TO: HONORABLE CITY COUNCIL
FROM: CITY MANAGER DEPARTMENT: UTILITIES
DATE: NOVEMBER 8, 2010 CMR: 397:10
REPORT TYPE: CONSENT
SUBJECT: Utilities Advisory Commission Recommendation to Adopt a
Resolution Approving the City of Palo Alto Utilities "2010 Procedures
for Customer Identity and Credit Security" in Accordance with the
Fair and Accurate Credit Transactions Act of 2003
REQUEST
The Utilities Advisory Commission (UAC) and staff recommend that the City Council adopt a
resolution approving the City of Palo Alto Utilities (CPAU) "2010 Procedures for Customer
Credit Security" (Procedures) to comply with regulations issued by the Federal Trade
Commission under the Fair and Accurate Credit Transactions Act (FACT Act) of 2003.
EXECUTIVE SUMMARY
In accordance with Federal regulations, CPAU has developed a program to protect customer
identity and credit security. This is the second annual update since Council adopted the initial
program Procedures in 2008, and includes a review of identity-related incidents and
recommended changes to the Procedures since the last report to Council in 2009.
BACKGROUND
FACT Act
Federal regulations implementing the FACT Act require that every applicable financial
institution or creditor develop and implement an identity theft prevention program for new and
existing accounts to detect, prevent, and mitigate identity theft. A partial list of "creditors"
includes "lenders such as banks, finance companies, automobile dealers, mortgage brokers,
utilities, and telecommunications companies." Utilities are included because they provide
consumer services in advance of payment.
The FACT Act requirements apply to all entities that have "covered accounts." A "covered
account" includes any consumer account that has a foreseeable risk of identity theft such as a
monthly cell phone, credit card, or utility bill, and consumer account information including
medical insurance, social security, or driver's license numbers.
When the FACT Act was signed into law, financial institutions and creditors faced a mandatory
compliance deadline of November 1, 2008. Due to widespread confusion regarding the Act,
especially regarding what types of businesses or entities were considered "creditors", the Federal
Trade Commission repeatedly postponed the implementation deadline. The current mandatory
compliance date is December 31, 2010.
CMR: 397:10 Page 1 of 6
CPAU Procedures
Council first adopted the "Procedures for Customer Credit Security" (Procedures) by resolution
on September 15, 2008 (CMR: 363:08). The initial 2008 version of the Procedures was based on
the City's policies, procedures, and the Utilities Customer Information System (CIS), BANNER,
in place at the time of adoption.
On May 4, 2009, the City implemented a new SAP-based Customer Care and Service (CCS)
information system. Implementation of CCS required a review of the business practices, policies
and procedures for protecting consumer credit information in the areas of customer service,
billing, and financial management.
On September 2, 2009, Staff provided the UAC with a brief description of the two red flag
incidents that occurred during the prior twelve month period, and proposed a 2009 update to the
original 2008 Procedures. Council approved the 2009 changes on October 5, 2009
(CMR:390:09).
This 2010 report provides a summary of CPAU red flag events during the last reporting period,
October 2009 through September 2010, and proposes changes to the 2009 Procedures.
DISCUSSION
The FACT Act utilizes red flags to highlight areas of possible risk for identity theft. These red
flags are defined as patterns, practices or specific activities that can indicate the possible
existence of identity theft. The following provides a report of the red flag incidents over the past
twelve months.
Summary of Red Flag Incidents occurring during the last reporting period:
• There have been no known external attempts to penetrate or compromise the Utilities
Customer Care and Service (customer information) or the Utilities Customer
E-Service/My Utilities Account (online) systems.
• The City's SAP Project Management Office (PMO) discovered that authorized users of
the SAP Utilities Customer Care and Service system could access unmasked customer
data tables containing Drivers License, Passport, Social Security, bank account and
federal Tax Identification numbers through certain SAP query functions. The PMO
disabled the query function access to the data tables within 24 hours. There was no public
access to confidential data, any potential access was limited to authorized SAP users, and
there was no indication that the query function had ever been used by authorized SAP
system users to view the confidential data.
Staff has requested that SAP provide a detailed list of all Utilities Customer Care and
Service functions and transactions that can provide access to customer confidential data
tables in order to refine the restrictions on access to the data.
• Two incidents occurred where a consumer wanted to use another individual's credit card
to pay their Utilities account. Staff was unable to validate ownership of the credit card
through independent contact with the card holder and refused to complete the credit card
transaction. NOTE: When unauthorized credit card use to pay a Utilities bill is reported
by the card holder to staff, staff immediately reports the incident to the Palo Alto Police
Department's Identity Theft Unit for investigation and follow-up.
• One incident occurred wherein the daily credit card slips were submitted for processing
past the end-of-day deadline, but still provided on the operating day. To ensure proper
security and handling of credit card slips, Customer Service Phone Center cash handling
procedures were revised to improve the procedural checks and controls, to increase
physical security of the credit card slips during the day by use of a keyed lockbox, to
eliminate unneeded copies by the shredding of the consumer's copy of the credit card slip
after telephone payments (unless the consumer requests that the credit card slip be mailed
to their billing address), and to secure the credit card transaction on-line customer
information system computer screen so it cannot be viewed by non-Customer Service
staff.
• On one occasion copies of efficiency program rebate documents including applications,
worksheets and receipts were placed in recycling containers, rather than being shredded
before recycling. To ensure proper disposal of customer-specific documents, new
procedures have been created requiring the shredding of customer-specific documents
and reports.
There were no other red flag incidents during the last reporting period.
Recommended 2010 Changes to the 2009 "Procedures for Customer Credit Security":
The recommended text changes to the "2009 Procedures Responding to Red Flags" are included
in the draft "2010 Procedures for Customer Identity and Credit Security", and shown in italicized
format.
Those changes include:

Section 3,B,1a: A name change is proposed from "Procedures for Customer Credit Security" to "2010 Procedures for Customer Identity and Credit Security" to reflect the importance of, and emphasis on, identity theft as well as credit security. Purpose: Differentiates annual versions and increases focus on identity theft prevention.

Section 3,B,1b: It is proposed that the Procedures for Identity and Credit Security be incorporated into the City of Palo Alto Policy and Procedure 1-35/UTL "Interim Guidelines and Procedures for Protecting Confidential Utilities Information" (Rev. Dec 1997). Purpose: Ensures consistency in Utilities-related Policies and Procedures.

Section 4,C,1e: A bonded, professional shredding company will be retained to destroy all bulk documents containing customer information. Documents awaiting bulk destruction will be kept in a locked receptacle. Documents with red flag data, not being held for bulk destruction, will be shredded on-site, as soon as they are no longer needed by the staff member generating the documents. Purpose: Enhanced physical security of confidential information.

Section 4,C,2d: A firewall installed to protect the SAP UCES portal "My Utilities Account" shall be tested and maintained on an on-going basis. Purpose: Enhanced electronic security of Utilities online customer portal.

Section 4,C,3a: Strict role definitions, limiting the potential of access or theft of information via stolen password or City staff ID, will be maintained. Access to changes to customer accounts will be limited to the specific roles, reviewed and authorized quarterly. Purpose: Oversight and control of access by authorized staff.

Section 4,C,3b: Individual or department access to Utilities customer account data by non-Utilities City staff will be reviewed and approved quarterly by the SAP Project Management Office (PMO) and CPAU management. Purpose: Oversight and control of access by authorized staff.

Section 4,C,3c: Electronic access to selected Utilities customer account data by non-Utilities City staff will be restricted to non-red flag data fields and tables. Purpose: Oversight and control of access by authorized staff.

Section 4,C,3e: Confidential data included in correspondence submitted to the City shall be redacted before being made publicly available. Purpose: Enhanced physical security of confidential information.

Section 5,A,4a: To prevent unauthorized access to red flag data tables, the SAP query functions that had allowed CPAU staff access to non-masked customer confidential data have been disabled. Purpose: Oversight and control of access by authorized staff.

Section 5,A,4b: To prevent unauthorized access to red flag data in a covered account, all electronic "screen shots" of monitor images containing red flag data submitted to the IT Helpdesk by staff to illustrate account problems will be stored in a secure electronic folder with staff access restricted by authorized SAP role. Purpose: Enhanced electronic security of Utilities red flag data.

Section 5,A,4c: Access to the archived BANNER customer information database will continue to be limited to staff having an authorized SAP role. To prevent unauthorized access to red flag data in an archived covered account, all red flag data has been deleted in BANNER (prior Utilities Customer Information System), including Social Security Numbers (SSN), and the confidential Customer Notes section has been deleted. Purpose: Oversight and control of access by authorized staff.

Section 5,A,4d: Full encryption of credit card numbers in SAP Production, Testing and Development environments is required. Purpose: Enhanced electronic security of Utilities red flag data.

Section 5,B,1d: Utilities customer Social Security Numbers, Tax Identification Numbers, credit card numbers and expiration and bank drafting information will be masked on all three CCS and UCES software Production, Test, and Development platforms. Purpose: Enhanced electronic security of Utilities red flag data.

Section 5,B,3a: Incidents of possible customer identity theft shall be reported to the PAPD within 24 hours. Purpose: Enhanced security of red flag data.

