City of Palo Alto (ID # 6231)
City Council Staff Report

Report Type: Consent Calendar
Meeting Date: 2/8/2016

Summary Title: 2016 Update of the Utilities 2010 Procedures for Customer Identity and Credit Security

Title: Staff Recommendation That the City Council Adopt a Resolution Approving the “2016 Procedures for Customer Identity and Credit Security”

From: City Manager
Lead Department: Utilities

RECOMMENDED MOTION
Staff recommends that Council consider the following motion: The Council hereby adopts a resolution approving the Utilities Department’s “2016 Procedures for Customer Identity and Credit Security”.

RECOMMENDATION
Staff recommends that Council adopt a resolution approving the “2016 Procedures for Customer Identity and Credit Security” (the Procedures).

EXECUTIVE SUMMARY
Since the original adoption of the Procedures in 2008, and subsequent updates reflecting changes to Utilities business practices after implementation of SAP in 2009, there have not been any verified instances of theft of CPAU customer identity or credit information, or substantive changes required to the Procedures.

The proposed 2016 update to the 2010 Procedures:
• Appoints the City Manager (rather than Council) as the Administrator of the Identity and Credit Security Program (Program) and the Procedures for Customer Identity and Credit Security (Procedures);
• Authorizes the Administrator (rather than Council) to be responsible for oversight, development, implementation, reporting, and future revisions of the Program and Procedures; and,
• Authorizes the Administrator to coordinate the data security provisions of the Program and Procedures with the Information Technology Department’s requirements for the Information Security Policy and Information Privacy Policy.

DISCUSSION
There are multiple state and federal mandates supporting cybersecurity, identity theft protection and response, and consumer credit security. Enacted over the past several years, they target business and consumer data, financial infrastructure, data access, online and physical controls, staff training, security breaches, incident management and organizational compliance.

The City of Palo Alto adopted a formal program for customer identity and credit theft protection in 2008 (Procedures). These guidelines and actions were designed to correspond with the patterns, practices or specific identity and credit security activities identified by the “Fair and Accurate Credit Transactions Act of 2003” (FACT Act) that could indicate the possible existence of CPAU customer identity theft.

The purpose of the FACT Act legislation was to provide consumers with additional tools to fight the growing crimes of identity and credit theft. The FACT Act required City of Palo Alto Utilities Department (CPAU) to create a formal program for the identification, detection, response and mitigation of specific business practices (or “red flags”) that could indicate an instance of identity theft impacting CPAU customers. CPAU complies with the requirements of the FACT Act, because it continues to qualify as a “creditor” under federal regulations (service in advance of payment).

The proposed reassignment of duties better reflects the administrative and operational nature of the required responsibilities. While retaining interdepartmental checks and balances and citywide consistency, delegation of responsibility clarifies roles and facilitates program modifications that may be needed to address future threats.

NEXT STEPS
The City Manager will assume administration of the Procedures, and staff will continue to review CPAU business processes, report compliance with FACT Act requirements, and incorporate improvements for customer identity and credit security into future updates of the Procedures.

RESOURCE IMPACT
There is no impact on Utilities sales, revenues or budgets.

POLICY IMPLICATIONS
Adoption by Resolution will update the “2010 Procedures for Customer Identity and Credit Security,” and delegate future oversight and administrative functions for the “2016 Procedures” to the City Manager.

ENVIRONMENTAL REVIEW
Council’s adoption of a resolution updating the Procedures does not meet the definition of a project, pursuant to Section 21065 of the California Environmental Quality Act, thus no environmental review is required.

Attachments:
• Attachment A: Draft 2016 Procedures for Customer Identity and Credit Security - CLEAN Version (PDF)
• Attachment B: Draft 2016 Procedures for Customer Identity and Credit Security - REDLINED Version (PDF)
• Attachment C: Draft Resolution Adopting the 2016 Procedures for Identity and Credit Security (PDF)

ATTACHMENT A

City of Palo Alto Utilities
DRAFT 2016 Procedures for Customer Identity and Credit Security
Proposed Effective Date: February 8, 2016

2016 Procedures for Customer Identity and Credit Security

SECTION
1. Policy Statement
2. Utilities Identity and Credit Theft Prevention
   A. Definitions
   B. The Red Flag Rule
   C. Identity and Credit Theft Program Adoption (Procedures)
   D. Requirements of the Procedures
3. Administration of the Procedures for Customer Identity and Credit Security
4. Customer Identity and Credit Information, Systems and Access
   A. Classification of Information
   B. Utilities Customer Information Systems
   C. Identity and Credit Information Access
5.
Identification, Detection, Response and Mitigation of Red Flags
   A. Customer Service
   B. Billing and Payment
   C. Credit and Collection
   D. Other City Departments
End

1. Policy Statement

The City of Palo Alto shall ensure that proprietary and confidential Utilities customer information is secure from identity theft as required by law and business practice.

The Fair Credit Reporting Act, 15 United States Code, Section 1681 et seq., was amended to include the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159), hereinafter referred to as the FACT Act. The FACT Act requires those businesses and organizations which can affect consumer credit to create a formal program to detect, prevent, respond and mitigate potential identity theft before December 31, 2010.

2. Utilities Identity and Credit Theft Prevention

The Fair and Accurate Credit Transaction Act of 2003 (FACT Act) requires those entities which can affect consumer credit to create a formal identity theft prevention program to detect, prevent and mitigate identity theft before December 31, 2010.

A. Definitions

The “Red Flag Rule” is a set of United States federal regulations that require certain businesses and organizations identified as “creditors” to develop and implement documented plans to protect consumers from identity theft.

