Agenda 04/28/2009 Item #16C 2
!'Acsnda Item ~~o. 16C2
~ April 28, 2009
Page 1 of 11
EXECUTIVE SUMMARY
Recommendation to approve the Identity Theft Prevention Program for the Collier County
Water-Sewer District utility pursuant to a ruling by the Federal Trade Commission requiring
water utilities among financial entities that must have a written plan in place by May I, 2009.
OBJECTIVE: That the Board of County Commissioners. Ex-Officio, the Goveming Board of the
Collier County Water-Sewer District (Board), Approve the Idcntity Theft Prevention Program for
the Collier County Water-Sewer District utility,
CONSIDERATIONS: The identity Theft Prevention Program, known as The Red Flag Rule,
requires any entity where there is a risk of identity theft, to develop and implement an Identity Theft
Prevention Program, The primary purpose of the rule is to protcct against the establishment of false
accounts and ensure existing accounts are not bcing manipulated. The program must include
reasonable policies and procedures for detecting, preventing and mitigating identity theft,
-
Staff developed the Identity Theft Prevention Program by following these steps:
. Assessed existing policies and procedures related to establishing new and changing existing
water-sewer utility accounts
. Identified measures (red flags) that may be used to detect attempts to cstablish fraudulent
accounts
. Developed new procedures and updated existing procedures to prcvent establishment of
false accounts and for employees to implement if existing accounts are being manipulated
. Trained staff on the program's policies and procedures
Staffbenchmarked programs being established by other utilitics in Florida, Actions taken will meet
the intent of the Red Flag Rule, Many of the elements of the program arc reinforcements to existing
CMA procedures, including Code of Ethics 531], End User Computing 5405 and Media Reuse or
Replacement 5908, Some of the tcchnical guidelines in the program are in process of being
implemented, utilizing intemal IT statl expertise and external rcsources, Staff will review and
update the program annually with senior management and address any material matters related to
the program's effectiveness and recommendations for changes if appropriate,
LEGAL CONSIDERATIONS: This item has been reviewed and approved by the County
Attorney's Office, is not quasi-judicial and requires no ex parte disclosure, requires only a majority
vote for approval, and is otherwise legally sufficient for Board action,-SRT
FISCAL IMPACT: There is no associated Fiscal Impact.
GROWTH MANAGEMENT IMPACT: Therc is no associated Growth Management Impact.
RECOMMENDATION: That the Board of County Commissioners, Ex-Officio, the Goveming
Board of the Collier County Water-Sewer District. approve the Identity Theft Prevention Program
for the Collier County Water-Sewer District utility pursuant to a ruling by the Federal Trade
COln.rnission requiring ,vater utilities arnong financial entities that 111USt have a 'Nf1tten plan in place
by May 1,2009.
-,
,\'-~;, I ,." /__
PREPARED BY: Joe Bellone. 'v1anager Utility Billing and Customer Service, Public Utilities
Division
H
I c1t:;~ I UI L
'ICiC2
2 ~.Hf0
of
COLLIER COUNTY
BOAED OF COUNTY COIViI..~!SSfO!<=RS
Item Number:
lc.C2
Item Summary:
ReCOil1mendetion to approve the ld':'ntlty Ttleft Pre\I'?:liIOn Program for the Collier County
\Nater-Sewer District utility pu"suant to a ruling by tne Federal Trade Commission requiring
water utilities among finanCial entitF3s that mU2,j have a vmtten pian in pla:-.e by May 1, 2CD9.
Meeting Date:
4/28/2009 90Q:00 ,6JJ1
Approved By
Joseph Bc~lco:e
,..".....,..,~_.I;~~" c:"..."....,;""P
....r-''','-'u..",,''' .......,..,..... .,~....,.