Section 5,B,4b: Copies of customer credit card slips (when paid by phone) shall be shredded, unless mailed to the customer at their request. Purpose: Enhanced physical security of confidential information.

Section 5,B,4c: Customer data printouts, reports, efficiency applications, worksheets, receipts, and bills generated in the IT Test or Development systems will be shredded. Purpose: Enhanced physical security of confidential information.

Section 5,B,4d: To ensure proper security and handling of credit card slips, Customer Service Phone Center staff will use a keyed lockbox for storage. Purpose: Enhanced physical security of confidential information.

Section 5,B,4e: To secure credit card transactions, the computer terminal used for credit card transaction payment processing in the Customer Service Phone Center will be secured so it cannot be viewed by non-Customer Service staff. Purpose: Enhanced physical security of confidential information.

Section 4,C,4b: CPAU will continue to recommend residential and commercial deposits policies to Council which utilize the provisions of the California Public Utilities Code, allowing each utility to establish accounts and furnish service based solely upon the creditworthiness of the applicant as determined by the utility. Purpose: Maintains current status. Identifies process for Utilities deposit policies.

Section 4,C,4c: CPAU will not utilize commercially available consumer credit reports to establish deposits. Section 311 of the FACT Act requires a creditor to provide consumers with a risk-based pricing notice when, based in whole or in part on the consumer's credit report, the creditor grants, extends or otherwise provides credit to the consumer on "material terms that are materially less favorable than the most favorable terms it grants to a substantial proportion of its other customers." Purpose: Maintains current status. Eliminates a red flag requirement without increasing risk to the Utilities.

Section 5,D,1a: Other Departments in the City, wishing to have online access to Utilities customer account information to determine residency, verify program applicability, determine dates for permitting, etc., will be restricted in their ability to view customer red flag data, and will not be able to make changes to the data in the system. Purpose: Enhanced physical and electronic security of Utilities red flag data.

Section 5,D,2a: Other Departments in the City, wishing to have "hard copy" reports of Utilities customer information will be unable to have printouts containing customer red flag information. Purpose: Enhanced physical security of confidential information.

Section 5,D,3a: Employees of Green Waste Recovery shall be permitted electronic access to the Utilities CCS system pursuant to the contract with the City for solid waste services. Purpose: Restricts red flag data to staff with authorized roles. Codifies customer identity theft prevention requirements for Green Waste staff having access to Utilities red flag billing information.
BOARD/COMMISSION REVIEW AND RECOMMENDATIONS
The UAC reviewed the Procedures at its October 6, 2010 meeting. The commissioners asked
about procedures for protecting sensitive data and credit card numbers from being downloaded
and lost or stolen. Staff responded that credit card data is stored on secured servers, with
restricted access, encryption at the table level, and firewalls. And, although the City does retain
credit card numbers for future audit and verification purposes, that information, via a secure
encryption key, is accessible by only three city staff members, and credit card security numbers
are not retained. The UAC voted 7-0 to recommend Council approval of the changes to update
the Procedures as shown in Attachment B.
In response to UAC concerns about potential loss or theft of Utilities customer data, IT, the SAP
Program Management Office, and Utilities will continue to treat SAP cyber-security as an
ongoing area of concern. A combination of technical and procedural precautions will be enforced
to ensure protection of stored data through selective masking and encryption. Security protocols
for access control, secure transmission of confidential customer information, and use of third
party non-disclosure agreements will continue to be reviewed and enhanced by staff and SAP
consultants with security expertise.
RESOURCE IMPACT
The impact on CPAU operating or capital budgets from implementing the FACT Act identity
and credit security program has not been material. Costs to implement the "2010 Procedures for
Customer Identity and Credit Security" are included in the Utilities Operating Budget, or the
Technology Fund Operating and Capital Budgets for maintenance and enhancement of SAP
Utilities Customer E-Service and Customer Care and Service systems.
Expense arising from future expansion of the CPAU identity and credit security program, or
Procedures, beyond the requirements of the FACT Act will be included in future operating or
Capital Improvement Project budgets.
ENVIRONMENTAL REVIEW
Council's approval of the procedures does not constitute a project under the California
Environmental Quality Act pursuant to California Public Resources Code Section 21065;
therefore, no environmental assessment is required.
ATTACHMENTS
A. Resolution of the Council of the City of Palo Alto
B. Proposed "2010 Procedures for Customer Identity and Credit Security"
C. Utilities Advisory Commission Memorandum, dated October 6, 2010: Staff
Recommendation that Utilities Advisory Commission Recommend Council Adoption of a
Resolution Approving Changes to the City of Palo Alto Utilities 2009 "Procedures for
Customer Credit Security" in Accordance with the Fair and Accurate Credit Transactions
Act of2003
D. Excerpted Minutes from the October 6, 2010 Utilities Advisory Commission Meeting
PREPARED BY: TO ZENNE, Assistant Director, Customer Support Services
DEPARTMENT APPROVAL: VALE..., Director of Utilities
CITY MANAGER APPROVAL:
ATTACHMENT A
NOT YET APPROVED
RESOLUTION NO.
RESOLUTION OF THE COUNCIL OF THE CITY OF PALO ALTO
APPROVING THE CITY OF PALO ALTO UTILITIES "2010
PROCEDURES FOR CUSTOMER IDENTITY AND CREDIT
SECURITY" IN ACCORDANCE WITH THE FAIR
AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003
WHEREAS, Federal Trade Commission (FTC) regulations under the Fair
and Accurate Credit Transactions Act (FACT Act) require entities which affect consumer
credit to evaluate and possibly create a formal program to detect, prevent, and mitigate identity
theft before December 31, 2010; and
WHEREAS, a public utility is considered to offer or maintain accounts covered
under the FACT Act; and
WHEREAS, the City of Palo Alto Utilities (CPAU) has conducted a risk assessment
to determine whether the accounts it maintains are subject to a reasonably foreseeable risk of
identity theft, including a review of (1) the methods used to open accounts, (2) the methods of
accessing accounts, and (3) previous experiences with identity theft; and
WHEREAS, CPAU has identified relevant "red flags" defined as patterns, practices
or specific activities that indicate the possible existence of identity theft; and
WHEREAS, Council approved CPAU's first formal FACT Act compliant program
on September 15,2008, and approved an update to the program on October 5, 2009; and
WHEREAS, CPAU has reviewed its processes for opening, maintaining and
accessing covered accounts during the last twelve months; and
WHEREAS, there have been no known successful cases of attempts at unauthorized
access to customer identity and account information; and
WHEREAS, CPAU identified new processes for immediate incorporation in the
"2010 Procedures for Customer Identity and Credit Security" and presented them to the Utilities
Advisory Commission (UAC) on October 6, 2010; and
NOW, THEREFORE, the Council of the City of Palo Alto does RESOLVE as
follows:
SECTION 1. The Council hereby approves the attached "2010
Procedures for Customer Identity and Credit Security".
SECTION 2. The Council finds that the adoption of this resolution does not
constitute a project under Section 21065 of the California Environmental Quality Act and the
CEQA Guidelines and, therefore, no environmental assessment is required.
INTRODUCED AND PASSED:
AYES:
NOES:
ABSENT:
ABSTENTIONS:
ATTEST:
City Clerk Mayor
APPROVED AS TO FORM: APPROVED:
Senior Deputy City Attorney City Manager
Director of Utilities
Director of Administrative Services
ATTACHMENT B
DRAFT
City of Palo Alto Utilities
"2010 Procedures for
Customer Identity and Credit Security"
Proposed Changes are Italicized
Proposed Effective Date: November 8, 2010
DRAFT
Proposed Effective Date: November 1, 2010 Page 1 of 14
2010 Procedures for
Customer Identity and Credit Security