“Identity theft” means a fraud committed using the identifying information of another person.

A “creditor” is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor.
Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.

Only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program. A "covered account" is either: an account primarily for personal, family, or household purposes; that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, car loan, margin account, cell phone account, utility account, checking account, or savings account; or any other account for which there is a reasonably foreseeable risk to customers or creditor from identity theft.

An “Identity Theft Report” alleges an identity theft; is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency, including the United States Postal Inspection Service; and, subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false.

B. Red Flag Rule

There are a total of twenty-six individual red flags comprising the Red Flag Rule, with five categories of common red flags:

1. Alerts, notifications, and warnings from a credit reporting company, including address discrepancies.
2. Suspicious documents that look like they have been altered or forged, or that the information or description does not match the applicant or customer.
3. Suspicious personal identifying information, including inconsistent data.
4. Suspicious account activity, including name changes, unauthorized charges or address changes for credits or refunds.
5.
Notification by another source, including a customer, another victim of identity theft, a law enforcement authority, or other person regarding an account having an Identity Theft Report completed, or other notice that an account may have been compromised by identity theft.

C. Identity and Credit Theft Program Adoption (Procedures)

The City Council of Palo Alto adopted the Utilities Department formal identity and credit theft prevention program entitled “Procedures for Customer Credit Security” (Procedures) on September 3, 2008. The Procedures focus on red flags, defined as patterns, practices, or specific activities that indicate possible existence of identity theft on a covered account.

D. Requirements of the Procedures

The Procedures were designed to:

1. Identify red flags for covered accounts and incorporate those red flags into the Procedures
2. Detect red flags that have been incorporated into the Procedures
3. Respond appropriately to any red flags that are detected
4. Mitigate the occurrence of identity or credit theft
5. Ensure the Procedures are updated annually, to reflect the changes in identity or credit theft risk
6. Provide for administration and update of the Procedures with red flags identified and incorporated into specific operational and transactional policies and procedures for City departments with access to confidential Utilities customer data.

3. Administration of the Procedures for Customer Identity and Credit Security

The Palo Alto City Council shall provide for the continued administration of the Procedures. This includes:

1. Approval of the initial written Procedures by Council;
2. Designating the City Manager as Administrator for oversight, development, implementation and administration of the Procedures;
3. As Administrator for the Procedures, the City Manager shall, pursuant to 12 CFR Sec. 41.90 of the FACT Act:
   a.
   assign specific responsibility for the implementation of the Procedures; review annual reports prepared by staff regarding Utilities compliance with the provisions of the FACT Act;
4. Having Utilities staff coordinate the data security provisions of the Procedures with the Information Technology Department’s requirements for the Information Security Policy and Information Privacy Policy;
5. Train staff, as necessary, to effectively implement the Procedures;
6. Exercise appropriate and effective oversight of service provider arrangements; and
7. Approve material changes to the Procedures as necessary to address changing identity and credit theft risk (Section 6(a) (3)).

If actual physical or electronic theft of customer identity or credit occurs, the Directors of the Utilities, Information Technology, and Administrative Services Departments shall work with the City Manager’s Office, City Attorney, City Auditor and the Palo Alto Police Department, as appropriate, to mitigate the threat.

4. Customer Identity and Credit Information, Systems and Access

A. Classification of Information

1. Customer Identity Information
   Customer identity and credit information subject to theft includes name, address, account number, Social Security Number, spouse or secondary account holder identification, contact information, credit information, log-ins and passwords.

2. Customer Financial Information
   Customer financial information subject to theft includes payment history, deposit information, payment transaction records, extended payment arrangements, credit card numbers, voided check information, and bank account numbers.

B. Utilities Customer Information Systems

1. Historical Customer Identification and Financial Information
   Current and prior customer information resides in BANNER, the CPAU predecessor to SAP. This database has been retained for archival purposes, and this information could be subject to theft.

2.
SAP Utilities Customer Care and E-Services
   On May 4, 2009, the City implemented a new SAP-based Utilities Customer Care and Service (U-CCS) information system. In March of 2010, the Utilities Customer E-Service (UCES) system with the “My Utilities Account” (MUA) web portal was activated. Confidential Utilities Customer information is retained in the U-CCS and Utilities Customer E-Service (U-CES) online information system, and this information could be subject to theft.

   Implementation of the U-CCS requires ongoing review and modification of the business practices, policies and procedures for protecting consumer identity and credit information in Utilities Customer Service, Billing and Payment, Credit and Collection, and other City departments.

   Cyber-security precautions were created prior and subsequent to the implementation of the online customer e-service system. Cyber-security enhancements are also made on an ongoing basis to assure that access to customer identity and credit data is properly restricted to authorized staff.

C. Identity and Credit Information Access

1. Securing Identity and Credit Information within the SAP Utilities Customer Care and Service (U-CCS) System

   a. Unique numbers are used to establish credit, manage customer account security, identify customers, and permit collection action after disconnection for non-payment. This information is required under Utilities Rule and Regulations #4 “Application for Service.” Refusal to provide the required information will terminate the CPAU “Application for Service” process.

   b. Upon opening, transferring or closing customer accounts, current customer billing procedures require the applicant (and spouse or secondary account holder if the account is opened in both names) to provide either his/her/their Social Security Numbers (SSN) or Driver’s License Numbers (DLN).
      For residential customers, if the SSN or DLN is not available, the identification requirement defaults to the U.S. customer’s passport number. These numbers will be masked except for the last four digits.

   c. For commercial customers, the required identification is the Tax Identification Numbers (TIN). TINs will be masked except for the last four digits.

