Item #05 Approval of Ocoee Identity Theft Detection and Prevention Program
FOLEY & LARDNER LLP
ATTORNEYS AT LAW
AGENDA ITEM COVER SHEET
Meeting Date: May 5, 2009
Item # 5
Contact Name: Paul E. Rosenthal, City Attorney
Contact Number:
Reviewed By:
Department Director:
City Manager:
Subject: Ocoee Identity Theft Detection and Prevention Program
Background Summary:
The FACT Act was signed into law on December 4, 2003 in an attempt to improve the accuracy of
customer reports and to help prevent identity theft. "Red Flag" rules implementing the FACT Act
were issued on November 9, 2007. The Red Flag rules require municipal utilities to develop and
implement a written Identity Theft Prevention Program to detect, prevent and diminish identity theft
in connection with the opening of certain accounts and certain existing accounts. Compliance was
initially required by November 1, 2008 and extended to May 1, 2009.
Issue:
Should the City Commission accept the Ocoee Identity Theft Detection and Prevention Program
(May 2009) in compliance with the Federal FACT Act and direct staff to implement the Program?
Recommendations:
It is respectfully recommended that the City Commission accept the Ocoee Identity Theft Detection
and Prevention Program (May 2009) in compliance with the Federal FACT Act and direct staff to
implement the Program.
Attachments:
City of Ocoee Identity Theft Detection and Prevention Program, May 2009.
Financial Impact:
Additional background investigations may be required at a nominal cost to the City.
1300846.1
Type of Item:
[ ] Public Hearing
[ ] Ordinance First Reading
[ ] Resolution
[X] Commission Approval
[ ] Discussion & Direction
For Clerk's Dept Use:
[X] Consent Agenda
[ ] Public Hearing
[ ] Regular Agenda
[ ] Original Document/Contract Attached for Execution by City Clerk
[ ] Original Document/Contract Held by Department for Execution
Reviewed by City Attorney Paul E. Rosenthal [ ] N/A
Reviewed by Finance Dept. Wanda Horton [ ] N/A
Reviewed by ( ) Cathy Sills & Brian Ross [ ] N/A
MEMORANDUM
CLIENT-MATTER NUMBER: 020377.0107
TO: The Honorable Mayor and City Commissioners
FROM: Paul E. Rosenthal, Esq., City Attorney
DATE: April 27, 2009
RE: Ocoee Identity Theft Detection and Prevention Program
Staff Report
ISSUE
Should the City Commission accept the Ocoee Identity Theft Detection and Prevention Program (May 2009) in
compliance with the Federal FACT Act and direct staff to implement the Program?
BACKGROUND/DISCUSSION
The Fair & Accurate Credit Transaction Act of 2003 (FACT Act) was signed into law on December 4, 2003. It
amends the Fair Credit Reporting Act (FCRA) in an attempt to improve the accuracy of customer reports and to
help prevent identity theft. "Red Flag" rules implementing the FACT Act were issued on November 9, 2007.
The Red Flag rules require financial institutions to develop and implement a written Identity Theft Prevention
Program to detect, prevent and diminish identity theft in connection with the opening of certain accounts and
certain existing accounts. Compliance was initially required by November 1, 2008 and extended to May 1,
2009.
The FACT Act and Red Flag Rules are applicable to municipal utilities. The City of Ocoee utility services which
are subject to the FACT Act are sewer, water, reuse (irrigation) and garbage services. As such, the City is required
to implement an Identity Theft Detection and Prevention Program in order to safeguard personal information
collected from utility customers and to assure that all efforts are being taken to prevent that information from
being used in connection with identity theft.
Attached hereto is the proposed Ocoee Identity Theft Detection and Prevention Program (May 2009). The
Program has been drafted by the City Attorney in conjunction with City staff, including Cathy Sills, Brian Ross
and Pam Brosonski. Staff reviewed the model program which was developed by the Florida Municipal Electric
Association and programs developed by several other municipalities. The format template proposed by FMEA
was utilized. The portions of these programs applicable to the City of Ocoee were incorporated into the
proposed Program and modified based on the local factors.
The Program is intended to be dynamic in order to be responsive to the challenges associated with identity theft.
A staff-level Privacy Working Group is being formed to implement and review the Program. The Privacy
Working Group will be chaired by the Utility Customer Service Supervisor, who is also being designated as the
City's Privacy Officer for purposes of the FACT Act. Other members of the Privacy Working Group will come
from Finance, Human Resources and Information Systems. The City Attorney will provide the Group with
advice as needed. An annual report will be prepared and presented to the City Manager with recommendations
for changes in the Ocoee Identity Theft Detection and Prevention Program. The City Manager will review and
approve any changes in the Program.
ORLA_1294412.2
CITY OF OCOEE
IDENTITY THEFT DETECTION AND
PREVENTION PROGRAM
In compliance with the Federal FACT Act (2003)
Identity Theft Red Flag Ruling
May 2009
Table of Contents
I. General Information
II. Purpose
III. Scope
IV. Responsibility
V. Definitions
VI. Privacy Working Group
VII. Policy and Procedures
