The URL can be used to link to this page

Home My WebLink About2009 04 27 Consent 201 Resolution 2009-28 Identity Theft Detection/Prevention ProgramCOMMISSION AGENDA ITEM 201 A~ri127, 2009 Special Meeting INFORMATIONAL CONSENT X PUBLIC HEARING REGULAR MGR~~ /DEPT 1Cd Authorization REQUEST: The City Manager and Finance Department Is Requesting That the City Commission Adopt Resolution 2009-28 Establishing an Identity Theft Detection and Prevention Program. PURPOSE: The purpose of this item is to receive Commission approval for Resolution 2009-28 to establish an identity theft detection and prevention program. CONSIDERATIONS: A ruling known as the `Identity Theft Red Flags Regulation' was jointly issued by the Federal Trade Commission, Office of Thrift Supervision and several other governing agencies; implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT ACT) and is effective on May 1, 2009. The Identity Theft Red Flags Regulation requires financial institutions that extend credit to their customers to develop and implement a written Identity Theft Program to detect, prevent and diminish identity theft in connection with opening of certain accounts or certain existing accounts. The attached policy contains guidance to City employees on how to protect our citizen's private information. The program will be reviewed throughout the year by the Privacy Committee, which is established by this Resolution, all incidents will be reported and reviewed as required by the program. Annually a report will be presented to the Commission on the status of the program including any reported incidences during the year. The attached policy-has been reviewed by the City Attorney. RECOMMENDATIONS: The Finance Department recommends approval of Resolution No. 2009-28. ATTACHMENTS: Resolution No. 2009-28 COMMISSION ACTION: RESOLUTION N0.2009-28 A RESOLUTION OF THE CITY COMMISSION OF THE CITY OF WINTER SPRINGS, SEMINOLE COUNTY, FLORIDA ADOPTING THE CITY'S IDENTITY THEFT DETECTION AND PREVENTION PROGRAM; ADOPTING RELATED FORMS FOR REPORTING AND TRACKING POSSIBLE OCCURRENCES OF IDENTITY THEFT; PROVIDING FOR THE REPEAL OF PRIOR INCONSISTENT RESOLUTIONS, SEVERABILITY AND AN EFFECTIVE DATE. WHEREAS, the City is granted the authority, under § 2(b), Art. VIII of the State Constitution, to exercise any power for municipal purposes, except when expressly prohibited by law; and WHEREAS, the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1581 et. seq., was amended in 2003 in an attempt to improve the accuracy of consumer reports and to help prevent identity theft; and WHEREAS, the amendments to the FCRA require creditors such as utilities to develop and implement a written Identity Theft Prevention Program to detect "red flags" and to respond appropriately to said red flags in an effort to prevent and mitigate identity theft; and WHEREAS, compliance with the FCRA amendments is required no later than May 1, 2009; and WHEREAS, the City Commission desires to adopt the City's Identity Theft Detection and Prevention Program consistent with the requirements of the FCRA as set forth herein; and WHEREAS, City Commission deems that this Resolution is in the best interests of the public health, safety, and welfare of the citizens of Winter Springs. NOW, THEREFORE, BE IT DULY RESOLVED BY THE CITY COMMISSION OF THE CITY OF WINTER SPRINGS, SEMINOLE COUNTY, FLORIDA, THAT: Section 1. Incorporation of Recitals. The foregoing recitals are deemed true and correct and are hereby fully incorporated herein by reference. Section 2. Adoption of Identit~Theft Detection and Prevention Program. The City Commission of the City of Winter Springs hereby adopts the City of Winter Springs Identity Theft Detection and Prevention Program and forms as set forth in Exhibit "A," attached hereto and fully City of Winter Springs Resolution No. 2009-28 Page 1 of 2 incorporated herein by this reference. The City Manager is hereby authorized to approve minor modifications to the Program and forms, as needed. Section 3. 5everability. If any section, subsection, sentence, clause, phrase, word, or portion of this Resolution is for any reason held invalid or unconstitutional by a court of competent jurisdiction, whether for substantive or procedural reasons, such portion shall be deemed a separate, distinct, and independent provision, and such holding shall not affect the validity of the remaining portions of this Resolution. Section 4. Repeal of Prior Inconsistent Resolutions. All prior resolutions or parts of resolutions in conflict herewith are hereby repealed to the extent of the conflict. Section 5. Effective Date. This Resolution shall become effective on May 1, 2009. ADOPTED by the City Commission of the City of Winter Springs, Florida, in a regular meeting assembled on this day of , 2009. JOHN F. BUSH, Mayor ATTEST: ANDREA LORENZO-LUACES, City Clerk Approved as to legal form and sufficiency for the City of Winter Springs only: ANTHONY A. GARGANESE, City Attorney City of Winter Springs Resolution No. 2009-28 Page 2 of 2 ~~ ~~` ~~ City of Winter Springs IDENTITY THEFT DETECTION AND PREVENTION PROGRAM In compliance with the Federal FACTAct (2003) Identity Theft Red Flag Ruling TABLE OF CONTENTS