   d. City staff access to customer Utilities information will be SAP role-specific, allowing certain functions within the system to be accessible. Role assignments will be made based upon review and approval by the SAP Project Management Office (PMO), the Utilities Department, and the Administrative Services Department. Financial functions of particular roles include, but are not limited to: establishment and refund of deposits; billing adjustments; payment reversals; cancellation of bills; and write-off of outstanding balances. Roles and responsibilities will be reviewed quarterly by CPAU management and the PMO, with the intent to limit the number of staff having access to sensitive customer identity and financial data.

   e. Staff will review documents to ensure that only customer name, and correct mailing or service address, are displayed in any mail-merged documents or mailing labels.

   f. A bonded, professional shredding company will be retained to destroy all bulk documents containing customer billing information. Documents awaiting bulk destruction will be kept in a locked receptacle. Documents with red flag data, not being held for bulk destruction, will be shredded on-site, as soon as they are no longer needed by the staff member generating the documents.

   g. All payment and operational transactions within each customer account will be monitored and tracked by the SAP internal audit function.

   h. Staff roles and authorizations for the unmasking and transmission of customer Social Security Numbers to the City’s collection agency will be restricted and monitored.

2. Securing Identity and Credit Information within the SAP Utilities Customer E-Service (U-CES) System

   In order to access account information online, customers must create a user name and password. These are controlled by the customer, and the Utilities Customer E-Service (U-CES) account is accessed via the “My Utilities Account” (MUA) web portal. Customer accessible information includes: the name(s) on the account, billing and service addresses associated with the account, consumption data; meter reads; dates of service; charges; billing adjustments; and payment history. Customers can conduct a limited number of on-line transactions, including modifying their e-mail addresses, establishing or updating a phone number, and sending a customer note to CPAU staff regarding account information.

   The U-CES system permits the linking of all accounts for the same customer to a single customer-created user name and password; viewing and payment of bills online; printing of monthly bills via an online download; requesting a move-out; online self-enrollment in bank drafting; making single-transaction credit card payments; communicating with CPAU staff via email; and reviewing bank draft transactions.

   a. Failure by the authorized account-holder to designate alternative parties to access their account information (spouse, domestic partner, or other third-party) will restrict account access to either the customer, or court-ordered estate executor.

   b. The Terms and Conditions and Frequently Asked Questions sections for cyber-security, customer access, and use of the online My Utilities Account system will be updated immediately after changes are implemented.

   c. Notification of CPAU by the authorized account holder that their identity or credit information has been compromised or stolen will result in termination of external online access to the affected account until such time as the account can be re-established by the customer.

   d.
      A firewall installed to protect the SAP UCES portal “My Utilities Account” shall be tested and maintained on an on-going basis.

3. Non-Utilities City Staff Access to Customer Red Flag Data

   a. Strict role definitions, limiting the potential of access or theft of information via stolen password or City staff ID, will be maintained. Access to changes to customer accounts will be limited to the specific roles, reviewed and authorized quarterly.

   b. Individual or department access to Utilities customer account data by non-Utilities City staff will be reviewed and approved quarterly by the SAP Project Management Office (PMO) and CPAU management.

   c. Electronic access to selected Utilities customer account data by non-Utilities City staff will be restricted to non-red flag data fields and tables.

   d. Audit trails will be kept for financial transactions within the U-CCS and U-CES systems and include, but not be limited to, reversed transactions, account credits and refunds, and physical refund checks.

   e. Confidential data included in correspondence submitted to the City shall be redacted before being made publicly available.

5. Identification, Detection, Response and Mitigation of Red Flags

The “Procedures for Customer Identity and Credit Security” are already in place to protect customer identity and credit information from theft. Some of the Procedures that apply are initiated by CPAU staff, while others apply when customers access their own account information.

The “Procedures” are utilized during the opening, access, billing and collection of payments, and the transfer or closing of customer accounts. They also apply as customer accounts and associated records are internally accessed.

Any identification, detection or awareness by CPAU of a Red Flag incident would result in an investigative response and mitigation effort on the part of Utilities, and may include contact with an appropriate law enforcement agency on behalf of a CPAU customer, or self-reporting by an existing CPAU customer. CPAU will determine whether to freeze access to the customer account information, or initiate a review of staff access of account information to verify the appropriateness of that access.

A. Customer Service

1. Identifying Red Flags

   a) To validate the identity of the prospective covered account holder, a Utilities account will not be opened, changed or closed without submittal of the Red Flag data required to determine the identity of the account holder. Customer failure to provide a Social Security Number, Driver’s License Number, Tax Identification Number, or Passport Number will terminate the account initiation process.
      • Utilities Rule and Regulation 4, “Application for Service”

   b) Utilities Customer Service, Credit and Collection, and Billing staffs will include the Procedures for Identity and Credit Security in their Policies and Procedures.
      • Utilities Customer Support Services Division Requirement

   c) Utilities Customer Service, Credit and Collection, and Billing staffs will conduct annual training in the Procedures for all staff members.
      • Utilities Customer Support Services Division Requirement

2. Detecting Red Flags

   a) To prevent unauthorized access to a Covered Account, a Utilities account will be subject to investigation and frozen for transactions in the event of presentation of suspicious documents for program application or discounts, determination of a compromised customer password, notices from banking institutions of unauthorized charges to an account, and/or notices from consumer reporting agencies on customer credit freezes.
      • City Policy and Procedure 1-35/UTL, “Interim Guidelines and Procedures for Protecting Confidential Utilities Information”
      • Utilities Customer Service Requirement

