Backup Documents 04/28/2009 Item #16C 2
ORIGINAL DOCUMENTS CHECKLIST & ROUTING SLIP 16 C'. 2
TO ACCOMPANY ALL ORIGINAL DOCUMENTS SENT TO
THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE
Print on pink papcr. Attach to original documcnt. Original documents should bc hand delivered to thc Board Officc. Thc completed routing slip and original
documcnts arc to bc forwardcd to the Board Ortlcc only after the Board has taken action on the item.)
ROUTING SLIP
eomplete routing lines # I through #4 as appropriate for additional signatures, dates, and/or information needed. If the document is already complete with the
exce tion of the Chairman's si nature, draw a line throu h routin lines # I throuh #4, com lete the checklist, and forward to Sue Filson (line #5).
Route to Addressee(s) Office Initials Date
(List in routin order)
1.
2.
--
-'
--
PRIMARY CONTACT INFORMATION
(The primary contact is the holder of the original document pending BCC approval. Normally the primary contact is the person who created/prepared the executive
summary. Primary contact information is needed in the event one of the addressees above, including Sue Filson, need to contact staff for additional or missing
information. All original documents needing the Bel' Chairman's signature are to be delivered to the Bec ofTiee only after the BCC has acted to approve the
item.)
.---....-
Name of Primary Staff Joe Bellone Phone Number 252-2350
Contact
Agenda Date Item was April 28, 2009 Agenda Item Number 16C2
Approved by the BCC
Type of Document Executive Summary and eollier eounty Number of Original 1
Attached Water-Sewer District Identity Theft Documents Attached
Prevention Program
3.
-"'
-
.----
--
--
Adopt a Resolution amending Schedule Six of Appendix A to Section Four of the Collier County Ordinance No. 2006-27, the Collier County
Water-Sewer District Uniform Billing, Operating And Regulatory Standards Ordinance. This amendment corrects scrivener's error and includes
a proposed rate for the late payment charge and the vehicle over meter charge; and provides for an effective date of October 1,2008 for Schedule
Six of Appendix A of the Ordinance.
5. Executive Manager
Board of County Commissioners
Yes
(Initial)
N/ A (Not
A licable)
6. Minutes and Records
Clerk of Court's Office
1)6
1)6
'J)c,
'])6
'3)6
tj)6
1.
INSTRUCTIONS & CHECKLIST
Initial the Yes column or mark "N/ A" in the Not Applicable column, whichever is
a ro riate.
Original document has been signed/initialed for legal sufficiency. (All documents to be
signed by the ehairman, with the exception of most letters, must be reviewed and signed
by the Office of the eounty Attorney. This includes signature pages from ordinances,
resolutions, etc. signed by the County Attorney's Office and signature pages from
contracts, agreements, etc. that have been fully executed by all parties except the BCC
Chairman and Clerk to the Board and ossibly State Officials.)
All handwritten strike-through and revisions have been initialed by the County Attorney's
Office and all other arties exce t the BCC ehairman and the Clerk to the Board
The Chairman's signature line date has been entered as the date ofBCC approval ofthe
document or the final ne >otiated contract date whichever is a licable.
"Sign here" tabs are placed on the appropriate pages indicating where the Chairman's
si nature and initials are re uired.
In most cases (some contracts are an exception), the original document and this routing slip
should be provided to Sue Filson in the Bce office within 24 hours of BCC approval.
Some documents are time sensitive and require forwarding to Tallahassee within a certain
time frame or the Bee's actions are nullified. Be aware of our deadlines!
The document was approved by the BCC on 4/28/2009 enter date) and all changes
made during the meeting have been incorporated in the attached document. The
Count Attorne 's Office has reviewed the chan es, if a licable.
I: Forms! County Forms! Bee Forms! Original Documents Routing Slip WWS Onginal 9.03.04. Revised 1.2605. Revised 2.24.05
2.
3.
4.
5.
6.
16C2
MEMORANDUM
Date:
April 29, 2009
To:
Joe Bellone, Operations Supervisor
Collier County Public Utilities Department
From:
Teresa Polaski, Deputy Clerk
Minutes & Records Department
Re:
Water-Sewer District Identity Theft Prevention Program
Enclosed please find one copy, as referenced above (Agenda Item #16C2)
adopted by the Board of County Commissioners on Tuesday, April_ 2009. The
original document is being retained for the record.