SECTION                                                              PAGE
1. Policy Statement                                                     3
2. Utilities Identity and Credit Theft Prevention Program               4
   A. Definitions
   B. The Red Flag Rule
   C. Identity and Credit Theft Program Adoption (the Procedures)
   D. Requirements of the Procedures
3. Administration of the Procedures for Customer Identity and
   Credit Security                                                      6
   A. Palo Alto City Council
   B. Director of Utilities
   C. Executive Leadership Team
4. Customer Identity and Credit Information, Systems and Access         7
   A. Classification of Information
   B. Utilities Customer Information Systems
   C. Identity and Credit Information Access
5. Identification, Detection, Response and Mitigation of Red Flags     10
   A. Customer Service
   B. Billing and Payment
   C. Credit and Collection
   D. Other City Departments
1. Policy Statement
The City of Palo Alto shall ensure that proprietary and confidential Utilities customer
information is secure from identity theft as required by law and business practice.
The Fair Credit Reporting Act, 15 United States Code, Section 1681 et seq., was
amended to include the Fair and Accurate Credit Transactions Act of 2003 (Public
Law 108-159), hereinafter referred to as the FACT Act. The FACT Act requires those
businesses and organizations which can affect consumer credit to create a formal
program to detect, prevent, respond and mitigate potential identity theft before
December 31, 2010.
2. Utilities Identity and Credit Theft Prevention Program
The Fair and Accurate Credit Transaction Act of 2003 (FACT Act) requires those
entities which can affect consumer credit to create a formal identity theft prevention
program to detect, prevent and mitigate identity theft before December 31, 2010.
A. Definitions
The "Red Flag Rule" is a set of United States federal regulations that require
certain businesses and organizations identified as "creditors" to develop and
implement documented plans to protect consumers from identity theft.
"Identity theft' means a fraud committed using the identifying information of
another person.
A "creditor" is any entity that regularly extends, renews, or continues credit; any
entity that regularly arranges for the extension, renewal, or continuation of credit;
or any assignee of an original creditor who is involved in the decision to extend,
renew, or continue credit. Accepting credit cards as a form of payment does not in
and of itself make an entity a creditor. Creditors include finance companies,
automobile dealers, mortgage brokers, utility companies, and telecommunications
companies. Where non-profit and government entities defer payment for goods or
services, they, too, are to be considered creditors. Only those financial institutions
and creditors that offer or maintain "covered accounts" must develop and
implement a written Program.
A "covered account" is either: an account primarily for personal, family, or
household purposes; that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, car loan, margin
account, cell phone account, utility account, checking account, or savings
account; or any other account for which there is a reasonably foreseeable risk to
customers or creditor from identity theft.
An "Identity Theft Report" alleges an identity theft; is a copy of an official, valid
report filed by a consumer with an appropriate Federal, State, or local law
enforcement agency, including the United States Postal Inspection Service; and,
subjects the person filing the report to criminal penalties relating to the filing of
false information if, in fact, the information in the report is false.
B. Red Flag Rule
There are a total of twenty-six individual red flags comprising the Red Flag Rule,
with five categories of common red flags:
1. Alerts, notifications, and warnings from a credit reporting company, including
address discrepancies.
2. Suspicious documents that look like they have been altered or forged; or that
the information or description does not match the applicant or customer.
3. Suspicious personal identifying information, including inconsistent data.
4. Suspicious account activity, including name changes, unauthorized charges or
address changes for credits or refunds.
5. Notification by another source, including a customer, another victim of
identity theft, a law enforcement authority, or other person regarding an
account having an Identity Theft Report completed, or other notice that an
account may have been compromised by identity theft.
C. Identity and Credit Theft Prevention Program Adoption (the Procedures)
The City Council of Palo Alto adopted the Utilities Department formal identity
theft prevention program, the "Procedures for Customer Credit Security" on
September 15, 2008. The Procedures focus on red flags, defined as patterns,
practices, or specific activities that indicate possible existence of identity theft on
a covered account.
On September 2, 2009, Staff provided the Utilities Advisory Commission (UAC)
with a summary of red flag events that occurred during the prior twelve month
reporting period, and proposed 2009 updates to the original 2008 Procedures. The
UAC recommended that the Council approve the proposed changes to the 2008
Procedures. Council approved the 2009 changes on October 5, 2009 (CMR:
390:09).
D. Requirements of the Procedures
The Procedures were designed to:
1. Identify red flags for covered accounts and incorporate those red flags into the
program
2. Detect red flags that have been incorporated into the Procedures
3. Respond appropriately to any red flags that are detected
4. Mitigate the occurrence of identity or credit theft
5. Ensure the Procedures are updated annually, to reflect the changes in identity
or credit theft risk
6. Provide for administration and update of the Procedures with red flags
identified and incorporated into specific operational and transactional policies
and procedures for City departments with access to confidential Utilities
customer data.
3. Administration ofthe Identity and Credit Theft Procedures
A. Palo Alto City Council
The City Council shall review the "Procedures for Identity and Credit Security"
(Procedures) annually, and adopt appropriate changes to meet the requirements of
the FACT Act.
B. Director of Utilities
The Director of Utilities shall oversee implementation of the Procedures in
conformance with the FACT Act. Implementation of the Procedures will provide
for specific responsibility of oversight, reports, and material changes to the
Procedures.
The Director shall submit an annual report to the Utilities Advisory Commission
and City Council providing an update on the identification, detection, response
and mitigation of Red Flag issues occurring during the reporting period, and
recommending the business, organizational, and security changes to the Council
needed to keep the Procedures current. Recommended changes to the Procedures
shall be based on experience with identification, detection, prevention and
mitigation of identity and credit theft; changes in types of customer accounts
offered; and, changes in business practices.
1. For 2010, there are two recommended Administrative changes proposed:
a) A name change is proposed from "Procedures for Customer Credit
Security" to "2010 Procedures for Customer Identity and Credit
Security" to reflect the importance of, and emphasis on, identity theft
as well as credit security.
b) It is proposed that the 2010 Procedures for Identity and Credit
Security be incorporated into the City of Palo Alto Policy and
Procedure 1-35/UTL "Interim Guidelines and Procedures for
Protecting Confidential Utilities Information" (Rev. Dec 1997).
C. Executive Leadership Team
If potential or actual physical or electronic theft of customer identity or credit
occurs, the Directors of the Utilities, Administrative Services, and Public Works
Departments shall work with the City Attorney, City Auditor and the Palo Alto
Police Department, as appropriate, to mitigate the threat.
4. Customer Identity and Credit Information, Systems and Access
A. Classification of Information
1. Customer Identity Information
Customer identity and credit information subject to theft includes name, address,
account number, Social Security Number, spouse or secondary account holder
identification, contact information, credit information, log-ins and passwords.
2. Customer Financial Information
Customer financial information subject to theft includes payment history, deposit
information, payment transaction records, extended payment arrangements, credit
card numbers, voided check information, and bank account numbers.
B. Utilities Customer Information Systems
1. Historical Customer Identification and Financial Information
Current and prior customer information resides in BANNER, the CPAU
predecessor to SAP. This database has been retained for archival purposes, and
this information could be subject to theft.
2. SAP Utilities Customer Care and E-Services
On May 4, 2009, the City implemented a new SAP-based Utilities Customer Care
and Service (U-CCS) information system. In March of 2010, the Utilities
Customer E-Service (UCES) system with the "My Utilities Account" (MUA) web
portal was activated. Confidential Utilities Customer information is retained in the
U-CCS and Utilities Customer E-Service (U-CES) online information system, and
this information could be subject to theft.
Implementation of the U -CCS requires ongoing review and modification of the
business practices, policies and procedures for protecting consumer identity and
credit information in Utilities Customer Service, Billing and Payment, Credit and
Collection, and other City departments. Cyber-security precautions were created
prior and subsequent to the implementation of the online customer e-service
system. Cyber-security enhancements are also made on an ongoing basis to assure
that access to customer identity and credit data is properly restricted to authorized
staff.
C. Identity and Credit Information Access
1. Securing Identity and Credit Information within the SAP Utilities Customer Care
and Service (U-CCS) System
Unique numbers are used to establish credit, manage customer account security,
identify customers, and permit collection action after disconnection for non-payment.
This information is required under Utilities Rule and Regulations #4
"Application for Service." Refusal to provide the required information will
terminate the CPAU "Application for Service" process.
a. Upon opening, transferring or closing customer accounts, current customer
billing procedures require the applicant (and spouse or secondary account
holder if the account is opened in both names) to provide either his/her/their
Social Security Numbers (SSN) or Driver's License Numbers (DLN). For
residential customers, if the SSN or DLN is not available, the identification
requirement defaults to the U.S. customer's passport number. These
numbers will be masked except for the last four digits.
b. For commercial customers, the required identification is the Tax
Identification Numbers (TIN). TINs will be masked except for the last four
digits.
c. City staff access to customer Utilities information will be SAP role-specific,
allowing certain functions within the system to be accessible. Role
assignments will be made based upon review and approval by the SAP
Project Management Office (PMO), the Utilities Department, and the
Administrative Services Department. Financial functions of particular roles
include, but are not limited to: establishment and refund of deposits; billing
adjustments; payment reversals; cancellation of bills; and write-off of
outstanding balances. Roles and responsibilities will be reviewed quarterly
by CPAU management and the PMO, with the intent to limit the number of
staff having access to sensitive customer identity and financial data.
d. Staff will review documents to ensure that only the customer name and the correct
mailing or service address are displayed in any mail-merged documents or
mailing labels.
e. A bonded, professional shredding company will be retained to destroy all
bulk documents containing customer billing information. Documents
awaiting bulk destruction will be kept in a locked receptacle. Documents
with red flag data, not being held for bulk destruction, will be shredded on
site as soon as they are no longer needed by the staff member generating
the documents.
f. All payment and operational transactions within each customer account will
be monitored and tracked by the SAP internal audit function.
g. Staff roles and authorizations for the unmasking and transmission of
customer Social Security Numbers to the City's collection agency will be
restricted and monitored.
2. Securing Identity and Credit Information within the SAP Utilities Customer
E-Service (U-CES) System
In order to access account information online, customers must create a user name
and password. These are controlled by the customer, and the Utilities Customer
E-Service (U-CES) account is accessed via the "My Utilities Account" (MUA)
web portal. Customer accessible information includes: the name(s) on the
account; billing and service addresses associated with the account; consumption
data; meter reads; dates of service; charges; billing adjustments; and payment
history. Customers can conduct a limited number of on-line transactions,
including modifying their e-mail addresses, establishing or updating a phone
number, and sending a customer note to CPAU staff regarding account
information. The U-CES system permits the linking of all accounts for the same
customer to a single customer-created user name and password; viewing and
payment of bills online; printing of monthly bills via an online download;
requesting a move-out; online self-enrollment in bank drafting; making single
transaction credit card payments; communicating with CPAU staff via email; and
reviewing bank draft transactions.
a. Failure by the authorized account-holder to designate alternative parties to
access their account information (spouse, domestic partner, or other third
party) will restrict account access to either the customer or a court-ordered
estate executor.
b. The Terms and Conditions and Frequently Asked Questions sections for
cyber-security, customer access, and use of the online My Utilities Account
system will be updated immediately after changes are implemented.
c. Notification of CPAU by the authorized account holder that their identity or
credit information has been compromised or stolen will result in termination
of external online access to the affected account until such time as the account
can be re-established by the customer.
d. A firewall installed to protect the SAP UCES portal "My Utilities Account"
shall be tested and maintained on an on-going basis.
3. Non-Utilities City Staff Access to Customer Red Flag Data
a. Strict role definitions, limiting the potential of access or theft of information
via stolen password or City staff ID, will be maintained. Access to changes to
customer accounts will be limited to the specific roles, reviewed and
authorized quarterly.
b. Individual or department access to Utilities customer account data by
non-Utilities City staff will be reviewed and approved quarterly by the SAP Project
Management Office (PMO) and CPAU management.
c. Electronic access to selected Utilities customer account data by non-Utilities
City staff will be restricted to non-red flag data fields and tables.
d. Audit trails will be kept for financial transactions within the U-CCS and
U-CES systems and include, but not be limited to, reversed transactions, account
credits and refunds, and physical refund checks.
e. Confidential data included in correspondence submitted to the City shall be
redacted before being made publicly available.
5. Identification, Detection, Response and Mitigation of Red Flags
The 2009 Procedures for Customer Credit Security are already in place to protect
customer identity and credit information from theft. Some of the Procedures that apply
are initiated by CPAU staff, while others apply when customers access their own account
information. The "Procedures" are utilized during the opening, access, billing and
collection of payments, and the transfer or closing of customer accounts. They also apply
as customer accounts and associated records are internally accessed.
Any identification, detection or awareness by CPAU of a Red Flag incident would result
in an investigative response and mitigation effort on the part of Utilities, and may include
contact with an appropriate law enforcement agency on behalf of a CPAU customer, or
self-reporting by an existing CPAU customer. CPAU will determine whether to freeze
access to the customer account information, or initiate a review of staff access to account
information to verify the appropriateness of that access.
A. CUSTOMER SERVICE
1. Identifying Red Flags
a) To validate the identity of the prospective covered account holder, a
Utilities account will not be opened, changed or closed without
submittal of the Red Flag data required to determine the identity of the
