HomeMy WebLinkAboutCity of Tamarac Resolution R-2009-048Temp. Reso. # 11596 - 3/25/09
Page 1
CITY OF TAMARAC, FLORIDA
RESOLUTION NO. R-2009- Yr
A RESOLUTION OF THE CITY COMMISSION OF THE
CITY OF TAMARAC, FLORIDA, ADOPTING THE IDENTITY
THEFT PREVENTION PROGRAM FOR THE CITY OF
TAMARAC WATER AND SEWER UTILITY; PROVIDING
FOR CONFLICTS; PROVIDING FOR SEVERABILITY; AND
PROVIDING AN EFFECTIVE DATE.
WHEREAS, the Federal Trade Commission (FTC) has established an Identity
Theft Red Flags Rule; and
WHEREAS, the rule requires utilities to develop an "Identity Theft Prevention
Program" that consists of selecting methods to detect red flags when accounts are
fraudulent, procedures to prevent the establishment of false accounts, procedures to
ensure existing accounts are not being manipulated, and procedures to respond to
identity theft; and
WHEREAS, all utilities are required to comply with the FTC's "Identity Theft Red
Flag Rule" even if only nominal information such as name, phone number and address
are collected; and
WHEREAS, the primary purpose of the rule is to protect against the
establishment of false accounts and ensure existing accounts are not being
manipulated; and
WHEREAS, the City of Tamarac is desirous of complying with the FTC's Identity
Theft Red Flags Rule; and
WHEREAS, the Identity Theft Prevention Program for the City of Tamarac Water
and Sewer Utility, attached hereto as Exhibit "A", has been prepared for said purpose;
and
Temp. Reso. # 11596 - 3/25/09
Page 2
WHEREAS, input was received from the Parks and Recreation, Information
Technology, City Clerk's Office, Utilities, and Finance Departments for the City of
Tamarac in developing the Identity Theft Prevention Program for the City of Tamarac
Water and Sewer Utility; and
WHEREAS, the Director of Parks and Recreation recommends the adoption and
implementation of the proposed Identity Theft Prevention Program for City of Tamarac
Water and Sewer Utility; and
WHEREAS, the City Commission of the City of Tamarac, Florida, deems it to be
in the best interest of the citizens and residents of the City of Tamarac to adopt the
proposed Identity Theft Prevention Program for City of Tamarac Water and Sewer
Utility.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION OF THE
CITY OF TAMARAC, FLORIDA:
SECTION 1: The foregoing "WHEREAS" clauses are hereby ratified and
confirmed as being true and correct and are hereby made a specific part of this
resolution. All exhibits attached hereto are hereby incorporated herein by this reference.
SECTION 2: The Identity Theft Prevention Program for City of Tamarac Water and
Sewer Utility, attached hereto as Exhibit "A", is HEREBY ADOPTED. The City Commission
further delegates the authority to the City Manager to approve future program amendments.
SECTION 3: That all resolutions or parts of resolutions in conflict herewith are
hereby repealed to the extent of such conflict.
1
Temp. Reso. # 11596 - 3/25/09
Page 3
SECTION 4: If any clause, section, other part or application of this Resolution is held
by any court of competent jurisdictions to be unconstitutional or invalid, in part or in
application, it shall not affect the validity of the remaining portion or applications of this
Resolution.
SECTION 5: This Resolution shall become effective immediately upon adoption.
PASSED, ADOPTED AND APPROVED this 2)day of k , 2009.
BETH FLANSBAU -TALABISCO
MAYOR
ATTEST:
MARION SWENSON, CIVIC
CITY CLERK
I HEREBY CERTIFY that
have approved this
RESOLUTION as to form.
. SAMUEL S. GOREN
A!- "dITY ATTORNEY
1
RECORD OF COMMISSION
MAYOR FLANSBAUM-TALABISCO
DIST 1:
COMM BUSHNELL
DIST 2:
VM ATKINS-GRAD
DIST 3:
COMM. GLASSER
DIST 4:
COMM. DRESSLER
Temp. Reso. #11596 — Attachment A
Identity Theft Prevention Program Compliance Policy
This plan has been designed to comply with the Federal Trade Commission's (FTC) Identity
Theft Red Flags Rule. The rule requires utilities to develop an "Identity Theft Prevention
Program." The program consists of selecting methods to detect red flags when accounts are
fraudulent, procedures to prevent the establishment of false accounts, procedures to ensure
existing accounts are not being manipulated, and procedures to respond to identity theft.
