Chapter 14 Data Practices and Records

FFY2011
Presented at FFY2011 EAP Annual
Training August 11 & 12, 2010
Section 5 contents:
• Chapter 13 Incidents
 – Semcac Flood
 – CAPSH Flood
• Chapter 14 Data Practices & Records
 – Security R. Gooley
 – Change Password in eHEAT
• Chapter 15 Communication & Information
 – Various Reports
EAP Annual Training Section 5 (of 6)
Chapter 13
Incidents
Chapter Contents
 Appeals
 Errors and Fraud
 Recovery of EAP Benefit Overpayment Due to
Error or Fraud
 Disaster and Emergency Planning
Combines Fraud & Error chapter
Chapter 13
Incidents
Handling Incidents – What to know
 No changes to the handling of incidents
 We have clarified the processes in the manual
 Highlighting some of the procedures to use
 Incidents have gone through the ICF evolution
 Controls to protect program and individuals
 These can be difficult situations
 We are your partners and are here to help you
Chapter 13
Incidents
Handling Incidents – What to know (Continued)
• An incident is anything that happens outside of normal expected EAP operations.
• Incidents can be one of several things: error, fraud, complaints, vendor goes out of business, etc.
• When discovered fill out an incident report, provide enough facts to paint the picture for us
• Email the report to EAP.mail and copy to monitors
• DOC staff reviews incident reports every Monday at our staff meeting, unless expedience is required
Chapter 13
Incidents
Handling Incidents – What to know (Continued)
• After it’s reported to state continue your investigation as appropriate
• DOC may respond with clarifying questions or direction on next steps depending on where we are in the process
• Take it one step at a time
• Don’t think solution first – something unusual has happened: don’t assume fraud or error when it could be either, get the facts
• As you investigate, collect facts & document them specifically.
 – Date, time, talked to, they reported, etc.
• In general, EAP coordinator and appropriate SP supervisors should be involved
• EAP and other SP staff should be on a need to know basis
Chapter 13
Incidents
Overpayment Due to Household Error or Fraud
Pages 7 & 8
When Household error or fraud results in overpayment of EAP
benefits use the following procedure:
 Document the facts of the situation.
 For delivered fuel vendors; recall any EAP credit on the
customer account up to the amount overpaid.
 For connected energy vendors; recall the entire amount of the
overpayment. The result may be an amount due on the
household’s vendor account.
 For direct payment to households; recall the entire amount of
the overpayment.
Chapter 13
Incidents
Overpayment Due to Household Error or Fraud
Page 7 & 8
Write to the client to:
 Notify them
 Request repayment of excess funds not recovered
 Clarify the household’s rights and responsibilities
 Offer to meet with them
 Try to agree on a repayment schedule as needed
 Allow installment payments
 If the household and you can agree on a reasonable timetable,
include this in your repayment request to the household
Chapter 13
Incidents
Overpayment Due to Household Error
Page 7 & 8
In the case of household error (not fraud), if repayment
by the household poses a hardship for the household,
the Service Provider must:
 Terminate recovery procedures when:
 The household declares and describes the hardship in
writing.
 Signs and dates their statement.
 Place their letter in the household’s file.
Chapter 13
Incidents
Fraud
 In cases when it is determined that fraud has occurred
procedures outlined in the manual for investigating,
documenting and ultimately escalating should be
followed.
 SP staff are encouraged to consult with their attorney
 DOC will advise and assist as appropriate
Chapter 13
Incidents
Disasters – the worst incidents
 Disasters can and do happen
 This is why we ask you to include disaster plans in
your local plan
 So you can think about disasters before they happen
 Susie Thompson from Semcac
 Scott Zemke from CAPSH
 lessons learned
 I wish I knew then what I know now….
Chapter 13
Incidents
Disasters Sharing
 Susie Thompson from Semcac
Disaster Recovery Efforts
~Housing~
• MHFA Quick Start Loan
– 263 loans were processed for housing rehab
or replacement.
– Loans to date total > $9 million.
Disaster Recovery Efforts
~Housing~
• GMHF Loan and Grant
– 54 loans (totaling > $270,000) and 15 grants
have been processed for income-eligible
households.
• Weatherization
– Performed weatherization on 9 homes.