account holder. Customer failure to provide a Social Security Number,
Driver's License Number, Tax Identification Number, or Passport
Number will terminate the account initiation process.
• Utilities Rule and Regulation 4, "Application for Service"
b) Utilities Customer Service, Credit and Collection, and Billing staffs
will include the Procedures for Identity and Credit Security in their
Policies and Procedures.
• Utilities Customer Support Services Division Requirement
c) Utilities Customer Service, Credit and Collection, and Billing staffs
will conduct annual training in the Procedures for all staff members.
• Utilities Customer Support Services Division Requirement
2. Detecting Red Flags
a) To prevent unauthorized access to a Covered Account, a Utilities
account will be subject to investigation and frozen for transactions in
the event of presentation of suspicious documents for program
application or discounts, determination of a compromised customer
password, notices from banking institutions of unauthorized charges to
an account, and/or notices from consumer reporting agencies on
customer credit freezes.
• City Policy and Procedure 1-35/UTL, "Interim Guidelines and
Procedures for Protecting Confidential Utilities Information"
• Utilities Customer Service Requirement
3. Responding to Red Flags
a) Customer reports of identity or credit card theft provided to Customer
Service will be routed to the Palo Alto Police Department's Identity
Theft Section for completion of the Identity Theft Report Form.
Customers contacting the PAPD to report an incident of identity or
credit card theft will be routed to Customer Service, so that the
customer's Covered Account Red Flag data can be secured.
• Utilities Customer Service Requirement
4. Mitigating Red Flags
a) To prevent unauthorized access to red flag data tables, the SAP query
functions that had allowed CPAU staff access to non-masked customer
confidential data have been disabled.
b) To prevent unauthorized access to red flag data in a covered account,
all electronic "screen shots" of monitor images containing red flag
data submitted to the IT Helpdesk by staff to illustrate account
problems will be stored in a secure electronic folder with staff access
restricted by authorized SAP role.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
c) Access to the archived BANNER customer information database will
continue to be limited to staff having an authorized SAP role. To
prevent unauthorized access to Red Flag data in an archived Covered
Account, all Red Flag data has been deleted in BANNER (prior
Utilities Customer Information System), including Social Security
Numbers (SSN), and the confidential Customer Notes section has been
deleted.
d) Full encryption of credit card numbers in SAP Production, Testing
and Development environments is required.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
B. BILLING AND PAYMENT
Customers may self-report instances of identity or credit theft; notice may be
made by law enforcement agencies of identity or credit theft; inaccurate
information may be provided by customers for bank draft payments of
Utilities bills; reports may be received of compromised internal credit card
security; reports may be received of compromised internal checking account
(bank draft) security; and reports may be received of compromised external
third-party payment vendor security (reported by customer or vendor).
1. Identifying Red Flags
The Utilities customer credit card information has been encrypted in
conformance with Payment Card Industry (PCI) Standards.
a) Utilities customer credit card information will not be stored on the
same server that houses the portal that customers use to access their
account data.
b) Activation of the "role" for access to the encrypted data table will be
restricted to three Information Technology staff members who are
responsible for data management of the Utilities SAP system, and who
take direction from the PMO (but are not part of the PMO). Once
access to the encrypted data table is approved by the PMO, and then
activated, only an expert programmer familiar with the SAP
programming language and the encryption protocol will be authorized
to decrypt the data. Thus, access to the credit card data will be
protected by three levels of security.
c) For quality control purposes, all access to the table containing the
encrypted data will be continuously monitored and tracked by the SAP
audit function.
d) Utilities customer Social Security Numbers, Tax Identification
Numbers, credit card numbers and expiration and bank drafting
information will be masked on all three CCS and UCES software
production, test, and development platforms.
e) Customers choosing to pay by bank draft will submit voided checks
which are kept in a locked cabinet with access restricted to the
Manager, Customer Service and Meter Reading, and the Customer
Service Specialist-Lead, and maintained in accordance with the City's
Records Retention Policy.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
2. Detecting Red Flags
a) Receipts produced for credit card payments only contain the last four
digits of the credit card, and as an added precaution, expiration date
information is not included on the receipt.
• City of Palo Alto Cash Handling Procedures
• Utilities Customer Service Desk Procedures
3. Responding to Red Flags
Customer Service has worked with the PAPD to update the existing PAPD
Identity Theft Report Form. This update includes the contact information for
CPAU Customer Service and requests the individual completing the document
to contact CPAU to report the identity or credit problem, so that the
customer's Utilities account information can be secured.
a) Incidents of possible customer identity theft shall be reported to the
PAPD within 24 hours.
• Utilities Customer Service Requirement
4. Mitigating Red Flags
a) Verification of SAP credit card handling of encrypted storage, masked
display and access tracking will be provided to the City Auditor.
• Project Management Office (PMO) Requirement
b) Copies of customer credit card slips (when paid by phone) shall be
shredded, unless mailed to the customer at their request.
c) Customer data printouts, reports, efficiency applications, worksheets,
receipts, and bills generated in the IT Test or Development systems
will be shredded.
d) To ensure proper security and handling of credit card slips, Customer
Service Phone Center staff will use a keyed lockbox for storage.
e) To secure credit card transactions, the computer terminal used for
credit card transaction payment processing in the Customer Service
Phone Center will be secured so it cannot be viewed by non-Customer
Service staff.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
C. CREDIT AND COLLECTION
1. Identifying Red Flags
Identification of Red Flag events in the Credit and Collections process will
include:
a) Failure to internally pursue payment of outstanding debt on a covered
account
b) Failure by Collection Agency to pursue outstanding debt on a covered
account
c) Change in billing address for reimbursement of deposits or payment
credits without a change in service address.
• Utilities Credit and Collection/Bad Debt Process
2. Mitigating Red Flags
a) Customer security deposits will be manually and electronically
established and tracked.
b) CPAU will continue to recommend residential and commercial
deposits policies to Council which utilize the provisions of the
California Public Utilities Code, allowing each utility to establish
accounts and furnish service based solely upon the creditworthiness of
the applicant as determined by the utility.
c) CPAU will not utilize commercially available consumer credit reports
to establish deposits. Section 311 of the FACT Act requires a creditor
to provide consumers with a risk-based pricing notice when, based in
whole or in part of the consumer's credit report, the creditor grants,
extends or otherwise provides credit to the consumer on "material
terms that are materially less favorable than the most favorable terms
it grants to a substantial portion of its other customers."
• Utilities Credit and Collection/Bad Debt Procedures
D. OTHER CITY DEPARTMENTS
1. Identifying Red Flags
a) Other Departments in the City, wishing to have online access to
Utilities customer account information to determine residency, verify
program applicability, determine dates for permitting, etc., will be
restricted in their ability to view customer Red Flag data, and will not
be able to make changes to the data in the system.
2. Detecting Red Flags
a) Other Departments in the City, wishing to have "hard copy" reports of
Utilities customer information will be unable to have printouts
containing customer Red Flag information.
3. Responding to Red Flags
a) Employees of Green Waste Recovery shall be permitted electronic
access to the Utilities CCS system pursuant to the contract with the
City for solid waste services.
ATTACHMENT C
MEMORANDUM
TO: UTILITIES ADVISORY COMMISSION
FROM: UTILITIES DEPARTMENT
DATE: OCTOBER 6, 2010
SUBJECT: STAFF RECOMMENDATION THAT UTILITIES ADVISORY
COMMISSION RECOMMEND COUNCIL ADOPTION OF A
RESOLUTION APPROVING CHANGES TO THE CITY OF PALO
ALTO UTILITIES 2009 "PROCEDURES FOR CUSTOMER
CREDIT SECURITY" IN ACCORDANCE WITH THE FAIR AND
ACCURATE CREDIT TRANSACTIONS ACT OF 2003
REQUEST
Staff requests that the Utilities Advisory Commission (UAC) recommend that the City Council
adopt a resolution to approve the proposed 2010 changes to the City of Palo Alto Utilities
(CPAU) 2009 "Procedures for Customer Credit Security" (Procedures) to comply with
regulations issued by the Federal Trade Commission in the Fair and Accurate Credit
Transactions Act (FACT) of 2003.
EXECUTIVE SUMMARY
The Federal Trade Commission and other federal agencies have issued regulations requiring
applicable financial institutions and creditors to develop and implement an identity theft
prevention program, as part of the FACT Act.
CPAU, as a municipal utility, is defined as a "creditor" subject to the requirements of the FACT
Act, since it provides consumer goods or services first, and requires payment later. The FACT
Act requires that a creditor put a consumer identity theft prevention program in place by
December 31, 2010. The program must have procedures that address the identification, detection,
response to, and mitigation of business patterns, practices, or specific activities, or "Red Flags",
that could indicate an instance of identity theft.
The FACT Act requires periodic updates of the Procedures to reflect changes in risks of identity
theft to consumers or the creditor. Although CPAU identifies and implements security changes
on an ongoing basis, a full update of the Procedures is presented annually to the UAC and
requests recommendation to the Council for adoption.
This report to the Utilities Advisory Commission (UAC) provides the annual review of possible
identity theft-related incidents during the last reporting period, and describes the changes
proposed to the 2009 "Procedures."
Page 1 of 19
BACKGROUND
FACT Act
Federal regulations concerning the FACT Act include the requirement that every applicable
financial institution or creditor develop and implement an identity theft prevention program for
new and existing accounts to detect, prevent, and mitigate identity theft. A partial list of
"creditors" include: "lenders such as banks, finance companies, automobile dealers, mortgage
brokers, utility (such as CPAU, which provides consumer services in advance of payment) and
telecommunications companies."
The FACT Act requirements apply to all entities that have "covered accounts." A "covered
account" includes any consumer account that has a foreseeable risk of identity theft such as a
monthly cell phone, credit card, or utility bill, and consumer account information such as
medical insurance, social security, or driver's license numbers.
When the FACT Act was signed into law, financial institutions and creditors faced a mandatory
compliance deadline of November 1, 2008. Due to widespread confusion regarding the Act,
especially regarding what types of businesses or entities were considered "creditors", the Federal
Trade Commission repeatedly postponed the implementation deadline. The current mandatory
compliance date is December 31, 2010.
CPAU Procedures
Council first adopted the "Procedures for Customer Credit Security" (Procedures) by resolution
on September 15, 2008 (CMR: 363:08). The initial 2008 version of the Procedures was based on
the City's policies, procedures, and the Utilities Customer Information System (CIS), BANNER,
in place at the time of adoption.
On May 4, 2009, the City implemented a new SAP-based Customer Care and Service (CCS)
information system. Implementation of CCS required a review of the business practices, policies
and procedures for protecting consumer credit information in the areas of customer service,
billing, and financial management.
On September 2, 2009, Staff provided the UAC with a summary of red flag events during the
prior twelve month period and proposed a 2009 update to the original 2008 Procedures. The
UAC recommended that the Council approve the proposed changes to the 2008 Procedures.
Council approved the 2009 changes on October 5, 2009 (CMR:390:09). In March of 2010, the
Utilities Customer E-Service (UCES) system with the "My Utilities Account" (MUA) web portal
was activated. Cyber-security precautions were designed and implemented for the consumer
online systems.
This 2010 report provides a summary of CPAU red flag events during the last reporting period,
October 2009 through September 2010, and proposes changes to the 2009 Procedures.
DISCUSSION
The FACT Act utilizes red flags to highlight areas of possible risk for identity theft. These red
flags are defined as patterns, practices or specific activities that can indicate the possible
existence of identity theft. The following provides the report of the red flag incidents over the
past twelve months.
Summary of Red Flag Incidents during the last reporting period:
• There have been no known external attempts to penetrate or compromise the Utilities
Customer Care and Service (customer information) or the Utilities Customer
E-Service/My Utilities Account (online) systems.
• The City's SAP Project Management Office (PMO) discovered that authorized users of
the SAP Utilities Customer Care and Service system could access unmasked customer
data tables containing Drivers License, Passport, Social Security, bank account and
federal Tax Identification numbers through certain SAP query functions. The PMO
disabled the query function access to the data tables within 24 hours. There was no public
access to confidential data, any potential access was limited to authorized SAP users, and
there was no indication that the query function had ever been used by authorized SAP
system users to view the confidential data.
Staff has requested that SAP provide a detailed list of all Utilities Customer Care and
Service functions and transactions that can access customer confidential data tables in
order to refine the restrictions on access to the data.
• Two incidents occurred where a consumer wanted to use another individual's credit card
to pay their Utilities account. Staff was unable to validate ownership of the credit card
through independent contact with the card holder and refused to complete the credit card
transaction. NOTE: When unauthorized credit card use to pay a Utilities bill is reported
by the card holder to staff, staff immediately reports the incident to the Palo Alto Police
Department's Identity Theft Unit for investigation and follow-up.
• One incident occurred wherein the daily credit card slips were submitted for processing
past the end-of-day deadline, but still provided on the operating day. To ensure proper
security and handling of credit card slips, Customer Service Phone Center cash handling
procedures were revised to improve the procedural checks and controls, to increase
physical security of the credit card slips during the day by use of a keyed lockbox, to
eliminate unneeded copies by the shredding of the consumer's copy of the credit card slip
after telephone payments (unless the consumer requests that the credit card slip be mailed
to their billing address), and to secure the credit card transaction on-line customer
information system computer screen so it cannot be viewed by non-Customer Service
staff.
• Copies of efficiency program rebate documents including applications, worksheets and
receipts were being recycled, rather than shredded before recycling. To ensure proper
disposal of customer-specific documents, new procedures have been created requiring the
shredding of customer-specific documents and reports.
There were no other red flag incidents during the last reporting period.
Recommended 2010 Changes to the 2009 "Procedures for Customer Credit Security":
The recommended text changes to the "2009 Procedures Responding to Red Flags" are included
in the draft "Proposed Update of the 2010 Procedures", and shown in italicized format.
Those changes include:
Proposed 2010 Change to the Procedures (Section; Purpose):