If you should have any questions, please contact the Minutes and Records
Department at 252-8411.
Thank you.
Enclosure
EXECUTIVE SUMMARY
16C2
Recommendation to approve the Identity Theft Prevention Program for the Collier County
Water-Sewer District utility pursuant to a ruling by the Federal Trade Commission requiring
water utilities among financial entities that must have a written plan in place by May 1, 2009.
OBJECTIVE: That the Board of County Commissioners, Ex-Officio, the Governing Board of the
Collier County Water-Sewer District (Board), Approve the Identity Theft Prevention Program for
the Collier County Water-Sewer District utility.
CONSIDERATIONS: The Identity Theft Prevention Program, known as The Red Flag Rule,
requires any entity where there is a risk of identity theft, to develop and implement an Identity Theft
Prevention Program. The primary purpose of the rule is to protect against the establishment of false
accounts and ensure existing accounts are not being manipulated. The program must include
reasonable policies and procedures for detecting, preventing and mitigating identity theft.
Staff developed the Identity Theft Prevention Program by following these steps:
· Assessed existing policies and procedures related to establishing new and changing existing
water-sewer utility accounts
· Identified measures (red flags) that may be used to detect attempts to establish fraudulent
accounts
· Developed new procedures and updated existing procedures to prevent establishment of
false accounts and for employees to implement if existing accounts are being manipulated
. Trained staff on the program's policies and procedures
Staff benchmarked programs being established by other utilities in Florida. Actions taken will meet
the intent of the Red Flag Rule. Many of the elements ofthe program are reinforcements to existing
CMA procedures, including Code of Ethics 5311, End User Computing 5405 and Media Reuse or
Replacement 5908. Some of the technical guidelines in the program are in process of being
implemented, utilizing internal IT staff expertise and external resources. Staff will review and
update the program annually with senior management and address any material matters related to
the program's effectiveness and recommendations for changes if appropriate.
LEGAL CONSIDERATIONS: This item has been reviewed and approved by the County
Attorney's Office, is not quasi-judicial and requires no ex parte disclosure, requires only a majority
vote for approval, and is otherwise legally sufficient for Board action.-SRT
FISCAL IMPACT: There is no associated Fiscal Impact.
GROWTH MANAGEMENT IMPACT: There is no associated Growth Management Impact.
RECOMMENDATION: That the Board of County Commissioners, Ex-Officio, the Governing
Board of the Collier County Water-Sewer District, approve the Identity Theft Prevention Program
for the Collier County Water-Sewer District utility pursuant to a ruling by the Federal Trade
Commission requiring water utilities among financial entities that must have a written plan in place
by May 1,2009.
16C2
PREPARED BY: Joe Bellone, Manager Utility Billing and Customer Service, Public Utilities
Division
16C2
~
Identity Theft Prevention Program For
Collier County Water-Sewer District
3301 Tamiami Trail East
Naples, Florida 34112
November 1,2008
Collier County Water-Sewer District Identity Theft Prevention Program
This Plan is intended to identify red flags that will alert our employees when new or existing
accounts are opened using false information, protect against the establishment of false accounts,
methods to ensure existing accounts were not opened using false information, and measures to
respond to such events.
Contact Information:
The Senior Management Person responsible for this plan is:
Name: Thomas G. Wides
Title: Director, Financial Operations
Phone number: (239) 252-2553
The Governing Body Members of the Utility are:
The Board of Collier County Commissioner, as ex-officio, the Board of the Collier County
Water-Sewer District:
1. Commissioner Donna Fiala
2. Commissioner Fred Coyle
3. Commissioner Frank. Halas
4. Commissioner Tom Henning
5. Commissioner Jim Coletta
CCWSD - Identity Theft Prevention Program
Page I of?
16C2
~
Risk Assessment
The Collier County Water-Sewer District has conducted an internal risk assessment to evaluate
how at risk the current procedures are at allowing customers to create a fraudulent account and
evaluate if current (existing) accounts are being manipulated. This risk assessment evaluated
procedures for opening new accounts and the methods used to access the account information.