I. General Information II. Purpose III. Scope IV. Responsibility V. Definitions VI. Privacy Committee VII. Policy and Procedures A. Red Flags Identification and Mitigation B. Data Security and Storage C. Internal Data Base Security D. Data Storage E. Disclosure of Personal Information F. Data Retention and Disposal G. Training Employees H. Handling Reports of Suspected Identity Theft I. Reports, Reviews and Updates for Policy Enforcement VIII. Identity Theft Prevention Program Incident Report Page 3 3 3 4 4 4 5 5 7 8 8 8 8 8 9 9 10 2 IDENTITY THEFT PROGRAM Effective date May 1, 2009 I. General Information A ruling known as the `Identity Theft Red Flags Regulation' was jointly issued by the Federal Trade Commission, Office of Thrift Supervision and several other governing agencies ("Agencies") implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT ACT) and is effective on May 1, 2009. The Identity Theft Red Flags Regulation requires financial institutions to develop and implement a written Identity Theft Program to detect, prevent and diminish identity theft in connection with opening of certain accounts or certain existing accounts. Under the regulation only those financial institutions that offer or maintain `covered accounts' must develop and implement a written program. A `covered account' is defined as (1) an account primarily used for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions and (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. The Agencies believe that accounts such as credit cards, mortgage loans, cell phone, utility, checking, automobile loans, and savings accounts are examples of accounts designed to permit multiple payments or transactions and also contain a reasonably foreseeable risk of identity theft. II. Purpose The goal of this policy is to ensure City of Winter Springs has an established written procedure to detect, prevent and mitigate identity theft and for security and storing of customers' personal information. City of Winter Springs recognizes the responsibility to safeguard customer's personal information during its collection, recording and handling within the work place. III. Sco e This policy applies to all city employees and service providers that have access to utility customers' personal information that is submitted in person, by fax, mail, email and over the Internet. Any part or whole of policies and procedures written and developed will be incorporated into the program where appropriate. This does not replace, but rather supplements, any of the City of Winter Springs' standing policies. 3 IV. Responsibility The City of Winter Springs must protect its customer data and implement policies and procedures that meet standards established by the Federal Trade Commission by May 1, 2009. Therefore, the City of Winter Springs will continually report and monitor the program's integrity, completeness, and deficiencies. Any oversight or patches to perfect the program will be reviewed and amended annually when necessary. V. Definitions A. Identity Theft: A fraud committed using the identifying information of another person. B. Red Flags: A pattern, practice or specific activity that indicates the possible risk of identity theft. C. Identifying Information: Any name or number that may be used alone or with any other information to identify a specific person; includes name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport and employer or tax identification number. VI. Privacy Committee The City of Winter Springs Privacy Committee was established to create, drive and monitor the program. A Privacy Officer functions as the head of the committee and reports to a member of Senior Management regarding the outcomes and needs of the Identity Theft Detection and Prevention Program. Position Role Controller Privacy Officer -Coordinates audit and reviews pattern of incidents. Ex ert in flow of funds. Finance Director Senior Management -supply recourses to establish roactive Identit Theft Program. Utility Billing Services Provides insight in day-to-day processes in opening new Mana er accounts and monitorin activit on existin accounts. Revenue Officer Provides insight in collection olicies and rocedures. Economic Crimes Investigator Provides insi ht re ardin identity theft. Information Technology Provides insight in data network security. Coordinator/Security Administrator VII. Policy and Procedures A. Red Flag Identification and Mitigation Policies All applications must be submitted by the responsible party; parents, siblings, or any other interested party cannot activate service on behalf of another person. Red Fla s Next Ste Miti ation Alert Presentation o Sus icious Documents Identification documents Ask customer to visit the Do not open the account. appear altered or forged issuing agency (i.e. DMV) and get an acceptable copy of the sus icious document. Photo/physical description Ask the customer to visit Do not open the account. does not match applicant. the issuing agency (i.e. DMV) and get an updated copy of the identification document. Other information on Ask the customer to If customer is unable to identification is inconsistent verify the inconsistent verify information, do not