• 3,B,1a: A name change is proposed from "Procedures for Customer Credit Security" to "2010 Procedures for Customer Identity and Credit Security" to reflect the importance of, and emphasis on, identity theft as well as credit security.
Purpose: Differentiates annual versions and increases focus on identity theft prevention.

• 3,B,1b: It is proposed that the Procedures for Identity and Credit Security be incorporated into the City of Palo Alto Policy and Procedure 1-35/UTL "Interim Guidelines and Procedures for Protecting Confidential Utilities Information" (Rev. Dec 1997).
Purpose: Ensures consistency in Utilities-related Policies and Procedures.

• 4,C,1e: A bonded, professional shredding company will be retained to destroy all bulk documents containing customer information. Documents awaiting bulk destruction will be kept in a locked receptacle. Documents with red flag data, not being held for bulk destruction, will be shredded on-site, as soon as they are no longer needed by the staff member generating the documents.
Purpose: Enhanced physical security of confidential information.

• 4,C,2d: A firewall installed to protect the SAP UCES portal "My Utilities Account" shall be tested and maintained on an on-going basis.
Purpose: Enhanced electronic security of Utilities online customer portal.

• 4,C,3a: Strict role definitions, limiting the potential of access or theft of information via stolen password or City staff ID, will be maintained. Access to changes to customer accounts will be limited to the specific roles reviewed and authorized quarterly.
Purpose: Oversight and control of access by authorized staff.

