Memo - Mail Packet - 03/25/2025 - Memorandum from Lori Clements re 2024 Annual Report: Fort Collins Utilities Program to Detect, Prevent, and Mitigate Identity Theft
Utilities
electric · stormwater · wastewater · water
Fort Collins, CO 80522-0580
970.212.2900
V/TDD: 711
utilities@fcgov.com
fcgov.com/utilities
MEMORANDUM
DATE: March 18, 2025
TO: Mayor and City Councilmembers
THROUGH: Kelly DiMartino, City Manager
Tyler Marr, Deputy City Manager
Gretchen Stanford, Interim Chief Financial Officer
FROM: Lori Clements, Utilities Senior Manager, Customer Support
RE: 2024 Annual Report: Fort Collins Utilities Program to Detect, Prevent and
Mitigate Identity Theft
_______________________________________________________________________________
BOTTOM LINE
This memorandum functions as Fort Collins Utilities’ annual report to Council in accordance with
Resolution 2008-102. Utilities is obligated to adhere to the federal FACT Act (Fair and Accurate
Credit Transactions Act of 2003), which directs financial institutions (including utilities) to establish
guidelines to prevent identity theft. In 2007, the Federal Trade Commission released the "Red Flags
Rules," which dictate that creditors must develop and implement a program to address the detection,
prevention, and mitigation of identity theft, as well as to submit an annual report to the applicable
board of directors regarding compliance, which in our case is Council. Since the Red Flags Rules
enforcement start date of December 31, 2010, Fort Collins Utilities has maintained identity theft
prevention policy and procedures, including annual reports.
BACKGROUND
City Council Resolution 2008-102 requires the annual Red Flags report to include the following
information:
• The effectiveness of the Utilities Identity Theft Program in addressing the risk of identity theft
in connection with the opening or administration of “covered accounts.” As defined by the
Rules, covered accounts include any accounts offered or maintained primarily for personal,
family, or household purposes, that involve multiple payments or transactions; and any other
account offered or maintained for which there is a reasonably foreseeable risk to customers or
to the safety and soundness of the utility from identity theft. Per this definition, all City utility
accounts are considered covered accounts
• The effectiveness of the Utilities Program policies and procedures in addressing the risk of
identity theft in connection with service provider agreements
• Significant incidents involving identity theft and management’s response.
• Recommendations for material changes to the Program
SUMMARY:
Metrics related to red flags have been tracked since the implementation of the program to determine
the effectiveness of the policies and procedures and improve compliance.
Effectiveness of Policies and Procedures
Annual online training for Utilities and Connexion staff is completed, along with communicating
periodic updates to policies and procedures as needed. The privacy policy and procedures
adequately address detecting and preventing identity theft.
Service Provider Arrangements
Contracts and agreements contain a provision that addresses the service provider's responsibility for
security and confidentiality of customers’ personal and account information. Agreements prohibit
service providers and their agents from using or disclosing any utility customer information, except as
necessary to or consistent with providing the contracted or agreement services.
Incidents
Incidents and/or “red flags” are tracked and logged in a database to ensure better tracking and follow-up.
Targeted communications, training and coaching are conducted to reinforce the policies and
procedures as a result of 29 incidents in 2024 (see attached table).
Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation
to “covered accounts,” and it continues to fine-tune business practices as they relate to identity theft.
In 2024, Utilities:
• Maintained the Compliance Specialist Position: This employee is accountable for ensuring
compliance with regulatory obligations and supervising the execution, upkeep, and
compliance with guidelines and protocols that address the accessibility, utilization, and
management of utility customer data
• Updated and maintained Privacy Policy training and adherence
• Improved Tracking System: A new process for reporting, responding to and tracking incidents
was implemented
• Evaluated “Red Flags” and trends: Red Flags were evaluated regularly throughout the year to
determine the need for business process improvements and/or training.
• Collaborated on cybersecurity: Utilities continued to collaborate with applicable City
colleagues to address this issue.
• Collaborated with law enforcement: Utilities persists in its collaborative efforts with law
enforcement agencies to guarantee that assistance is lawfully rendered whenever inquiries or
issues emerge.
The Privacy Committee is not aware of any noteworthy instances of identity theft since the approval
of the Plan in October 2008 and does not currently have any suggestions for significant alterations to
the program. In 2024, Utilities remains committed to upholding these policies and meeting all
regulatory obligations to identify, prevent, and lessen the impact of identity theft, which includes
maintaining currently successful program practices.
CC: Yvette Lewis-Molock, Assistant City Attorney
Carrie Daggett, City Attorney
Brook Byers, Compliance Specialist
2024 Red Flag Report Incidents
Number of Incidents

17 Customer received another customer’s bill included with their bill.
Notified Billing regarding incidents, verified addresses in system; reported incidents to mailing service; notated customers’ accounts

about a customer's account, with the account number, in the Teams chat with employees who do not have access to the data.
communication methods.

bills and information for units that did not manage.
documentation was sent. Coached the employee regarding sharing confidential information and reminded them of our privacy rules for sharing information.

Notification received from a commercial customer stating that there was a cyberattack on their service provider.
customers to notify them of the incident, asked them to set up additional passcodes on their accounts. Noted all accounts to not turn off utilities unless provided the additional passcode.

name and email address are associated with an online account that does not belong to them. This access gave the customer access to other customers’ bills, which are protected.
Provided ongoing training to ensure employees are sharing account information appropriately.
Docusign Envelope ID: C3F411FE-3100-49DD-87A4-1B6FC2EF8BE9