with information given on the information with open the account. application. supporting documentation such as marriage license or social security card. Information in utility records Inform the customer of It may be appropriate to is inconsistent with the discrepancy and ask notify law enforcement if a information provided. the customer to verify the customer who is able to Example: signature on file inconsistent information verify his identity to you does not match signature on with supporting believes his signature has license. documentation. been previously forged in connection with identity theft. Application looks altered or Ask the customer to fill Do not open the account forged or destroyed and out another application in unless you are able to verify reassembled. the office and verify all the information on the sus icious information. a plication. Lease submitted for proof of Ask the customer to Do not open the account residency appears to be supply an unaltered lease unless you are able to verify altered or forged. with the Landlord's the residency requirement. si nature notarized. Red Fla s Next Ste Miti ation Alert Sus icious Personal Identi in In ormation Applicant fails to provide Inform the customer of the Do not open the account all personal identification requirements to open an unless you are able to verify requested. account and direction for the identity with other types obtaining this of acceptable documentation. documentation. Payments are made in a Contact the customer. Close inactive accounts manner associated with after a reasonable period of fraud. For example: time. deposit or initial payment is made and no payments are made thereafter. Mail sent to customer is Contact the customer to If you are able to verify the repeatedly returned. verify the correct billing correct address and then address. change the address on file, no further action should be necess Notification of a Add all charges back to the Notify law enforcement chargeback received from account. the bank due to fraudulent activity. New account requested Ask customer to provide a Require all new accounts to immediately after government issued photo present a government disconnection for I.D. for identification issued photo I.D. prior to nonpayment. purposes. opening an account. Applications submitted by fax, email or mail need to include a copy of a government issued I.D. and a notarized form affirming the identification. No account will be started prior to this proof of identification. Red Fla s Next Ste Miti ation Alert Customer notifies utility Verify the identity of the If you are able to verify the that they are not receiving customer and then verify correct address and then their bill. the correct address. change the address on file, no further action should be necessary. Utility is notified of Ask the customer to supply Notify law enforcement unauthorized charges or documentation regarding transactions in connection the possible identity theft with a customer's account. such as an affidavit or olice re ort. Utility is notified by law Follow the instructions of Depending on what law officials or others that they law officials. enforcement asks you to do, have opened a fraudulent you may close or closely account for a person monitor the account. en a ed in identit theft. B. Data Security and Storage 1) Various Cisco Devices are deployed and used to protect against intentional or accidental intrusion into the city's data network. The Florida Department of Law Enforcement conducts periodic audits of the city-network design and security practices to ensure they meet the Criminal Justice Information Services (CJIS) policy. The Information Technology Manager coordinates objective, third-party network-intrusion testing for the city network on a periodic basis. 2) All Information Technology employees are subject to a full background check by the city Human Resources Department and the City of Winter Springs Police Department. All employees who function in the Information Technology Department are required to pass afingerprint-based background check submitted through the City of Winter Springs' Police Department, Seminole County Sheriff's Office (SCSO) and Florida Department of Law Enforcement. 3) The Network Administrator provides the initial password for each employee to access the system. The employee is required to create a unique individual password. In our efforts to provide the City of Winter Springs with a secure network, the Information Technology Department has adopted the use of strong passwords and account lockout. Password and account lockout settings are designed to protect user accounts and data by minimizing the threat of brute force guessing of user account passwords. Employees are required to change their password every ninety (90) days. The system will permit three sign-on attempts, and then will disable the password. Upon termination, employee accounts are immediately disabled. 