Memo - Mail Packet - 7/4/2017 - Memorandum From Lisa Rosintoski Re: 2016 Annual Report: Fort Collins Utilities’ Program To Detect, Prevent And Mitigate Identity Theft

Utilities
electric · stormwater · wastewater · water
700 Wood Street
PO Box 580
Fort Collins, CO 80522
970.221.6700
970.221.6619 – fax
970.224.6003 – TDD
utilities@fcgov.com
fcgov.com/utilities

MEMORANDUM

DATE: June 21, 2017
TO: Mayor Troxell and City Councilmembers
THRU: Darin Atteberry, City Manager
      Kevin R. Gertig, Utilities Executive Director
FROM: Lisa Rosintoski, Utilities Customer Connections Manager, Privacy Committee Senior Management Representative
RE: 2016 Annual Report: Fort Collins Utilities’ Program to Detect, Prevent and Mitigate Identity Theft

This memorandum serves as Fort Collins Utilities’ annual report to Council per Resolution 2008-102. The Utilities Privacy Committee is required to submit this report to its governing body by the Red Flags Rules, federal regulations effective as of December 31, 2010. The rules were promulgated as required by the Fair and Accurate Credit Transactions (FACT) Act of 2003 (Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 115).

Background

Resolution 2008-102 requires the annual update to include the following information:

• The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of identity theft in connection with the opening of “covered accounts” and with respect to existing covered accounts. As defined by the rules, “covered accounts” include any accounts offered or maintained primarily for personal, family, or household purposes, that involve multiple payments or transactions; and any other account offered or maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the utility from identity theft.
  Per this definition, all utility accounts are “covered accounts.”
• The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of identity theft in connection with service provider agreements;
• Significant incidents involving identity theft and management’s response; and
• Recommendations for material changes to the Program.

DocuSign Envelope ID: F4B94F64-93AC-4362-BAA4-DF0323BEE0A9

Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation to covered accounts, and it continues to fine-tune its business practices as they relate to identity theft. In 2016, Utilities:

• Followed Identity Theft Policies & Procedures: Detailed policies and procedures were maintained in 2016, which consisted of:
  o Verifying identity when handling customer accounts;
  o Auditing technical systems and handling data;
  o Administering agreements with service providers who have access to data; and
  o Handling breaches of security or “red flags”
• Continued Videotape and In-Person Training: Utilities requires annual staff training on the Red Flags Rules and the Utilities’ Identity Theft Program.
• Collaborated on Cybersecurity: The Privacy Committee continues to collaborate with applicable City staff and Platte River Power Authority colleagues to ensure that the utility’s electronic infrastructure meets or exceeds all applicable security requirements and best practices.
• Evaluated “Red Flags” and Trends: The Privacy Team meets regularly to review “red flags” (defined as patterns, practices, or specific activities that indicate the possible existence of identity theft) and evaluate the need for business process improvements.

In 2016, there were no significant incidents. The following “red flags” were reported:

• Service was fraudulently started in someone’s name. A police report was filed and a copy was provided to Utilities. Utilities stopped collecting charges from this individual.
• City vendor dropped bills outside of our office. Vendor was notified and accounts were noted.
• Customer received multiple bills along with her own. Accounts were noted and bills were re-mailed correctly.
• Bill was mailed to incorrect address. Bill was returned and customer was contacted for correct address and bill was resent.
• Customer Service Representative (CSR) emailed incorrect bill to customer. CSR noted accounts and resent the bill.
• Customer was given incorrect account number, which was realized after signing up for electronic bill. Customer corrected account number on electronic bill and accounts were noted.

Employees were coached to verify email and physical addresses and account information prior to sending/providing data.

The Privacy Committee is unaware of any significant incidents of identity theft since the plan was approved in October 2008 and has no recommendations for material changes to the program.