Memo - Mail Packet - 4/10/2018 - Memorandum From Lisa Rosintoski And Privacy Committee Senior Management Representatives Re: 2017 Annual Report

Utilities
electric · stormwater · wastewater · water
222 Laporte Ave.
PO Box 580
Fort Collins, CO 80522
970.221.6700
970.221.6619 – fax
V/TDD 711
utilities@fcgov.com
fcgov.com/utilities

M E M O R A N D U M

DATE: March 27, 2018
TO: Mayor Troxell and City Councilmembers
FROM: Lisa Rosintoski, Utilities Customer Connections Manager, Privacy Committee Senior Management Representative
THROUGH: Darin Atteberry, City Manager
Jeff Mihelich, Deputy City Manager
Kevin R. Gertig, Utilities Executive Director
RE: 2017 Annual Report: Fort Collins Utilities’ Program to Detect, Prevent and Mitigate Identity Theft

This memorandum serves as Fort Collins Utilities’ annual report to Council per Resolution 2008-102. The Utilities Privacy Committee is required to submit this report to its governing body by the Red Flags Rules, federal regulations effective as of December 31, 2010. The rules were promulgated as required by the Fair and Accurate Credit Transactions (FACT) Act of 2003 (Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 115).

Background

Resolution 2008-102 requires the annual update to include the following information:

• The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of identity theft in connection with the opening of “covered accounts” and with respect to existing covered accounts. As defined by the rules, “covered accounts” include any accounts offered or maintained primarily for personal, family, or household purposes, that involve multiple payments or transactions; and any other account offered or maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the utility from identity theft.
  Per this definition, all utility accounts are “covered accounts.”
• The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of identity theft in connection with service provider agreements (the “Program”);
• Significant incidents involving identity theft and management’s response; and
• Recommendations for material changes to the Program.

DocuSign Envelope ID: 33384BF1-A125-4FC0-8218-E0A29E773975
4/2/2018 4/2/2018 4/2/2018 4/4/2018

Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation to covered accounts, and it continues to fine-tune its business practices as they relate to identity theft. In 2017, Utilities:

• Followed Identity Theft Policies & Procedures: Detailed policies and procedures were maintained in 2017, which consisted of:
  o Verifying identity when handling customer accounts;
  o Auditing technical systems and handling data;
  o Administering agreements with City agencies and service providers who have access to data; and
  o Handling breaches of security or patterns of data use that suggest potential identity theft, i.e. “red flags”
• Continued Video and In-Person Training: Utilities requires annual staff training on the Red Flags Rules and the Utilities’ Identity Theft Program.
• Collaborated on Cybersecurity: The Privacy Committee continues to collaborate with applicable City staff and Platte River Power Authority colleagues to ensure that the Utility’s electronic infrastructure meets or exceeds all applicable security requirements and best practices.
• Evaluated “Red Flags” and Trends: The Privacy Team meets regularly to review “red flags” (defined as patterns, practices, or specific activities that indicate the possible existence of identity theft) and evaluate the need for business process improvements.

In 2017, there were no significant incidents.
The following “red flags” were reported:

• On five occasions, customers received another customer’s bill along with their own. Accounts were noted and bills were re-mailed correctly. Two bills were mailed to the incorrect address.
• On four occasions, customer service staff (CSR) emailed account information to the incorrect email address. CSR noted accounts and resent the emails.
• On one occasion, a property owner’s account numbers were shared with the buyer of the subject real property when transferring title and transitioning utility services.
• On one occasion, customer data was emailed to employees of Streets and Municipal Court. Employees were advised to destroy the emails.
• A Utilities’ contractor’s system has generated a few home energy reports for active service to previous residents. Contractor is addressing the issue.

Utilities has contacted vendors and coached employees to address the errors. The Privacy Committee is unaware of any significant incidents of identity theft since the Program plan was approved in October 2008 and has no recommendations for material changes to the Program.