File #: 2010-0575    Version:
Type: Motion Status: Passed
File created: 12/6/2010 In control: Government Accountability and Oversight Committee
On agenda: Final action: 12/13/2010
Enactment date: Enactment #: 13397
Title: A MOTION approving written identity theft prevention programs for the department of natural resources and parks and the Seattle-King County department of public health in compliance with sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, and the Red Flags Rule adopted by the Federal Trade Commission; and the enterprise, employee and third party information security, and information privacy policies promulgated by the office of information resource management.
Sponsors: Kathy Lambert
Indexes: Natural Resources, Department of, Public Health
Attachments: 1. 13397.pdf, 2. A. Identity Theft Prevention Program--Department of Natural Resources and Parks--Effective Date June 1, 2010, 3. B. Identity Theft Prevention Program--Public Health-Seattle & King County--Effective Date October 30, 2009, 4. C. Employee and Third Party Policy for Information Technology Security and Privacy Policy--Effective Date 12/15/08, 5. D. Enterprise Information Security Policy--Effective Date 9/9/09, 6. E. Information Privacy Policy--Dated June 9, 2010, 7. 2010-0575 Transmittal Letter.doc, 8. 2010-0575 Red Flag Staff Report SR, 9. 2010-0575 REVISED Red Flag Staff Report SR, 10. A. Identity Theft Prevention Program--Department of Natural Resources and Parks--Effective Date June 1, 2010, 11. B. Identity Theft Prevention Program--Public Health-Seattle & King County--Effective Date October 30, 2009, 12. C. Employee and Third Party Policy for Information Technology Security and Privacy Policy--Effective Date 12/15/08, 13. D. Enterprise Information Security Policy--Effective Date 9/9/09
Staff: Giambattista, Jenny
Drafter
Clerk 11/04/2010
title
A MOTION approving written identity theft prevention programs for the department of natural resources and parks and the Seattle-King County department of public health in compliance with sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, and the Red Flags Rule adopted by the Federal Trade Commission; and the enterprise, employee and third party information security, and information privacy policies promulgated by the office of information resource management.
body
      WHEREAS, Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, required the Federal Trade Commission ("FTC") to adopt rules to prevent identity theft from information gathered and maintained by financial institutions, utilities and other creditors, and
      WHEREAS, the FTC adopted a new rule on identity theft, known as the "Red Flags Rule," that require financial institutions, utilities and other creditors to set up a program aimed at preventing identity theft, and
      WHEREAS, the King County wastewater treatment division ("WTD") provides regional sewer services to thirty-four local sewer utilities and those local sewer utilities bill customers directly for local sewer charges and the King County wholesale sewer rate, and
      WHEREAS, WTD is authorized under RCW 35.58.570 and 36.94.140 to impose a capacity charge for new connections to its system, and
      WHEREAS, pursuant to K.C.C. 28.84.050, WTD's capacity charge is billed for a fifteen-year period with the customer receiving a discount for paying the full amount earlier, and
      WHEREAS, the Red Flags Rule defines a "covered account" as either:
        1.  A consumer account that allows multiple payments or transactions; or
        2.  Any other account that presents a reasonably foreseeable risk from identity theft, and
      WHEREAS, WTD currently maintains over eighty thousand continuing accounts for customers paying the county's capacity charge which may involve multiple payments or transactions, and
      WHEREAS, the Red Flags Rule requires those utilities and other creditors having "covered accounts" to develop and implement a written Identity Theft Prevention Program, attached to this motion as Attachment A and incorporated in this motion by this reference, for the detection, prevention and mitigation of identity theft in connection with certain accounts, and
      WHEREAS, the Seattle-King County department of public health manages transactional systems and processes with identifying information subject to the Red Flags Rule, and
      WHEREAS, the Red Flags Rule requires agencies having "covered accounts" to develop and implement a written program, attached to this motion as Attachment B and incorporated in this motion by this reference, for the detection, prevention and mitigation of identity theft, and
      WHEREAS, the office of information resource management has promulgated the following policies:  Employee and Third Party Policy for Information Technology Security and Privacy Policy; and the Enterprise Information Security Policy, and
      WHEREAS, these policies were adopted by the county's information technology governance committees, and
      WHEREAS, these policies apply to all county agencies and workforce members, and support the intent of the Red Flags Rule, and
      WHEREAS, the King County council finds the department of natural resources and parks and the Seattle-King County department of public health Programs are sufficient to comply with the Red Flags Rule, and
      WHEREAS, the King County council also finds the Employee and Third Party Policy for Information Technology Security and Privacy Policy and the Enterprise Information Security Policy promulgated by the office of information resource management comply with the intent of the Red Flags Rule;
      NOW, THEREFORE, BE IT MOVED by the Council of King County:
      The identity theft prevention programs developed for the department of natural resources and parks and the Seattle-King County department of public health, which are Attachments A and B to this motion, respectively, and the information security policies promulgated by the office of information resource management, which are Attachments C and D to this motion, are hereby approved.  The council intends to consider for adoption an information privacy policy during 2011.