Staff Report 390-09
TO: HONORABLE CITY COUNCIL
FROM: CITY MANAGER
DEPARTMENT: UTILITIES
DATE: OCTOBER 5, 2009
CMR: 390:09
REPORT TYPE: CONSENT
SUBJECT: Utilities Advisory Commission Recommendation to Adopt a Resolution Approving Changes to the City of Palo Alto Utilities Procedures for Customer Credit Security in Accordance with the Fair and Accurate Credit Transactions Act of 2003
RECOMMENDATION
The Utilities Advisory Commission (UAC) and staff recommend that the City Council adopt a
resolution approving changes to the City of Palo Alto Utilities (CPAU) "Procedures for
Customer Credit Security" to continue compliance with regulations issued by the Federal Trade
Commission in the Fair and Accurate Credit Transactions Act (FACT Act) of 2003.
BACKGROUND
The FACT Act requires those entities affecting consumer credit to evaluate, and possibly create,
a formal program to identify, detect, mitigate and prevent identity theft. CPAU, as a municipal
utility, is a creditor and subject to the FACT Act rules. On July 29, 2009, the Federal Trade
Commission delayed enforcement of the FACT Act until November 1, 2009, to give business
entities additional time to determine if they must comply with the required provisions. As an
early implementer, Palo Alto remains at the forefront with this program.
A CPAU program (the Program) to protect customer credit information was adopted by the City
Council on September 15, 2008, with a resolution approving the Utilities Department
"Procedures for Customer Credit Security" (Attachment B: "Procedures"), and appointing the
Director of Utilities to provide day-to-day oversight over the Program. The Director is to report
on the Program annually to Council. This report will serve as the required annual report to
Council on FACT Act program compliance.
DISCUSSION
On May 4, 2009, the City implemented a new SAP-based Utilities Customer Information System
(CIS). Since the May 4 implementation, there have been no known internal or external attempts
to penetrate or compromise the new SAP-CIS.
CMR: 390:09 Page 1 of 3
Summary of Incidents since Program Adoption in September 2008
• There was one incident where the California Driver License number of one customer was
included in the name line in a postal mailing to that customer. New procedures have been
established to prevent recurrence of this type of event, and Section V-5, page 9, of the
Draft 2009 "Procedures for Customer Credit Security" has been updated to reflect the
changes. The affected customer's account is being monitored to ensure that there are no
further breaches resulting from this incident.
• There was one incident where a customer used another person's credit card to pay a
Utilities bill. The incident was reported to CPAU by the person whose card was used.
CPAU immediately reported the incident to the Palo Alto Police Department's Identity
Theft Unit for investigation and follow-up. This procedure has been codified in Section
V-5, page 9 of the Draft 2009 "Procedures for Customer Credit Security".
There have been no other incidents to report.
Recommended Program Refinements
Recommended changes to the Procedures resulting from incidents since program inception or the
implementation of the new CPAU Customer Information System are described in Attachment A:
Draft 2009 "Procedures for Customer Credit Security".
Recommended changes include:
• Securing internal and external access to the credit data in "BANNER" (the ten-year-old
legacy CIS and predecessor to SAP-CIS);
• Updating the "Terms and Conditions" and "Frequently Asked Questions" sections
relating to cyber-security for customer access and use of the new online "My Utilities
Account" system (in beta test without full public access);
• Developing an annual "FACT Act" training program for Customer Service employees;
• Communicating Palo Alto resident identity theft reports and information between the
Utilities and Police Departments.
BOARD/COMMISSION REVIEW AND RECOMMENDATIONS
The UAC reviewed the Program at its September 2, 2009, meeting and voted 6-0 to recommend
Council approval of the changes to update the Procedures in Attachment A.
RESOURCE IMPACT
The impact on CPAU operating funds from implementing this Program has not been significant.
There has not been significant capital expense associated with either implementing or updating
this program. If a capital expense is identified, that expense will be included in the appropriate
Capital Improvement Project budget.
ENVIRONMENTAL REVIEW
Approval of this Program does not require review under the California Environmental Quality
Act (CEQA) because it does not meet the definition of a "project" pursuant to California Public
Resources Code Section 21065.
