(1) A utility must use reasonable security practices and procedures to safeguard all customer information within the utility's possession or control from unauthorized access or disclosure.

(2) A utility may only collect and retain customer information that is reasonably necessary for the utility to perform duties directly related to the utility's primary purpose unless the utility has first obtained the customer's written consent to collect and retain customer information for another purpose.

(3) A utility may disclose customer information without written customer consent to an affiliate, subsidiary, or parent organization only to the extent necessary for the utility to perform duties directly related to the utility's primary purpose. The utility must obtain the customer's written consent to disclose customer information to an affiliate, subsidiary, or parent organization for any other purpose.

(4) A utility may disclose customer information to third parties only to the extent necessary for the utility to perform duties directly related to the utility's primary purpose unless the utility has first obtained the customer's written consent to disclose customer information to third parties for other specified purposes. The utility must require all third parties to which it provides access to customer information to have policies, procedures, and technological safeguards in place to protect customer information that are no less stringent than the utility's own standards.

(5) A utility is ultimately responsible for safeguarding customer information. The utility must ensure that it has and enforces contractual obligations with third parties, affiliates, subsidiaries, and parent organizations that require such entities to have and comply with policies, procedures, and technological safeguards sufficient to prevent the misuse or improper or unauthorized disclosure of customer information.

(6) A utility may not sell customer information. A utility may not otherwise disclose customer information except as provided in this rule. A utility may not disclose customer information to its affiliates, subsidiaries, parent organization, or any other third party for the purposes of marketing services or product offerings to a customer who does not already subscribe to that service or product, unless the utility has first obtained the customer's written consent. The utility must maintain a record of each customer's written consent as required in subsection (9) of this section.

(7) Nothing in this rule may be construed to preclude the utility from complying with demands for customer information as required by law, such as through a warrant or subpoena.

(8) If a customer discloses or directs the utility to disclose customer information to a third party other than in response to a request or requirement of the utility, the utility will not be responsible for the security of that information or its use or misuse by that third party.

(9) The utility must retain the following information for each written consent a customer gives to the utility for disclosure of customer information:

(a) The date and customer confirmation of consent to disclose customer information;

(b) A list of the affiliates, subsidiaries, parent organizations, or third parties to which the customer has authorized the utility to disclose customer information;

(c) Information provided to the customer about how the customer can revoke consent; and

(d) Verification that the consenting customer's name, service address, and account number match the utility record for such account.

(10) Subject to agreements a customer has made with third parties, a customer has the right to revoke, at any time, any previously granted consent for the utility to disclose customer information in the future to an affiliate, subsidiary, parent organization, or third party for purposes that are not necessary for the utility to perform duties directly related to the utility's primary purpose. The utility may require that any such revocation not be effective until up to ten business days after the customer submits that revocation to the utility.

(11) The utility must post and maintain its privacy policy on its website in a prominent location.

(a) The utility must notify new customers how they can access a copy of the utility's privacy policy upon initiating utility service.

(b) Whenever the utility amends its privacy policy it must notify existing customers by whatever method the utility uses to transmit the customers' bills.

(c) The utility must provide a written copy of its privacy policy upon customer request.

(d) Any notice regarding the utility's privacy policy must include a customer service phone number and website address where customers can direct additional questions or obtain additional information.

(12) This section does not prevent disclosure of the essential terms and conditions of special contracts as provided in WAC 480-80-143 Special contracts for gas, electric, and water companies.

(13) This section does not prevent the utility or its approved third parties from inserting any marketing information into the customer's billing package.

(14) The utility must provide a user-friendly website interface through which customers may access their own account and usage information without charge. The utility may implement reasonable procedures to verify the customer's identity before providing access to customer account and usage information through this interface.

(15) The utility must make a reasonable effort to respond to requests from customers for their own account and usage information within ten business days of the customer request.

(16) The utility must ensure that the information it collects, stores, uses, and discloses is reasonably accurate and complete and otherwise complies with applicable rules and tariffs regarding the quality of energy usage data.

(17) Each customer must have the opportunity to dispute the accuracy or completeness of the customer account and usage information the utility has collected for that customer. The utility must provide adequate procedures for customers to dispute the accuracy of their customer account and usage information and to request appropriate corrections or amendments.

(18) The utility must take all reasonable steps to destroy, or arrange for the destruction of, customer information in accordance with the utility's data retention policies and practices.

(19) The utility must notify customers of any security breach involving disclosure of personal information as defined in RCW 19.255.010 in accordance with that statute. If a security breach involves disclosure of customer information other than personal information as defined in RCW 19.255.010, the utility shall notify customers and the commission as soon as practicable of the breach and the measures the utility is taking to remedy the breach. The utility must take all reasonable measures including, but not limited to, cooperating fully with law enforcement agencies, to recover lost information and prevent the loss of further customer information.

(20) The utility must review at least annually the type of customer information the utility has collected and ensure collection and retention of that information is reasonably necessary for the utility to perform duties directly related to the utility's primary purpose or other purpose to which the customer has consented to the utility collecting that information.

(21) The utility may collect and release aggregate data to the extent reasonably necessary for the utility to perform duties directly related to the utility's primary purpose. The utility may collect and release aggregate data on energy usage to the extent necessary to comply with legal requirements, or to facilitate voluntary efforts, to promote energy efficiency, conservation, or generating resource management. The utility must have sufficient policies, procedures, and safeguards in place to ensure that any release of aggregate data does not allow any specific customer or customer information to be identified.