• 4,C,3b: Individual or department access to Utilities customer account data by non-Utilities City staff will be reviewed and approved quarterly by the SAP Project Management Office (PMO) and CPAU management.
Purpose: Oversight and control of access by authorized staff.

• 4,C,3c: Electronic access to selected Utilities customer account data by non-Utilities City staff will be restricted to non-red flag data fields and tables.
Purpose: Oversight and control of access by authorized staff.

• 4,C,3e: Confidential data included in correspondence submitted to the City shall be redacted before being made publicly available.
Purpose: Enhanced physical security of confidential information.

• 5,A,4a: To prevent unauthorized access to red flag data tables, the SAP query functions that had allowed CPAU staff access to non-masked customer confidential data have been disabled.
Purpose: Oversight and control of access by authorized staff.

• 5,A,4b: To prevent unauthorized access to red flag data in a covered account, all electronic "screen shots" of monitor images containing red flag data submitted to the IT Helpdesk by staff to illustrate account problems will be stored in a secure electronic folder with staff access restricted by authorized SAP role.
Purpose: Enhanced electronic security of Utilities red flag data.

• 5,A,4c: Access to the archived BANNER customer information database will continue to be limited to staff having an authorized SAP role. To prevent unauthorized access to red flag data in an archived covered account, all red flag data has been deleted in BANNER (prior Utilities Customer Information System), including Social Security Numbers (SSN), and the confidential Customer Notes section has been deleted.
Purpose: Oversight and control of access by authorized staff.

• 5,A,4d: Full encryption of credit card numbers in SAP Production, Testing and Development environments is required.
Purpose: Enhanced electronic security of Utilities red flag data.

• 5,B,1d: Utilities customer Social Security Numbers, Tax Identification Numbers, credit card numbers and expiration and bank drafting information will be masked on all three CCS and UCES software Production, Test, and Development platforms.
Purpose: Enhanced electronic security of Utilities red flag data.

• 5,B,3a: Incidents of possible customer identity theft shall be reported to the PAPD within 24 hours.
Purpose: Enhanced security of red flag data.

• 5,B,4b: Copies of customer credit card slips (when paid by phone) shall be shredded, unless mailed to the customer at their request.
Purpose: Enhanced physical security of confidential information.

• 5,B,4c: Customer data printouts, reports, efficiency applications, worksheets, receipts, and bills generated in the IT Test or Development systems will be shredded.
Purpose: Enhanced physical security of confidential information.

• 5,B,4d: To ensure proper security and handling of credit card slips, Customer Service Phone Center staff will use a keyed lockbox for storage.
Purpose: Enhanced physical security of confidential information.

• 5,B,4e: To secure credit card transactions, the computer terminal used for credit card transaction payment processing in the Customer Service Phone Center will be secured so it cannot be viewed by non-Customer Service staff.
Purpose: Enhanced physical security of confidential information.

• 4,C,4b: CPAU will continue to recommend residential and commercial deposits policies to Council which utilize the provisions of the California Public Utilities Code, allowing each utility to establish accounts and furnish service based solely upon the creditworthiness of the applicant as determined by the utility.
Purpose: Maintains current status. Identifies process for Utilities deposit policies.

• 4,C,4c: CPAU will not utilize commercially available consumer credit reports to establish deposits. Section 311 of the FACT Act requires a creditor to provide consumers with a risk-based pricing notice when, based in whole or in part on the consumer's credit report, the creditor grants, extends or otherwise provides credit to the consumer on "material terms that are materially less favorable than the most favorable terms it grants to a substantial portion of its other customers."
Purpose: Maintains current status. Eliminates a red flag requirement without increasing risk to the Utilities.

• 5,D,1a: Other Departments in the City, wishing to have online access to Utilities customer account information to determine residency, verify program applicability, determine dates for permitting, etc., will be restricted in their ability to view customer red flag data, and will not be able to make changes to the data in the system.
Purpose: Enhanced physical and electronic security of Utilities red flag data.

• 5,D,2a: Other Departments in the City, wishing to have "hard copy" reports of Utilities customer information will be unable to have printouts containing customer red flag information.
Purpose: Enhanced physical security of confidential information.