ATTACHMENTS
A. Resolution of the Council of the City of Palo Alto
B. Draft Utilities "2009 Procedures for Customer Credit Security"
C. Adopted Utilities 2008 "Procedures for Customer Credit Security"
D. Utilities Advisory Commission Memorandum, dated September 2, 2009: Staff
Recommendation that Utilities Advisory Commission Recommend Council Adoption of a
Resolution Approving Changes to the City of Palo Alto Utilities Procedures for Customer
Credit Security in Accordance with the Fair and Accurate Credit Transactions Act of 2003
E. Excerpted Minutes from the September 2, 2009, Utilities Advisory Commission Meeting
PREPARED BY:
Assistant Director, Customer Support Services
DEPARTMENT APPROVAL:
CITY MANAGER APPROVAL:
ATTACHMENT A
NOT YET APPROVED
Resolution No. ---
Resolution of the Council of the City of Palo Alto Approving Changes to the City of Palo Alto Utilities Procedures for Customer Credit Security in Accordance with the Fair and Accurate Credit Transactions Act of 2003
WHEREAS, Federal Trade Commission (FTC) regulations under the Fair and
Accurate Credit Transactions Act (FACT Act) require entities which affect consumer credit to
evaluate and possibly create a formal program to detect, prevent, and mitigate identity theft by
November 1, 2009; and
WHEREAS, a public utility is considered to offer or maintain accounts covered
under the FACT Act; and
WHEREAS, in 2008 the City of Palo Alto Utilities (CPAU) conducted a risk
assessment to determine whether the accounts it maintains are subject to a reasonably
foreseeable risk of identity theft, including a review of (1) the methods used to open accounts,
(2) the methods of accessing accounts, and (3) previous experiences with identity theft; and
WHEREAS, as part of the risk assessment, CPAU identified relevant "red flags"
defined as patterns, practices or specific activities that indicate the possible existence of identity
theft and created a set of "Procedures for Customer Credit Security" ("Security Procedures");
and
WHEREAS, Council adopted CPAU's Security Procedures via Resolution No. 8857
on September 15, 2008, and appointed the Director of Utilities to provide day-to-day oversight
and report on the Security Procedures annually to Council; and
WHEREAS, CPAU reviewed its processes for opening, maintaining and accessing
covered accounts during the last twelve months and identified new processes for immediate
incorporation in the Security Procedures; and
WHEREAS, CPAU presented the updated Security Procedures and annual report to
the Utilities Advisory Commission (UAC) on September 2, 2009, and to Council on October 5,
2009; and
NOW, THEREFORE, the Council of the City of Palo Alto does RESOLVE as
follows:
SECTION 1. The Council hereby approves the changes to the attached "Procedures
for Customer Credit Security" in compliance with the FACT Act.
SECTION 2. The Council finds that the adoption of this resolution does not
constitute a project under Section 21065 of the California Environmental Quality Act and the
CEQA Guidelines and, therefore, no environmental assessment is required.
INTRODUCED AND PASSED:
AYES:
NOES:
ABSENT:
ABSTENTIONS:
ATTEST: City Clerk
Mayor
APPROVED AS TO FORM: Deputy City Attorney
APPROVED: City Manager
Director of Utilities
Director of Administrative Services
ATTACHMENT B
DRAFT
City of Palo Alto Utilities
Procedures for Customer Credit Security
In Accordance with the
Fair and Accurate Credit Transactions Act of 2003
Approved by the City Council September 15, 2008
Updated: (Proposed) September 14, 2009
INDEX
SECTION TITLE Page
I. Background 3
II. Red Flags Defined 4
III. Red Flag Detection 5
IV. Current Procedures Responding to Red Flags 6
V. 2009 Update of the FACT Act Procedures 8
VI. Program Updates and Administration 10
I. Background
A. Purpose
The Federal Trade Commission rule under the Fair and Accurate Credit
Transactions Act of 2003 required those entities which affect consumer credit to
evaluate, and possibly create, a formal program to detect, prevent and mitigate
identity theft before November 1, 2008. The Act focuses on "red flags," defined
as patterns, practices, or specific activities that indicate possible existence of
identity theft on a covered account.