D~tc
Public Utilities
Publlc Utmties Operations
:t25f2009 8:38 ,t',M
Approvt~d R~'
Peter Lund
Operatlor:s Analyst
D2.le
Public Utilities
Public Vlmtles Operations
3/25;'2009 fL35 /-..M
i\pproved B)'
Teresa Riesen
Revenue Manager
Date
Public Utilities
uses
3f2i/2009 i:40 AM
Approved By
Jeff Klatzkow
County Attorney
D,~~e
County Attorney
County Attorney Office
3/27/20094:05 PM
.\pproHd B~'
Thomas Wides
Oper3t~ons Director
Date
PubHc L'tifities
P:..:bl~c Utilities Opcr:1ti:ms
4:'2/20093:49 I.M
Appron'd By
Barry Axelrod
Information Technology Director
Date
Administrative Services
lnforma~ion Technology
4i2./20D9 10:2:4 AM
Approved By
James W. Delany
Public Uti:ities Administrator
Date
Pubtic UU:itjes
?ublic UtiUties A:lm:njstrati~n
4/2/2009 2:20 PM
Approved By
orviS Coordinator
OMS Coordinator
Date
Couoty f\i~anager's Office
Office of Management & Budget
4f3f2009 B~34 AM
ApproH'd By
Randy Greenwald
Man:!gem2rlt/Budget Ana!yst
Date
County Manager's Office
Office of M:H:~gemHlt R. Budget
4/3':2Q09 3:24 PM
Appro,,'cd By
Scott R. T0ach
,~,ssistant County ;\ttcmey
~I~ite
COUii':)' Attorney
County A:tom9Y Otfb~
4/14/200912:47 PM
Approved By
Leo E. Oehs. Jr.
Deputy COL!rtty ~vianager
Date
30ard of COU:lty
County Managcr'~:; Office
.:',/18120099:37 t,f,~
::':J~;,miS'3i:Jnt:1'5
1<1':;-':"':' 1..11...:.
!"c
c,
".:' L
;-
'Iem i ,)0. '! C)C2
':'P~ii ::'[~ 2~}09
~ ~;:t;1i ~.1
- -
Identity Theft Prevention Program For
Collier County Water-Sewer District
3301 Tamiami Trail East
Naples, Florida 34112
November 1, 2008
Collier County Water-Sewer District Identity Theft Prevention Program
This Plan is intended to identify red flags that will alert our employees when new or existing
accounts are opened using false information, protect against the establishment of false accounts,
methods to ensure existing accounts were not opened using false information, and measures to
respond to such events,
Contact Information:
The Senior Management Person responsible for this plan is:
Name: Thomas G, Wides
Title: Director, Financial Operations
Phone number: (239) 252-2553
The Governing Body Members of the Utility are:
The Board of Collier County Commissioner, as ex-officio, the Board of the Collier County
Water-Sewer District:
I, Commissioner Donna Fiala
2. Commissioner Fred Coyle
3, Commissioner Frank Halas
4. Commissioner Tom Henning
5. Commissioner Jim Coletta
CCWSD - Identity Theft Prevention Progrum
Page 1 of7
:;L~iT' No Ij____
~i;\~;ii,.~:Sc ~?C!
~'
Risk Assessment
The Collier County Water-Sewer District has conducted an internal risk assessment to evaluate
how at risk the current procedures are at allowing customers to create a fraudulent account and
evaluate if current (existing) accounts are being manipulated, This risk assessment evaluated
procedures for opening new accounts and thc methods used to access the account informatiolL
Using this information the utility was able to identify red flags that were appropriate to prevent
identity theft:
u New accoW1ts opened In Person
u New accounts opened via Telephonc
IJ New accounts opened via Fax
u New accounts opened via Web
u Account information accessed In Person
IJ Account infonnation accessed via Telephone (Person)
u Account information is accessed via Telephone (Automated)
o Account information is accessed via Web Site
o Identity theft occurred in the past from someone falsely opening a utility acCOllDt
New Accounts Protection
The Collier County Uniform Billing, Operating and Regulatory Standards Ordinance.
munber 2001-73, as amended, Section 1.2 D 1 requires all accounts be established in the
name of the property owner, Application Forms have been redesigned to include relevant
property owner information and security questions to ensure new accounts are opened in
accordance with legally recorded documents, Procedures a.re being developed to tie owner's
names in the District's billing system to the Public Records annually,
Account Information Access
Customers are required to show valid identification when they appear in person at the Utility
Billing and Customer Service lobby for payments and changes to their accounts, Customers
must have their eleven (II) digit account number available to access their account.