3. Responding to Red Flags

   a) Customer reports of identity or credit card theft provided to Customer Service will be routed to the Palo Alto Police Department’s Identity Theft Section for completion of the Identity Theft Report Form. Customers contacting the PAPD to report an incident of identity or credit card theft will be routed to Customer Service, so that the customer’s Covered Account Red Flag data can be secured.
      • Utilities Customer Service Requirement

4. Mitigating Red Flags

   a) To prevent unauthorized access to red flag data tables, the SAP query functions that had allowed CPAU staff access to non-masked customer confidential data have been disabled.

   b) To prevent unauthorized access to red flag data in a covered account, all electronic “screen shots” of monitor images containing red flag data submitted to the IT Helpdesk by staff to illustrate account problems will be stored in a secure electronic folder with staff access restricted by authorized SAP role.
      • Business Requirement
      • SAP Project Management Office (PMO) Requirement

   c) Access to the archived BANNER customer information database will continue to be limited to staff having an authorized SAP role. To prevent unauthorized access to Red Flag data in an archived Covered Account, all Red Flag data has been deleted in BANNER (prior Utilities Customer Information System), including Social Security Numbers (SSN), and the confidential Customer Notes section has been deleted.

   d) Full Encryption of credit card numbers in SAP Production, Testing and Development environments is required.
      • Business Requirement
      • SAP Project Management Office (PMO) Requirement

B.
Billing And Payment

Customers may self-report instances of identity or credit theft; notice may be made by law enforcement agencies of identity or credit theft; inaccurate information may be provided by customers for bank draft payments of Utilities bills; reports may be received of compromised internal credit card security; reports may be received of compromised internal checking account (bank draft) security; and reports may be received of compromised external third-party payment vendor security (reported by customer or vendor).

1. Identifying Red Flags

   The Utilities customer credit card information has been encrypted in conformance with Payment Card Industry (PCI) Standards.

   a) Utilities customer credit card information will not be stored on the same server that houses the portal that customers use to access their account data.

   b) Activation of the "role" for access to the encrypted data table will be restricted to three Information Technology staff members who are responsible for data management of the Utilities SAP system, and who take direction from the PMO (but are not part of the PMO). Once access to the encrypted data table is approved by the PMO, and then activated, only an expert programmer familiar with the SAP programming language and the encryption protocol will be authorized to decrypt the data. Thus, access to the credit card data will be protected by three levels of security.

   c) For quality control purposes, all access to the table containing the encrypted data will be continuously monitored and tracked by the SAP audit function.

   d) Utilities customer Social Security Numbers, Tax Identification Numbers, credit card numbers and expiration and bank drafting information will be masked on all three CCS and UCES software production, test, and development platforms.

   e) Customers choosing to pay by bank draft will submit voided checks which are kept in a locked cabinet with access restricted to the Manager, Customer Service and Meter Reading, and the Customer Service Specialist-Lead, and maintained in accordance with the City’s Records Retention Policy.
      • Business Requirement
      • SAP Project Management Office (PMO) Requirement

2. Detecting Red Flags

   a) Receipts produced for credit card payments only contain the last four digits of the credit card, and as an added precaution, expiration date information is not included on the receipt.
      • City of Palo Alto Cash Handling Procedures
      • Utilities Customer Service Desk Procedures

3. Responding to Red Flags

   Customer Service has worked with the Palo Alto Police Department (PAPD) to update the existing PAPD Identity Theft Report Form. This update includes the contact information for CPAU Customer Service and requests the individual completing the document to contact CPAU to report the identity or credit problem, so that the customer’s Utilities account information can be secured.

   a) Incidents of possible customer identity theft shall be reported to the PAPD within 24 hours.
      • Utilities Customer Service Requirement

4. Mitigating Red Flags

   a) Verification of SAP credit card handling of encrypted storage, masked display and access tracking will be provided to the City Auditor.
      • Project Management Office (PMO) Requirement

   b) Copies of customer credit card slips (when paid by phone) shall be shredded, unless mailed to the customer at their request.

   c) Customer data printouts, reports, efficiency applications, worksheets, receipts, and bills generated in the IT Test or Development systems, will be shredded.

   d) To ensure proper security and handling of credit card slips, Customer Service Phone Center staff will use a keyed lockbox for storage.

   e) To secure credit card transactions, the computer terminal used for credit card transaction payment processing in the Customer Service Phone Center will be secured so it cannot be viewed by non-Customer Service staff.
      • Business Requirement
      • SAP Project Management Office (PMO) Requirement

C. Credit And Collection

1. Identifying Red Flags

   Identification of Red Flag events in the Credit and Collections process will include:

   a) Failure to internally pursue payment of outstanding debt on a covered account
   b) Failure by Collection Agency to pursue outstanding debt on a covered account
   c) Change in billing address for reimbursement of deposits or payment credits without a change in service address.
      • Utilities Credit and Collection/Bad Debt Process

2. Mitigating Red Flags

   a) Customer security deposits will be manually and electronically established and tracked.

   b) CPAU will continue to recommend residential and commercial deposits policies to Council which utilize the provisions of the California Public Utilities Code, allowing each utility to establish accounts and furnish service based solely upon the creditworthiness of the applicant as determined by the utility.

   c) CPAU will not utilize commercially available consumer credit reports to establish deposits. Section 311 of the FACT Act requires a creditor to provide consumers with a risk-based pricing notice when, based in whole or in part of the consumer’s credit report, the creditor grants, extends or otherwise provides credit to the consumer on “material terms that are materially less favorable than the most favorable terms it grants to a substantial portion of its other customers.”
      • Utilities Credit and Collection/Bad Debt Process

D. Other City Departments

1.
Identifying Red Flags

   a) Other Departments in the City, wishing to have online access to Utilities customer account information to determine residency, verify program applicability, determine dates for permitting, etc., will be restricted in their ability to view customer Red Flag data, and will not be able to make changes to the data in the system.