B. Requirements
The program must:
1) Identify "red flags" for covered accounts and incorporate those "red flags"
into the program;
2) Detect "red flags" that have been incorporated into the Program;
3) Respond appropriately to any "red flags" that are detected to prevent and
mitigate identity theft;
4) Ensure the Program is updated periodically, to reflect changes in identity theft
risk to customers or the creditor;
5) Provide for administration of the program.
C. Covered Accounts
The FACT Act regulations apply to all businesses that have "covered accounts".
A "covered account" includes any account for which there is a foreseeable risk of
identity theft. Utilities are specifically included in the FACT Act.
D. Summary
The following procedures describe what "red flags" are, the CPAU "red flag"
detection program, how we respond to identified "red flags," and provisions for the
on-going administration of the program.
II. "Red Flags" Defined
A. Red Flags
"Red flags" are defined as patterns, practices or specific activities that indicate the
possible existence of identity theft.
Some of the identified red flags that are particularly pertinent in the Utilities lines
of business are:
• Inclusion of a fraud or active duty alert with a consumer report;
• Notification by a consumer reporting agency of a credit freeze in response
to a request for a consumer report;
• Documents provided for identification that appear to have been altered or
forged;
• Suspicious personal identifying information including failure to provide
all required personal identifying information;
• Notification of unauthorized charges in connection with a customer's
account;
• Notification by a customer, a victim of identity theft, a law enforcement
authority, or any other person that it has opened a fraudulent account for a
person engaged in identity theft;
B. Customer Information and Red Flags
Customer identifying information is retained in the customer information system
(CIS), and this information could be subject to theft.
III. "Red Flag" Detection
A. Detection
Red flags that require either freezing of an account or further research into the
customer account to determine if identity theft has occurred include:
• Notices from banking institutions of unauthorized charges to an account;
• Notices from consumer reporting agencies on customer credit freezes;
• Unverified bank information provided for bank draft payments of utilities
bills; and
• Customer failure to provide either a Social Security Number, Driver's
License Number, or Passport Number as required by CPAU Rule and
Regulation 4 "Application for Service".
Existing customers may also self-report instances of identity theft or compromise
of credit security.
B. Response
If any of these "red flags" occur when the customer applies for CPAU service,
service will not be established.
Contact with CPAU by an appropriate law enforcement agency on behalf of a
CPAU customer, or self-report by an existing CPAU customer reporting an
incident of identity or credit theft, will require CPAU management to freeze
access to the customer account information, initiate a review of the identities of
staff members previously accessing the account information, and verify the
appropriateness of that access.
IV. Current Procedures Responding to "Red Flags"
A. Current Procedures
There are Utilities procedures already in place to protect customers' identities and
credit information from theft. Procedures will apply during the opening,
transferring or closing of customer accounts. They also will apply as customer
accounts and associated records are accessed. Still others apply during the billing
of accounts and collection of payments. Additionally, some of the procedures that
apply are initiated by Utilities staff, while others apply when customers access
their own account information.
1) Masking of Customer Identity
Upon opening, transferring or closing customer accounts, current
customer billing procedures require the applicant (and spouse, if
the account is opened in both names) to provide either his/her/their
Social Security Numbers (SSN) or Driver's License Numbers
(DLN). For residential customers, if the SSN or DLN is not
available, the identification requirement defaults to the U.S.
customer's passport number. For commercial customers, the
required identification is the Tax Identification Numbers (TIN).
All SSN and TIN are masked except for the last four digits. These
unique numbers are used to establish credit, manage customer
account security, maintain customer communication and collection
action after default. This information is required under Utilities
Rule and Regulations 4 "Application for Service." Refusal to
provide the required information will terminate the CPAU
"application for service" process.