• 5,D,3a: Employees of Green Waste Recovery shall be permitted electronic access to the Utilities CCS system pursuant to the contract with the City for solid waste services.
Purpose: Restricts red flag data to staff with authorized roles. Codifies customer identity theft prevention requirements by Green Waste staff having access to Utilities red flag billing information.
RESOURCE IMPACT
Costs to implement the "2010 Procedures for Customer Identity and Credit Security" are
included in the Utilities Operating Budget, or the Technology Fund Operating and Capital
Budgets for maintenance and enhancement of the SAP Utilities Customer E-Service and
Customer Care and Service systems.
ENVIRONMENTAL REVIEW
The program does not constitute a project under the California Environmental Quality Act
pursuant to California Public Resources Code Section 21065; therefore, no environmental
assessment is required.
ATTACHMENT
A: Proposed "2010 Procedures for Customer Identity and Credit Security"
PREPARED BY: TOM AUZENNE, Assistant Director, Customer Support Services
DEPARTMENT HEAD: VALERIE O. FONG, Director of Utilities
Attachment A
DRAFT
City of Palo Alto Utilities
"2010 Procedures for
Customer Identity and Credit Security"
Proposed Changes are Italicized in Red
Proposed Effective Date: November 1, 2010
2010 Procedures for
Customer Identity and Credit Security
SECTION / PAGE
1. Policy Statement ... 3
2. Utilities Identity and Credit Theft Prevention Program ... 4
   A. Definitions
   B. The Red Flag Rule
   C. Identity and Credit Theft Program Adoption (the Procedures)
   D. Requirements of the Procedures
3. Administration of the Procedures for Customer Identity and Credit Security ... 6
   A. Palo Alto City Council
   B. Director of Utilities
   C. Executive Leadership Team
4. Customer Identity and Credit Information, Systems and Access ... 7
   A. Classification of Information
   B. Utilities Customer Information Systems
   C. Identity and Credit Information Access
5. Identification, Detection, Response and Mitigation of Red Flags ... 10
   A. Customer Service
   B. Billing and Payment
   C. Credit and Collection
   D. Other City Departments
1. Policy Statement
The City of Palo Alto shall ensure that proprietary and confidential Utilities customer
information is secure from identity theft as required by law and business practice.
The Fair Credit Reporting Act, 15 United States Code, Section 1681 et seq., was amended to
include the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159),
hereinafter referred to as the FACT Act. The FACT Act requires those businesses and
organizations which can affect consumer credit to create a formal program to detect, prevent,
respond to and mitigate potential identity theft before December 31, 2010.
2. Utilities Identity and Credit Theft Prevention Program
The Fair and Accurate Credit Transaction Act of 2003 (FACT Act) requires those entities
which can affect consumer credit to create a formal identity theft prevention program to
detect, prevent and mitigate identity theft before December 31, 2010.
A. Definitions
The "Red Flag Rule" is a set of United States federal regulations that require certain
businesses and organizations identified as "creditors" to develop and implement
documented plans to protect consumers from identity theft.
"Identity theft" means a fraud committed using the identifying information of another
person.
A "creditor" is any entity that regularly extends, renews, or continues credit; any entity
that regularly arranges for the extension, renewal, or continuation of credit; or any
assignee of an original creditor who is involved in the decision to extend, renew, or
continue credit. Accepting credit cards as a form of payment does not in and of itself
make an entity a creditor. Creditors include finance companies, automobile dealers,
mortgage brokers, utility companies, and telecommunications companies. Where
non-profit and government entities defer payment for goods or services, they, too, are to be
considered creditors. Only those financial institutions and creditors that offer or maintain
"covered accounts" must develop and implement a written Program.
A "covered account" is either: an account primarily for personal, family, or household
purposes; that involves or is designed to permit multiple payments or transactions, such
as a credit card account, mortgage loan, car loan, margin account, cell phone account,
utility account, checking account, or savings account; or any other account for which
there is a reasonably foreseeable risk to customers or creditor from identity theft.
An "Identity Theft Report" alleges an identity theft; is a copy of an official, valid report
filed by a consumer with an appropriate Federal, State, or local law enforcement agency,
including the United States Postal Inspection Service; and, subjects the person filing the
report to criminal penalties relating to the filing of false information if, in fact, the
information in the report is false.
B. Red Flag Rule
There are a total of twenty-six individual red flags comprising the Red Flag Rule, with
five categories of common red flags:
1. Alerts, notifications, and warnings from a credit reporting company, including
address discrepancies.
2. Suspicious documents that look like they have been altered or forged, or where the
information or description does not match the applicant or customer.
3. Suspicious personal identifying information, including inconsistent data.
4. Suspicious account activity, including name changes, unauthorized charges or address
changes for credits or refunds.
5. Notification by another source, including a customer, another victim of identity theft,
a law enforcement authority, or other person regarding an account having an Identity
Theft Report completed, or other notice that an account may have been compromised
by identity theft.
C. Identity and Credit Theft Prevention Program Adoption (the Procedures)
The City Council of Palo Alto adopted the Utilities Department formal identity theft
prevention program, the "Procedures for Customer Credit Security" on September 3,
2008. The Procedures focus on red flags, defined as patterns, practices, or specific
activities that indicate the possible existence of identity theft on a covered account.
On September 2, 2009, Staff provided the Utilities Advisory Commission (UAC) with a
summary of red flag events that occurred during the prior twelve month reporting period,
and proposed 2009 updates to the original 2008 Procedures. The UAC recommended that
the Council approve the proposed changes to the 2008 Procedures. Council approved the
2009 changes on October 5, 2009 (CMR: 390:09).
D. Requirements of the Procedures
The Procedures were designed to:
1. Identify red flags for covered accounts and incorporate those red flags into the
program
2. Detect red flags that have been incorporated into the Procedures
3. Respond appropriately to any red flags that are detected
4. Mitigate the occurrence of identity or credit theft
5. Ensure the Procedures are updated annually, to reflect the changes in identity or
credit theft risk
6. Provide for administration and update of the Procedures with red flags identified and
incorporated into specific operational and transactional policies and procedures for
City departments with access to confidential Utilities customer data.
3. Administration of the Identity and Credit Theft Procedures
A. Palo Alto City Council
The City Council shall review the "Procedures for Identity and Credit Security"
(Procedures) annually, and adopt appropriate changes to meet the requirements of the
FACT Act.
B. Director of Utilities
The Director of Utilities shall oversee implementation of the Procedures in conformance
with the FACT Act. Implementation of the Procedures will provide for specific
responsibility of oversight, reports, and material changes to the Procedures.
The Director shall submit an annual report to the Utilities Advisory Commission and City
Council providing an update on the identification, detection, response and mitigation of
Red Flag issues occurring during the reporting period, and recommending the business,
organizational, and security changes to the Council needed to keep the Procedures
current. Recommended changes to the Procedures shall be based on experience with
identification, detection, prevention and mitigation of identity and credit theft; changes in
types of customer accounts offered; and, changes in business practices.
1. For 2010, there are two recommended Administrative changes proposed:
a) A name change is proposed from "Procedures for Customer Credit Security"
to "2010 Procedures for Customer Identity and Credit Security" to reflect the
importance of, and emphasis on, identity theft as well as credit security.
b) It is proposed that the 2010 Procedures for Identity and Credit Security be
incorporated into the City of Palo Alto Policy and Procedure 1-35/UTL
"Interim Guidelines and Procedures for Protecting Confidential Utilities
Information" (Rev. Dec 1997).
C. Executive Leadership Team
If potential or actual physical or electronic theft of customer identity or credit occurs, the
Directors of the Utilities, Administrative Services, and Public Works Departments shall
work with the City Attorney, City Auditor and the Palo Alto Police Department, as
appropriate, to mitigate the threat.
4. Customer Identity and Credit Information, Systems and Access
A. Classification of Information
1. Customer Identity Information
Customer identity and credit information subject to theft includes name, address, account
number, Social Security Number, spouse or secondary account holder identification,
contact information, credit information, log-ins and passwords.
2. Customer Financial Information
Customer financial information subject to theft includes payment history, deposit
information, payment transaction records, extended payment arrangements, credit card
numbers, voided check information, and bank account numbers.
B. Utilities Customer Information Systems
1. Historical Customer Identification and Financial Information
Current and prior customer information resides in BANNER, the CPAU predecessor to
SAP. This database has been retained for archival purposes, and this information could be
subject to theft.
2. SAP Utilities Customer Care and E-Services
On May 4, 2009, the City implemented a new SAP-based Utilities Customer Care and
Service (U-CCS) information system. In March of 2010, the Utilities Customer E-Service
(UCES) system with the "My Utilities Account" (MUA) web portal was activated.
Confidential Utilities Customer information is retained in the U-CCS and Utilities
Customer E-Service (U-CES) online information system, and this information could be
subject to theft.
Implementation of the U-CCS requires ongoing review and modification of the business
practices, policies and procedures for protecting consumer identity and credit information
in Utilities Customer Service, Billing and Payment, Credit and Collection, and other City
departments. Cyber-security precautions were created prior and subsequent to the
implementation of the online customer e-service system. Cyber-security enhancements
are also made on an ongoing basis to assure that access to customer identity and credit
data is properly restricted to authorized staff.
C. Identity and Credit Information Access
1. Securing Identity and Credit Information within the SAP Utilities Customer Care and
Service (U-CCS) System
Unique numbers are used to establish credit, manage customer account security, identify
customers, and permit collection action after disconnection for non-payment. This
information is required under Utilities Rule and Regulations #4 "Application for
Service." Refusal to provide the required information will terminate the CPAU
"Application for Service" process.
a. Upon opening, transferring or closing customer accounts, current customer billing
procedures require the applicant (and spouse or secondary account holder if the
account is opened in both names) to provide either his/her/their Social Security
Numbers (SSN) or Driver's License Numbers (DLN). For residential customers, if
the SSN or DLN is not available, the identification requirement defaults to the U.S.
customer's passport number. These numbers will be masked except for the last four
digits.
b. For commercial customers, the required identification is the Tax Identification
Numbers (TIN). TINs will be masked except for the last four digits.
c. City staff access to customer Utilities information will be SAP role-specific,
allowing certain functions within the system to be accessible. Role assignments will
be made based upon review and approval by the SAP Project Management Office
(PMO), the Utilities Department, and the Administrative Services Department.
Financial functions of particular roles include, but are not limited to: establishment
and refund of deposits; billing adjustments; payment reversals; cancellation of bills;
and write-off of outstanding balances. Roles and responsibilities will be reviewed
quarterly by CPAU management and the PMO, with the intent to limit the number
of staff having access to sensitive customer identity and financial data.
d. Staff will review documents to ensure that only customer name, and correct mailing
or service address, are displayed in any mail-merged documents or mailing labels.
e. A bonded, professional shredding company will be retained to destroy all bulk
documents containing customer billing information. Documents awaiting bulk
destruction will be kept in a locked receptacle. Documents with red flag data, not
being held for bulk destruction, will be shredded on-site, as soon as they are no
longer needed by the staff member generating the documents.
f. All payment and operational transactions within each customer account will be
monitored and tracked by the SAP internal audit function.
g. Staff roles and authorizations for the unmasking and transmission of customer
Social Security Numbers to the City's collection agency will be restricted and
monitored.
2. Securing Identity and Credit Information within the SAP Utilities Customer E-Service
(U-CES) System
In order to access account information online, customers must create a user name and
password. These are controlled by the customer, and the Utilities Customer E-Service
(U-CES) account is accessed via the "My Utilities Account" (MUA) web portal.
Customer accessible information includes: the name(s) on the account, billing and service
addresses associated with the account, consumption data; meter reads; dates of service;
charges; billing adjustments; and payment history. Customers can conduct a limited