2. Detecting Red Flags

   a) Other Departments in the City, wishing to have “hard copy” reports of Utilities customer information will be unable to have printouts containing customer Red Flag information.

3. Responding to Red Flags

   a) Employees of GreenWaste Recovery shall be permitted electronic access to the Utilities CCS system pursuant to the contract with the City for solid waste services.

{End}

ATTACHMENT B

City of Palo Alto Utilities
DRAFT 2010 2016 Procedures for Customer Identity and Credit Security Security
Effective Date: November 1, 2010
Proposed Effective Date: February 8, 2016

2010 2016 Procedures for Customer Identity and Credit Security

SECTION
1. Policy Statement
2. Utilities Identity and Credit Theft Prevention Program
   A. Definitions
   B. The Red Flag Rule
   C. Identity and Credit Theft Program Adoption (Procedures)
   D. Requirements of the Procedures
3. Administration of the Procedures for Customer Identity and Credit Security
   A. Palo Alto City Council
   B. Director of Utilities
   C. Executive Leadership Team
4. Customer Identity and Credit Information, Systems and Access
   A. Classification of Information
   B. Utilities Customer Information Systems
   C. Identity and Credit Information Access
5. Identification, Detection, Response and Mitigation of Red Flags
   A. Customer Service
   B. Billing and Payment
   C. Credit and Collection
   D.
Other City Departments

1. Policy Statement

The City of Palo Alto shall ensure that proprietary and confidential Utilities customer information is secure from identity theft as required by law and business practice.

The Fair Credit Reporting Act, 15 United States Code, Section 1681 et seq., was amended to include the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159), hereinafter referred to as the FACT Act. The FACT Act requires those businesses and organizations which can affect consumer credit to create a formal program to detect, prevent, respond and mitigate potential identity theft before December 31, 2010.

2. Utilities Identity and Credit Theft Prevention Program

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) requires those entities which can affect consumer credit to create a formal identity theft prevention program to detect, prevent and mitigate identity theft before December 31, 2010.

A. Definitions

The “Red Flag Rule” is a set of United States federal regulations that require certain businesses and organizations identified as “creditors” to develop and implement documented plans to protect consumers from identity theft.

“Identity theft” means a fraud committed using the identifying information of another person.

A “creditor” is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program.

A "covered account" is either: an account primarily for personal, family, or household purposes; that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, car loan, margin account, cell phone account, utility account, checking account, or savings account; or any other account for which there is a reasonably foreseeable risk to customers or creditor from identity theft.

An “Identity Theft Report” alleges an identity theft; is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency, including the United States Postal Inspection Service; and, subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false.

B. Red Flag Rule

There are a total of twenty-six individual red flags comprising the Red Flag Rule, with five categories of common red flags:
1. Alerts, notifications, and warnings from a credit reporting company, including address discrepancies.
2. Suspicious documents that look like they have been altered or forged, or that the information or description does not match the applicant or customer.
3. Suspicious personal identifying information, including inconsistent data.
4. Suspicious account activity, including name changes, unauthorized charges or address changes for credits or refunds.
5.
Notification by another source, including a customer, another victim of identity theft, a law enforcement authority, or other person regarding an account having an Identity Theft Report completed, or other notice that an account may have been compromised by identity theft.

C. Identity and Credit Theft Prevention Program Adoption (the Procedures)

The City Council of Palo Alto adopted the Utilities Department formal identity and credit theft prevention program entitled the “Procedures for Customer Credit Security” (Procedures) on September 3, 2008. The Procedures focus on red flags, defined as patterns, practices, or specific activities that indicate possible existence of identity theft on a covered account.

On September 2, 2009, Staff provided the Utilities Advisory Commission (UAC) with a summary of red flag events that occurred during the prior twelve-month reporting period, and proposed 2009 updates to the original 2008 Procedures. The UAC recommended that the Council approve the proposed changes to the 2008 Procedures. Council approved the 2009 changes on October 5, 2009 (CMR: 390:09).

D. Requirements of the Procedures

The Procedures were designed to:
1. Identify red flags for covered accounts and incorporate those red flags into the Procedures
2. Detect red flags that have been incorporated into the Procedures
3. Respond appropriately to any red flags that are detected
4. Mitigate the occurrence of identity or credit theft
5. Ensure the Procedures are updated annually, to reflect the changes in identity or credit theft risk
6. Provide for administration and update of the Procedures with red flags identified and incorporated into specific operational and transactional policies and procedures for City departments with access to confidential Utilities customer data.

3.
Administration of the Procedures for Customer Identity and Credit Security

A. Palo Alto City Council

The City Council shall review the “Procedures for Identity and Credit Security” (Procedures) annually, and adopt appropriate changes to meet the requirements of the FACT Act.

B. Director of Utilities

The Director of Utilities shall oversee implementation of the Procedures in conformance with the FACT Act. Implementation of the Procedures will provide for specific responsibility of oversight, reports, and material changes to the Procedures. The Director shall submit an annual report to the Utilities Advisory Commission and City Council providing an update on the identification, detection, response and mitigation of Red Flag issues occurring during the reporting period, and recommending the business, organizational, and security changes to the Council needed to keep the Procedures current. Recommended changes to the Procedures shall be based on experience with identification, detection, prevention and mitigation of identity and credit theft; changes in types of customer accounts offered; and, changes in business practices.