2) Customer Security Access to Customer Accounts and Records
Currently, in order to access account information online, customers
must create a user name and password. These are controlled by the
customer and account information is accessed via the "My Utilities
Account" (MUA) web portal. Information to which customers
have access includes: the name on the account, address associated
with the account, consumption data; meter reads; dates of service;
charges; billing adjustments; and payments. Customers can also
conduct a limited number of on-line transactions, including
modifying their e-mail addresses, establishing or updating a phone
number, and sending a customer note to CPAU staff regarding
account information. The MUA portal is undergoing revision as
part of the overall SAP upgrade of the Customer Information
System (SAP-CIS). Failure by the authorized account-holder to
designate alternative parties to access their account information
(spouse, domestic partner, or other third-party) will restrict
account access to the customer or court-ordered estate executor.
3) City Staff Access to Customer Accounts and Records
Currently, City staff access is role-specific, and depending on the
role, only certain functions within the customer information system
can be accessed following access review, recommendation and
approval by both Utilities Department and Administrative Services
Department staff. These roles and functions include, but are not
limited to: establishment and refund of deposits; billing
adjustments; payment reversals; cancellation of bills; and write-off
of outstanding balances.
4) Billing and Collection
Currently, customers choosing to pay by bank draft submit voided
checks which are kept in a locked cabinet with access restricted to
the Manager, Customer Service and Meter Reading, and the
Customer Service Specialist-Lead, and maintained in accordance
with the City's Records Retention Policy. Customer security
deposits are manually established and tracked. Receipts produced
for credit card payments only contain the last four digits of the
credit card, and as an added precaution, expiration date
information is not included on the receipt. While it is not a
requirement, as a precautionary measure, customer data and reports
are shredded before being discarded.
V. 2009 Update of the FACT Act Procedures
On May 4, 2009, the new SAP-CIS went "live." The new system carried over
many of the security measures from the prior system and added new
enhancements to identify, detect, prevent and mitigate identity and credit security
risks. Proposed changes to the Procedures include:
1) Masking or Security of Customer Identity (PREVENT)
Customer identity, via the Social Security Number, is masked
from view of system users except for the last four digits. SAP-CIS
contains flexibility in developing user roles, which allows tighter
restrictions than the previous system on which users will have
access to identity and financial information.
2) Customer Security Access to Accounts and Records (DETECT,
PREVENT)
a) The online "My Utilities Account" system has been beta-
tested and is incorporating design enhancements prior to
release to the general Utilities-customer public. When
released for general public use, the online services under the
SAP-CIS will allow customers to better manage their own
accounts as a secondary flagging system for anything that
might be amiss.
b) The SAP-CIS will: permit the linking of all accounts for the
same customer to a single customer-created user name and
password; permit viewing and payment of bills online;
permit printing of monthly bills via an online download;
permit self-service move-out requests and online self-
enrollment in bank drafting; and permit monthly audits of
bank drafting activities.
3) City Staff Security Access to Accounts and Records (DETECT,
PREVENT)
a) Stricter role definitions, limiting the potential of wholesale
theft of information via stolen password or City staff ID,
have been established under the SAP-CIS. Access to
changes to customer accounts will be limited to the customer
service role. Other functional areas in the City will only have
the ability to view customer accounts, but will not be able to
make changes, an additional security measure in the system.
Additionally, the SAP-CIS will enable the creation of records
and audit trails of reversed transactions, and will create an
enhanced audit trail and record of customer refunds and
refund checks as a more refined tool for monitoring account
activity. This audit trail function requires keeping customer
credit card information, but the information has been secured
by full encryption.
b) The Utilities customer credit card information has been
encrypted in conformance with Payment Card Industry (PCI)
Standards. Utilities customer credit card information is not
stored on the same server that houses the portal that
customers use to access their account data. Access to the
data table holding the encrypted credit card numbers is only
available to employees granted the proper "role". The
approving authority for assigning this particular "role" is
restricted to a joint Utilities/Administrative Services
committee serving as the Utilities SAP "Project Management
Office (PMO)". Activation of the "role" for access to the
encrypted data table is restricted to three Information
Technology staff members who are responsible for data
management of the Utilities SAP system, and who take
direction from the PMO (but are not part of the PMO). Once
access to the encrypted data table is approved by the PMO,
and then activated, only an expert programmer familiar with
the SAP programming language and the encryption protocol
can un-encrypt the data. Thus, access to the credit card data is
protected by three levels of security. For quality control
purposes, all access to the table containing the encrypted data
is continuously monitored and tracked by the SAP-CIS audit
function.