7 C. Internal Data Base Security System administrator passwords are known only to the Information Technology staff and are not divulged to any person outside the Information Technology Division. D. Data Storage System administrator passwords are known only to the Information Technology staff and are not divulged to any person outside the Information Technology Division. E. Disclosure of Personal Information 1) Information is used as a means of identification, for internal verification, administrative purposes and for debt collection purposes. 2) The City of Winter Springs falls under the Public Records Law and all records are open to inspection. Chapter 119, Florida Statutes, commonly known as Florida's "Public Records Law," provides information on public records in Florida, including policies, definitions, exemptions, general information on records access, inspection, examination and duplication of records. Florida's public records laws are very broad, and most documents and records are available to the public. However, the laws do provide specified exceptions such as social security numbers. F. Data Retention and Disposal Records are disposed of in accordance with state and federal law, including the local records retention schedule issued by the State of Florida General Records Schedule for State and Local Government Agencies and Public Utilities. Documents with sensitive information are disposed by shredding. G. Training Employees A copy of the Identity Theft Detection and Prevention Program will be given to all utility billing customer service division employees. Initial training sessions will be set up to help the employee identify "red flags" and explain the policies and procedures. The Identity Theft Program will be included in the initial training of all new employees within the City of Winter Springs Utility Billing Customer Service Division. H. Handling Reports of Suspected Identity Theft A zero tolerance policy is in effect for all fraudulent transactions within the City of Winter Springs Utility Billing Customer Service Division. Once written notification and verification is received of fraudulent activity from a customer, banking institution or collection agency, the Utility Billing Division employee will: 1) Proceed with notating and taking corrective actions on the account; and, 2) Gather all pertinent information that is available and immediately contact the appropriate law enforcement agency to initiate a criminal investigation. I. Reports, Reviews and Updates for Policy Enforcement The Controller will conduct annual review of the current policy and report any fraudulent activity to the Finance Director. The City Manager will approve any recommended changes in policy. An annual report reviewing all incidents, program revisions and goals will be submitted to the City Commission. 9 City of Winter Springs Identity Theft Prevention Program Incident Report Date Prepared by It is the policy of the City of Winter Springs to provide an Identity Theft Prevention Program for customers and employees. The purpose of this report is to promote continued evaluation of effectiveness of current policies and procedures in compliance with the FACTAct (2003). This document will be used to drive recommendations for changes to the program due to evolving risk and methods of theft. Committee Members: Controller Finance Director Utility Billing Services Manager Revenue Officer Information Technology Coordinator/Security Administrator Describe strengths of the program: Describe areas of improvement of the program: Committee Signatures: (Name) (Title) (Date) (Name) (Title) (Date) (Name) (Title) (Date) (Name) (Title) (Date) 10 Identity Theft Prevention Program Incident Report Date Incident/"Significant Event" Management Response, Mitigation 11 RESOLUTION NO. 2009-28 A RESOLUTION OF THE CITY COMMISSION OF THE CITY OF WINTER SPRINGS, SEMINOLE COUNTY, FLORIDA ADOPTING THE CITY'S IDENTITY THEFT DETECTION AND PREVENTION PROGRAM; ADOPTING RELATED FORMS FOR REPORTING AND TRACKING POSSIBLE OCCURRENCES OF IDENTITY THEFT; PROVIDING FOR THE REPEAL OF PRIOR INCONSISTENT RESOLUTIONS, SEVERABILITY AND AN EFFECTIVE DATE. WHEREAS, the City is granted the authority, under § 2(b), Art. VIII of the State Constitution, to exercise any power for municipal purposes, except when expressly prohibited by law; and WHEREAS, the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1581 et. seq., was amended in 2003 in an attempt to improve the accuracy of consumer reports and to help prevent identity theft; and WHEREAS, the amendments to the FCRA require creditors such as utilities to develop and implement a written Identity Theft Prevention Program to detect "red flags" and to respond appropriately to said red flags in an effort to prevent and mitigate identity theft; and WHEREAS, compliance with the FCRA amendments is required no later than May 1, 2009; and WHEREAS, the City Commission desires to adopt the City's Identity Theft Detection and Prevention Program consistent with the requirements of the FCRA as set forth herein; and WHEREAS, City Commission deems that this Resolution is in the best interests of the public health, safety, and welfare of the citizens of Winter Springs. NOW, THEREFORE, BE IT DULY RESOLVED BY THE CITY COMMISSION OF THE CITY OF WINTER SPRINGS, SEMINOLE COUNTY, FLORIDA, THAT: Section 1. Incorporation of Recitals. The foregoing recitals are deemed true and correct and are hereby fully