number of on-line transactions, including modifying their e-mail addresses, establishing
or updating a phone number, and sending a customer note to CPAU staff regarding
account information. The U-CES system permits the linking of all accounts for the same
customer to a single customer-created user name and password; viewing and payment of
bills online; printing of monthly bills via an online download; requesting a move-out,
online self-enrollment in bank drafting; making single-transaction credit card payments;
communicating with CPAU staff via email, and reviewing bank draft transactions.
a. Failure by the authorized account-holder to designate alternative parties to access
their account information (spouse, domestic partner, or other third-party) will
restrict account access to either the customer, or court-ordered estate executor.
b. The Terms and Conditions and Frequently Asked Questions sections for
cyber-security, customer access, and use of the online My Utilities Account system will be
updated immediately after changes are implemented.
c. Notification of CPAU by the authorized account holder that their identity or credit
information has been compromised or stolen will result in termination of external
online access to the affected account until such time as the account can be
re-established by the customer.
d. A firewall installed to protect the SAP UCES portal "My Utilities Account" shall be
tested and maintained on an on-going basis.
3. Non-Utilities City Staff Access to Customer Red Flag Data
a. Strict role definitions, limiting the potential of access or theft of information via
stolen password or City staff ID, will be maintained. Access to changes to customer
accounts will be limited to the specific roles, reviewed and authorized quarterly.
b. Individual or department access to Utilities customer account data by non-Utilities
City staff will be reviewed and approved quarterly by the SAP Project Management
Office (PMO) and CPAU management.
c. Electronic access to selected Utilities customer account data by non-Utilities City
staff will be restricted to non-red flag data fields and tables.
d. Audit trails will be kept for financial transactions within the U-CCS and U-CES
systems and include, but not be limited to, reversed transactions, account credits and
refunds, and physical refund checks.
e. Confidential data included in correspondence submitted to the City shall be redacted
before being made publicly available.
5. Identification, Detection, Response and Mitigation of Red Flags
The 2009 Procedures for Customer Credit Security are already in place to protect customer
identity and credit information from theft. Some of the Procedures that apply are initiated by
CPAU staff, while others apply when customers access their own account information. The
"Procedures" are utilized during the opening, access, billing and collection of payments, and the
transfer or closing of customer accounts. They also apply as customer accounts and associated
records are internally accessed.
Any identification, detection or awareness by CPAU of a Red Flag incident would result in an
investigative response and mitigation effort on the part of Utilities, and may include contact with
an appropriate law enforcement agency on behalf of a CPAU customer, or self-reporting by an
existing CPAU customer. CPAU will determine whether to freeze access to the customer account
information, or initiate a review of staff access of account information to verify the
appropriateness of that access.
A. CUSTOMER SERVICE
1. Identifying Red Flags
a) To validate the identity of the prospective covered account holder, a Utilities
account will not be opened, changed or closed without submittal of the Red
Flag data required to determine the identity of the account holder. Customer
failure to provide a Social Security Number, Driver's License Number, Tax
Identification Number, or Passport Number will terminate the account
initiation process.
• Utilities Rule and Regulation 4, "Application for Service"
b) Utilities Customer Service, Credit and Collection, and Billing staffs will
include the Procedures for Identity and Credit Security in their Policies and
Procedures.
• Utilities Customer Support Services Division Requirement
c) Utilities Customer Service, Credit and Collection, and Billing staffs will
conduct annual training in the Procedures for all staff members.
• Utilities Customer Support Services Division Requirement
2. Detecting Red Flags
a) To prevent unauthorized access to a Covered Account, a Utilities account will
be subject to investigation and frozen for transactions in the event of
presentation of suspicious documents for program application or discounts,
determination of a compromised customer password, notices from banking
institutions of unauthorized charges to an account, and/or notices from
consumer reporting agencies on customer credit freezes.
• City Policy and Procedure 1-35/UTL, "Interim Guidelines and
Procedures for Protecting Confidential Utilities Information"
• Utilities Customer Service Requirement
3. Responding to Red Flags
a) Customer reports of identity or credit card theft provided to Customer Service
will be routed to the Palo Alto Police Department's Identity Theft Section for
completion of the Identity Theft Report Form. Customers contacting the
PAPD to report an incident of identity or credit card theft will be routed to
Customer Service, so that the customer's Covered Account Red Flag data can
be secured.
• Utilities Customer Service Requirement
4. Mitigating Red Flags
a) To prevent unauthorized access to red flag data tables, the SAP query
functions that had allowed CPAU staff access to non-masked customer
confidential data have been disabled.
b) To prevent unauthorized access to red flag data in a covered account, all
electronic "screen shots" of monitor images containing red flag data
submitted to the IT Helpdesk by staff to illustrate account problems will be
stored in a secure electronic folder with staff access restricted by authorized
SAP role.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
c) Access to the archived BANNER customer information database will continue
to be limited to staff having an authorized SAP role. To prevent unauthorized
access to Red Flag data in an archived Covered Account, all Red Flag data
has been deleted in BANNER (prior Utilities Customer Information System),
including Social Security Numbers (SSN), and the confidential Customer
Notes section has been deleted.
d) Full encryption of credit card numbers in SAP Production, Testing and
Development environments is required.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
B. BILLING AND PAYMENT
Customers may self-report instances of identity or credit theft; notice may be made
by law enforcement agencies of identity or credit theft; inaccurate information may be
provided by customers for bank draft payments of Utilities bills; reports may be
received of compromised internal credit card security; reports may be received of
compromised internal checking account (bank draft) security; and reports may be
received of compromised external third-party payment vendor security (reported by
customer or vendor).
1. Identifying Red Flags
The Utilities customer credit card information has been encrypted in conformance
with Payment Card Industry (PCI) Standards.
a) Utilities customer credit card information will not be stored on the same
server that houses the portal that customers use to access their account data.
b) Activation of the "role" for access to the encrypted data table will be restricted
to three Information Technology staff members who are responsible for data
management of the Utilities SAP system, and who take direction from the
PMO (but are not part of the PMO). Once access to the encrypted data table is
approved by the PMO, and then activated, only an expert programmer familiar
with the SAP programming language and the encryption protocol will be
authorized to decrypt the data. Thus, access to the credit card data will be
protected by three levels of security.
c) For quality control purposes, all access to the table containing the encrypted
data will be continuously monitored and tracked by the SAP audit function.
d) Utilities customer Social Security Numbers, Tax Identification Numbers,
credit card numbers and expiration and bank drafting information will be
masked on all three CCS and UCES software production, test, and
development platforms.
e) Customers choosing to pay by bank draft will submit voided checks which are
kept in a locked cabinet with access restricted to the Manager, Customer
Service and Meter Reading, and the Customer Service Specialist-Lead, and
maintained in accordance with the City's Records Retention Policy.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
2. Detecting Red Flags
a) Receipts produced for credit card payments only contain the last four digits of
the credit card, and as an added precaution, expiration date information is not
included on the receipt.
• City of Palo Alto Cash Handling Procedures
• Utilities Customer Service Desk Procedures
3. Responding to Red Flags
Customer Service has worked with the PAPD to update the existing PAPD Identity
Theft Report Form. This update includes the contact information for CPAU
Customer Service and requests the individual completing the document to contact
CPAU to report the identity or credit problem, so that the customer's Utilities account
information can be secured.
a) Incidents of possible customer identity theft shall be reported to the PAPD
within 24 hours.
• Utilities Customer Service Requirement
4. Mitigating Red Flags
a) Verification of SAP credit card handling of encrypted storage, masked display
and access tracking will be provided to the City Auditor.
• Project Management Office (PMO) Requirement
b) Copies of customer credit card slips (when paid by phone) shall be shredded,
unless mailed to the customer at their request.
c) Customer data printouts, reports, efficiency applications, worksheets,
receipts, and bills generated in the IT Test or Development systems will be
shredded.
d) To ensure proper security and handling of credit card slips, Customer Service
Phone Center staff will use a keyed lockbox for storage.
e) To secure credit card transactions, the computer terminal used for credit card
transaction payment processing in the Customer Service Phone Center will be
secured so it cannot be viewed by non-Customer Service staff.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
C. CREDIT AND COLLECTION
1. Identifying Red Flags
Identification of Red Flag events in the Credit and Collections process will include:
a) Failure to internally pursue payment of outstanding debt on a covered account
b) Failure by Collection Agency to pursue outstanding debt on a covered account
c) Change in billing address for reimbursement of deposits or payment credits
without a change in service address.
• Utilities Credit and Collection/Bad Debt Process
2. Mitigating Red Flags
a) Customer security deposits will be manually and electronically established
and tracked.
b) CPAU will continue to recommend residential and commercial deposits
policies to Council which utilize the provisions of the California Public
Utilities Code, allowing each utility to establish accounts and furnish service
based solely upon the creditworthiness of the applicant as determined by the
utility.
c) CPAU will not utilize commercially available consumer credit reports to
establish deposits. Section 311 of the FACT Act requires a creditor to provide
consumers with a risk-based pricing notice when, based in whole or in part on
the consumer's credit report, the creditor grants, extends or otherwise
provides credit to the consumer on "material terms that are materially less
favorable than the most favorable terms it grants to a substantial portion of its
other customers."
• Utilities Credit and Collection/Bad Debt Procedures
D. OTHER CITY DEPARTMENTS
1. Identifying Red Flags
a) Other Departments in the City, wishing to have online access to Utilities
customer account information to determine residency, verify program
applicability, determine dates for permitting, etc., will be restricted in their
ability to view customer Red Flag data, and will not be able to make changes
to the data in the system.
2. Detecting Red Flags
a) Other Departments in the City, wishing to have "hard copy" reports of
Utilities customer information will be unable to have printouts containing
customer Red Flag information.
3. Responding to Red Flags
a) Employees of Green Waste Recovery shall be permitted electronic access to
the Utilities CCS system pursuant to the contract with the City for solid waste
services.
ATTACHMENT D
EXCERPTED DRAFT MINUTES OF UTILITIES ADVISORY COMMISSION
Meeting of October 6, 2010
NEW BUSINESS
ITEM 1: ACTION: Update of 2009 FACT Act 2003 Procedures
Assistant Director Tom Auzenne summarized the report, which requested that the UAC
recommend that Council approve the proposed 2010 changes to the CPAU 2009 "Procedures for
Customer Credit Security" (Procedures) to comply with Federal Trade Commission regulations for
the "Fair and Accurate Credit Transactions (FACT) Act of 2003." All covered business and
organizational entities, including utilities, must comply with this federal legislation by 12/31/2010.
Originally adopted by Council in 2008, the Procedures identify the actions taken by CPAU to
identify, detect, respond to, and mitigate specific activities that could indicate an instance of identity
or credit theft. Each year, instances where customer identity or credit security could have been
compromised are identified, CPAU responses and mitigation measures are described, and future
enhancements to the Procedures are proposed.
Commissioner Eglash asked about procedures for protecting sensitive data and credit card
numbers. Staff responded that "Red Flag Data" is only stored on secured servers (not on laptops),
with restricted access, encryption and fire walls. Further, the City does retain credit card numbers,
but these are only available to three city personnel and the credit card security numbers are not
retained.
ACTION:
Commissioner Foster moved, and Commissioner Cook seconded, that the UAC recommend that
the City Council adopt a resolution to approve the proposed 2010 changes to the City of Palo Alto
Utilities (CPAU) 2009 "Procedures for Customer Credit Security" (Procedures) to comply with
regulations issued by the Federal Trade Commission in the Fair and Accurate Credit Transactions
Act (FACT) of 2003. The motion passed unanimously (7-0).