4) Enhanced Billing and Collection Security Procedures (IDENTIFY,
PREVENT, MITIGATE)
a) Documents containing customer information are now
shredded.
b) Payment transactions within the customer account are
monitored and tracked.
c) Staff roles and authorizations for the unmasking and
transmission of customer Social Security Numbers to the
City's Collection Agency are restricted.
d) The SAP-CIS will automatically create a trail of every
customer account and financial transaction to permit better
identification of any red flags.
5) Sales and Marketing Security Procedures (PREVENT)
New procedures have been implemented which require staff
review of data tables for merged documents to ensure that only
customer name and mailing or service address are displayed in
any mail-merged documents or mailing labels.
VI. Program Updates and Administration
A.
Oversight of the Utilities "Procedures for Customer Credit Security" requires
assigning specific responsibility for oversight, reports, and approving material
changes in the procedures.
Material changes in the program shall be based on experience with identity theft;
changes in methods of identity theft, changes in methods to detect, prevent, and
mitigate identity theft, changes in types of accounts offered, and changes in
business arrangements.
The Utilities Manager and Meter Reading shall ensure that updated "Procedures
for Customer Credit Security" are included in the Customer Service
Representatives Training Manual and that customer-contact staff are provided
with tools that can be used to assist customers who have experienced identity or
credit theft.
B. Role of Director of Utilities
The Director of Utilities is responsible for oversight over program
implementation. The Director of Utilities shall work with appropriate staff to
ensure day-to-day oversight over security of customer credit information in
conformance with the FACT Act.
In the event there is any indication of physical or electronic threat to customer
credit information or identity security, the Director of Utilities shall work with the
Information Technology Division, the City Attorney's Office, and the Palo Alto
Police Department as appropriate to eliminate the threat.
The Director of Utilities shall submit a report at least annually to the Council,
updating the Council on any material changes in the procedures, any customer
credit security threats or actual theft of customer credit information.
C. Role of Council
The Council shall review reports submitted and consider and approve appropriate
material changes to the program.
ATTACHMENT C
City of Palo Alto Utilities
Procedures for Customer Credit Security
In Accordance with the
Fair and Accurate Credit Transactions Act of 2003
Approved by the City Council September 15, 2008
Background
The Federal Trade Commission rule under the Fair and Accurate Credit Transaction Act
requires entities which affect consumer credit to evaluate and possibly create a formal
program to detect, prevent and mitigate identity theft before November 1, 2008. The Act
focuses on "red flags" defined as patterns, practices, or specific activities that indicate
possible existence of identity theft on a covered account.
The program must:
1) Identify red flags for covered accounts and incorporate those red flags into the
program;
2) Detect red flags that have been incorporated into the Program;
3) Respond appropriately to any red flags that are detected to prevent and mitigate
identity theft;
4) Ensure the Program is updated periodically, to reflect changes in identity theft
risk to customers or the creditor;
5) Provide for administration of the program.
This section describes what red flags are, our red flag detection program, how best to
respond to any identified red flags, and on-going administration of the program.
What are Red Flags?
"Red flags" are defined as patterns, practices or specific activities that indicate the
possible existence of identity theft. Some of the identified red flags that are
particularly pertinent in the Utilities lines of business are:
• Inclusion of a fraud or active duty alert with a consumer report;
• Notification by a consumer reporting agency of a credit freeze in response
to a request for a consumer report;
• Documents provided for identification that appear to have been altered or
forged;
• Suspicious personal identifying information including failure to provide
all required personal identifying information;
• Notification of unauthorized charges in connection with a customer's
account;
• Notification by a customer, a victim of identity theft, a law enforcement
authority, or any other person that it has opened a fraudulent account for a
person engaged in identity theft;
A number of other red flags are identified for creditors that extend credit to customers for
services that can be used anywhere such as through credit cards or cell phones. Some of
the red flags which deal with illegal use of available credit for cash advances, use of an
account in a manner that is not consistent with established patterns of activity on the
account, a fictitious address, or failure to meet "challenge questions" used in
authenticating customer information are directly suited to other types of services such as
credit card or cell phone services, but are not necessarily a major risk for utilities
services. In the case of utilities accounts, service is to a specific address and the service
itself is not easily transferred (except by physical and illegal connection, constituting
theft of service, but not necessarily identity theft) to another address.