incorporated herein by reference. Section 2. Adoption of Identity Theft Detection and Prevention Program. The City Commission of the City of Winter Springs hereby adopts the City of Winter Springs IdentityTheft Detection and Prevention Program and forms as set forth in Exhibit "A," attached hereto and fully City of Winter Springs Resolution No. 2009-28 Page 1 of 2 incorporated herein by this reference. The City Manager is hereby authorized to approve minor modifications to the Program and forms, as needed. Section 3. Severability. If any section, subsection, sentence, clause, phrase, word, or portion of this Resolution is for any reason held invalid or unconstitutional by a court of competent jurisdiction, whether for substantive or procedural reasons, such portion shall be deemed a separate, distinct, and independent provision, and such holding shall not affect the validity of the remaining portions of this Resolution. Section 4. Repeal of Prior Inconsistent Resolutions. All prior resolutions or parts of resolutions in conflict herewith are hereby repealed to the extent of the conflict. Section 5. Effective Date. This Resolution shall become effective on May 1, 2009. ADOPTED by the City Commission of the City of Winter Springs, Florida, in a regular meeting assembled on this 27thday of April , 2009. A LORENZO-LUACES, City Clerk ' JOHN F. BUSH, Mayor - Y a Approved as to legal form and sufficiency for the City of Winter Springs only: ANTHONY A. GARGANESE, City Attorney City of Winter Springs Resolution No. 2009-28 Page 2 of 2 City of Winter Springs IDENTITY THEFT DETECTION AND PREVENTION PROGRAM In compliance with the Federal FACTAct (2003) Identity Theft Red Flag Ruling TABLE OF CONTENTS 1. General Information II. Purpose III. Scope IV. Responsibility V. Definitions VI. Privacy Committee VII. Policy and Procedures A. Red Flags Identification and Mitigation B. Data Security and Storage C. Internal Data Base Security D. Data Storage E. Disclosure of Personal Information F. Data Retention and Disposal G. Training Employees H. Handling Reports of Suspected Identity Theft I. Reports, Reviews and Updates for Policy Enforcement VIII. Identity Theft Prevention Program Incident Report Page 3 3 3 4 4 4 5 5 7 8 8 8 8 8 9 9 10 2 IDENTITY THEFT PROGRAM Effective date May 1, 2009 1. General Information A ruling known as the `Identity Theft Red Flags Regulation' was jointly issued by the Federal Trade Commission, Office of Thrift Supervision and several other governing agencies ("Agencies") implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT ACT) and is effective on May 1, 2009. The Identity Theft Red Flags Regulation requires financial institutions to develop and implement a written Identity Theft Program to detect, prevent and diminish identity theft in connection with opening of certain accounts or certain existing accounts. Under the regulation only those financial institutions that offer or maintain `covered accounts' must develop and implement a written program. A `covered account' is defined as (1) an account primarily used for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions and (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. The Agencies believe that accounts such utility, checking, automobile loans, and designed to permit multiple payments or foreseeable risk of identity theft. as credit cards, mortgage loans, cell phone, savings accounts are examples of accounts transactions and also contain a reasonably H. Purpose The goal of this policy is to ensure City of Winter Springs has an established written procedure to detect, prevent and mitigate identity theft and for security and storing of customers' personal information. City of Winter Springs recognizes the responsibility to safeguard customer's personal information during its collection, recording and handling within the work place. III. Scope This policy applies to all city employees and service providers that have access to utility customers' personal information that is submitted in person, by fax, mail, email and over the internet. Any part or whole of policies and procedures written and developed will be incorporated into the program where appropriate. This does not replace, but rather supplements, any of the City of Winter Springs' standing policies. IV. Responsibility The City of Winter Springs must protect its customer data and implement policies and procedures that meet standards established by the Federal Trade Commission by May 1, 2009. Therefore, the City of Winter Springs will continually report and monitor the program's integrity, completeness, and deficiencies. Any oversight or patches to perfect the program will be reviewed and amended annually when necessary. V. Defmitions A. Identity Theft: A fraud committed using the identifying information of another person. B. Red Flags: A pattern, practice or specific activity that indicates the possible risk of identity theft. C. Identifying Information: Any name or number that may be used alone or with any other information to identify a specific person; includes name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport and employer or tax identification number. VI. Privacy Committee The City of