Findings and Recommendations 7 findings
F1
- Department of Public Health: San Francisco General Hospital is the Department of Public Health’s largest cash operation. Cash and credit card operations are handled directly with the Bank of America. The Department of Public Health runs its own information technology operation with applications including patient registration, accounting, lifetime clinical services, laboratory work, and on-line eligibility. To facilitate billing with Medicare and Medi-Cal, it is necessary to keep patient social security numbers on file. Although the Department of Public Health has about 5,000 computer workstations at over 400 separate sites, no credit card data is kept on the Department’s computer files. There is no clause protecting the confidentiality of data in the Department of Public Health’s contract with Bank of America.
Related Recommendations (1)
R3
A clause protecting confidentiality of the City’s data should be included in the Department of Public Health’s contract with Bank of America.

VI. Required Responses
Department of Public Health – 60 days
Office of the Mayor – 60 days
Board of Supervisors – 90 days
F2
- Office of the Treasurer & Tax Collector: In 2004-2005 the treasurer took in over $2.3 billion in tax revenue. Of this total, $19 million was collected by processing 11,200 transactions over the World Wide Web. The treasurer contracted with VeriSign, a NASDAQ-listed corporation that processes over 14 billion Internet transactions daily [3], to handle their Web-related credit card operations. Another $8 million was collected by processing 2,700 transactions through Interactive Voice Response (IVR), an enhanced automated phone service for processing payments made with credit cards. The City treasurer contracted with Official Payments Corporation for these IVR transactions. Official Payments Corporation has been processing government payments electronically since 1996. Official Payments Corporation also does processing for the United States Internal Revenue Service, 25 states, and more than 1,600 counties and municipalities. No credit card data for Web or IVR transactions are kept on City computer files. A clause protecting confidentiality of data is present in the Treasurer’s contract with Official Payments Corporation. (Note: Mail and walk-in credit card numbers are kept on the Treasurer’s cashiering system, and are available only to the vault teller on an audit report. This on-request audit report is produced only when there are cash balancing problems.)
Related Recommendations (1)
R1
San Francisco’s widely distributed information technology departments have wisely chosen to contract out credit card processing (and the identity theft risks inherent in this activity) to nationally recognized firms specializing in Web-based remittance processing. The Civil Grand Jury recommends the departments continue this policy.
F3
- Department of Parking & Traffic: The Department of Parking & Traffic contracts out daily management responsibilities for City-owned parking garages to various parking firms. All credit card transactions with parking garages are handled by the parking firms. Once again, no credit card data or social security numbers are kept on City computer files.
Related Recommendations (1)
R1
San Francisco’s widely distributed information technology departments have wisely chosen to contract out credit card processing (and the identity theft risks inherent in this activity) to nationally recognized firms specializing in Web-based remittance processing. The Civil Grand Jury recommends the departments continue this policy.
F4
- Parking Citations Division: The Municipal Transportation Agency’s Citations Division receives approximately $14 million yearly from some 250,000 Web transactions. As with the Office of the Treasurer & Tax Collector, VeriSign handles its Web transactions. Approximately $4 million is collected annually through some 78,000 phone transactions. Again, Official Payments Corporation handles phone payment transactions. The Citations Division does not retain any credit card or social security numbers on their files.
Related Recommendations (1)
R1
San Francisco’s widely distributed information technology departments have wisely chosen to contract out credit card processing (and the identity theft risks inherent in this activity) to nationally recognized firms specializing in Web-based remittance processing. The Civil Grand Jury recommends the departments continue this policy.
F5
- Payroll: The Controller’s Office has processed the City’s payroll since 1985 on a heavily modified package application processor that is run on the City’s mainframe computer system. Although the payroll system must retain social security numbers for tax reporting purposes and bank account numbers for direct deposits, computer access is limited exclusively to payroll and programming staff. Similar to credit card transactions in shops and restaurants, only the last four digits of social security numbers are printed on checks. No credit card data is kept on the payroll system.
No recommendations for this finding
F6
- Police Department: Although our investigation of departments which process major credit card transactions revealed no evidence of City-caused identity theft, we conducted a final interview with the San Francisco Police Department’s Fraud Detail to verify our findings. Through early December 2005, police statistics reflect 1,300 instances of all types of identity theft in San Francisco. The police have no records involving identity theft within City government. Statistics are not kept by location of theft because most victims of identity theft do not know where or how their personal information was stolen.

3. http://www.verisign.com/verisign-inc/index.html
Related Recommendations (1)
R2
In answer to the question posed by the title of this report, the City and County of San Francisco is thus far coping well with identity theft. The Civil Grand Jury recommends that the City continues to handle sensitive data with the care that is currently in practice.
F7
- Conclusion: The Civil Grand Jury asked all departments listed above and the Department of Telecommunications & Information Services the direct question, “Are you aware of any instances of identity theft caused by the City and County of San Francisco?” All replied negatively to this question.
Related Recommendations (1)
R2
In answer to the question posed by the title of this report, the City and County of San Francisco is thus far coping well with identity theft. The Civil Grand Jury recommends that the City continues to handle sensitive data with the care that is currently in practice.