Using this information the utility was able to identify red flags that were appropriate to prevent
identity theft:
CJ New accounts opened In Person
CJ New accounts opened via Telephone
CJ New accounts opened via Fax
CJ New accounts opened via Web
CJ Account information accessed In Person
CJ Account information accessed via Telephone (Person)
CJ Account information is accessed via Telephone (Automated)
CJ Account information is accessed via Web Site
CJ Identity theft occurred in the past from someone falsely opening a utility account
New Accounts Protection
The Collier County Uniform Billing, Operating and Regulatory Standards Ordinance,
number 2001-73, as amended, Section 1.2 D 1 requires all accounts be established in the
name of the property owner. Application Forms have been redesigned to include relevant
property owner information and security questions to ensure new accounts are opened in
accordance with legally recorded documents. Procedures are being developed to tie owner's
names in the District's billing system to the Public Records annually.
Account Information Access
Customers are required to show valid identification when they appear in person at the Utility
Billing and Customer Service lobby for payments and changes to their accounts. Customers
must have their eleven (11) digit account number available to access their account.
Procedures are being developed to require Personal Identification Numbers (PINs), in
addition to the account number, to access accounts on-line for payment and account changes.
Detection (Red Flags):
The Collier County Water-Sewer District adopts the following red flags to detect potential fraud.
These are not intended to be all-inclusive and other suspicious activity may be investigated as
necessary:
CJ
CJ
Deferred pay plan requests are reviewed and approved only by Customer Service
Supervisor and Accounting Supervisor.
Inconsistent activity patterns indicated by:
o Recent and significant increase in volume of inquiries
o Unusual number of recent deferred pay plan applications
o A material or frequent change in payment methods
CCWSD - Identity Theft Prevention Program
Page 2 of7
16C2
~
o Accounts closed for cause or abuse
o Identification documents appear to be altered
o Photo and physical description do not match appearance of applicant
o Other information is inconsistent with information provided by applicant
o Other information provided by applicant is inconsistent with information on file
o Application appears altered or destroyed and reassembled
o Personal information provided by applicant does not match other sources of
information (e.g. Ownership information contained in the Property Appraiser's
website or in the Minutes and Records of the Clerk of Courts of Collier County)
o Information provided is associated with known fraudulent activity (e.g. address or
phone number provided is same as that of a fraudulent application)
o Information commonly associated with fraudulent activity is provided by applicant
(e.g. address that is a post office box, non-working phone number or associated
with answering service/pager)
o Address or telephone # is the same as that of other customer at utility
o Customer fails to provide all information requested
o Personal information provided is inconsistent with information on file for a
customer
o Applicant cannot provide information requested beyond what could commonly be
found in a purse or wallet
o Identity theft is reported or discovered
Response
o Customers who have selected the automatic bank draft payment method are
notified via phone or letter if current consumption will cause larger than normal
bank draft payment
o Requests for deferred pay plans are reviewed and approved by multiple internal
revenue supervIsors
o Meters locked for non-payment are reported to internal management daily
o Ask customer for additional documentation or for permission to continue bank
draft
o Notify internal manager: Any utility employee who becomes aware of a
suspected or actual fraudulent use of a customer or potential customers identity
must notify their immediate supervisor
o Do not open the account if the information supplied on the application for service
does not match information on the Collier County Property Appraiser's website or
in the Minutes and Records of the Clerk of Courts of Collier County
o Lock the customer's meter for non-payment and notify the customer via outbound
call
o The Uniform Billing, Operating and Regulatory Standards Ordinance 2001-73, as
amended, Section 1.2 D 3 requires change of address for billing purposes must be
by letter, email or District change of address form. Section 1.2 D 4 provides for
duplicate utility bills if payment is from someone other than the property owner.
CCWSD - Identity Theft Prevention Program
Page 3 of7
16C2
~
Personal Information Security Procedures:
The Collier County Water-Sewer District adopts the following security procedures:
1. Paper documents, files, and electronic media containing secure information will be stored
in locked file cabinets. File cabinets will be stored in a secured office facility.
2. Only specially identified employees with a legitimate need will have keys to the room
and cabinet.
3. Files containing personally identifiable information are kept in locked file cabinets except
when an employee is working on the file.
4. Employees will not leave sensitive papers out on their desks when they are away from
their workstations.