A. Red Flag Identification and Mitigation Policies
B. Detecting Red Flags
C. Handling a Breach in Security
D. Disclosure of Personal Information
E. Data Retention and Disposal
F. Training and Screening
G. Handling Reports of Suspected Identity Theft
H. Victim Record Request
I. Data Security and Storage
J. Reports, Reviews and Updates for Policy Enforcement
IDENTITY THEFT DETECTION
AND PREVENTION PROGRAM
Effective date: May 1, 2009
I. General Information
The Fair & Accurate Credit Transaction Act of 2003 (FACT Act) was signed into law on
December 4, 2003. It amends the Fair Credit Reporting Act (FCRA) in an attempt to improve
the accuracy of customer reports and to help prevent identity theft.
Several federal agencies were charged with jointly issuing rules and guidelines implementing the
new law. The agencies issued final rules, known as "Red Flag" rules, on November 9, 2007.
The Red Flag rules require financial institutions to develop and implement a written Identity
Theft Prevention Program to detect, prevent and diminish identity theft in connection with the
opening of certain accounts and certain existing accounts. Compliance was initially required by
November 1, 2008 and was extended to May 1, 2009.
Under the Red Flag rules, financial institutions that offer or maintain "covered accounts" must
develop and implement a written program. A "covered account" is defined as (1) an account
primarily used for personal, family, or household purposes, that involves or is designed to permit
multiple payments or transactions; and (2) any other account for which there is a reasonably
foreseeable risk to customers or the safety and soundness of the financial institution or creditor
from identity theft.
Accounts such as credit cards, mortgage loans, cell phone, utility, checking, automobile loans,
and savings accounts are examples of accounts designed to permit multiple payments or
transactions and also contain a reasonably foreseeable risk of identity theft. Given the City's
provision of sewer, water, reuse (irrigation) and garbage services (collectively, "utility services")
and the methods by which it bills and collects payments from its customers receiving one or
more of these utility services, the City of Ocoee is required to comply with the Red Flag rules.
II. Purpose
The goal of this policy is to prevent identity theft. The City of Ocoee recognizes its
responsibility to safeguard customers' personal information during its collection, recording and
handling within all City of Ocoee branches and workplaces. The purpose of this policy is to create
an Identity Theft Detection and Prevention Program utilizing guidance set forth in the FACT Act
(2003).
III. Scope
This policy applies to all City employees and service providers that have access to utility
customers' personal information that is submitted in person, by fax, mail, email and over the
internet. This Policy does not replace, but rather supplements, any of the City of Ocoee's
existing policies.
IV. Responsibility
The City of Ocoee must protect its customer data and implement policies and procedures that
meet standards established by the Federal Trade Commission by May 1, 2009. Thereafter, the
City of Ocoee will continually report on and monitor the program's integrity, completeness and
deficiencies. The Privacy Working Group, as established herein, will review the program
annually and amend policy when necessary.
V. Definitions
1) Identity Theft: A fraud committed using the identifying information of another
person. This fraudulent activity may include opening utility accounts with
counterfeit checks, using stolen identification for setting up new accounts or
gaining access to the victim's accounts with the intent of using services under the
name of someone else in order to avoid payments of services delivered by the
City of Ocoee.
2) Red Flags: A pattern, practice, or specific activity that indicates the possible risk
of identity theft.
3) Identifying Information: Any name or number that may be used alone or with any
other information to identify a specific person; includes name, social security
number, address, date of birth, official state or government issued driver's license
or identification number, alien registration number, government passport and
employer or tax identification number.
VI. Privacy Working Group
A City of Ocoee Privacy Working Group is established by this Policy to create, drive and
monitor the Identity Theft Detection and Prevention Program. A Privacy Officer functions as the
head of the Working Group and reports to a member of Senior Management regarding the
outcomes and needs of the Identity Theft Detection and Prevention Program. The Privacy
Working Group is a staff-level function.
The Privacy Working Group consists of the following:
Position / Role
Customer Service Supervisor / Privacy Officer - coordinates audits and reviews patterns of incidents; expert in flow of funds.
Finance Director or designee / Senior Management - supplies resources to establish a proactive Identity Theft Program.
Human Resources Director or designee / Personnel information; identity theft training.
Information Systems Manager or designee / Data and network security; expert in SCADA/network administration.
VII. Policy and Procedures
A. Red Flag Identification and Mitigation Policies
Alerts