Winter Springs Privacy Committee was established to create, drive and monitor the program. A Privacy Officer functions as the head of the committee and reports to a member of Senior Management regarding the outcomes and needs of the Identity Theft Detection and Prevention Program. Position Role Controller Privacy Officer - Coordinates audit and reviews pattern of incidents. Expert in flow of funds. Finance Director Senior Management - supply recourses to establish proactive Identity Theft Program. Utility Billing Services Provides insight in day-to-day processes in opening new Manager accounts and monitoring activity on existing accounts. Revenue Officer Provides insight in collection policies and procedures. Economic Crimes Investigator Provides insight regarding identity theft. Information Technology Provides insight in data network security. Coordinator/Security Administrator 4 VII. Policy and Procedures A. Red Flag Identification and Mitigation Policies All applications must be submitted by the responsible party; parents, siblings, or any other interested party cannot activate service on behalf of another person. Red Flags Alert Presentation of Susp Identification documents appear altered or forged Photo/physical description does not match applicant. Next Documents Ask customer to visit the issuing agency (i.e. DMV) and get an acceptable copy of the suspicious document. Other information on identification is inconsistent with information given on the application. Information in utility records is inconsistent with information provided. Example: signature on file does not match signature on license. Application looks altered or forged or destroyed and reassembled. Lease submitted for proof of residency appears to be altered or forged. Ask the customer to visit the issuing agency (i.e. DMV) and get an updated copy of the identification document. Ask the customer to verify the inconsistent information with supporting documentation such as marriage license or social security card. Inform the customer of the discrepancy and ask the customer to verify the inconsistent information with supporting documentation. Ask the customer to fill out another application in the office and verify all suspicious information. Ask the customer to supply an unaltered lease with the Landlord's notarized. Do not open the account. Do not open the account. If customer is unable to verify information, do not open the account. It may be appropriate to notify law enforcement if a customer who is able to verify his identity to you believes his signature has been previously forged in connection with identity theft. Do not open the account unless you are able to verify the information on the Do not open the account unless you are able to verify the residency requirement. 5 Red Flags Next Ste Mitigation Alert Suspicious Personal Ides Applicant fails to provide all personal identification requested. Payments are made in a manner associated with fraud. For example: deposit or initial payment is made and no payments are made thereafter. Mail sent to customer is repeatedly returned. Notification of a chargeback received from the bank due to fraudulent Inform the customer of the requirements to open an account and direction for obtaining this documentation. Contact the customer. Contact the customer to verify the correct billing address. Do not open the account unless you are able to verify the identity with other types of acceptable documentation. Close inactive accounts after a reasonable period of time. New account requested immediately after disconnection for nonpayment. If you are able to verify the correct address and then change the address on file, no further action should be Add all charges back to the I Notify law enforcement account. Ask customer to provide a government issued photo I.D. for identification purposes. Require all new accounts to present a government issued photo I.D. prior to opening an account. Applications submitted by fax, email or mail need to include-a copy of a government issued I.D. and a notarized form affirming the identification. No account will be started prior to this proof of identification. 6 Red Flags Next Ste Mitigation Alert e Customer notifies utility Verify the identity of the If you are able to verify the that they are not receiving customer and then verify correct address and then their bill. the correct address. change the address on file, no further action should be necessary. Utility is notified of Ask the customer to supply Notify law enforcement unauthorized charges or documentation regarding transactions in connection the possible identity theft with a customer's account. such as an affidavit or police report. Utility is notified by law Follow the instructions of Depending on what law officials or others that they law officials. enforcement asks you to do, have opened a fraudulent you may close or closely account for a person monitor the account. engaged in identitheft. B. Data Security and Storage 1) Various Cisco Devices are deployed and used to protect against intentional or accidental intrusion into the city's data network. The Florida Department of Law Enforcement conducts periodic audits of the city-network design and security practices to ensure they meet the Criminal Justice Information Services (CJIS) policy. The Information Technology Manager coordinates objective, third-party network-intrusion testing for the city network on a periodic basis. 