All utilities are required to comply with the FTC's "Identity Theft Red Flag Rule" even if only
nominal information such as name, phone number and address are collected.
The primary purpose of the rule is to protect against the establishment of false accounts and
ensure existing accounts are not being manipulated. This regulation does not address or
require utilities to adopt measures that will protect consumer information and prevent
unauthorized access. However, implementation of good management practices to protect
personal consumer data can prevent identity theft.
Steps required in the development of a utility's individual Identity Theft Prevention Program:
• Assess their existing identity theft risk (risk assessment) for new and existing accounts.
• Use the risk assessment to select measures (red flags) that may be used to detect
attempts to establish fraudulent accounts.
• Identify procedures for employees to prevent the establishment of false accounts and
procedures for employees to implement if existing accounts are being manipulated.
• Obtain program approval by the governing body or designated senior management by
May 1, 2009.
• Train the appropriate employees on the program's policies and procedures.
• Update the plan annually with review and approval by the governing body or designated
senior management. The annual report should address any material matters related to
the program such as the effectiveness of the policies and procedures, the oversight and
effectiveness of any third party billing and account establishment entities, a summary of
any identity thefts incidents and the response to the incident, and recommendations for
substantial changes to the program, if any.
Page 1 of 7
Identity Theft Prevention Program
For
City of Tamarac Water and Sewer Utility
7525 NW 881h Ave
Tamarac, Fl., 33321
February 11, 2009
City of Tamarac Water and Sewer Utility
Identity Theft Prevention Program
This Plan is intended to identify red flags that will alert our employees when new or existing
accounts are opened using false information, protect against the establishment of false accounts,
methods to ensure existing accounts were not opened using false information, and measures to
respond to such events.
Contact Information:
The Senior Management Person responsible for this plan is:
Name: Jeffrey L. Miller
Title: City Manager
Phone number: 954-597-3500
The Governing Body Members of the Utility are the Mayor and City Commission of the City of
Tamarac:
1._Mayor Beth Flansbaum-Talabisco— City of Tamarac
2._Vice MUor Patricia Atkins -Grad --City of Tamarac
3.�Commissioner Pamela Bushnell--- City of Tamarac
4. Commissioner Diane Glasser — City of Tamarac
5. Commissioner Harry Dressler — City of Tamarac
Page 2 of 7
Risk Assessment
The City of Tamarac Water and Sewer Utility has conducted an internal risk assessment to
evaluate how at risk the current procedures are at allowing customers to create a fraudulent
account and evaluate if current (existing) accounts are being manipulated. This risk assessment
evaluated how new accounts were opened and the methods used to access the account
information. Using this information the utility was able to identify red flags that were
appropriate to prevent identity theft:
❑ New accounts opened In Person
❑ New accounts opened via Telephone
❑ New accounts opened via Fax
❑ New accounts opened via Web
❑ Account information accessed In Person
❑ Account information accessed via Telephone (Person)
❑ Account information is accessed via Telephone (Automated)
❑ Account information is accessed via Web Site
❑ Identity theft occurred in the past from someone falsely opening a utility account
Detection (Red Flags):
The City of Tamarac Water and Sewer Utility adopts the following red flags to detect potential
fraud. These are not intended to be all-inclusive and other suspicious activity may be
investigated as necessary:
❑ Identification documents appear to be altered
❑ Photo and physical description do not match appearance of applicant
❑ Other information is inconsistent with information provided by applicant
❑ Other information provided by applicant is inconsistent with information on file.
❑ Application appears altered or destroyed and reassembled
ca Address or telephone # is the same as that of other customer at utility
❑ Customer fails to provide all information requested
❑ Personal information provided is inconsistent with information on file for a
customer
❑ Applicant cannot provide information requested beyond what could commonly be
found in a purse or wallet
❑ Identity theft is reported or discovered
Response
Any employee that may suspect fraud or detect a red flag will implement the following response
as applicable. All detections or suspicious red flags shall be reported to the senior management
official.