Red Flag: Credit card declined.
Response: Tell the customer about the alert and ask the customer to contact the Credit Reporting Agency or Credit Card Company to resolve the issue.
Action: Require other form of payment or different credit card. If customer cannot provide, do not open the account.

Red Flag: Notice of address discrepancy (i.e., credit card address; address on check).
Response: Ask the customer to verify the address with supporting documentation.
Action: If the customer is able to verify address, open the account and make changes to the billing system if necessary. Otherwise, do not open the account.

Red Flag: Unusual patterns in activity - consumption on closed account.
Response: Contact customer for verification.
Action: Terminate services and pull meter.

Red Flag: Unusual patterns in activity - multiple returned checks; credit card bounces.
Response: Contact customer for verification.
Action: Accept other forms of payment. After 2 bounced checks, change to cash only account. If information cannot be verified, terminate account.

Presentation of Suspicious Documents

Red Flag: Identification documents appear altered or forged.
Response: Ask the customer to visit the DMV and get an acceptable form of identification.
Action: Do not open account.

Red Flag: Photo/physical description does not match applicant.
Response: Ask the customer to visit the DMV and get an acceptable form of identification.
Action: Do not open account.

Red Flag: Other information on identification is inconsistent with information given by applicant.
Response: Ask the customer to verify the inconsistent information with supporting documentation such as birth certificate or marriage license.
Action: If customer is able to verify information, no further action should be necessary; if customer is unable to verify information, do not open the account.

Red Flag: Information in utility records is inconsistent with information provided. Example: signature in file does not match signature on license.
Response: Inform the customer of the discrepancy and ask the customer to verify the inconsistent information with supporting documentation.
Action: It may be appropriate to notify law enforcement if a customer who is able to verify his identity to you believes his signature has been previously forged in connection with identity theft.

Red Flag: Application looks altered or forged, or destroyed and reassembled.
Response: Ask the customer to fill out another application in the office and verify all suspicious information.
Action: Do not open the account unless you are able to verify the information on the application.

Suspicious Personal Identifying Information

Red Flag: Identification is inconsistent with external source, such as: address vs. address on lease.
Response: Ask the customer to contact landlord for verification of address.
Action: If the customer is able to verify address, open the account. Otherwise, do not open the account.

Red Flag: Identification is inconsistent with external source (item not legible in source).
Response: Ask the customer to verify information with supporting documentation such as social security card and driver's license.
Action: If the customer is able to verify information, no further action should be necessary.

Red Flag: Identification is inconsistent with external source, such as: social security number not issued.
Response: Ask the customer to contact a Social Security representative to obtain number; or have the account opened in someone else's name who has a social security number.
Action: Do not open the account without a social security number. [Note: City does not verify social security numbers as they are used for collection purposes only.]