C. Executive Leadership Team

The Palo Alto City Council shall provide for the continued administration of the Procedures. This includes:
1. Approval of the initial written Procedures by Council;
2. Designating the City Manager as Administrator for oversight, development, implementation and administration of the Procedures;
3. As Administrator for the Procedures, the City Manager shall, pursuant to 12 CFR Sec. 41.90 of the FACT Act:
a. assign specific responsibility for the implementation of the Procedures;
b. review annual reports prepared by staff regarding Utilities compliance with the provisions of the FACT Act;
c. have Utilities staff coordinate the data security provisions of the Procedures with the Information Technology Department’s requirements for the Information Security Policy and Information Privacy Policy;
d.
train staff, as necessary, to effectively implement the Procedures;
e. exercise appropriate and effective oversight of service provider arrangements; and
f. approve material changes to the Procedures as necessary to address changing identity and credit theft risk (Section 6(a)(3)).

If potential or actual physical or electronic theft of customer identity or credit occurs, the Directors of the Utilities, Information Technology, Administrative Services, and Public Works Departments shall work with the City Manager’s Office, City Attorney, City Auditor and the Palo Alto Police Department, as appropriate, to mitigate the threat.

4. Customer Identity and Credit Information, Systems and Access

A. Classification of Information

1. Customer Identity Information
Customer identity and credit information subject to theft includes name, address, account number, Social Security Number, spouse or secondary account holder identification, contact information, credit information, log-ins and passwords.

2. Customer Financial Information
Customer financial information subject to theft includes payment history, deposit information, payment transaction records, extended payment arrangements, credit card numbers, voided check information, and bank account numbers.

B. Utilities Customer Information Systems

1. Historical Customer Identification and Financial Information
Current and prior customer information resides in BANNER, the CPAU predecessor to SAP.
This database has been retained for archival purposes, and this information could be subject to theft.

2. SAP Utilities Customer Care and E-Services
On May 4, 2009, the City implemented a new SAP-based Utilities Customer Care and Service (U-CCS) information system. In March of 2010, the Utilities Customer E-Service (UCES) system with the “My Utilities Account” (MUA) web portal was activated. Confidential Utilities Customer information is retained in the U-CCS and Utilities Customer E-Service (U-CES) online information system, and this information could be subject to theft.

Implementation of the U-CCS requires ongoing review and modification of the business practices, policies and procedures for protecting consumer identity and credit information in Utilities Customer Service, Billing and Payment, Credit and Collection, and other City departments. Cyber-security precautions were created prior and subsequent to the implementation of the online customer e-service system. Cyber-security enhancements are also made on an ongoing basis to assure that access to customer identity and credit data is properly restricted to authorized staff.

C. Identity and Credit Information Access

1. Securing Identity and Credit Information within the SAP Utilities Customer Care and Service (U-CCS) System
a. Unique numbers are used to establish credit, manage customer account security, identify customers, and permit collection action after disconnection for non-payment. This information is required under Utilities Rule and Regulations #4 “Application for Service.” Refusal to provide the required information will terminate the CPAU “Application for Service” process.
b. Upon opening, transferring or closing customer accounts, current customer billing procedures require the applicant (and spouse or secondary account holder if the account is opened in both names) to provide either his/her/their Social Security Numbers (SSN) or Driver’s License Numbers (DLN). For residential customers, if the SSN or DLN is not available, the identification requirement defaults to the U.S. customer’s passport number. These numbers will be masked except for the last four digits.
c. For commercial customers, the required identification is the Tax Identification Numbers (TIN). TINs will be masked except for the last four digits.
d. City staff access to customer Utilities information will be SAP role-specific, allowing certain functions within the system to be accessible. Role assignments will be made based upon review and approval by the SAP Project Management Office (PMO), the Utilities Department, and the Administrative Services Department. Financial functions of particular roles include, but are not limited to: establishment and refund of deposits; billing adjustments; payment reversals; cancellation of bills; and write-off of outstanding balances. Roles and responsibilities will be reviewed quarterly by CPAU management and the PMO, with the intent to limit the number of staff having access to sensitive customer identity and financial data.
e. Staff will review documents to ensure that only customer name, and correct mailing or service address, are displayed in any mail-merged documents or mailing labels.
f. A bonded, professional shredding company will be retained to destroy all bulk documents containing customer billing information. Documents awaiting bulk destruction will be kept in a locked receptacle. Documents with red flag data, not being held for bulk destruction, will be shredded on-site, as soon as they are no longer needed by the staff member generating the documents.
g. All payment and operational transactions within each customer account will be monitored and tracked by the SAP internal audit function.
h. Staff roles and authorizations for the unmasking and transmission of customer Social Security Numbers to the City’s collection agency will be restricted and monitored.

2. Securing Identity and Credit Information within the SAP Utilities Customer E-Service (U-CES) System

In order to access account information online, customers must create a user name and password. These are controlled by the customer, and the Utilities Customer E-Service (U-CES) account is accessed via the “My Utilities Account” (MUA) web portal.

Customer accessible information includes: the name(s) on the account, billing and service addresses associated with the account, consumption data; meter reads; dates of service; charges; billing adjustments; and payment history. Customers can conduct a limited number of on-line transactions, including modifying their e-mail addresses, establishing or updating a phone number, and sending a customer note to CPAU staff regarding account information.