❑ Ask applicant for additional documentation
Page 3 of 7
❑ Notify internal manager: Any utility/customer service employee who becomes
aware of a suspected or actual fraudulent use of a customer or potential customers
identity must notify the Customer Service Supervisor
❑ Notify law enforcement: The utility will notify the Broward Sheriffs Office of
any attempted or actual identity theft.
❑ Do not open the account
❑ Close the account
❑ Do not attempt to collect against the account but notify authorities.
Personal Information Security Procedures:
The City of Tamarac Water and Sewer Utility adopts the following security procedures.
1. Paper documents, files, and electronic media containing secure information will be stored
in locked file cabinets.
2. Only specially identified employees with a legitimate need will have keys to the cabinet.
3. Niles containing personally identifiable information are kept in locked file cabinets except
when an employee is working on the file.
4. Employees will not leave sensitive papers out on their desks when they are away from
their workstations.
S. Employees store files when leaving their work areas.
6. Employees lock file cabinets when leaving their work areas.
7. Access to offsite storage facilities is limited to employees with a legitimate business
need.
8. Any sensitive information shipped will be shipped using a shipping service that allows
tracking of the delivery of this information.
9. Visitors who must enter areas where sensitive files are kept must be escorted by an
employee of the utility.
10. No visitor will be given any entry codes or allowed unescorted access to the office.
11. Access to sensitive information will be controlled using "strong" passwords. Employees
will choose passwords with a mix of letters, numbers, and characters. User names and
passwords will be different. Passwords will be changed every six months.
12. Passwords will not be shared or posted near workstations.
Page 4 of 7
13. Password -activated screen savers will be used to lock employee computers after a period
of inactivity.
14. When installing new software, immediately change vendor -supplied default passwords to
a more secure strong password.
15. Sensitive information will not be stored on portable storage devices.
16. When sensitive data is received or transmitted, secure connections will be used
17. The use of laptops is restricted to those employees who need them to perform their jobs.
18. Laptop users will not store sensitive information on their laptops.
19. Employees never leave a laptop visible in a car, at a hotel luggage stand, or packed in
checked luggage.
20. if a laptop must be left in a vehicle, it will be stored out of sight and the vehicle will be
locked.
21. The computer network will have a firewall where your network connects to the Internet.
22. Any wireless network in use is secured.
23. Maintain central log files of security -related information to monitor activity on your
network.
24. Monitor incoming traffic for signs of a data breach.
25. Monitor outgoing traffic for signs of a data breach.
26. Implement a breach response plan.
27. Check references or do background checks before hiring employees who will have access
to sensitive data.
28. Access to customer's personal identity information is limited to employees with a "need
to know."
29. Procedures exist for making sure that workers who leave your employ or transfer to
another part of the company no longer have access to sensitive information.
30. Implement a regular schedule of employee training.
31. Employees will be alert to attempts at phone phishing.
Page 5 of 7
32. Employees are required to notify their manager immediately if there is a potential
security breach, such as a lost or stolen laptop.
33. Employees who violate security policy will be subject to discipline, up to, and including,
termination.
34. Service providers notify you of any security incidents they experience, even if the
incidents may not have led to an actual compromise of our data.
Page 6 of 7
Identity Theft Prevention Program Review and Approval
This plan has been reviewed and adopted by the City Commission of the City of Tamarac.
ATTEST:
Marion Swenson, CMC, City Clerk
APPROVED AS TO FORM & LEGALITY
Samuol S. Goren, City Attorney
CITY OF TAMARAC, FLORIDA
Beth Flansbaum-Talabisco, ayor
APPROVED BY:
JefWey L. Adfier, City Manager
A report will be prepared annually and submitted to the above named senior
management or governing body to include matter related to the program, the
effectiveness of the policies and procedures, the oversight and effectiveness of any
third party billing and account establishment entities, a summary of any identify theft
incidents and the response to the incident, and recommendations for substantial
changes to the program, if any.
Page 7 of 7