Newhall County Water District N. Pine Street P.O. Box Santa Clarita, CA Telephone: (661) Facsimile: (661)

Transcription

1 Newhall County Water District N. Pine Street P.O. Box Santa Clarita, CA Telephone: (661) Facsimile: (661) AGENDA ITEM E3 TO: FROM: Governing Board of Directors Stephen L. Cole, General Manager DATE: November 12, 2015 SUBJECT: Annual Report and Review of Identity Theft Prevention Program Appendix X Identity Theft Prevention Policy PURPOSE: Annual review of the District s Identity Theft Prevention Program and report of any Red Flag events in compliance with regulations issued by the Federal Trade Commission ( FTC ). FACTS: Appendix X Identity Theft Prevention Policy, adopted October, 2013, covers the FTC regulations that require creditors holding consumer or other covered accounts to develop and implement an identity theft prevention program and provide for the detection of and response to specific activities ( Red Flags ) that could be related to identify theft. A covered account is defined by the FTC as any account where customer payment information is collected in order to bill for services rendered. Appendix X also outlines specific steps to identify relevant patterns, practices and specific activities which alert staff of potential Red Flags. These Red Flags could signal possible identity theft relating to information maintained in customers accounts and would require prompt response to prevent or mitigate identity theft. One specific step is that a credit check is required for new customers to verify identity, and credit worthiness, and does not impact their credit. In accordance with the programs provision, staff completed its annual review and determined that no changes to the FTC regulations have been made, and there were no Red Flag events for fiscal year 2014/2015. RECOMMENDATION: Board of Directors receive and file. Page 1 of 1

2 Table of Contents Section Page # s 1.0 INTRODUCTION Purpose IDENTITY THEFT POLICY Adopted Procedures RED FLAGS Red Flag Identifiers Notifications of Potential Fraud PREVENT OR MITIGATE IDENTITY THEFT General Identity Theft Prevention Measures District Customer Service Staff Procedures POLICY ADMINISTRATION AND OVERSIGHT Management Process...4 EXHIBIT 1 - General Agreement for Red Flag Rules Protected Information Agreement NCWD Policies, Rules and Regulations Page i of i Rev. 10/2013

3 1.0 INTRODUCTION This establishes a policy to comply with regulations issued by the Federal Trade Commission (FTC) as part of the implementation of the Fair and Accurate Credit Transaction (FACT) Act of On October 9, 2008, the District adopted Resolution Adopting an Identity Theft Prevention Program in compliance with the FACT Act. This policy replaces Resolution , which is being rescinded concurrently herewith. 1.1 Purpose The FACT Act requires financial institutions and creditors implement written programs which provide for the detection of and response to specific activities ( Red Flags ) which could be related to identity theft. This policy complies with FTC regulations which require creditors holding consumer or other covered accounts to develop and implement an identity theft prevention program. The FTC regulations require that the program must be established to: 1. Identify relevant patterns, practices and specific activities (referred to in this Policy as Red Flags ) which signal possible identity theft relating to information maintained in the District s customers accounts, both those currently existing and those accounts to be established in the future. 2. Detect Red Flags. 3. Respond promptly and appropriately to detected Red Flags to prevent or mitigate identity theft relating to District customer account information. 4. Ensure the Program is updated periodically to reflect any necessary changes. NCWD Policies, Rules and Regulations Page 1 of 4 Rev. 10/2013

4 2.0 IDENTITY THEFT POLICY 2.1 Adopted Procedures 3.0 RED FLAGS 1. A new applicant which applies for water service is required to sign an application form allowing the District to perform a credit check. This is utilized to verify his/her identity prior to establishing a water service account. 2. Upon a request by a current customer to change his/her billing information, the District requires the information in writing, or by or fax. This allows NCWD to have written documentation attached to the customer s account to verify the change and avert any potential identity theft. 3. The District utilizes a secure third-party payment processor to accept all customer credit card and electronic check payments. The District does not store credit card information. 4. All rental properties are required to have both renter and owner apply for water service as co-applicants. 3.1 Red Flag Identifiers 1. A customer does not provide required identification documents when attempting to establish a utility account, make a payment or establish a direct debit account. 2. Name on application does not match name given by customer on account. 3. A person attempts to open an account with suspicious proof of identity. 4. A customer refuses to provide proof of identity when discussing an established water service account. 5. A person, other than the account holder, requests information about or asks to make changes to an established water service account. 6. A person, other than the account holder, requests personal information contained on the account. 7. An unauthorized employee requests access to the water service billing system or information about a utility account. NCWD Policies, Rules and Regulations Page 2 of 4 Rev. 10/2013

