Memo - Mail Packet - 2/27/2024 - Memorandum From Gretchen Stanford Re: 2023 Annual Report: Fort Collins Utilities Program To Detect, Prevent, And Mitigate Identity Theft
Utilities
electric · stormwater · wastewater · water
222 Laporte Ave.
PO Box 580
Fort Collins, CO 80522-0580
970.212.2900
V/TDD: 711
utilities@fcgov.com
fcgov.com/utilities
MEMORANDUM
DATE: February 12, 2024
TO: Mayor Arndt and City Councilmembers
THROUGH: Kelly DiMartino, City Manager
Tyler Marr, Acting Utilities Executive Director
Kevin Wilkins, Chief Information Officer
FROM: Gretchen Stanford, Utilities Deputy Director, Privacy Committee Senior Management
Representative
RE: 2023 Annual Report: Fort Collins Utilities Program to Detect, Prevent and
Mitigate Identity Theft
Bottom Line:
This memorandum functions as Fort Collins Utilities' annual report to Council in accordance with
Resolution 2008-102. Utilities is obligated to adhere to the FACT Act (Fair and Accurate Credit
Transactions Act of 2003), which requires financial institutions to establish guidelines to prevent
identity theft. In 2007, the FTC released the "Red Flags Rules," which dictate that creditors must
develop and implement a program to address the detection, prevention, and mitigation of identity theft,
and must submit an annual report to the board of directors regarding compliance. Utilities has
maintained an identity theft prevention program and provided annual reports, as a creditor under the
Red Flags Rules, since the Rules' enforcement start date of December 31, 2010.
Background
City Council Resolution 2008-102 requires the annual Red Flags report to include the following
information:
• The effectiveness of the Utilities Identity Theft Program in addressing the risk of
  identity theft in connection with the opening or administration of “covered accounts.” As
  defined by the Rules, covered accounts include any accounts offered or maintained
  primarily for personal, family, or household purposes, that involve multiple payments or
  transactions; and any other account offered or maintained for which there is a reasonably
  foreseeable risk to customers or to the safety and soundness of the utility from identity
  theft. Per this definition, all City utility accounts are considered covered accounts.
• The effectiveness of the Utilities Program policies and procedures in addressing the risk
  of identity theft in connection with service provider agreements.
• Significant incidents involving identity theft and management’s response.
• Recommendations for material changes to the Program.
DocuSign Envelope ID: 3E6E1C8E-441F-4591-AECE-33B2A87CE65B
In 2023, there were no reports of identity theft. The following incidents were documented and required
follow-up; however, staff ultimately verified there were no Red Flags compliance issues involving the
customer(s):
• On one occasion, bills were incorrectly mailed to two builders. To prevent such
  occurrences in the future, the Customer Service Representative (CSR) received additional
  guidance and coaching.
• On another occasion, an email exchange occurred between a commercial customer and
  a CSR, which contained credit card details and accounts. The CSR and the customer were
  reminded that confidential information should not be shared through email.
• In two incidents, property management companies received utility bills that did not
  belong to them. Coaching was provided to the CSRs.
• On multiple occasions, an individual attempted to assume the identity of a different
  customer. In all cases, the CSR refrained from disclosing any details or granting access to
  the account. Both the Police Department and the customer were duly informed, and a
  police investigation is ongoing.
• A CSR, who had been responsible for verifying customers' identities, stopped doing so
  for several months. Appropriate personnel action was taken.
Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation
to “covered accounts”, and it continues to fine-tune business practices as they relate to identity theft.
In 2023, Utilities:
• Maintained the Compliance Specialist Position: This person is accountable for
  ensuring compliance with regulatory obligations to prevent breaches of data and privacy
  legislation involving Fort Collins Utilities. Furthermore, the staff member is responsible for
  supervising the execution, upkeep, and compliance with guidelines and protocols that
  address the accessibility, utilization, and management of utility customer data.
• Updated the Identity Theft Policies & Procedures: The detailed privacy policy was
  updated to include verifying identity when handling customer accounts, administering
  agreements with service providers who have access to data, and handling breaches of
  security or red flags.
• Updated Privacy Policy Training and Adherence: Utilities staff are required to
  complete annual interactive e-learning on data privacy and compliance.
• Collaborated on Cybersecurity: Utilities continued to collaborate with applicable
  City colleagues to address the Utilities' electronic infrastructure and whether it meets or
  exceeds applicable security requirements and best practices.
• Evaluated “Red Flags” and Trends: Red Flags were evaluated regularly throughout
  the year to determine the need for business process improvements.
The Privacy Committee is not aware of any noteworthy instances of identity theft since the approval of
the Plan in October 2008 and does not currently have any suggestions for significant alterations to the
Program. In 2024, Utilities remains committed to upholding these policies and meeting all regulatory
obligations to identify, prevent, and lessen the impact of identity theft, which includes maintaining
currently successful Program practices.
CC: Lori Clements, Senior Manager, Customer Support and Privacy Officer
Cyril Vidergar, Assistant City Attorney
Carrie Daggett, City Attorney
Brook Weaver, Compliance Specialist