Procedures are being developed to require Personal Identification Numbers (pINs), in
addition to thc account number, to access accounts on-line for payment and account changes,
Detection (Red Flags):
The Collier County Water-Sewer District adopts the following red flags to detect potential fraud,
These are not intended to be all-inclusive and other suspicious activity may be investigated as
necessary:
o Deferred pay pJa.'1 requests are reviewed and approved OflJy by Customer Service
Supervisor and Accounting Supervisor,
u Inconsistent activity patterns indicated by:
o Recent and significant increase in volume of inquiries
o Unusual TIlL.'TIber of recent deferred pay pla.Y} applications
o .A... material or frequent ch~nge in payment metnods
CCWSD - Identily Theft ftrvmtion Program
Pagc2of7
1:2:1\ i\(}. 1:3C2
:.~;.ii 28. 2JU9
~ -$ ~?Ci2,:7 ~f ',1
~
o Accounts closed for cause or abuse
IJ Identification documents appear to be altered
u Photo and physical description do not match appcarance of applicant
IJ Other information is inconsistent with information provided by applicant
IJ Other information provided by applicant is inconsistent with information on file
IJ Application appears altered or dcstroyed and reassembled
IJ Personal information provided by applicant does not match other sources of
information (e,g, Ownership information contained in the Property Appraiser's
website or in the Minutes and Records of thc Clerk of Courts of Collier County)
o Information provided is associated ""i.th knoVv'Il fraudulent activity (e.g. address or
phone numbcr provided is same as that of a fraudulent application)
IJ Information commonly associated with fraudulent activity is provided by applicant
(e,g, address that is a post office box, non-working phone number or associated
with answering service/pager)
IJ Address or telephone # is the same as that of other customer at utility
IJ Customer fails to provide all information requested
IJ Personal information provided is inconsistent with information on file for a
customer
IJ Applicant cannot provide infonnation requested beyond what could commonly bc
found in a purse Dr wallet
IJ Identity theft is reported or discovered
Response
IJ Customers who have selected the automatic bank draft payment method are
notified via phone or letter if current consumption will cause larger than nonnal
bank draft payment
IJ Requests for deferred pay plans are reviewed and approved by multiple internal
revenue supervisors
IJ Meters locked for non-payment are reported to internal management daily
IJ Ask customer for additional documentation or for permission to continue bank
draft
o Notify internal manager: Any utility employee who becomes aware of a
suspected or actual fraudulent use of a customer or potential customers identity
must notify their immediate supervisor
IJ Do not open the account if the information supplied on the application for service
does not match information on the Collier County Property Appraiser's website or
in the Minutes and Records of the Clerk of Courts of Collier County
C! Lock LlJ.e customer~s meter for non-payment and notify the customer via outoou..Tld
call
D The Uniform Billing, Operating and Regulatory Standards Ordinance 2001-73, as
amcnded, Section },2 D 3 requires change of address for billing purposes must be
by letter, email or District change of address form, Section 1.2 D 4 providcs for
duplicate utility bills if payment is !Tom someone other than the property owner.
CCWSD ~ Identity Theft Prevention Program
Page 3 of7
'"..,_., "'"
"--, I'.'",! ',,':.c.
:- ~ ';; ~'2 =':;,09
~","1,:;\ ,-.f -" 1
~~ ~~~' ,
Personal Information Security Procedures:
The Collier County Water-Sewer District adopts the following security procedures:
I, Paper documents, filcs, and elecuunic media containing secure information will be stored
in locked file cabinets, File cabinets will be stored in a secured office facility,
2, Only specially identified employees with a legitimate need will have keys to the room
and cabinet,
3, Files containing personally identifiable information are kept in locked file cabincts cxcept
when an employee is working on the file,
4, Employees will not leave sensitive papers out on their desks when they are away from
their workstations,
5, Employees will secure files when leaving their work areas.
6, Employees utilizc sccured screen savers on their computers when leaving their work
areas,
7, Employees lock me cabinets whcn Icaving their work areas,
8, No visitor will be givcn any entry codes or allowed unescorted access to the oflice,
9, Passwords to employees's computers will not be shared or posted near workstations,
10. Password-activated screen savers will be used to lock employee computers after a period
of inactivity,
11, \Vhen installing new software, immediately change vendor-supplied default passwords,
12. Sensitive consumer data 'Will not be stored on any computer with an Internet connection,
] 3, Scnsitive information that is sent to third parties over public networks will be encrypted,
14, Anti-virus and anti-spyware programs will be run on individual computers and on servers
daily.
