COUNCIL - AGENDA ITEM - 10/21/2008 - RESOLUTION 2008-102 APPROVING AND ADOPTING AN IDEN

AGENDA ITEM SUMMARY
ITEM NUMBER: 25
DATE: October 21, 2008
FORT COLLINS CITY COUNCIL
STAFF: Brian Janonis, Terri Bryant, Patty Bigner

SUBJECT

Resolution 2008-102 Approving and Adopting an Identity Theft Prevention Program of the City's Utilities for the Detection, Prevention and Mitigation of Identity Theft.

RECOMMENDATION

Staff recommends adoption of the Resolution.

FINANCIAL IMPACT

The financial impact of implementation will be minimal to the Utilities operations.

EXECUTIVE SUMMARY

Under the revision to the FACT Act 2003 (Fair and Accurate Credit Transactions Act), each utility is required to have policies and procedures in place by November 1, 2008 which meet the standards outlined by Federal Agencies including the Federal Trade Commission. There are a number of red flags or potential warnings of identity theft included in current legislation. Some of these occur more frequently in utilities than others. The role of the Council acting as the City's Board of Directors is to grant initial approval of the Identity Theft Program plan before implementation and annual report review.

The program includes the following:

• Establish a Privacy Committee and a Privacy Officer
• Conduct a Needs Assessment
• Develop an Annual Program Report
• Develop and Implement Policies and Procedures
• Employee Training—2 Hours in First Year

BACKGROUND

The FACT Act (2003) was passed to set standards for guarding customer information. On November 1, 2007, the red flags were added to hold businesses accountable for the prevention, detection and mitigation of identity theft. Utilities are included in the red flag legislation because we maintain ongoing accounts primarily for personal, family or household purposes, the accounts are designed to accept multiple payments, and utilities are the site for a large portion of identity theft crime in the United States.

The Fort Collins Utilities is responsible for developing an identity theft prevention program to protect our customers' personal information. The FACT Act outlines a requirement to detect, prevent, and mitigate identity theft. Utilities staff have begun the process of establishing and implementing written policies and procedures, conducting needs assessments, and training employees.

A Privacy Committee has been established as required to comply with the FACT Act and administer the program. A Privacy Officer has been designated and assigned the responsibilities of coordinating audit studies and reviewing patterns of incidents. The Privacy Committee members and Privacy Officer are included in the attachments along with the program and implementation outline.

ATTACHMENTS

1. Privacy Committee.
2. Timeline for Implementation.

ATTACHMENT

FORT COLLINS UTILITIES IDENTITY THEFT PROGRAM
PRIVACY COMMITTEE
OCTOBER, 2008

I. Privacy Committee

Department | Role | Employee | Job Title
Privacy Officer | Coordinates audit studies and reviews pattern of incidents | Lori Clements-Grote | Customer Support Manager
Senior Management | Supplying resources to establish proactive identity theft program | Patty Bigner | Customer and Employee Relations Manager
Accounting | Billing, Collections, expert in flow of funds | Terri Bryant | Finance and Budget Manager
Information Technology | Data and network security | Matt Scheetz | Database Analyst
Human Resources | Personnel information/Identity theft training | Deb Mossbur h | Human Resources Partner
Customer Services | Day to day processes in opening new accounts and monitoring activity on existing accounts | Vicky Peil | Lead Customer Service Representative
Legal | Reviews red flag compliance and Identity Theft program | Jenny Lo ezfilkins | Assistant City Attorney
Law Enforcement | Investigative and advisory support for Identity Theft Program | TBD |

II. Responsibilities of Committee Members

1. Complete components of needs assessment
2. Design and develop assigned policies and procedures
3. Program evaluation
4. Updates
5. Employee training
6. Periodic "walk-through" to assess compliance and look for strategies to enhance prevention, identification and mitigation of red flags.
7. Lead quarterly review of "significant events."
   • Incident/patterns (near misses)
8. Preparation of reports of program effectiveness:
   • Focus on outcomes
   • Highlight the steps/precautions used
   • City Council—annual report review

ATTACHMENT 2

[Timeline for Implementation]

RESOLUTION 2008-102
OF THE COUNCIL OF THE CITY OF FORT COLLINS
APPROVING AND ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM OF THE CITY'S UTILITIES FOR THE DETECTION, PREVENTION AND MITIGATION OF IDENTITY THEFT

WHEREAS, the Fair and Accurate Credit Transactions Act of 2003 (the "Act") requires several federal agencies including the Federal Trade Commission to establish guidelines for use by creditors regarding identity theft prevention; and

WHEREAS, on November 9, 2007, the Federal Trade Commission published final rules, set forth in 16 CFR Part 681, (the "Red Flags Rules") requiring that creditors create and implement a program to address the detection, prevention and mitigation of identity theft; and

WHEREAS, the City's utility enterprises (the "Utilities") are "creditors" and carry "covered accounts" for Utilities customers as those terms are defined in the Red Flags Rules; and

WHEREAS, the Utilities staff has prepared a program to address the detection, prevention and mitigation of identity theft for Utilities covered accounts attached and marked as Exhibit "A" (the "Identity Theft Program") and intends to implement such program in compliance with the Red Flags Rules; and

WHEREAS, the Red Flags Rules require Utilities staff to obtain the approval
of the initial Identity Theft Program by the City Council; and

WHEREAS, in Utilities staff's opinion, the Identity Theft Program meets the requirements of the Red Flags Rules and equips the Utilities with the necessary guidance to continue its efforts to detect, prevent and mitigate identity theft related to covered accounts and will hereafter be available to the public in the office of the City Clerk.

NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF FORT COLLINS that upon review and consideration of the Identity Theft Program prepared by Utilities staff, the Council hereby finds that such a program is in the best interests of the City of Fort Collins and hereby approves and adopts said program.

Passed and adopted at a regular meeting of the Council of the City of Fort Collins this 21st day of October A.D. 2008.

Mayor

ATTEST:
City Clerk

EXHIBIT "A"

City of Fort Collins Utilities
Identity Theft Prevention Program
October, 2008

Purpose

To establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program in compliance with Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

Definitions

Identity theft means fraud committed or attempted using the identifying information of another person without authority.

A covered account means:

1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts; and
2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

A red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

The Program

The City of Fort Collins Utilities establishes an Identity Theft Prevention Program to detect, prevent and mitigate identity theft. The Program shall include reasonable policies and procedures to:

1. Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes to risks to customers and to the safety and soundness of the creditor from identity theft.

The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

Administration of the Program

1. The Utilities Executive Director shall be responsible for the development, implementation, oversight and continued administration of the Program.
2. The Program shall train staff, as necessary, to effectively implement the Program; and
3. The Program shall exercise appropriate and effective oversight of service provider arrangements.

Identification of Relevant Red Flags

1. The Program shall include relevant red flags from the following categories as appropriate:
   a. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
   b. The presentation of suspicious documents;
   c. The presentation of suspicious personal identifying information;
   d. The unusual use of, or other suspicious activity related to, a covered account; and
   e. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
2. The Program shall consider the following risk factors in identifying relevant red flags for covered accounts as appropriate:
   a. The types of covered accounts offered or maintained;
   b. The methods provided to open covered accounts;
   c. The methods provided to access covered accounts; and
   d. Its previous experience with identity theft.
3. The Program shall incorporate relevant red flags from sources such as:
   a. Incidents of identity theft previously experienced;
   b. Methods of identity theft that reflect changes in risk; and
   c. Applicable supervisory guidance.

Detection of Red Flags

The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:

1. Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Response

The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed. Appropriate responses may include:

1. Monitor a covered account for evidence of identity theft;
2. Contact the customer;
3. Change any passwords, security codes or other security devices that permit access to a covered account;
4. Reopen a covered account with a new account number;
5. Not open a new covered account;
6. Close an existing covered account;
7. Notify law enforcement; or
8. Determine no response is warranted under the particular circumstances.

Updating the Program

The Program shall be updated periodically to reflect changes in risks to customers or to the safety and soundness of the utility from identity theft based on factors such as:

1. The experiences of the utility with identity theft;
2. Changes in methods of identity theft;
3. Changes in methods to detect, prevent and mitigate identity theft;
4. Changes in the types of accounts that the utility offers and maintains.

Oversight of the Program

1. Oversight of the Program shall include:
   a. Assignment of specific responsibility for implementation of the Program;
   b. Review of reports prepared by staff regarding compliance; and
   c. Approval of material changes to the Program as necessary to address changing risks of identity theft.
2. Reports shall be prepared as follows:
   a. Staff responsible for development, implementation and administration of the Program shall report to the City Council at least annually on compliance by the utility with the Program.
   b. The report shall address material matters related to the Program and evaluate issues such as:
      i. The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
      ii. Service provider agreements;
      iii. Significant incidents involving identity theft and management's response; and
      iv. Recommendations for material changes to the Program.

Oversight of Service Provider Arrangements

The utility shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the utility engages a service provider to perform an activity in connection with one or more covered accounts.

Duties Regarding Address Discrepancies

The utility shall develop policies and procedures designed to enable the utility to form a reasonable belief that a credit report relates to the consumer for whom it was requested if the utility receives a notice of address discrepancy from a nationwide consumer reporting agency indicating the address given by the consumer differs from the address contained in the consumer report.

The utility may reasonably confirm that an address is accurate by any of the following means:

1. Verification of the address with the consumer;
2. Review of the utility's records;
3. Verification of the address through third-party sources; or
4. Other reasonable means.

If an accurate address is confirmed, the utility shall furnish the consumer's address to the nationwide consumer reporting agency from which it received the notice of address discrepancy if:

1. The utility establishes a continuing relationship with the consumer; and
2. The utility, regularly and in the ordinary course of business, furnishes information to the consumer reporting agency.