Protection of Customer Information

General

PES records will be secured using reasonable physical security methods such as locked doors and cabinets. Any confidential information shall remain on PES property at all times, except for official business or when the Chief Executive Officer authorizes removal. PES has systems in place that log and record access to, and activities within, sensitive areas and concerning confidential information. Only employees with legitimate business needs will be granted access to company information and/or electronic data. Every employee permitted access to electronic data will be given an individual user account and will maintain a unique password. Furthermore, PES protects its electronic data and internal computer network through the use of firewalls, anti-virus software and other industry-accepted security mechanisms.

 

PES Sensitive Data Restrictions

Utility information related to strategic and operational activities, contingency or emergency response plans, security procedures or descriptions of utility property and/or infrastructure is confidential and shall not be disclosed except for legitimate business reasons.

 

Customer Sensitive Data Restrictions

All private customer information is confidential.  Private customer information includes, but is not limited to, social security and tax identification numbers, credit card and bank account information, passwords and access codes, credit scores and any information obtained through a credit reporting agency. Furthermore, PES will access customer credit information only for legitimate business reasons, and its internal procedures will comply with the guidelines of the Federal Fair Credit Reporting Act.

 

Customer utility consumption data and any information obtained through metering or other end-use equipment will only be used for legitimate PES business and operational purposes. No customer-specific information will be shared with or sold to a third party for non-utility operational purposes except as required by law or unless directed to do so by the Customer.

 

Legal Considerations

In general, PES will provide customer-specific information only to the customer of record listed on the account unless ordered to do otherwise by a court of competent jurisdiction, an authorized law enforcement official or when acting in compliance with Tennessee public records law (see Policy 2-27). Any customer-specific information that is protected through a court-ordered protection document is also confidential.

 

Customer Data Management Standards and Requirements

Changes to any PES customer account shall be processed according to standard operating procedures with suitable documentation retained for later verification. Adjustments or modifications to customer usage or payment data shall be reviewed and authorized by the Customer Service Manager or his/her designee.

All PES employees are prohibited from adjusting, modifying or in any way tampering with their own, their families’ or their friends’ utility usage or payment information.

Any customer data housed within the PES Network Operations Center is considered private and is not the property of PES. Only authorized PES employees are permitted within the Network Operations Center, and all access to customer equipment or data must be logged and authorized by the customer.

Customer telephone records and call-related features are protected according to the requirements of the FCC’s Customer Proprietary Network Information rules. Therefore, no customer call detail information may be released during a customer-initiated telephone call except when the customer provides a verifiable password.  If the customer is unaware of his/her password, a PES employee may offer to call the customer back using the phone number listed on the account. Customers asking for call detail information in person must present a valid form of identification. Furthermore, PES will notify the customer of any changes to his/her telephone service. PES will not use customer proprietary network information for any marketing purposes, nor release the data to any third party or business affiliates for marketing purposes.

Any employee who is made aware of a security violation shall immediately notify his/her supervisor. Failure to comply with any of the above guidelines will be considered a breach of sensitive information security standards and will subject the employee to disciplinary action.