15, When sensitive data is received or transmitted, secure connections will be used.
16. Computer passwords will be required,
! 7. User names and passwords will be different.
CCWSD - ldcnlic}' TheE! ~vCIJlion Progrmn
Page 4 of7
ltS;;~i t>JC), C;C:
,L,pr^i' ::)j, 2:.lCJ
:>;;O,r,<:;. C; rlT
~~~~i'.
18, Passwords will bc changcd quarterly,
19, Laptops are stored in a secured office facility,
20. Laptop users will not store sensitive customer information on their C-Drive,
21, Employees will never leave a laptop visible in a car, at a hotel luggage stand, or packed
in checked luggage,
22. If a laptop must be left in a vehicle, it is locked in a trunk,
23, The computer network will have a firewall where your network connects to the Internet.
24, Any wireless network in use is secured,
25, Maintain central log files of security-related information to monitor activity on your
network,
26, Employees will log out of the In-Hance billing application when they leave for lunch and
at the end of the busincss day.
27, Monitor incoming traffic for signs of a data breach,
28, Monitor outgoing traffic for signs of a data breach.
29, Implement a breach response plan.
30, Check references or do background checks before hiring employees who will have access
to scnsitive data.
31, Newly hired employees will be fingerprinted,
32, New employees sign an agreement to follow your company's confidentiality and security
standards.
33. Access to customer's personal identify information is limited to employees with a "need
to know,"
34, Procedures exist for making sure that workers who leave your employ or transfer to
another part of the company no longer have access to sensitive information.
35. Implement a regular schedule of employee training,
36, Employees will be alert to attempts at phone phishing,
37, Employces arc required to notify department management immediately if there is a
potential security breach, such as a lost or stolen laptop or security card,
CCWSD. Identity Theft Prevention Program
Page 5 of7
;:: ,) f, ~
';!~
'~i:':2
:'J:J9
:Jf 1
- ~-
~~:t;
38, Employees who violate security policy are subjected to discipline, up to, and including,
dismissal in accordance with CMA 5311 (Code of Ethics) and CMA 5405 (End Uscr
Computing),
39. Service providers notify you of any security incidents they experience, even ifthc
incidcnts may not have led 10 an actual compromise of our data,
40. Paper records containing secure information will be shredded before being placed into the
trash,
41, Paper shredders will be available at administrative assistant's desk in the office,
42, Any data storage media will be disposed of by shredding, punching holes in, or
incineration, or any appropriate means as defined by CMA 5908 (Media Reuse or
Replacement Policy).
CCWSD - Identify Theft Prevention Program
Page 6 of7
I!(~m r\Jo. "i '3C
l\'pril :?::L :2:JC
~e.! cE::t; e<i 1
A report will be prepared annually and submitted to the above named senior management or
governing body to include matter related to the program, the effectiveness of the policies
and procedures, the oversight and effectiveness of any third party billing and account
establishment entities, a summary of any identifY theft incidents and the response to the
incident, and recommendations for substantial changes to the program, if any, Appropriate
employees have been traincd on the contents and procedures of this Identity Theft
Prevention Program,
Identity Theft Prevention Program Review and Approval:
This plan has been reviewed and adopted by the Board of County Commissioners of
Collicr County, Florida, as Ex-Officio the Governing Board of the Water-Sewer District on this
28th day of April, 2009,
A TrEST:
BOARD OF COUN1Y COMMISSIONERS
DWlGHT E, BROCK, CLERK
OF COLLIER COUNTY, FLORIDA, AS EX-OFFICIO THE
GOVERNING BOARD OF THE WATER-SEWER DISTRICT
, Deputy Clerk
By:
DONNA FIALA, CHAIRMAN
Approval as to fonn and legal
Sufficiency:
~W/~1
Deputy County Attorney
CCWSfl - Identity lb.cft PreventlOI1 t>rogram
Page 70f7