Red Flag: Identification is known to be associated with fraudulent activity: the address on the application is fictitious, a prison or a mail drop.
Response: Address of customer must match account address unless account holder is a landlord with bill being sent to a different address.
Action: If the identification address is a mail drop or prison address, get another form of identification that is current, possibly a Parole Release Letter listing current address.

Red Flag: The address is the same address as that submitted by other persons opening an account.
Response: Check to be sure that the property is not associated with rental property.
Action: Do not open the account if it is not part of a rental group or landlord with multiple addresses.

Red Flag: Applicant fails to provide all personal ID requested.
Response: Inform the customer of the requirements to open an account and direct them to where they can obtain this information (DMV for driver's license).
Action: Do not open the account until you are able to verify the identification with other types of acceptable documentation.

Red Flag: Change of billing address is followed by request for adding additional properties to the account (or shortly following the notification of a change in address, the utility receives a request for the addition of authorized users on the account).
Response: Advise that a new application and new deposit is required. Verify the identity of all persons requesting address changes, adding properties, or changing authorized users.
Action: If you are able to verify the identity of the person making the request, then no further action should be necessary.

Red Flag: Lease submitted for proof of residency appears to be altered or forged.
Response: Ask the customer to supply an unaltered lease with the landlord's signature notarized.
Action: Do not open the account unless you are able to verify the residency requirement.

Red Flag: Mail sent to customer is repeatedly returned by Post Office.
Response: Contact the customer to verify the correct billing address.
Action: If you are unable to verify the correct address, close account.

Red Flag: Customer notifies utility that they are not receiving their bill.
Response: Verify the identity of the customer and then verify the correct address. If problem persists after verification, notify post office.
Action: If you are able to verify the correct address, change the address on file and no further action is necessary.

Red Flag: The utility is notified of unauthorized access or transactions in connection with a customer's account.
Response: Ask the customer to supply documentation regarding the possible identity theft such as an Affidavit or Police Report.
Action: Notify law enforcement.