However, customer identifying information is retained in the customer information
system, and this information could be subject to theft. Those red flags that deal with theft
of such customer information are of greater relevance to the customer information system
maintained by the City of Palo Alto and are listed above.
Red Flag Detection
Question: do we ever request consumer reports on our customers including businesses??
Notices from banking institutions of unauthorized charges to an account, notices from
consumer reporting agencies on customer credit freezes, unverified bank information
provided for bank draft payments of utilities bills, and customer failure to provide either a
Social Security Number, Driver's License Number, or U. S. Passport Number are all red
flags that require either freezing of an account or further research into the customer
account to determine if identity theft has occurred. If any of these red flags occur at
customer initiation of service, service will not be established.
Response to Red Flags
Current Procedures
Currently, procedures are in place to protect customers' identities from theft. Some of
the procedures apply during the opening, transferring or closing of customer accounts.
Others apply as customer accounts and associated records are accessed. Still others apply
during the billing of accounts and collection of payments. Additionally, some of the
procedures that apply are initiated by Utilities staff, while others apply when customers
access their own account information.
• Masking of Customer Identity
Upon opening, transferring or closing customer accounts, current customer
billing procedures require the applicant (and spouse if account is in both
names) to provide either his/her/their Social Security Numbers (SSN) or
Driver's License Numbers (DLN). For residential customers, if the SSN or
DLN is not available, identification requirement defaults to the U.S. Passport
Number. For commercial customers, the required identification is the Tax
Identification numbers. All SSN and Tax Identification numbers are masked
except for the last four digits.
• Security Access to Customer Accounts and Records
Customer Access:
Currently, in order to access account information online, customers must
create a user name and password. These are controlled by the customer and
account information is accessed via the "My Utilities Account" web portal.
Information to which customers have access includes: the name on the
account, address associated with the account, consumption data, meter reads,
dates of service, charges, billing adjustments and payments. Customers can
also conduct a limited number of on-line transactions including modifying
their e-mail addresses, establishing or updating a phone number, and sending
a customer note to CPAU staff regarding account information.
City Staff Access:
Currently, City staff access is role-specific, and depending on the role, only
certain functions within the customer information system can be accessed
following access review and approval by the Utilities Customer Service
Manager. Kevin/Anthony ... can you please provide one or two examples of
how this works today, and how access will be more strictly defined under
SAP??
• Billing and Collection
Currently, customers choosing to pay by bank draft submit voided checks
which are kept in a locked cabinet and maintained in accordance with the
City's Records Retention Policy. Customer security deposits are manually
established and tracked. Receipts produced for credit card payments only
contain the last four digits of the credit card, and as an added precaution,
expiration date information is not included on the receipt. While not a
requirement, as a precautionary measure, customer information is typically
shredded before being discarded.
FACT Act Procedure Updates
Enhancements to current customer identity security procedures will either be
implemented immediately, or will be enabled in the new SAP-based customer
information system (SAP-CIS) scheduled to go online in 2009.
• Enhanced Masking or Security of Customer Identity
Customer identity will continue to be masked except for the last four digits.
SAP-CIS will contain greater flexibility in developing user roles, which will
allow tighter restrictions on which users will have access to information such
as "business partner" (including spouse) information.
• Enhanced Security Access to Customer Accounts and Records
Customer Access:
Enhanced online services under the SAP-CIS will allow customers to better
manage their own accounts as a secondary flagging system for anything that
might be amiss. The SAP-CIS will permit the linking of all accounts for the
same customer to a single customer-created user name and password; permit
viewing and payment of bills online; permit printing of monthly bills via an
online download; permit self-service move-out requests and online
self-enrollment in bank drafting; and permit monthly audits of bank drafting
activities.
