The URL can be used to link to this page

Home My WebLink AboutCity of Tamarac Resolution R-2009-048Temp. Reso. # 11596 - 3/25/09 Page 1 CITY OF TAMARAC, FLORIDA RESOLUTION NO. R-2009- Yr A RESOLUTION OF THE CITY COMMISSION OF THE CITY OF TAMARAC, FLORIDA, ADOPTING THE IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF TAMARAC WATER AND SEWER UTILITY; PROVIDING FOR CONFLICTS; PROVIDING FOR SEVERABILITY; AND PROVIDING AN EFFECTIVE DATE. WHEREAS, the Federal Trade Commission (FTC) has established an Identity Theft Red Flags Rule; and WHEREAS, the rule requires utilities to develop an "Identity Theft Prevention Program" that consists of selecting methods to detect red flags when accounts are fraudulent, procedures to prevent the establishment of false accounts, procedures to ensure existing accounts are not being manipulated, and procedures to respond to identity theft; and WHEREAS, all utilities are required to comply with the FTC's "Identity Theft Red Flag Rule" even if only nominal information such as name, phone number and address are collected; and WHEREAS, the primary purpose of the rule is to protect against the establishment of false accounts and ensure existing accounts are not being manipulated; and WHEREAS, the City of Tamarac is desirous of complying with the FTC's Identity Theft Red Flags Rule; and WHEREAS, the Identity Theft Prevention Program for the City of Tamarac Water and Sewer Utility, attached hereto as Exhibit "A", has been prepared for said purpose; and Temp. Reso. # 11596 - 3/25/09 Page 2 WHEREAS, input was received from the Parks and Recreation, Information Technology, City Clerk's Office, Utilities, and Finance Departments for the City of Tamarac in developing the Identity Theft Prevention Program for the City of Tamarac Water and Sewer Utility; and WHEREAS, the Director of Parks and Recreation recommends the adoption and implementation of the proposed Identity Theft Prevention Program for City of Tamarac Water and Sewer Utility; and WHEREAS, the City Commission of the City of Tamarac, Florida, deems it to be in the best interest of the citizens and residents of the City of Tamarac to adopt the proposed Identity Theft Prevention Program for City of Tamarac Water and Sewer Utility. NOW, THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION OF THE CITY OF TAMARAC, FLORIDA: SECTION 1: The foregoing "WHEREAS" clauses are hereby ratified and confirmed as being true and correct and are hereby made a specific part of this resolution. All exhibits attached hereto are hereby incorporated herein by this reference. SECTION 2: The Identity Theft Prevention Program for City of Tamarac Water and Sewer Utility, attached hereto as Exhibit "A", is HEREBY ADOPTED. The City Commission further delegates the authority to the City Manager to approve future program amendments. SECTION 3: That all resolutions or parts of resolutions in conflict herewith are hereby repealed to the extent of such conflict. 1 Temp. Reso. # 11596 - 3/25/09 Page 3 SECTION 4: If any clause, section, other part or application of this Resolution is held by any court of competent jurisdictions to be unconstitutional or invalid, in part or in application, it shall not affect the validity of the remaining portion or applications of this Resolution. SECTION 5: This Resolution shall become effective immediately upon adoption. PASSED, ADOPTED AND APPROVED this 2)day of k , 2009. BETH FLANSBAU -TALABISCO MAYOR ATTEST: MARION SWENSON, CIVIC CITY CLERK I HEREBY CERTIFY that have approved this RESOLUTION as to form. . SAMUEL S. GOREN A!- "dITY ATTORNEY 1 RECORD OF COMMISSION MAYOR FLANSBAUM-TALABISCO DIST 1: COMM BUSHNELL DIST 2: VM ATKINS-GRAD DIST 3: COMM. GLASSER DIST 4: COMM. DRESSLER Temp. Reso. #11596 — Attachment A Identity Theft Prevention Program Compliance Policy This plan has been designed to comply with the Federal Trade Commission's (FTC) Identity Theft Red Flags Rule. The rule requires utilities to develop an "Identity Theft Prevention Program." The program consists of selecting methods to detect red flags when accounts are fraudulent, procedures to prevent the establishment of false accounts, procedures to ensure existing accounts are not being manipulated, and procedures to respond to identity theft. All utilities are required to comply with the FTC's "Identity Theft Red Flag Rule" even if only nominal information such as name, phone number and address are collected. The primary purpose of the rule is to protect against the establishment of false accounts and ensure existing accounts are not being manipulated. This regulation does not address or require utilities to adopt measures that will protect consumer information and prevent unauthorized access. However, implementation of good management practices to protect personal consumer data can prevent identity theft. Steps required in the development of a utility's individual Identity Theft Prevention Program: • Assess their existing identity theft risk (risk assessment) for new and existing accounts. • Use the risk assessment to select measures (red flags) that may be used to detect attempts to establish fraudulent accounts. • Identify procedures for employees to prevent the establishment of false accounts and procedures for employees to implement if existing accounts are being manipulated. • Obtain program approval by the governing body or designated senior management by May 1, 2009. • Train the appropriate employees on the program's policies and procedures. • Update the plan annually with review and approval by the governing body or designated senior management. The annual report should address any material matters related to the program such as the effectiveness of the policies and procedures, the oversight and effectiveness of any third party billing and account establishment entities, a summary of any identity thefts incidents and the response to the incident, and recommendations for substantial changes to the program, if any. Page 1 of 7 Identity Theft Prevention Program For City of Tamarac Water and Sewer Utility 7525 NW 881h Ave Tamarac, Fl., 33321 February 11, 2009 City of Tamarac Water and Sewer Utility Identity Theft Prevention Program This Plan is intended to identify red flags that will alert our employees when new or existing accounts are opened using false information, protect against the establishment of false accounts, methods to ensure existing accounts were not opened using false information, and measures to respond to such events. Contact Information: The Senior Management Person responsible for this plan is: Name: Jeffrey L. Miller Title: City Manager Phone number: 954-597-3500 The Governing Body Members of the Utility are the Mayor and City Commission of the City of Tamarac: 1._Mayor Beth Flansbaum-Talabisco— City of Tamarac 2._Vice MUor Patricia Atkins -Grad --City of Tamarac 3.