Customer & Operational Services 4/15/2019

34 Principal Manager Customer & Operational Services 4/16/2019

35 Senior Manager Legal Department 4/16/2019

36 Senior Advisor Information Technology 4/16/2019

37 Manager Information Technology 4/16/2019

38 Senior Manager Information Technology 4/16/2019

39 Senior Manager Information Technology 4/16/2019

40 Senior Advisor Data Center 4/16/2019

41 Senior Manager Customer & Operational Services 4/30/2019

42 Project Manager Customer & Operational Services 4/30/2019

43 Project Manager Transmission and Distribution 5/8/2019

44 VP, Chief Ethics and Compliance Officer Ethics & Compliance 6/11/2019

45 Director Ethics & Compliance 6/11/2019


Contact us

Doron Rotman Managing Director 408-367-7607 [email protected]

Douglas Farrow Partner 213-955-8389 [email protected]

Chris Kypreos Director 415-963-5148 [email protected]


© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. NDPPS 883440


Appendix B

SCE 2015-2019 Safety Culture Transformation Roadmaps


Enterprise Safety Roadmap Initiatives, 2015


Enterprise Safety Roadmap Initiatives, 2016


Initiatives

Focus Area / Initiative / Objective / Timeline

Safety Roles & Responsibilities

1. Sustain leader and employee adoption of safety roles and responsibilities

• Develop and implement a programmatic approach that encourages leaders and employees to demonstrate behaviors that reflect safety roles and responsibilities

Timeline: Q3

Critical Risk Management Pilot

2. Pilot a program to proactively reduce and manage critical risks, thereby reducing serious injuries and fatalities

• Pilot a critical risk management program in T&D and Generation for potential company-wide rollout

Timeline: Q3

Safety Culture Roadmap

3. Create an enterprise-wide Safety Culture Roadmap

• Establish current culture status and identify future opportunities

• Develop a strategic roadmap to guide ongoing culture change efforts

Timeline: Q2

2017 Enterprise Safety Roadmap

Ongoing Focus Programs

Program / Focus Area Objective / Timeline

Safety Recognition Program

Improve engagement in the Safety Recognition Program

• Develop and implement an engagement approach to improve employee and leader engagement in safety recognitions

Timeline: Ongoing

Safety Observation Program

Improve effectiveness and engagement in the safety observation program

• Implement reporting, dashboards and a feedback/evaluation loop

• Develop and implement an engagement approach to improve employee and leader engagement in safety observations

Timeline: Ongoing

2018 Safety Culture Improvement Plan

[Roadmap chart; recovered from the figure: timeline 2017 Q3–Q4, 2018 Q1–Q4 and 2019 Q1–Q4; culture phases Assess Safety Culture, Reflect, Reassess Culture; rollout phases Prepare, Implement; banner "Operationalize Change & Improvements". Focus areas and their activities, in timeline order:]

Safety Programs: Establish Effectiveness and Governance Criteria; Target Programs for Immediate Actions: Stop, Reset, Evolve; Enhance and Redesign Targeted Safety Programs

Talent Management Processes: Integrate Private Compliance Competencies and Behaviors for Critical Talent; Integrate Private Compliance Concepts into Talent Management Processes; Measure and Evolve Behavioral Integration

Hazard Awareness & Risk Management: Implement Individual Contributor Cognitive Behavior Training; Implement Formalized Critical Risk Management and align Process to Support Safe Worker Competencies; Ongoing Rollout of Cause Evaluation Process

Safety Governance & Structure: Assess Effectiveness of Current Structure; Optimize the Safety Organizational Structure; Evaluate, Align & Evolve CDSP; Optimize Safety Governance Groups, Teams & Structure

Safety Leadership: Implement tools to facilitate ongoing leader engagement; Define Private Compliance Competencies; Implement Safety Leadership Cognitive Behavior Training

Safety Measurement & Data Strategy: Define Safety Measurement & Data Strategy; Determine Data Capabilities; Implement Safety Measurement Data & Strategy; Socialize Trending and Predictive Analytics Reports; Develop and Implement Continuous Improvement Process

Safety Communications: Pilot & Streamline Strategy; Redesign Safety Communications Strategy; Establish Governance and Align Safety Communications to Improve Message Consistency and Impact

2019 Safety Culture Transformation Roadmap Workstreams and Tactics

Safety Culture Engagement & Measurement

Edison Culture Initiatives

• Partner with various enterprise culture initiatives to align initiatives and activities

Culture Engagement & Safety Program Sustainability

• Partner with Culture Congress to leverage safety roles and responsibilities to establish a core set of safety behaviors

• Create tailored OU engagement plans to sustain private compliance behaviors

• Support leaders to ensure long-term accountability of engagement activities

Culture Measurement

• Measure our progress towards private compliance to inform decision making

• Determine impact of safety culture transformation on safety metrics

IBEW Partnership

• Partner with IBEW to strengthen safety culture for represented employees and their direct leaders

Leadership & Talent Management

Culture Training & Training Sustainability

• Leverage safety culture training as the foundation to cultivate safe attitudes and behaviors

• Enhance retention and application of safety culture training concepts

Hiring

• Activate the Employee Value Proposition in the hiring process to attract candidates who share our values

• Create Talent Evaluation Committee to screen candidates for the desired values using the HireVue digital interview platform. Initial scope: Planners, then operationalize and expand.

Employee Safety Assessment

• Conduct validation studies to implement the Aon assessment for T&D individual contributors and represented leads to hire and promote those who will align with our company values and strengthen our safety culture

Hazard Awareness & Risk Management

Leader Field Engagement

• Provide tools to support meaningful front line leader engagement with their teams

Tailboard

• Improve hazard identification and mitigation by embedding safety culture concepts and risk mitigation thinking in the tailboard process

Safety Predictive Model

• Predict and mitigate risks by operationalizing the safety predictive model in the field

Risk-based Safety Program

• Develop and implement a Risk Based Safety program to holistically address life altering and life threatening risks