Green buildings generate large quantities of data. In an age when many have opinions about Edward Snowden’s disclosures, foreign state sponsored hacking, and Uber’s massive customer data hack, most people have not considered matters of data protection from their real estate, green building or otherwise.
The topic is too broad to comprehensively address in a brief blog post, so this post will consider, within the realm of green building, what a business needs to know about protecting people’s personal information, no matter where the data is processed, stored or sent, even outside the four walls of the building, as may often be the case when it is transmitted over the Internet.
There is no single comprehensive federal data privacy law in the United States. There are a panoply of federal laws within discreet silos, including significantly: The Health Insurance Portability and Accountability Act (HIPAA), The Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transaction Act (FACTA), and the like. And there is some form of privacy law in at least 48 states (but not Alabama and South Dakota), including by way of example the California’s groundbreaking 2003 Data Security Breach Reporting Law, but most of those are reactive, that is most laws in the U.S. establish requirements for a business after a data breach.
The European Union has gone in another direction with the 2016 General Data Protection Regulation, applicable as of May 2018, updating and modernizing the principles enshrined in the 1995 Data Protection Directive which guarantee individual privacy rights in one’s personal data including “the right to be forgotten.” The EU law is not only mandatory of all doing business in EU countries, but is excellent guidance for any U.S. business seeking to mitigate the risk associated with data protection.
Because the U.S. does not have an omnibus data protection law, the EU data protection regime has become the de facto standard.
But make no mistake, privacy enforcement in the U.S. is more aggressive and punitive than anywhere else in the world, including the EU. Substantial financial penalties have been recovered by the Federal Trade Commission and the 50 state attorneys general, not to mention in private civil actions.
So there are implications for owners and operators of green buildings. But the largest owner of green buildings (also the owner of the most LEED certified buildings) the Department of Defense has largely taken itself out of this discussion with a waiver that provides,
Department of Defense prohibits the sharing of metered data with private entities, such as USGBC. Therefore, DoD sustainable proponents have brokered this waiver with USGBC, allowing DoD to continue to utilize LEED without compromising data. This waiver is specific for LEED Version 4.0. The similar waiver for LEED v2009 is still in effect ..
And the power utilities protect themselves from liability related to data. A common provision in a utility Written Consent To Release Confidential Customer Usage Related Information, is
I hereby release, hold harmless, and indemnify Utility from any liability, claims, demands, causes of action, damages, or expenses, including attorneys’ fees, resulting from: 1) any release of information pursuant to this Authorization; 2) the unauthorized use of this information by the Authorized Party; and 3) any actions taken by the Authorized Party pursuant to this Authorization.
It is the unsophisticated who will encounter legal issues and be left holding the bag.
A properly drafted green building lease may contain a provision substantially like,
Landlord shall provide to Tenant reports for the amount of electricity, natural gas and fuel oil (where applicable) consumed at the building broken down by utility type, energy unit usage (e.g., kWh, therms or ccf, gallons), cost per month for each energy source for the duration of the Lease, including a limited license to use the Landlord’s data for nonpecuniary purposes. Unless disclosure is prohibited by state or local law or if data is not available or is confidential, ..
.. Irrespective of any other provision contained herein, the above described exchange of data shall be as an accommodation only, to the maximum extent permitted by law AS – IS without representation or warranty of any kind or type, and use of the data is at the risk of the party using it.
Some data transmission is involuntary. There are a number of mandatory energy benchmarking reporting laws requiring large buildings in a dozen or so U.S. cities to report data to the local government. Many of those local laws are poorly drafted and do not insulate the reporting parties from liability for errors, harmless or otherwise.
Others collect building data. ARC Skoru collects lots of data stored in servers throughout the world and its services agreement contains language found in similar green building rating system agreements, often including data not actually owned by the party submitting it,
You hereby grant GBCI and the GBCI Affiliates and subcontractors a perpetual, non-exclusive, royalty-free, fully paid-up and irrevocable license to access, view, reproduce and otherwise use all Project Information submitted to GBCI, including all copyrighted materials, tradenames and other proprietary information, for the purposes of assessing the Project.
And building automation systems not only create and collect data but use it to control mechanical and electrical systems, and today the standard is contracts that license the use of data over separated computer systems from the building available Internet provider. It may seem unlikely that a hacker would attack an environmental control handled lighting/ shading system, but proprietary and building occupant personal data may be accessible from that network.
Additionally, with the advent of the Internet Of Things, smart device manufacturers and providers often control data, and even claim to own it, including a large number of power utilities that claim smart meter data as theirs; not only in commercial buildings but also homes.
Much of this post has been about energy data, but water data is notoriously unreliable and simply bad across the country. A claim pending against a major U.S. city with more than 400,000 water customers alleges that more than 38% of billings (which are based on water usage) in that city are wrong. There is little if any accountability for junk data from government water systems.
And this subject involves more than simply the USGBC Minimum Program Requirement for 5 years of energy and water use data reporting. LEED projects gather a broad breadth of data from individuals occupying buildings including Occupant Comfort Surveys and Occupant Commuting Surveys; all which personal data has to be protected.
When claims are made, including for negligent misrepresentation, by a buyer against a seller that data is not accurate, who is responsible largely depends upon the writings. In one widely discussed claim, a tenant reported ‘bad’ utility data to its landlord when the public utility mixed up accounts being uploaded to an ENERGYSTAR account, and the landlord provided the whole building ENERGYSTAR report to the prospective purchaser, who only after buying the building discovered the very large underreporting of electricity costs.
Contract documents involving real estate must now prescribe who owns the building data. This is an issue in the GBCI Change Of Ownership Agreement which terminates all rights to data provided by the seller and transfers all rights to the buyer, and also the obligation to continue to report energy and water usage data to GBCI. That Agreement and more should be part of every contract of sale for a LEED project.
Private sector commercial leases now, in most instances, have provisions describing who owns the data or has a license to use it or in some instances to require it be held confidential and not released. For example, when the DoD is a tenant within a building the building owner must also not report data for the remainder of the building and several other federal government civilian instrumentalities impose similar restrictions.
However, it is key that data protection strategies encourage innovation and use of data, not the opposite. Strategies for data protection in contract documents must become an essential term incentivizing businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data. With well drafted protection provisions in contracts, businesses will mitigate risk and have effective tools to create technological and organizational solutions, including to monetize that data.
The fix is very easy. All LEED surveys and other data collection vehicles should promote techniques such as anonymization (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorized can read it) to protect personal data, while allowing the aggregation of data that can be valuable.
There is a robust cyber security insurance market designed to mitigate losses from a variety of cyber incidents, including data breaches, but such carries with it a dollar cost and does not necessarily encourage the implementation of best practices for self-protection.
Data is often described as the currency of today’s digital economy. Collected, analyzed and moved across the globe, personal data has acquired enormous economic significance. By strengthening green building standards of data protection, owners of real estate will mitigate risk while creating business opportunities and increasing dollar values, all while saving the planet.