Notice of Theft

Red Flag: Utility is notified by law officials or others that it has opened a fraudulent account for a person engaged in identity theft.
Response: Follow the instructions of law officials.
Action: You may be asked to terminate or closely monitor the account.
B. Detecting Red Flags
1) New Accounts. In order to detect any of the Red Flags identified above
associated with the opening of a new account, City personnel will take the
following steps to obtain and verify the identity of the person opening the
account:
a. Require certain identifying information such as name, residential or business
address, principal place of business for an entity, driver's license or other
identification (i.e., local business license);
b. Verify the customer's identity (for instance, review a driver's license or other
identification card);
c. Review documentation showing the existence of a business entity (i.e., local
business license); and
d. Independently contact the customer.
2) Existing Accounts. In order to detect any of the Red Flags identified above for
an existing account, City personnel will take the following steps to monitor
transactions with an account:
a. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
b. Verify the validity of requests to change billing addresses;
c. Verify changes in banking information given for billing and payment purposes; and
d. Independently contact the customer.
C. Handling a Breach in Security
To prevent identity theft by City employees, limit exposure of secured information by creating a
professional standard. Implement a "need to know" policy with all confidential information.
Train management to recognize signs of employee theft including sifting through waste
receptacles, downloading excessive amounts of customer information, using secured terminals
without authorization, etc.
D. Disclosure of Personal Information
1) Information is used as a means of identification, for internal verification,
administrative purposes, and for debt collection purposes.
2) The City of Ocoee falls under the Public Records Law and all records are open to
inspection. Chapter 119, Florida Statutes, commonly known as Florida's "Public
Records Law," provides information on public records in Florida, including
policies, definitions, exemptions, general information on records access,
inspection, examination and duplication of records. Florida's public records laws
are very broad, and most documents and records are available to the public.
However, the laws do provide specified exceptions such as social security
numbers.
E. Data Retention and Disposal
Records are disposed of in accordance with state and federal law, including the local records
retention schedule issued by the State of Florida General Records Schedule for State and Local
Government Agencies and Public Utilities. Documents with sensitive information are disposed
of by shredding.
F. Training and Screening
A copy of the Identity Theft Detection and Prevention Program will be given to all Customer
Service Employees. Initial training sessions will be set up to help the employee identify "red
flags" and explain the policies and procedures. The Identity Theft Program will be included in
the initial training of all new employees.
All employees undergo a background check conducted by the Human Resources Department
prior to hiring. Employees are assigned security levels which limit access to sensitive data. The
System Administrator provides the initial password for each employee to access the system.
The Finance Department activates passwords for access to customer information based on
assigned security level.
G. Handling Reports of Suspected Identity Theft
When a customer suspects identity theft, they must notify the City in writing. The City should
make a copy of the customer's photo ID and attach it to the police report along with the written
notification and send all to the Privacy Officer.
✓ Close or block account.
✓ Place an alert on location master and notify Customer Service of the situation.
✓ IT IS CRITICAL THAT NO INFORMATION BE GIVEN DIRECTLY TO THE
CUSTOMER UNTIL THE INVESTIGATION IS COMPLETE. The Privacy Officer
will determine the course of action at this point.
H. Victim Record Request
Under the FACT Act, identity theft victims are entitled to a copy of the application or other
business transaction records relating to their identity theft free of charge. Utilities must provide
these records within 30 days of receipt of the victim's request, or sooner. Businesses must also
provide these records to any law enforcement agency which the victim authorizes.
Before providing the records to the victim, the City must ask victims for:
a. Proof of identity, which may be a government-issued ID card, the same type of
information the identity thief used to open or access the account, or the type of
information the business is currently requesting from applicants or customers; and
b. A police report and a completed affidavit, which may be either the FTC Identity
Theft Affidavit or the business's own affidavit.
I. Data Security and Storage
a. The IS Manager may conduct audits on a quarterly basis.
b. All Information Systems employees are subjected to a background check by the
City Human Resources Division. In addition, all IS employees are also required to
pass a fingerprint-based background check submitted through the Ocoee Police
Department. All employees performing functions of a system administrator are
subjected to a 50-state background check through the Ocoee Police Department.
c. Employees are assigned security levels which limit access to sensitive data. The
System Administrator provides the initial password for each employee to access
the system. The employee is required to create a unique individual password. In
our efforts to provide the City of Ocoee with a secure network, the Information
Systems Department has adopted the use of strong passwords and account
lockout. Password and account lockout settings are designed to protect password
accounts and data by minimizing the threat of brute force guessing of user
account passwords. Employees are required to change their password every ninety
(90) days. The system will permit three sign-on attempts, and then will disable
the password. Only the System Administrator can reissue another password.
Upon termination, employee passwords are immediately disabled. Additionally,
City password policy prevents the reuse of passwords.
d. All City staff, upon written request of the Department Director, are provided a
unique user ID and password with access to perform their normal work duties.
System administrators are also each provided an additional and unique user ID
and password with administrator privileges to be used only when performing
administrative tasks. No passwords are to be shared.
e. American Data Group, as the provider of the City's financial software, has a user
ID and password which permits them access to administer the financial
applications and data. The vendor's user ID and remote access are disabled
unless other arrangements are made with Information Technology. Such
arrangements are for a certain time frame for which access will be enabled and
then automatically disabled upon the end of the prearranged time period.
J. Reports, Reviews and Updates for Policy Enforcement
The Customer Service Supervisor will conduct an annual review of the current policy and report
any fraudulent activity to the Finance Director. The Finance Director will review any
recommended changes in policy and make a recommendation to the City Manager. An annual
report reviewing all incidents, program revisions and goals will be submitted to the City Manager.
The City Manager will review and approve any changes to the Program.
City of Ocoee
Identity Theft Prevention & Detection Program Incident Report
Date
Prepared by
It is the policy of the City of Ocoee to provide an Identity Theft Prevention Program for
customers and employees. The purpose of this report is to promote continued evaluation of
effectiveness of current policies and procedures in compliance with the FACT Act (2003). This
document will be used to drive recommendations for changes to the program due to evolving risk
and methods of theft.
Committee Members:
Describe current strengths of the program:
Describe areas of improvement:
Committee Signatures
(Title) (Date)
(Title) (Date)
(Title) (Date)
(Title) (Date)

Date | Incident / "Significant Event" | Management Response | Mitigation