City Staff Access:
Stricter role definitions, limiting the potential of wholesale theft of
information via stolen password or City staff ID, will be allowed under the
SAP-CIS. Access to changes to customer accounts will be limited to the
customer service role. Other areas (Accounting) will only have the ability to
view customer accounts, but will not be able to make changes, an additional
security in the system. Additionally, the SAP-CIS will enable the creation of
records and audit trails of reversed transactions, and will create an enhanced
audit trail and record of customer refund and refund checks as a more refined
tool for monitoring account activity.
• Enhanced Billing and Collection Security Procedures
Enhancement for immediate implementation: The required shredding of all
customer account documents prior to disposal.
In parallel with the development of the SAP-based CIS system, the Customer
Services Manager is directing a review of the creditworthiness policies and is
evaluating FICO scoring systems to determine their applicability to CPAU's
customer creditworthiness assessments. Implementation of the new
creditworthiness procedures is scheduled to coincide with the implementation
of the SAP-based CIS replacement project in 2009.
Additionally, when the SAP-CIS is implemented in 2009, customer bank
account information will be masked in the system, and access to unmasked
information will be restricted to one or two users through "Role Definition"
and authorization.
The SAP-CIS will automatically create a trail of every customer account and
financial transaction to permit better identification of any red flags. The SAP-CIS
will not store credit card information, reducing one of the theft targets.
Program Updates and Administration
Oversight of the program involves assigning specific responsibility for oversight,
reviewing reports, and approving material changes in the program.
Material changes in the program shall be based on experience with identity theft, changes
in methods of identity theft, changes in methods to detect, prevent, and mitigate identity
theft, changes in types of accounts offered, and changes in business arrangements.
The Director of Utilities shall be responsible for oversight over program implementation.
The Director of Utilities shall work with the Assistant Director of Customer Support
Services and the Customer Services Manager to ensure day-to-day oversight over
security of customer credit information in conformance with the FACT Act.
In the event there is any indication of physical or electronic threat to customer credit
information or identity security, the Director of Utilities shall work with the Information
Technology Division, the City Attorney's Office, and the Palo Alto Police Department as
appropriate to eliminate the threat.
The Director of Utilities shall submit a report at least annually to the Council, updating
the Council on any material changes in the program, any customer credit security threats
or actual theft of customer credit information.
The Council shall review reports submitted and consider and approve appropriate
material changes to the program.
The Customer Services Manager shall ensure updated versions of the program are
included in the Customer Service Representatives Training Manual.
ATTACHMENT D
MEMORANDUM
TO: UTILITIES ADVISORY COMMISSION
FROM: UTILITIES DEPARTMENT
DATE: SEPTEMBER 2, 2009
SUBJECT: STAFF RECOMMENDATION THAT UTILITIES ADVISORY
COMMISSION RECOMMEND COUNCIL ADOPTION OF A
RESOLUTION APPROVING CHANGES TO THE CITY OF PALO
ALTO UTILITIES PROCEDURES FOR CUSTOMER CREDIT
SECURITY IN ACCORDANCE WITH THE FAIR AND
ACCURATE CREDIT TRANSACTIONS ACT OF 2003
REQUEST
Staff requests that the Utilities Advisory Commission recommend that the City Council adopt a
resolution approving changes to the City of Palo Alto Utilities (CPAU) "Procedures for
Customer Credit Security" to comply with regulations issued by the Federal Trade Commission
in the Fair and Accurate Credit Transactions Act (FACT Act) of 2003.
BACKGROUND
The FACT Act requires entities which can affect consumer credit to evaluate and possibly create
a formal program to identify, detect, mitigate and prevent identity theft. CPAU, as a municipal
utility, is a creditor and subject to the FACT Act rules. A CPAU program to protect customer
identification and credit information was adopted by the City Council on September 3, 2008,
with a resolution approving the Utilities Department "Procedures for Customer Credit Security"
(Procedures), and appointing the Director of Utilities to provide day-to-day oversight over the
program. A staff report to Council on program compliance with the FACT Act is required
annually.
DISCUSSION
This Memorandum will serve as the basis for the required annual report to Council on program
compliance with the FACT Act. Recommended changes to the Procedures resulting from any
incidents since program inception or the new CPAU Customer Information System are included
in Attachment A.