2) All Information Technology employees are subject to a full background check by the city-Human Resources Department and the City of Winter Springs Police Department. All employees who function in the Information Technology Department are required to pass a fingerprint-based background check submitted through the City of Winter Springs' Police Department, Seminole County Sheriffs Office (SCSO) and Florida Department of Law Enforcement. 3) The Network Administrator provides the initial password for each employee to access the system. The employee is required to create a unique individual password. In our efforts to provide the City of Winter Springs with a secure network, the Information Technology Department has adopted the use of strong passwords and account lockout. Password and account lockout settings are designed to protect user accounts and data by minimizing the threat of brute force guessing of user account passwords. Employees are required to change their password every ninety (90) days. The system will permit three sign-on attempts, and then will disable the password. Upon termination, employee accounts are immediately disabled. C. Internal Data Base Security System administrator passwords are known only to the Information Technology staff and are not divulged to any person outside the Information Technology Division. D. Data Storage System administrator passwords are known only to the Information Technology staff and are not divulged to any person outside the Information Technology Division. E. Disclosure of Personal Information 1) Information is used as a means of identification, for internal verification, administrative purposes and for debt collection purposes. 2) The City of Winter Springs falls under the Public Records Law and all records are open to inspection. Chapter 119, Florida Statutes, commonly known as Florida's "Public Records Law," provides information on public records in Florida, including policies, definitions, exemptions, general information on records access, inspection, examination and duplication of records. Florida's public records laws are very broad, and most documents and records are available to the public. However, the laws do provide specified exceptions such as social security numbers. F. Data Retention and Disposal Records are disposed of in accordance with state and federal law, including the local records retention schedule issued by the State of Florida General Records Schedule for State and Local Government Agencies and Public Utilities. Documents with sensitive information are disposed by shredding. G. Training Employees A copy of the Identity Theft Detection and Prevention Program will be given to all utility billing customer service division employees. Initial training sessions will be set up to help the employee identify "red flags" and explain the policies and procedures. The Identity Theft Program will be included in the initial training of all new employees within the City of Winter Springs Utility Billing Customer Service Division. H. Handling Reports of Suspected Identity Theft A zero tolerance policy is in effect for all fraudulent transactions within the City of Winter Springs Utility Billing Customer Service Division. Once written notification and verification is received of fraudulent activity from a customer, banking institution or collection agency, the Utility Billing Division employee will: 1) Proceed with notating and taking corrective actions on the account; and, 2) Gather all pertinent information that is available and immediately contact the appropriate law enforcement agency to initiate a criminal investigation. I. Reports, Reviews and Updates for Policy Enforcement The Controller will conduct annual review of the current policy and report any fraudulent activity to the Finance Director. The City Manager will approve any recommended changes in policy. An annual report reviewing all incidents, program revisions and goals will be submitted to the City Commission. 9 City of Winter Springs Identity Theft Prevention Program Incident Report Date Prepared by it is the policy of the City of Winter Springs to provide an Identity Theft Prevention Program for customers and employees. The purpose of this report is to promote continued evaluation of effectiveness of current policies and procedures in compliance with the FACTAct (2003). This document will be used to drive recommendations for changes to the program due to evolving risk and methods of theft. Committee Members: Controller Finance Director Utility Billing Services Manager Revenue Officer Information Technology Coordinator/Security Administrator Describe strengths of the program: Describe areas of improvement of the program: Committee Signatures: - ----------- - - (Name) (Tide) (Date) (Name) (Tide) (Date) (Name) (Title) (Date) (Name) (Title) (Date) 10 Identity Theft Prevention Program Incident Report Date Incidentr'Significant Event" Management Response Mitigation II