�Commissioner Pamela Bushnell--- City of Tamarac 4. Commissioner Diane Glasser — City of Tamarac 5. Commissioner Harry Dressler — City of Tamarac Page 2 of 7 Risk Assessment The City of Tamarac Water and Sewer Utility has conducted an internal risk assessment to evaluate how at risk the current procedures are at allowing customers to create a fraudulent account and evaluate if current (existing) accounts are being manipulated. This risk assessment evaluated how new accounts were opened and the methods used to access the account information. Using this information the utility was able to identify red flags that were appropriate to prevent identity theft: ❑ New accounts opened In Person ❑ New accounts opened via Telephone ❑ New accounts opened via Fax ❑ New accounts opened via Web ❑ Account information accessed In Person ❑ Account information accessed via Telephone (Person) ❑ Account information is accessed via Telephone (Automated) ❑ Account information is accessed via Web Site ❑ Identity theft occurred in the past from someone falsely opening a utility account Detection (Red Flags): The City of Tamarac Water and Sewer Utility adopts the following red flags to detect potential fraud. These are not intended to be all-inclusive and other suspicious activity may be investigated as necessary: ❑ Identification documents appear to be altered ❑ Photo and physical description do not match appearance of applicant ❑ Other information is inconsistent with information provided by applicant ❑ Other information provided by applicant is inconsistent with information on file. ❑ Application appears altered or destroyed and reassembled ca Address or telephone # is the same as that of other customer at utility ❑ Customer fails to provide all information requested ❑ Personal information provided is inconsistent with information on file for a customer ❑ Applicant cannot provide information requested beyond what could commonly be found in a purse or wallet ❑ Identity theft is reported or discovered Response Any employee that may suspect fraud or detect a red flag will implement the following response as applicable. All detections or suspicious red flags shall be reported to the senior management official. ❑ Ask applicant for additional documentation Page 3 of 7 ❑ Notify internal manager: Any utility/customer service employee who becomes aware of a suspected or actual fraudulent use of a customer or potential customers identity must notify the Customer Service Supervisor ❑ Notify law enforcement: The utility will notify the Broward Sheriffs Office of any attempted or actual identity theft. ❑ Do not open the account ❑ Close the account ❑ Do not attempt to collect against the account but notify authorities. Personal Information Security Procedures: The City of Tamarac Water and Sewer Utility adopts the following security procedures. 1. Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets. 2. Only specially identified employees with a legitimate need will have keys to the cabinet. 3. Niles containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file. 4. Employees will not leave sensitive papers out on their desks when they are away from their workstations. S. Employees store files when leaving their work areas. 6. Employees lock file cabinets when leaving their work areas. 7. Access to offsite storage facilities is limited to employees with a legitimate business need. 8. Any sensitive information shipped will be shipped using a shipping service that allows tracking of the delivery of this information. 9. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility. 10. No visitor will be given any entry codes or allowed unescorted access to the office. 11. Access to sensitive information will be controlled using "strong" passwords. Employees will choose passwords with a mix of letters, numbers, and characters. User names and passwords will be different. Passwords will be changed every six months. 12. Passwords will not be shared or posted near workstations. Page 4 of 7 13. Password -activated screen savers will be used to lock employee computers after a period of inactivity. 14. When installing new software, immediately change vendor -supplied default passwords to a more secure strong password. 15. Sensitive information will not be stored on portable storage devices. 16. When sensitive data is received or transmitted, secure connections will be used 17. The use of laptops is restricted to those employees who need them to perform their jobs. 18. Laptop users will not store sensitive information on their laptops. 19. Employees never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage. 20. if a laptop must be left in a vehicle, it will be stored out of sight and the vehicle will be locked. 21. The computer network will have a firewall where your network connects to the Internet. 22. Any wireless network in use is secured. 23. Maintain central log files of security -related information to monitor activity on your network. 24. Monitor incoming traffic for signs of a data breach. 25. Monitor outgoing traffic for signs of a data breach. 26. Implement a breach response plan. 27. Check references or do background checks before hiring employees who will have access to sensitive data. 28. Access to customer's personal identity information is limited to employees with a "need to know." 29. Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. 30. Implement a regular schedule of employee training. 31. Employees will be alert to attempts at phone phishing. Page 5 of 7 32. Employees are required to notify their manager immediately if there is a potential security breach, such as a lost or stolen laptop. 33. Employees who violate security policy will be subject to discipline, up to, and including, termination. 34. Service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of our data. Page 6 of 7 Identity Theft Prevention Program Review and Approval This plan has been reviewed and adopted by the City Commission of the City of Tamarac. ATTEST: Marion Swenson, CMC, City Clerk APPROVED AS TO FORM & LEGALITY Samuol S. Goren, City Attorney CITY OF TAMARAC, FLORIDA Beth Flansbaum-Talabisco, ayor APPROVED BY: JefWey L. Adfier, City Manager A report will be prepared annually and submitted to the above named senior management or governing body to include matter related to the program, the effectiveness of the policies and procedures, the oversight and effectiveness of any third party billing and account establishment entities, a summary of any identify theft incidents and the response to the incident, and recommendations for substantial changes to the program, if any. Page 7 of 7