Memo - Mail Packet - 2/18/2020 - Memorandum From Lisa Rosintoski Re: 2019 Annual Report: Fort Collins Utilities Program To Detect, Prevent And Mitigate Identity Theft
Utilities
electric · stormwater · wastewater · water
222 Laporte Ave.
PO Box 580
Fort Collins, CO 80522-0580
970.212.2900
V/TDD: 711
utilities@fcgov.com
fcgov.com/utilities
MEMORANDUM
DATE: February 13, 2020
TO: Mayor Troxell and Councilmembers
FROM: Lisa Rosintoski, Utilities Deputy Director, Customer Connections
Privacy Committee Senior Management Representative
THROUGH: Darin Atteberry, City Manager
Jeff Mihelich, Deputy City Manager
Kevin R. Gertig, Utilities Executive Director
RE: 2019 Annual Report: Fort Collins Utilities’ Program to Detect, Prevent and
Mitigate Identity Theft
This memorandum serves as Fort Collins Utilities’ annual report to Council per Resolution 2008-102.
Bottom Line:
In 2019, there were no reports of identity theft. The following incidents were documented and required
follow-up that verified no Red-Flags compliance issues:
On 9 occasions, customers received another customer’s bill along with their own. Accounts were
noted and bills were re-mailed correctly. The mailing vendor was contacted for a process audit.
One concerned customer contacted Utilities, and staff advised that the bill print service had been
contacted to audit and resolve the issue in writing.
On 9 occasions, bills were mailed to the incorrect address by the post office. Accounts were
noted and bills were resent. Customers were reminded to not open mail that is not addressed to
them. No incidents were reported to Utilities by customers.
On 1 occasion, the Customer Service Representative (CSR) emailed account information to the
incorrect email address. The CSR put notes into the impacted account in the event there was an issue.
No incident was reported by the customer.
On 5 occasions, the customer provided incorrect contact information or did not update their
contact information. Billing information was sent to the wrong email or residential address.
CSRs obtained updated contact information from the customers and updated the system. No incidents
were reported to Utilities by customers.
Utilities implemented improvements through seven activities to manage protection of customer
information.
DocuSign Envelope ID: 92195940-6C46-4E96-849D-5DF62DB7067F
2/5/2020
2/5/2020
2/8/2020
2/10/2020
Background
The Utilities Privacy Committee is required to submit this report to its governing body by the Red Flags
Rules, federal regulations effective as of December 31, 2010. The rules were promulgated as required by
the Fair and Accurate Credit Transactions (FACT) Act of 2003 (Part 681 of Title 16 of the Code of
Federal Regulations implementing Sections 114 and 115).
Resolution 2008-102 requires the annual update to include the following information:
The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of
identity theft in connection with the opening of “covered accounts” and with respect to existing
covered accounts. As defined by the rules, “covered accounts” include any accounts offered or
maintained primarily for personal, family, or household purposes, that involve multiple payments
or transactions; and any other account offered or maintained for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the utility from identity theft. Per
this definition, all utility accounts are “covered accounts.”
The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of
identity theft in connection with service provider agreements;
Significant incidents involving identity theft and management’s response; and
Recommendations for material changes to the Program.
Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation to
covered accounts, and it continues to fine-tune its business practices as they relate to identity theft.
In 2019, Utilities:
Created a Compliance Specialist Position: A new position was created and filled in 2019. The
Compliance Specialist is responsible for ensuring adherence with regulatory requirements to
prevent violations of data and privacy laws. Additionally, this position is responsible for
overseeing the implementation, maintenance of, and adherence to policies and procedures
covering the access, use and handling of customer information.
Followed Identity Theft Policies & Procedures: Detailed policies and procedures were
updated in 2019, which consisted of:
o Inclusion of the Federal Law 47 U.S.C. § 222 for telecommunications carriers
which prevents unauthorized disclosure of Customer Proprietary Network
Information (CPNI);
o Verifying identity when handling customer accounts;
o Auditing technical systems and handling data;
o Administering agreements with service providers who have access to data; and
o Handling breaches of security or “red flags.”
Continued Video and In-Person Training: Utilities requires annual staff training on the Red
Flags Rules and the Utilities’ Identity Theft Program. The training was updated in 2018 to be an
interactive, e-learning module that was implemented in 2019.
Provided Mandatory NINJIO Video training: NINJIO videos offer cybersecurity awareness
training via engaging learning videos. IT assigns a monthly NINJIO video to all Utilities staff to
empower employees to become aware of cyberthreats. Completion of training is tied to system
access.
Training Adherence: Procedures were implemented in 2019 to ensure staff obtain all
mandatory trainings.
Collaborated on Cybersecurity: Utilities continues to collaborate with applicable City staff and
Platte River Power Authority colleagues to ensure that the utility’s electronic infrastructure
meets or exceeds all applicable security requirements and best practices.
Evaluated “Red Flags” and Trends: “Red Flags” (defined as patterns, practices, or specific
activities that indicate the possible existence of identity theft) are evaluated regularly to
determine the need for business process improvements.
The Privacy Committee is unaware of any significant incidents of identity theft since the plan was
approved in October 2008 and has no recommendations for substantial material changes to the program
at this time. In 2019, Utilities applied these policies and procedures to broadband services and in 2020
will continue to ensure adherence with these policies and all regulatory requirements to detect, prevent
and mitigate identity theft.
Cc: Cyril Vidergar, Assistant City Attorney
Carrie Daggett, City Attorney
Jen Barna, Sr Analyst, IT Security
Lori Clements, Sr Manager, Customer Support
Brook Weaver, Specialist, Customer Support