Item #05: Approval of Ocoee Identity Theft Detection and Prevention Program

FOLEY & LARDNER LLP
ATTORNEYS AT LAW

AGENDA ITEM COVER SHEET

Meeting Date: May 5, 2009
Item # 5
Contact Name: Paul E. Rosenthal, City Attorney
Contact Number: (not legible)
Reviewed By: Department Director; City Manager

Subject: Ocoee Identity Theft Detection and Prevention Program

Background Summary:
The FACT Act was signed into law on December 4, 2003 in an attempt to improve the accuracy of customer reports and to help prevent identity theft. "Red Flag" rules implementing the FACT Act were issued on November 9, 2007. The Red Flag rules require municipal utilities to develop and implement a written Identity Theft Prevention Program to detect, prevent and diminish identity theft in connection with the opening of certain accounts and certain existing accounts. Compliance was initially required by November 1, 2008 and extended to May 1, 2009.

Issue:
Should the City Commission accept the Ocoee Identity Theft Detection and Prevention Program (May 2009) in compliance with the Federal FACT Act and direct staff to implement the Program?

Recommendations:
It is respectfully recommended that the City Commission accept the Ocoee Identity Theft Detection and Prevention Program (May 2009) in compliance with the Federal FACT Act and direct staff to implement the Program.

Attachments: City of Ocoee Identity Theft Detection and Prevention Program, May 2009.

Financial Impact: Additional background investigations may be required at a nominal cost to the City.

Type of Item:
[ ] Public Hearing
[ ] Ordinance First Reading
[ ] Ordinance Second Reading
[ ] Resolution
[X] Commission Approval
[ ] Discussion & Direction

For Clerk's Dept. Use:
[X] Consent Agenda
[ ] Public Hearing
[ ] Regular Agenda
[ ] Original Document/Contract Attached for Execution by City Clerk
[ ] Original Document/Contract Held by Department for Execution

Reviewed by City Attorney Paul E. Rosenthal        [ ] N/A
Reviewed by Finance Dept. Wanda Horton             [ ] N/A
Reviewed by Cathy Sills & Brian Ross               [ ] N/A

ORLA_1300846.1

FOLEY & LARDNER LLP
ATTORNEYS AT LAW

MEMORANDUM
CLIENT-MATTER NUMBER 020377.0107

TO: The Honorable Mayor and City Commissioners
FROM: Paul E. Rosenthal, Esq., City Attorney
DATE: April 27, 2009
RE: Ocoee Identity Theft Detection and Prevention Program Staff Report

ISSUE

Should the City Commission accept the Ocoee Identity Theft Detection and Prevention Program (May 2009) in compliance with the Federal FACT Act and direct staff to implement the Program?

BACKGROUND/DISCUSSION

The Fair & Accurate Credit Transaction Act of 2003 (FACT Act) was signed into law on December 4, 2003. It amends the Fair Credit Reporting Act (FCRA) in an attempt to improve the accuracy of customer reports and to help prevent identity theft. "Red Flag" rules implementing the FACT Act were issued on November 9, 2007. The Red Flag rules require financial institutions to develop and implement a written Identity Theft Prevention Program to detect, prevent and diminish identity theft in connection with the opening of certain accounts and certain existing accounts. Compliance was initially required by November 1, 2008 and extended to May 1, 2009.

The FACT Act and Red Flag Rules are applicable to municipal utilities. City of Ocoee utility services which are subject to the FACT Act are sewer, water, reuse (irrigation) and garbage services. As such, the City is required to implement an Identity Theft Detection and Prevention Program in order to safeguard personal information collected from utility customers and to assure that all efforts are being taken to prevent that information from being used in connection with identity theft.

Attached hereto is the proposed Ocoee Identity Theft Detection and Prevention Program (May 2009). The Program has been drafted by the City Attorney in conjunction with City staff, including Cathy Sills, Brian Ross and Pam Brosonski.
Staff reviewed the model program which was developed by the Florida Municipal Electric Association (FMEA) and programs developed by several other municipalities. The format template proposed by FMEA was utilized. The portions of these programs applicable to the City of Ocoee were incorporated into the proposed Program and modified based on local factors.

The Program is intended to be dynamic in order to be responsive to the challenges associated with identity theft. A staff level Privacy Working Group is being formed to implement and review the Program. The Privacy Working Group will be chaired by the Utility Customer Service Supervisor, who is also being designated as the City's Privacy Officer for purposes of the FACT Act. Other members of the Privacy Working Group will come from Finance, Human Resources and Information Systems. The City Attorney will provide the Group with advice as needed.

An annual report will be prepared and presented to the City Manager with recommendations for changes in the Ocoee Identity Theft Detection and Prevention Program. The City Manager will review and approve any changes in the Program.

ORLA_1294412.2

CITY OF OCOEE
IDENTITY THEFT DETECTION AND PREVENTION PROGRAM
In compliance with the Federal FACT Act (2003) Identity Theft Red Flag Ruling
May 2009

Table of Contents

I.   General Information ............................................ 3
II.  Purpose ........................................................ 3
III. Scope .......................................................... 3
IV.  Responsibility ................................................. 4
V.   Definitions .................................................... 4
VI.  Privacy Working Group .......................................... 4
VII. Policy and Procedures .......................................... 5
     A. Red Flag Identification and Mitigation Policies ............ 5
     B. Detecting Red Flags ......................................... 8
     C. Handling a Breach in Security ............................... 9
     D. Disclosure of Personal Information .......................... 9
     E. Data Retention and Disposal ................................. 9
     F. Training and Screening ...................................... 9
     G. Handling Reports of Suspected Identity Theft ................ 9
     H. Victim Record Request ....................................... 10
     I. Data Security and Storage ................................... 10
     J. Reports, Reviews and Updates for Policy Enforcement ......... 11

IDENTITY THEFT DETECTION AND PREVENTION PROGRAM
Effective date: May 1, 2009

I. General Information

The Fair & Accurate Credit Transaction Act of 2003 (FACT Act) was signed into law on December 4, 2003. It amends the Fair Credit Reporting Act (FCRA) in an attempt to improve the accuracy of customer reports and to help prevent identity theft. Several federal agencies were charged with jointly issuing rules and guidelines implementing the new law.
The agencies issued final rules, known as "Red Flag" rules, on November 9, 2007. The Red Flag rules require financial institutions to develop and implement a written Identity Theft Prevention Program to detect, prevent and diminish identity theft in connection with the opening of certain accounts and certain existing accounts. Compliance was required by November 1, 2008 and extended to May 1, 2009.

Under the Red Flag rules, financial institutions that offer or maintain "covered accounts" must develop and implement a written program. A "covered account" is defined as (1) an account primarily used for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft. Accounts such as credit cards, mortgage loans, cell phone, utility, checking, automobile loans, and savings accounts are examples of accounts designed to permit multiple payments or transactions that also carry a reasonably foreseeable risk of identity theft.

Given the City's provision of sewer, water, reuse (irrigation) and garbage services (collectively, "utility services") and the methods by which it bills and collects payments from its customers receiving one or more of these utility services, the City of Ocoee is required to comply with the Red Flag rules.

II. Purpose

The goal of this policy is to prevent identity theft. The City of Ocoee recognizes its responsibility to safeguard customers' personal information during its collection, recording and handling within all City of Ocoee branches and workplaces. The purpose of this policy is to create an Identity Theft Detection and Prevention Program utilizing the guidance set forth in the FACT Act (2003).

III. Scope

This policy applies to all City employees and service providers that have access to utility customers' personal information that is submitted in person, by fax, mail, email and over the internet. This Policy does not replace, but rather supplements, any of the City of Ocoee's existing policies.

IV. Responsibility

The City of Ocoee must protect its customer data and implement policies and procedures that meet standards established by the Federal Trade Commission by May 1, 2009. Thereafter, the City of Ocoee will continually report on and monitor the program's integrity, completeness and deficiencies. The Privacy Working Group, as established herein, will review the program annually and amend policy when necessary.

V. Definitions

1) Identity Theft: A fraud committed using the identifying information of another person. This fraudulent activity may include opening utility accounts with counterfeit checks, using stolen identification to set up new accounts, or gaining access to the victim's accounts with the intent of using services under the name of someone else in order to avoid payment for services delivered by the City of Ocoee.

2) Red Flags: A pattern, practice, or specific activity that indicates the possible risk of identity theft.

3) Identifying Information: Any name or number that may be used alone or with any other information to identify a specific person; includes name, social security number, address, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport and employer or tax identification number.

VI. Privacy Working Group

A City of Ocoee Privacy Working Group is established by this Policy to create, drive and monitor the Identity Theft Detection and Prevention Program.
A Privacy Officer functions as the head of the Working Group and reports to a member of Senior Management regarding the outcomes and needs of the Identity Theft Detection and Prevention Program. The Privacy Working Group operates at the staff level. The Privacy Working Group consists of the following:

Position                                   Role
Customer Service Supervisor                Privacy Officer: coordinates audits and reviews patterns of incidents; expert in flow of funds.
Finance Director or designee               Senior Management: supplies resources to establish a proactive Identity Theft Program.
Human Resources Director or designee       Personnel information; identity theft training.
Information Systems Manager or designee    Data and network security; expert in SCADA/network administration.

VII. Policy and Procedures

A. Red Flag Identification and Mitigation Policies

Alerts

Red Flag:   Credit card declined.
Response:   Tell the customer about the alert and ask the customer to contact the Credit Reporting Agency or Credit Card Company to resolve the issue.
Resolution: Require another form of payment or a different credit card. If the customer cannot provide one, do not open the account.

Red Flag:   Notice of address discrepancy (e.g., credit card address; address on check).
Response:   Ask the customer to verify the address with supporting documentation.
Resolution: If the customer is able to verify the address, open the account and make changes to the billing system if necessary. Otherwise, do not open the account.

Red Flag:   Unusual patterns in activity: consumption on a closed account.
Response:   Contact the customer for verification.
Resolution: Terminate services and pull the meter.

Red Flag:   Unusual patterns in activity: multiple returned checks; credit card bounces.
Response:   Contact the customer for verification. Accept other forms of payment. After 2 bounced checks, change to a cash-only account.
Resolution: If the information cannot be verified, terminate the account.

Presentation of Suspicious Documents

Red Flag:   Identification documents appear altered or forged.
Response:   Ask the customer to visit the DMV and get an acceptable form of identification.
Resolution: Do not open the account.

Red Flag:   Photo/physical description does not match the applicant.
Response:   Ask the customer to visit the DMV and get an acceptable form of identification.
Resolution: Do not open the account.

Red Flag:   Other information on the identification is inconsistent with information given by the applicant.
Response:   Ask the customer to verify the inconsistent information with supporting documentation such as a birth certificate or marriage license.
Resolution: If the customer is able to verify the information, no further action should be necessary; if the customer is unable to verify the information, do not open the account.

Red Flag:   Information in utility records is inconsistent with information provided (example: signature on file does not match signature on license).
Response:   Inform the customer of the discrepancy and ask the customer to verify the inconsistent information with supporting documentation.
Resolution: It may be appropriate to notify law enforcement if a customer who is able to verify his identity to you believes his signature has previously been forged in connection with identity theft.

Red Flag:   Application looks altered, forged, or destroyed and reassembled.
Response:   Ask the customer to fill out another application in the office and verify all suspicious information.
Resolution: Do not open the account unless you are able to verify the information on the application.

Suspicious Personal Identifying Information

Red Flag:   Identification is inconsistent with an external source, such as address vs. address on lease.
Response:   Ask the customer to contact the landlord for verification of the address.
Resolution: If the customer is able to verify the address, open the account. Otherwise, do not open the account.

Red Flag:   Identification is inconsistent with an external source such as: ...
Response:   Ask the customer to verify the information with supporting documentation such as a social security card and driver's license.
Resolution: If the customer is able to verify the information, no further action should be necessary.

Red Flag:   Social security number not issued.
Response:   Ask the customer to contact a Social Security representative to obtain a number; or have the account opened in the name of someone else who has a social security number.
Resolution: Do not open the account without a social security number. [Note: the City does not verify social security numbers, as they are used for collection purposes only.]

Identification is known to be associated with fraudulent activity

Red Flag:   The address on the application is fictitious, a prison or a mail drop.
Response:   Check to be sure that the property is not associated with rental property.
Resolution: If the identification address is a mail drop or prison address, get another form of identification that is current, possibly a Parole Release Letter listing the current address.

Red Flag:   The address is the same address as that submitted by other persons opening an account.
Response:   The address of the customer must match the account address unless the account holder is a landlord with the bill being sent to a different address.
Resolution: Do not open the account if it is not part of a rental group or a landlord with multiple addresses.

Red Flag:   Applicant fails to provide all personal ID requested.
Response:   Inform the customer of the requirements to open an account and direct them to where they can obtain this information (DMV for driver's license).
Resolution: Do not open the account until you are able to verify the identification with other types of acceptable documentation.

Red Flag:   A change of billing address is followed by a request for adding additional properties to the account (or, shortly following the notification of a change in address, the utility receives a request for the addition of authorized users on the account).
Response:   Advise that a new application and new deposit are required. Verify the identity of all persons requesting address changes, adding properties, or changing authorized users.
Resolution: If you are able to verify the identity of the person making the request, then no further action should be necessary.

Red Flag:   Lease submitted for proof of residency appears to be altered or forged.
Response:   Ask the customer to supply an unaltered lease with the landlord's signature notarized.
Resolution: Do not open the account unless you are able to verify the residency requirement.

Red Flag:   Mail sent to the customer is repeatedly returned by the Post Office.
Response:   Contact the customer to verify the correct billing address.
Resolution: If you are unable to verify the correct address, close the account.

Red Flag:   Customer notifies the utility that they are not receiving their bill.
Response:   Verify the identity of the customer and then verify the correct address. If the problem persists after verification, notify the post office.
Resolution: If you are able to verify the correct address, change the address on file and no further action is necessary.

Red Flag:   The utility is notified of unauthorized access or transactions in connection with a customer's account.
Response:   Ask the customer to supply documentation regarding the possible identity theft such as an Affidavit or Police Report.
Resolution: Notify law enforcement.

Notice of Theft

Red Flag:   The utility is notified by law officials or others that it has opened a fraudulent account for a person engaged in identity theft.
Response:   Follow the instructions of law officials.
Resolution: You may be asked to terminate or closely monitor the account.

B. Detecting Red Flags

1) New Accounts. In order to detect any of the Red Flags identified above associated with the opening of a new account, City personnel will take the following steps to obtain and verify the identity of the person opening the account:
   a. Require certain identifying information such as name, residential or business address, principal place of business for an entity, driver's license or other identification (e.g., local business license);
   b. Verify the customer's identity (for instance, review a driver's license or other identification card);
   c. Review documentation showing the existence of a business entity (e.g., local business license); and
   d. Independently contact the customer.

2) Existing Accounts.
In order to detect any of the Red Flags identified above for an existing account, City personnel will take the following steps to monitor transactions with an account:
   a. Verify the identification of customers if they request information (in person, via telephone, via facsimile, via email);
   b. Verify the validity of requests to change billing addresses;
   c. Verify changes in banking information given for billing and payment purposes; and
   d. Independently contact the customer.

C. Handling a Breach in Security

To prevent identity theft by City employees, limit exposure of secured information by creating a professional standard. Implement a "need to know" policy for all confidential information. Train management to recognize signs of employee theft, including sifting through waste receptacles, downloading excessive amounts of customer information, using secured terminals without authorization, etc.

D. Disclosure of Personal Information

1) Information is used as a means of identification, for internal verification, for administrative purposes, and for debt collection purposes.

2) The City of Ocoee falls under the Public Records Law and all records are open to inspection. Chapter 119, Florida Statutes, commonly known as Florida's "Public Records Law," provides information on public records in Florida, including policies, definitions, exemptions, general information on records access, inspection, examination and duplication of records. Florida's public records laws are very broad, and most documents and records are available to the public. However, the laws do provide specified exceptions such as social security numbers.

E. Data Retention and Disposal

Records are disposed of in accordance with state and federal law, including the local records retention schedule issued by the State of Florida General Records Schedule for State and Local Government Agencies and Public Utilities. Documents with sensitive information are disposed of by shredding.

F. Training and Screening

A copy of the Identity Theft Detection and Prevention Program will be given to all Customer Service employees. Initial training sessions will be set up to help employees identify "red flags" and to explain the policies and procedures. The Identity Theft Program will be included in the initial training of all new employees.

All employees undergo a background check conducted by the Human Resources Department prior to hiring. Employees are assigned security levels which limit access to sensitive data. The System Administrator provides the initial password for each employee to access the system. The Finance Department activates passwords for access to customer information based on the assigned security level.

G. Handling Reports of Suspected Identity Theft

When a customer suspects identity theft, they must notify the City in writing. The City should make a copy of the customer's photo ID and attach it to the police report along with the written notification, and send all of these to the Privacy Officer.

- Close or block the account.
- Place an alert on the location master and notify Customer Service of the situation.
- IT IS CRITICAL THAT NO INFORMATION BE GIVEN DIRECTLY TO THE CUSTOMER UNTIL THE INVESTIGATION IS COMPLETE.

The Privacy Officer will determine the course of action at this point.

H. Victim Record Request

Under the FACT Act, identity theft victims are entitled to a copy of the application or other business transaction records relating to their identity theft free of charge. Utilities must provide these records within 30 days of receipt of the victim's request, or sooner. Businesses must also provide these records to any law enforcement agency which the victim authorizes. Before providing the records to the victim, the City must ask victims for:
   a. Proof of identity, which may be a government-issued ID card, the same type of information the identity thief used to open or access the account, or the type of information the business is currently requesting from applicants or customers; and
   b. A police report and a completed affidavit, which may be either the FTC Identity Theft Affidavit or the business's own affidavit.

I. Data Security and Storage

a. The IS Manager may conduct audits on a quarterly basis.

b. All Information Systems employees are subject to a background check by the City Human Resources Division. In addition, all IS employees are also required to pass a fingerprint-based background check submitted through the Ocoee Police Department. All employees performing the functions of a system administrator are subject to a 50-state background check through the Ocoee Police Department.

c. Employees are assigned security levels which limit access to sensitive data. The System Administrator provides the initial password for each employee to access the system. The employee is required to create a unique individual password. In its efforts to provide the City of Ocoee with a secure network, the Information Systems Department has adopted the use of strong passwords and account lockout. Password and account lockout settings are designed to protect accounts and data by minimizing the threat of brute-force guessing of user account passwords. Employees are required to change their password every ninety (90) days. The system will permit three sign-on attempts and then will disable the password. Only the System Administrator can reissue another password. Upon termination, employee passwords are immediately disabled. Additionally, City password policy prevents the reuse of passwords.

d. All City staff, upon written request of the Department Director, are provided a unique user ID and password with access to perform their normal work duties.
System administrators are also each provided an additional and unique user ID and password with administrator privileges, to be used only when performing administrative tasks. No passwords are to be shared.

e. American Data Group, as the provider of the City's financial software, has a user ID and password which permit them access to administer the financial applications and data. The vendor's user ID and remote access are disabled unless other arrangements are made with Information Technology. Such arrangements are for a set time frame during which access will be enabled; access is then automatically disabled at the end of the prearranged time period.

J. Reports, Reviews and Updates for Policy Enforcement

The Customer Service Supervisor will conduct an annual review of the current policy and report any fraudulent activity to the Finance Director. The Finance Director will review any recommended changes in policy and make a recommendation to the City Manager. An annual report reviewing all incidents, program revisions and goals will be submitted to the City Manager. The City Manager will review and approve any changes to the Program.

City of Ocoee Identity Theft Prevention & Detection Program
Incident Report

Date: ______________    Prepared by: ______________

It is the policy of the City of Ocoee to provide an Identity Theft Prevention Program for customers and employees. The purpose of this report is to promote continued evaluation of the effectiveness of current policies and procedures in compliance with the FACT Act (2003). This document will be used to drive recommendations for changes to the program due to evolving risks and methods of theft.

Committee Members:

Describe current strengths of the program:

Describe areas of improvement:

Committee Signatures

______________ (Title)    ______________ (Date)
______________ (Title)    ______________ (Date)
______________ (Title)    ______________ (Date)
______________ (Title)    ______________ (Date)

Date          Incident / "Significant Event"          Management Mitigation Response
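The Red Flags in section VII.A and the monitoring steps in section VII.B are detection rules over application and account data. As an added example (not part of the City's Program or its billing software), the following Python encodes several of those rules as checks over constructed records and returns the response the Program prescribes; the record layout, field names, the 30-day window assumed for "shortly following" and the 2-return threshold assumed for "repeatedly returned" mail are all assumptions.

```python
"""Red-flag triage over constructed utility account records (added example).

Encodes several Red Flags from section VII.A as checks. The record layout, field
names, the 30-day window for "shortly following" and the 2-return threshold for
"repeatedly returned" mail are assumptions, not part of the Program.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SHORTLY_FOLLOWING = timedelta(days=30)  # assumed reading of "shortly following"
REPEATED_RETURNS = 2                    # assumed reading of "repeatedly returned"
BOUNCED_CHECK_LIMIT = 2                 # Program: cash-only after 2 bounced checks

@dataclass
class Application:
    applicant: str
    address: str
    ssn_provided: bool
    id_complete: bool            # all requested personal ID supplied
    is_landlord: bool = False    # a landlord may legitimately share an address

@dataclass
class AccountEvent:
    account: str
    kind: str   # returned_check | address_change | add_authorized_user | add_property | mail_returned
    when: date

def triage_application(app, open_applications):
    """Apply new-account Red Flags; return ("open" | "do_not_open", [responses])."""
    responses = []
    if not app.ssn_provided:
        responses.append("Do not open the account without a social security number")
    if not app.id_complete:
        responses.append("Inform customer of ID requirements (DMV); do not open until verified")
    shared = [o for o in open_applications
              if o.address == app.address and o.applicant != app.applicant]
    if shared and not app.is_landlord:
        responses.append("Address already submitted by another applicant; "
                         "do not open unless part of a rental group or landlord")
    return ("do_not_open" if responses else "open"), responses

def triage_events(events):
    """Apply existing-account Red Flags; return [(account, flag, response)]."""
    per_account = {}
    for ev in sorted(events, key=lambda e: e.when):
        per_account.setdefault(ev.account, []).append(ev)
    findings = []
    for acct, evs in per_account.items():
        if sum(e.kind == "returned_check" for e in evs) >= BOUNCED_CHECK_LIMIT:
            findings.append((acct, "multiple_returned_checks",
                             "contact customer to verify; change to cash-only account"))
        if sum(e.kind == "mail_returned" for e in evs) >= REPEATED_RETURNS:
            findings.append((acct, "mail_repeatedly_returned",
                             "contact customer to verify billing address; close if unverifiable"))
        for change in (e for e in evs if e.kind == "address_change"):
            # Red Flag: address change followed shortly by adding users or properties
            if any(e.kind in ("add_authorized_user", "add_property")
                   and change.when <= e.when <= change.when + SHORTLY_FOLLOWING for e in evs):
                findings.append((acct, "address_change_then_add_user",
                                 "verify identity of requester; new application and deposit required"))
                break
    return findings

# Constructed sample records, not real customers or accounts.
SAMPLE_APPS = [
    Application("A. Applicant", "10 Main St", ssn_provided=True, id_complete=True),
    Application("B. Applicant", "10 Main St", ssn_provided=True, id_complete=True),
]
SAMPLE_EVENTS = [
    AccountEvent("ACCT-1", "returned_check", date(2009, 1, 5)),
    AccountEvent("ACCT-1", "returned_check", date(2009, 2, 9)),
    AccountEvent("ACCT-2", "address_change", date(2009, 3, 1)),
    AccountEvent("ACCT-2", "add_authorized_user", date(2009, 3, 12)),
    AccountEvent("ACCT-3", "address_change", date(2009, 3, 1)),
    AccountEvent("ACCT-3", "add_authorized_user", date(2009, 6, 1)),   # outside the window
]
```

Running `triage_application(SAMPLE_APPS[1], SAMPLE_APPS[:1])` flags the shared address, and `triage_events(SAMPLE_EVENTS)` reports ACCT-1 and ACCT-2 but not ACCT-3, whose user addition falls outside the assumed window.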