The FACT Act utilizes a variety of "red flags" to highlight areas of possible risk for identity
theft. These "red flags" are defined as patterns, practices or specific activities that can indicate
the possible existence of identity theft. The "red flags" most relevant to CPAU are identified in
Attachment A, "City of Palo Alto Utilities Procedures for Customer Credit Security", Section II-
A, page 4, in the "2009 Update of the FACT Act Procedures."
Summary of "Red Flag" Incidents since Program Adoption in September 2008
• Since adoption of the Procedures, there have been no known external attempts to
penetrate or compromise the Utilities CIS.
• There was one incident where the California Driver License number of one customer was
included in the name line in a postal mailing to that customer. New procedures have been
established to prevent recurrence of this type of event, and Section V-5, page 9, of the
"2009 Update of the FACT Act Procedures" has been updated to reflect the changes. The
affected customer's account is being monitored to ensure that there are no further
breaches resulting from this incident.
• There was one incident where a customer used another person's credit card to pay a
Utilities bill. The incident was reported to CPAU by the person whose card was used.
CPAU immediately reported the incident to the Palo Alto Police Department's Identity
Theft Unit for investigation and follow-up. This procedure has been codified in Section
V-6, page 9 of the "2009 Update of the FACT Act Procedures".
There have been no other incidents to report.
Summary of Recommended Program Changes
The 2008 version of the Procedures was based on the City's policies, procedures, and Utilities
Customer Information System (CIS) in place at the time of adoption. On May 4, 2009, the City
implemented a new SAP-based Utilities Customer Information System (CIS). Since the May 4
implementation, there have been no known internal or external attempts to penetrate or
compromise the new SAP-CIS.
Implementation of the SAP-CIS required a review of the business practices, policies and
procedures for protecting customer credit information in the areas of customer service, billing,
financial management and online services. Recommended changes to CPAU's "Procedures for
Customer Credit Security" include:
• Securing internal and external access to the data in "BANNER" (the ten-year-old
predecessor to SAP-CIS);
• Updating the "Terms and Conditions" and "Frequently Asked Questions" sections
relating to cyber-security for customer access and use of the online "My Utilities
Account" system;
• Developing an annual FACT Act training presentation for employees;
• Communicating Palo Alto resident identity theft reports between the Utilities and the
Police Departments.
Attachment A updates the "Procedures for Customer Credit Security" with the recommended
changes for implementation in 2009-10. Proposed changes are shown in redline/strikeout format.
RESOURCE IMPACT
Costs to implement the CPAU "Procedures for Customer Credit Security" program are included
in the operating or capital budgets for the support of the new SAP Customer Information System.
ENVIRONMENTAL REVIEW
The program does not constitute a project under the California Environmental Quality Act
pursuant to California Public Resources Code Section 21065; therefore, no environmental
assessment is required.
ATTACHMENT
A: Draft Utilities "2009 Procedures for Customer Credit Security"
PREPARED BY: TOM AUZENNE, Assistant Director, Customer Support Services
DEPARTMENT HEAD: VALERIE O. FONG, Director of Utilities
ATTACHMENT E
Excerpt from Draft Minutes of September 2, 2009, UAC Meeting
ITEM 4: ACTION ITEM: Staff Recommendation that Utilities Advisory Commission Recommend Council
Adoption of a Resolution Approving Changes to the City of Palo Alto Utilities Procedures for Customer
Credit Security in Accordance with the Fair and Accurate Credit Transactions Act of 2003
Assistant Director Tom Auzenne said that he was available to answer any questions the UAC might have
about the FACT Act or the report. Vice Chair Waldfogel questioned whether the City's procedure could be
considered to be a best management practice. Auzenne responded that it could. This process in Palo Alto
is a work in process, based on research with many other agencies. Waldfogel then questioned whether
NCPA has a reference policy for Palo Alto to use. Director Fong responded that NCPA does not have such
a policy for comparison, and that NCPA's customers are other utilities, including the City, and not direct
consumers.
ACTION: Commissioner Eglash moved the staff recommendation to recommend Council approve changes
to procedures in accordance with the FACT Act. Commissioner Foster seconded the motion. The motion
passed unanimously (6-0).