Memo - Mail Packet - 1/24/2023 - 6 - Memorandum From Gretchen Stanford Re: 2022 Annual Report: Fort Collins Utilities’ Program To Detect, Prevent And Mitigate Identity Theft
Utilities
electric · stormwater · wastewater · water
222 Laporte Ave.
PO Box 580
Fort Collins, CO 80522-0580
970.212.2900
V/TDD: 711
utilities@fcgov.com
fcgov.com/utilities
MEMORANDUM
DATE: January 11, 2023
TO: Mayor Arndt and City Councilmembers
THROUGH: Kelly DiMartino, City Manager
Kevin Wilkins, Chief Information Officer
Tyler Marr, Deputy City Manager
Kendall Minor, Utilities Executive Director
FROM: Gretchen Stanford, Utilities Deputy Director, Customer Connections
Privacy Committee Senior Management Representative
RE: 2022 Annual Report: Fort Collins Utilities’ Program to Detect, Prevent and
Mitigate Identity Theft
Bottom Line:
This memorandum serves as Fort Collins Utilities’ annual report to Council per Resolution 2008-102.
In 2022, there were no reports of identity theft. The following incidents were documented and required
follow-up, and staff ultimately verified there were no Red Flags compliance issues involving the
customer(s):
• On one occasion, a customer received another new customer’s activation notice, which
included the account number. The CSR was provided coaching to double check the account
before sending any information. The account was noted, monitored, and no identity theft
incidents from the customer were reported to Utilities.
• On three occasions, a customer received another customer’s physical bill. Utilities Billing
Supervisor was notified. These incidents occurred because the bills got stuck together when the
mailing vendor prepared the documents. No identity theft incident from the customer was
reported to Utilities.
• On one occasion, a customer’s account number was inadvertently provided to a property
management company. The CSR was provided coaching to ensure better knowledge on the
privacy policies. No identity theft incidents from the customers were reported to Utilities.
• On one occasion, a customer received another customer’s physical bill because the customer
who previously lived at the residence did not notify Utilities that he had moved. The customer
now residing at the residence was educated to open only mail expressly addressed to her. No
incidents were reported from the customer who moved.
DocuSign Envelope ID: 904E0CA4-F314-4BAB-B28B-31C8E71212FE
Background
The Utilities Privacy Committee is required to submit this report to its governing body by the federal
Red Flags Rules, effective as of December 31, 2010. The rules were promulgated as required by the
Fair and Accurate Credit Transactions (FACT) Act of 2003 (Part 681 of Title 16 of the Code of
Federal Regulations implementing Sections 114 and 115) to require utilities and service providers
holding customer financial information to adopt policies to detect and prevent identity theft.
City Council Resolution 2008-102 requires the annual Red Flags report (regarding patterns, practices,
or specific activities that indicate the possible existence of identity theft) to include the following
information:
• The effectiveness of the Utilities’ Identity Theft Program in addressing the risk of identity theft
in connection with the opening of “covered accounts” and with respect to existing covered
accounts. As defined by the rules, “covered accounts” include any accounts offered or
maintained primarily for personal, family, or household purposes, that involve multiple
payments or transactions; and any other account offered or maintained for which there is a
reasonably foreseeable risk to customers or to the safety and soundness of the utility from
identity theft. Per this definition, all utility accounts are “covered accounts;”
• The effectiveness of the Utilities’ policies and procedures in addressing the risk of identity theft
in connection with service provider agreements;
• Significant incidents involving identity theft and management’s response; and
• Recommendations for material changes to the Program.
Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation
to covered accounts, and it continues to fine-tune its business practices as they relate to identity theft.
In 2022, Utilities:
• Compliance Specialist: This individual is responsible for ensuring adherence to regulatory
requirements in order to prevent violations of data and privacy laws. Additionally, the
employee is responsible for overseeing the implementation, maintenance of, and adherence to
policies and procedures covering the access, use and handling of customer information.
• Followed Identity Theft Policies & Procedures: Detailed policies and procedures were
maintained in 2022, which consist of:
o Inclusion of the Federal Law 47 U.S.C. § 222 for telecommunications carriers
which prevents unauthorized disclosure of Customer Proprietary Network
Information (CPNI);
o Verifying identity when handling customer accounts;
o Administering agreements with service providers who have access to data; and
o Handling breaches of security or “red flags.”
• Continued Video and In-Person Training: Utilities required annual interactive e-learning for
staff on the Red Flags Rules and the Utilities’ Identity Theft Program.
• Provided Mandatory Cybersecurity Video Training: KnowBe4 videos coordinated through
City IT offered cybersecurity awareness training via engaging learning videos. IT assigned a
monthly video training to all Utilities staff to empower employees to become aware of cyber
threats. Completion of training continued to be tied to system access.
• Training Adherence: Procedures were maintained to ensure all Utilities staff obtain required
training.
• Collaborated on Cybersecurity: Utilities continued to collaborate with applicable colleagues
to address the Utility’s electronic infrastructure and whether it meets or exceeds applicable
security requirements and best practices.
• Evaluated “Red Flags” and Trends: “Red Flags” (defined as patterns, practices, or specific
activities that indicate the possible existence of identity theft) were evaluated regularly
throughout the year to determine the need for business process improvements.
The Privacy Committee is unaware of any significant incidents of identity theft since the Plan was
approved in October 2008 and has no recommendations for substantial material changes to the
Program at this time. In 2023, Utilities continues to ensure adherence with these policies and all
regulatory requirements to detect, prevent and mitigate identity theft, including efforts to maintain the
practices listed above.
CC: Lori Clements, Senior Manager, Customer Support and Privacy Officer
Cyril Vidergar, Assistant City Attorney
Carrie Daggett, City Attorney
Tammi Pusheck, Sr. Analyst, Administration (City Privacy and Records Manager)