Legal News & Analysis – Asia Pacific – Australia – TMT

Lumo Energy fined for failing to meet information system security requirements.

What You Need To Know.

• Lumo Energy has paid an infringement penalty of AUD 20k issued by the AER for allowing unauthorised persons to have access to AEMO’s MSATS system. 
• The AER found that access to Lumo Energy’s market systems webpage being password protected was not in itself secure and did not mean that access was “restricted to secured, dedicated servers” as required.

What You Need To Do

• Review your IT network to ensure it is sufficiently secure and complies with AEMO’s market management system access procedures, and in particular the market system security requirements. 
• Ensure that any changes to your IT network which modify access to AEMO’s electricity market systems are made in accordance with the market management systems access procedures. 

The AER has fined Lumo Energy for failing to meet information system security requirements in accordance with the National Electricity Rules (Rules). The AER’s investigation report provides that an infringement notice was issued to Lumo Energy on 19 May 2014 alleging it had enabled unauthorised access to AEMO’s MSATS system from February 2012 to December 2013. This penalty was paid by Lumo Energy on 21 May 2014. The investigation report and related documents can be found on the AER’s website here. 

Market Management System Access 

The National Electricity Market (NEM) is operated through its market systems, which includes the MSATS system. This system is administered by AEMO and facilitates the transfer of customers and settlement processes in the NEM. The MSATS system also holds data relating to each connection point in the NEM.

Access to the MSATS system is governed by AEMO’s Electricity Market Management Systems Access Policy and Procedure (found here). These procedures govern access to MSATS to ensure that access to the market management systems are secure and minimise inappropriate access to confidential market information. Significant to this investigation:

• unregistered private / IP addresses must not be visible to MSATS; and 
• participants must ensure that traffic from the internet and their internal networks is isolated from their connection to MSATS.

Under clause 3.19(c) of the Rules, registered participants must comply with these procedures. This provision is a civil penalty provision allowing the AER to issue an infringement notice (penalty of AUD 20k) or court ordered penalty (up to AUD 100k). 

Lumo Energy’s Conduct 

Lumo Energy made changes to its IT network in February 2012 to provide third parties (engaged to provide customer acquisition services) access to MSATS through a password protected website. Access was also limited to certain IP addresses. Further changes were made to Lumo Energy’s IT network, specifically its firewall settings, in August 2012 to address access problems experienced by the service provider.

After discussions with AEMO in December 2013, Lumo Energy disabled its password protected website providing access to MSATS. 

The AER’s Response 

The AER examined Lumo Energy’s conduct following notification of the breach by AEMO to the AER (as required under clause 3.19(e) of the Rules). Following further clarification from Lumo Energy, the AER formed the view that Lumo Energy had breached clause 3.19(c) of the Rules by allowing:

• unauthorised IP addresses to be exposed to MSATS; and 
• the transmission of unencrypted MSATS data over the public internet.

The AER found that the potential for Lumo Energy’s IT network to allow for unencrypted MSATS data over the public internet was contrary to the requirement to ensure that access to MSATS remains “restricted to secured, dedicated servers”. The AER further found that a password protection mechanism did not in itself fulfil this requirement. 

In deciding an appropriate enforcement response, the AER formed the view that Lumo Energy’s breach could have compromised the security of market systems, materially affecting the NEM’s transfer and settlement processes. However, the AER also noted that Lumo Energy was fully cooperative throughout the inquiry process and displayed commitment to resolving the issue. Taking these factors into account, the AER chose to serve one infringement notice with a penalty of AUD 20k to Lumo Energy for failing to comply with the relevant access procedures.

For further information, please contact:

Paul Newman, Partner, Ashurst 
[email protected]

Liza Carver, Partner, Ashurst 
[email protected]

Peter Limbers, Partner, Ashurst  
[email protected] 

Joy Hooker, Ashurst  
[email protected]

Teresa Scott, Ashurst 
[email protected]

Ashurst TMT Practice Profile in Australia