The U-CES system permits the linking of all accounts for the same customer to a single customer-created user name and password; viewing and payment of bills online; printing of monthly bills via an online download; requesting a move-out; online self-enrollment in bank drafting; making single-transaction credit card payments; communicating with CPAU staff via email; and reviewing bank draft transactions.
a.
Failure by the authorized account-holder to designate alternative parties to access their account information (spouse, domestic partner, or other third-party) will restrict account access to either the customer, or court-ordered estate executor.
b. The Terms and Conditions and Frequently Asked Questions sections for cyber-security, customer access, and use of the online My Utilities Account system will be updated immediately after changes are implemented.
c. Notification of CPAU by the authorized account holder that their identity or credit information has been compromised or stolen will result in termination of external online access to the affected account until such time as the account can be re-established by the customer.
d. A firewall installed to protect the SAP UCES portal “My Utilities Account” shall be tested and maintained on an on-going basis.

3. Non-Utilities City Staff Access to Customer Red Flag Data
a. Strict role definitions, limiting the potential of access or theft of information via stolen password or City staff ID, will be maintained. Access to changes to customer accounts will be limited to the specific roles, reviewed and authorized quarterly.
b. Individual or department access to Utilities customer account data by non-Utilities City staff will be reviewed and approved quarterly by the SAP Project Management Office (PMO) and CPAU management.
c. Electronic access to selected Utilities customer account data by non-Utilities City staff will be restricted to non-red flag data fields and tables.
d. Audit trails will be kept for financial transactions within the U-CCS and U-CES systems and include, but not be limited to, reversed transactions, account credits and refunds, and physical refund checks.
e. Confidential data included in correspondence submitted to the City shall be redacted before being made publicly available.

5.
Identification, Detection, Response and Mitigation of Red Flags

The 2009 “Procedures for Customer Identity and Credit Security” are already in place to protect customer identity and credit information from theft. Some of the Procedures that apply are initiated by CPAU staff, while others apply when customers access their own account information. The “Procedures” are utilized during the opening, access, billing and collection of payments, and the transfer or closing of customer accounts. They also apply as customer accounts and associated records are internally accessed.

Any identification, detection or awareness by CPAU of a Red Flag incident would result in an investigative response and mitigation effort on the part of Utilities, and may include contact with an appropriate law enforcement agency on behalf of a CPAU customer, or self-reporting by an existing CPAU customer. CPAU will determine whether to freeze access to the customer account information, or initiate a review of staff access of account information to verify the appropriateness of that access.

A. Customer Service

1. Identifying Red Flags
a) To validate the identity of the prospective covered account holder, a Utilities account will not be opened, changed or closed without submittal of the Red Flag data required to determine the identity of the account holder. Customer failure to provide a Social Security Number, Driver’s License Number, Tax Identification Number, or Passport Number will terminate the account initiation process.
• Utilities Rule and Regulation 4, “Application for Service”
b) Utilities Customer Service, Credit and Collection, and Billing staffs will include the Procedures for Identity and Credit Security in their Policies and Procedures.
• Utilities Customer Support Services Division Requirement
c) Utilities Customer Service, Credit and Collection, and Billing staffs will conduct annual training in the Procedures for all staff members.
• Utilities Customer Support Services Division Requirement

2. Detecting Red Flags
a) To prevent unauthorized access to a Covered Account, a Utilities account will be subject to investigation and frozen for transactions in the event of presentation of suspicious documents for program application or discounts, determination of a compromised customer password, notices from banking institutions of unauthorized charges to an account, and/or notices from consumer reporting agencies on customer credit freezes.
• City Policy and Procedure 1-35/UTL, “Interim Guidelines and Procedures for Protecting Confidential Utilities Information”
• Utilities Customer Service Requirement

3. Responding to Red Flags
a) Customer reports of identity or credit card theft provided to Customer Service will be routed to the Palo Alto Police Department’s Identity Theft Section for completion of the Identity Theft Report Form. Customers contacting the PAPD to report an incident of identity or credit card theft will be routed to Customer Service, so that the customer’s Covered Account Red Flag data can be secured.
• Utilities Customer Service Requirement

4. Mitigating Red Flags
a) To prevent unauthorized access to red flag data tables, the SAP query functions that had allowed CPAU staff access to non-masked customer confidential data have been disabled.
b) To prevent unauthorized access to red flag data in a covered account, all electronic “screen shots” of monitor images containing red flag data submitted to the IT Helpdesk by staff to illustrate account problems will be stored in a secure electronic folder with staff access restricted by authorized SAP role.
• Business Requirement
• SAP Project Management Office (PMO) Requirement
c) Access to the archived BANNER customer information database will continue to be limited to staff having an authorized SAP role.
To prevent unauthorized access to Red Flag data in an archived Covered Account, all Red Flag data has been deleted in BANNER (prior Utilities Customer Information System), including Social Security Numbers (SSN), and the confidential Customer Notes section has been deleted.
d) Full encryption of credit card numbers in SAP Production, Testing and Development environments is required.
• Business Requirement
• SAP Project Management Office (PMO) Requirement

B. Billing And Payment

Customers may self-report instances of identity or credit theft; notice may be made by law enforcement agencies of identity or credit theft; inaccurate information may be provided by customers for bank draft payments of Utilities bills; reports may be received of compromised internal credit card security; reports may be received of compromised internal checking account (bank draft) security; and reports may be received of compromised external third-party payment vendor security (reported by customer or vendor).