5 3.2 Notifications of Potential Fraud 1. A customer notifies the District of any of the following activities: a. Water service statements are not being received. b. Unauthorized changes to a water service account. 2. The District is notified by a victim of identity theft or by a member of law enforcement that a water service account has been opened for a person engaged in identity theft. 4.0 PREVENT OR MITIGATE IDENTITY THEFT 4.1 General Identity Theft Prevention Measures 1. All current applications for service and related information upon receipt, are scanned then shredded. 2. Accounts will not be opened for purported customers with suspicious personal identifying information. 3. No personal information is given on customer accounts without verification of identity such as: a. Password (customer requested account set-up with a password) b. Last four (4) digits of Social Security or Driver's license number or visual verification of customer's identity. 7. Internal passwords for access to the water service billing program are changed on a quarterly basis. 8. Security on server "Watchguard Firewall" provides for security protection against hackers to the District computer software. 9. Third party vendors which receive customer account information are required to sign the NCWD General Agreement for Red Flag Rules Protected Information Agreement or sign a mutually agreeable contract which includes their information and security requirements to protect the District's customer information as required by the Red Flag Rules. 10. A current list of vendors which have access or have received customer account information is maintained by the District. 11. Upon dissolution of vendor services, the vendor is required to return, purge and/or destroy any District or customer information in their possession. NCWD Policies, Rules and Regulations Page 3 of 4 Rev. 10/2013

6 4.2 District Customer Service Staff Procedures 1. Report Red Flags to the Customer Service and Water Efficiency Coordinator and/or Director of Finance/Administration. 2. When a customer reports fraudulent activity, work with the customer to make necessary changes to the account, such as: a. Connect/disconnect service b. Customer deactivate automatic payments c. Update personal information on the water service account d. Update account notes to document the fraudulent activity 3. If fraudulent activity has been determined, notify the General Manager and/or Director of Finance/Administration and, if appropriate, the Los Angeles County Sheriff's Department at (661) If a major incident occurs such as stolen records or unauthorized access to a customer's account, notify the General Manager and/or Director of Finance/Administration, and if appropriate, the Los Angeles County Sheriff's Department at (661) POLICY ADMINISTRATION AND OVERSIGHT The policy will be reviewed at least annually and will be updated as needed based on experience with identity theft, changes to the programs offered to NCWD customers, implementation of new systems and/or vendor contracts and other such activities. District staff is required to prepare an annual report which addresses the effectiveness of the policy, documents significant incidents involving identity theft and actions taken and includes recommendations for material changes to the program. 5.1 Management Process 1. The Customer Service Water Efficiency Conservation Coordinator will oversee the daily activities related to identity theft and prevention and will ensure all District staff are trained to detect and respond to Red Flags. 2. The Director of Finance/Administration will review the annual report and the General Manager will approve recommended changes to the policy, annually and on an ongoing basis. NCWD Policies, Rules and Regulations Page 4 of 4 Rev. 10/2013

7 NEWHALL COUNTY WATER DISTRICT GENERAL AGREEMENT FOR RED FLAG RULES PROTECTED INFORMATION AGREEMENT This GENERAL AGREEMENT (GA) is made and entered into this day of, 20, by and between NEWHALL COUNTY WATER DISTRICT ("District") and ("Vendor"). A. RED FLAG RULES 1. Vendor is aware of the Fair and Accurate Credit Transactions ( FACT ) Act of 2003 and the resulting rules and regulations promulgated by the Federal Trade Commission, whether now or in the future, commonly referred to as Red Flag Rules. 2. Vendor has implemented Red Flag policies and procedures to ensure the protection of information obtained from the District in conjunction with professional or other services provided to the District. This includes, among other things, actions to ensure all customer information obtained directly or indirectly from the District is protected and maintained in a confidential and secure manner. B. CONFIDENTIALITY 1. Vendor shall not disclose, publish, or authorize others to disclose or publish customer information, District personnel information, or other information of the type and nature described under FACT Act, to which the Vendor has had access during the term of this GA without express written consent of the District. 2. Upon expiration or other termination of the GA, the Vendor shall return, purge and/or destroy any District or customer information in Vendor s possession. C. AGREEMENT 1. In the event that Vendor has an existing GA for Professional Services with the District, this GA for Red Flag Rules is supplemental to the GA for Professional Services. If there is no other existing agreement between Vendor and the District, this GA for Red Flag Rules shall constitute the entire agreement between Vendor and the District. Vendor: Address: By: Title: Print Name: Phone: Date: ===================================================================================== NEWHALL COUNTY WATER DISTRICT N. Pine Street P.O. Box Santa Clarita CA By: Title: Print Name: Date: Appendix X Exhibit 1 Rev. 10/2013