5. Employees will secure files when leaving their work areas.
6. Employees utilize secured screen savers on their computers when leaving their work
areas.
7. Employees lock file cabinets when leaving their work areas.
8. No visitor will be given any entry codes or allowed unescorted access to the office.
9. Passwords to employees's computers will not be shared or posted near workstations.
10. Password-activated screen savers will be used to lock employee computers after a period
of inactivity.
11. When installing new software, immediately change vendor-supplied default passwords.
12. Sensitive consumer data will not be stored on any computer with an Internet connection.
13. Sensitive information that is sent to third parties over public networks will be encrypted.
14. Anti-virus and anti-spyware programs will be run on individual computers and on servers
daily.
15. When sensitive data is received or transmitted, secure connections will be used.
16. Computer passwords will be required.
17. User names and passwords will be different.
CCWSD - Identity Theft Prevention Program
Page 4 of 7
16C 2
~
18. Passwords will be changed quarterly.
19. Laptops are stored in a secured office facility.
20. Laptop users will not store sensitive customer information on their C-Drive.
21. Employees will never leave a laptop visible in a car, at a hotel luggage stand, or packed
in checked luggage.
22. If a laptop must be left in a vehicle, it is locked in a trunk.
23. The computer network will have a firewall where your network connects to the Internet.
24. Any wireless network in use is secured.
25. Maintain centrallog files of security-related information to monitor activity on your
network.
26. Employees will log out of the In-Hance billing application when they leave for lunch and
at the end of the business day.
27. Monitor incoming traffic for signs of a data breach.
28. Monitor outgoing traffic for signs of a data breach.
29. Implement a breach response plan.
30. Check references or do background checks before hiring employees who will have access
to sensitive data.
31. Newly hired employees will be fingerprinted.
32. New employees sign an agreement to follow your company's confidentiality and security
standards.
33. Access to customer's personal identify information is limited to employees with a "need
to know."
34. Procedures exist for making sure that workers who leave your employ or transfer to
another part of the company no longer have access to sensitive information.
35. Implement a regular schedule of employee training.
36. Employees will be alert to attempts at phone phishing.
37. Employees are required to notify department management immediately if there is a
potential security breach, such as a lost or stolen laptop or security card.
CCWSD - Identity Theft Prevention Program
Page 5 of7
~C2
38. Employees who violate security policy are subjected to discipline, up to, and including,
dismissal in accordance with CMA 5311 (Code of Ethics) and CMA 5405 (End User
Computing).
39. Service providers notify you of any security incidents they experience, even if the
incidents may not have led to an actual compromise of our data.
40. Paper records containing secure information will be shredded before being placed into the
trash.
41. Paper shredders will be available at administrative assistant's desk in the office.
42. Any data storage media will be disposed of by shredding, punching holes in, or
incineration, or any appropriate means as defined by CMA 5908 (Media Reuse or
Replacement Policy).
CCWSD - Identity Theft Prevention Program
Page 6 of7
16C2
~
A report will be prepared annually and submitted to the above named senior management or
governing body to include matter related to the program, the effectiveness of the policies
and procedures, the oversight and effectiveness of any third party billing and account
establishment entities, a swnmary of any identify theft incidents and the response to the
incident, and recommendations for substantial changes to the program, if any. Appropriate
employees have been trained on the contents and procedures of this Identity Theft
Prevention Program.
Identity Theft Prevention Program Review and Approval:
This plan has been reviewed and adopted by the Board of County Commissioners of
Collier County, Florida, as Ex-Officio the Governing Board of the Water-Sewer District on this
28th day of April, 2009.
'1'1,,/
"
ATTEST:, BOARD OF COUNTY COMMISSIONERS
'", "~', .' L :~'t . ..1>'.'"
UMGHT E. BRQC,K, CLERK OF COLLIER COUNTY, FLORIDA, AS EX-OFFICIO THE.
. . ,.,::,
>, '~[L GOVERNING BOARD OF THE WATER-SEWER DISTRICT
~Si.iteCIM"- , By: /L da
11 Qnatn 'Oft .Geputy Clerk
DONNA FIALA, CHAIRMAN
Approval as to form and legal
Sufficiency:
~ h?J~
Deputy County Attorney
CCWSD - Identity Theft Prevention Program
Page 7 00