1. Identifying Red Flags
The Utilities customer credit card information has been encrypted in conformance with Payment Card Industry (PCI) Standards.
a) Utilities customer credit card information will not be stored on the same server that houses the portal that customers use to access their account data.
b) Activation of the "role" for access to the encrypted data table will be restricted to three Information Technology staff members who are responsible for data management of the Utilities SAP system, and who take direction from the PMO (but are not part of the PMO). Once access to the encrypted data table is approved by the PMO, and then activated, only an expert programmer familiar with the SAP programming language and the encryption protocol will be authorized to decrypt the data.
Thus, access to the credit card data will be protected by three levels of security.
c) For quality control purposes, all access to the table containing the encrypted data will be continuously monitored and tracked by the SAP audit function.
d) Utilities customer Social Security Numbers, Tax Identification Numbers, credit card numbers and expiration and bank drafting information will be masked on all three CCS and UCES software production, test, and development platforms.
e) Customers choosing to pay by bank draft will submit voided checks which are kept in a locked cabinet with access restricted to the Manager, Customer Service and Meter Reading, and the Customer Service Specialist-Lead, and maintained in accordance with the City’s Records Retention Policy.
• Business Requirement
• SAP Project Management Office (PMO) Requirement

2. Detecting Red Flags
a) Receipts produced for credit card payments only contain the last four digits of the credit card, and as an added precaution, expiration date information is not included on the receipt.
• City of Palo Alto Cash Handling Procedures
• Utilities Customer Service Desk Procedures

3. Responding to Red Flags
Customer Service has worked with the Palo Alto Police Department (PAPD) to update the existing PAPD Identity Theft Report Form. This update includes the contact information for CPAU Customer Service and requests the individual completing the document to contact CPAU to report the identity or credit problem, so that the customer’s Utilities account information can be secured.
a) Incidents of possible customer identity theft shall be reported to the PAPD within 24 hours.
• Utilities Customer Service Requirement

4. Mitigating Red Flags
a) Verification of SAP credit card handling of encrypted storage, masked display and access tracking will be provided to the City Auditor.
• Project Management Office (PMO) Requirement
b) Copies of customer credit card slips (when paid by phone) shall be shredded, unless mailed to the customer at their request.
c) Customer data printouts, reports, efficiency applications, worksheets, receipts, and bills generated in the IT Test or Development systems, will be shredded.
d) To ensure proper security and handling of credit card slips, Customer Service Phone Center staff will use a keyed lockbox for storage.
e) To secure credit card transactions, the computer terminal used for credit card transaction payment processing in the Customer Service Phone Center will be secured so it cannot be viewed by non-Customer Service staff.
• Business Requirement
• SAP Project Management Office (PMO) Requirement

C. Credit And Collection

1. Identifying Red Flags
Identification of Red Flag events in the Credit and Collections process will include:
a) Failure to internally pursue payment of outstanding debt on a covered account
b) Failure by Collection Agency to pursue outstanding debt on a covered account
c) Change in billing address for reimbursement of deposits or payment credits without a change in service address.
• Utilities Credit and Collection/Bad Debt Process

2. Mitigating Red Flags
a) Customer security deposits will be manually and electronically established and tracked.
b) CPAU will continue to recommend residential and commercial deposits policies to Council which utilize the provisions of the California Public Utilities Code, allowing each utility to establish accounts and furnish service based solely upon the creditworthiness of the applicant as determined by the utility.
c) CPAU will not utilize commercially available consumer credit reports to establish deposits.
Section 311 of the FACT Act requires a creditor to provide consumers with a risk-based pricing notice when, based in whole or in part on the consumer’s credit report, the creditor grants, extends or otherwise provides credit to the consumer on “material terms that are materially less favorable than the most favorable terms it grants to a substantial portion of its other customers.”
• Utilities Credit and Collection/Bad Debt Process

D. Other City Departments

1. Identifying Red Flags
a) Other Departments in the City, wishing to have online access to Utilities customer account information to determine residency, verify program applicability, determine dates for permitting, etc., will be restricted in their ability to view customer Red Flag data, and will not be able to make changes to the data in the system.

2. Detecting Red Flags
a) Other Departments in the City, wishing to have “hard copy” reports of Utilities customer information will be unable to have printouts containing customer Red Flag information.

3. Responding to Red Flags
a) Employees of GreenWaste Recovery shall be permitted electronic access to the Utilities CCS system pursuant to the contract with the City for solid waste services.

{End}

NOT YET APPROVED
160114 jb 6053669

Resolution No. _____

Resolution of the Council of the City of Palo Alto Approving the City of Palo Alto Utilities 2016 Procedures for Customer Identity and Credit Security

RECITALS

A. Federal Trade Commission (FTC) regulations under the Fair and Accurate Credit Transactions Act (FACT Act) of 2003 require entities which can affect consumer credit to create a Security program to detect, prevent, and mitigate identity theft.

B. A public utility such as the City of Palo Alto Utilities is considered such an entity because it offers or maintains a type of consumer account covered under the FACT Act.

C.
Council adopted the City of Palo Alto Utilities original “Procedures for Customer Credit Security” (Procedures) via Resolution No. 8857 on September 15, 2008.

D. There have not been any verified instances of Utilities customer identity or credit theft since the adoption of the 2010 Procedures.

NOW, THEREFORE, the Council of the City of Palo Alto RESOLVES as follows:

SECTION 1. The Council hereby adopts the City of Palo Alto Utilities “2016 Procedures for Customer Identity and Credit Security.”

ATTACHMENT C

SECTION 2. The Council finds that the adoption of this resolution does not constitute a project under Section 21065 of the California Environmental Quality Act and the CEQA Guidelines and, therefore, no environmental assessment is required.

INTRODUCED AND PASSED:
AYES:
NOES:
ABSENT:
ABSTENTIONS:

ATTEST:
__________________________ City Clerk
_____________________________ Mayor

APPROVED AS TO FORM:
___________________________ Deputy City Attorney

APPROVED:
_____________________________ City Manager
_____________________________ Director of Utilities
_____________________________ Director of Administrative Services