Data security and privacy lifecycle management

The data lifecycle is the progression of stages in which a piece of information may exist between its original creation and final destruction. Itron defines these phases as collecting, storing, accessing, sharing, transmitting, and destroying. This section describes Itron's policy for protecting data at each stage of the lifecycle.

Policy and procedures

The data handling protections outlined in this section apply to electronic information only. Sensitive information is customer or Itron data classified as Internal, Confidential, or Restricted Use. Public (non-sensitive) information does not require any protection from disclosure, but appropriate precautions are taken to protect original (source) data from unauthorized modification.

Collecting

Data collection is minimized to only the amount needed to successfully deliver the specific business benefit of a customer’s licensed applications. As the sensitivity of the data element increases, collecting the element requires more scrutiny, and more security measures are applied.

DI feature data is collected from Itron-certified agents, running on Itron-certified devices, and transmitting over Itron-certified networks. The exception is whenever data is transmitted using the device’s Wi-Fi radio to a 2030.5 device or over a consumer’s router to the Itron Cloud Receiver.

Storing

  • Store information in repositories that cannot be accessed by unauthorized individuals.

  • Physical media is stored in locked drawers and cabinets when not in use.

  • Data is encrypted at rest where reasonable to do so, preferably using technologies such as whole disk encryption native to the operating system. Restricted Use data is always encrypted at rest, and endpoint devices use native disk encryption where available regardless of the types of data present.

  • Limit the number of copies of data to the minimum possible and do not retain longer than needed.

  • Portable media (CD-ROMs, USB drives) are not used to store Restricted Use or customer data. When required, the department maintains an inventory of the media until it is erased and/or destroyed.

Access and sharing

Apply the principle of least privilege to all data: Grant access and share data only as needed for an individual or system to perform a required function. Increase scrutiny of these controls as the sensitivity of the data increases. Ensure processes are in place to immediately remove access upon change in affiliation of any individual.

Transmitting

  • Avoid printing Restricted Use data unless absolutely necessary.

  • Use care when printing to ensure the paper copies are not left unattended on printers.

  • Ensure mailings are addressed carefully and sent in sealed envelopes.

  • Encryption is used during transmission whenever possible. All sensitive information is encrypted in transit where it is reasonable to do so using VPN, TLS, or similar technologies.

  • Encryption in transit is strongly recommended for Confidential data and required for Restricted Use data.

  • Avoid transmitting Restricted Use data via email; instead, share files or folders from BU cloud services such as OneDrive, SharePoint, and Teams. Google Workspace applications, including those provided through business units, are not used with Restricted Use data.

  • Avoid faxing Restricted Use data unless necessary.

  • Use care to ensure the paper copies are not left unattended when using fax machines.

Destroying

Destroy paper media using a cross-cut shredder or similar appropriate technology and then recycle or discard.

Printers, computers, and mobile devices may contain hard drives, which are properly erased before the device leaves Itron's control (for example, returned to the vendor, sent to surplus, donated, or disposed of). Dispose of drives using an approved media destruction service.