– Replaced furnaces/water heaters at 23 homes.
Disaster Recovery Efforts
~Agency Facilities~
Affected facilities
–Main Building
–4-plex
–Senior Dining’s equipment and
supplies at the Tenborg Center
–Semcac Housing—Rushford, Inc.’s
Rush Creek Apartments
Main Office Damage
Main Office Clean-up
Rushford/Winona Bus Route
Temporary Main Office
Disaster Recovery Efforts
~Agency Facilities~
Resources for recovery
– Insurance—auto and partial property
– Federal and State Aid applications (FEMA, SBA, MIF)
– OEO, SMIF grant, Medtronic donation, Hunger Solutions (through OEO), other Community Action Agencies, WSU nursing students’ fundraiser, other contributions from businesses and individuals.
• Direct program disaster recovery aid for Head Start, EAP, Weatherization, and Transportation
We made it back to Rushford—Never Give Up!
Chapter 13
Incidents
Disasters Sharing
 Scott Zemke from CAPSH
CAPSH Office Flood 2008
 Building owner failed to shut off and bleed outdoor
spigot.
 Pipe froze and burst overnight on MLK holiday.
 Found by building maintenance.
 2 inches of standing water.
 Administrative functions of agency shut down for about
two weeks
Results of Planning
 Server and computing capability remained
 All computer equipment raised up off of the floor at all times
 Other program staff able to work remotely from home
or other partner facilities
 EAP largely unaffected
 Shut down for 2 days while walls/carpet dried (no
reconstruction needed).
 No access to rest of office (admin support, copier, etc.).
 No application processing for 2 days.
Results of Planning (cont.)
 Did not need to implement full disaster plan that
involves co-locating at a partner organization
 Would have been more time consuming to move files and
equipment twice than simply wait for ability to return.
 Changed EAP VM to state the problem, asked for patience
and provided our emergency phone number
 EAP staff checked VM and returned calls from home
Chapter 14
Data Practices and Records
Chapter Contents
 Collection and Maintenance of Private Data
 Application Documentation
 Sharing EAP Private Data
Chapter 14
Data Practices and Records
Pages 2 & 9-11
Third Party Requests for Information
• Minnesota Statutes (Minn. Stat.) §216C.266 says, “Data on individuals collected, maintained, or created because an individual applies for benefits or services provided by the Energy Assistance and Weatherization programs is private data on individuals and must not be disseminated except pursuant to section 13.05, subdivisions 3 and 4”
• Information about a data subject may only be released to a third party if the data subject consents by submitting a signed Informed Consent to Release Private Data form
• Service Providers commonly deny verbal requests received from the Department of Revenue and attorneys working to garnish wages
Chapter 14
Data Practices and Records
Page 2
E-Mail Data Privacy
To maintain data privacy on e-mails
• Use only household numbers for identification when possible
• Use secure e-mail practices when private household data is included
• Use secure e-mail practices to send New Vendor information containing Tax IDs and/or Social Security Numbers
• Remind vendors to use only household numbers when communicating via e-mail about a customer
• Contact DOC for help if a vendor does not cooperate with data privacy requirements, as required by the vendor agreement
Chapter 14
Data Practices and Records
Page 2
Social Security Number for LIHEAP and WAP Applications
 Social Security numbers (SSNs) are used in the administration of EAP
and to assure that only eligible applicants and their household members
receive allowable benefits
 Federal law allows States to require applicants to disclose their SSN to
prevent, detect, and correct fraud and abuse.
 See Chapter 5 – Program Eligibility Requirements for details
Safe at Home (SAH) Participant SSN
• A participant in the State’s Safe at Home (SAH) program is one exception to the policy requiring primary household applicants to provide a verifiable SSN for the household to be eligible for EAP services
• Providers should neither require nor request the SSN for SAH participants.
Chapter 14
Data Practices and Records
Responsibility for Data Privacy
• Individuals with access to private data must be aware of their responsibilities under the MGDPA
• A best practice is to document regular training on data practices to each staff with access to applications or household information
• The Minnesota Department of Administration Information Policy Analysis Division assists individuals and entities with Minnesota’s Data Practices Act.
 – Website http://www.ipad.state.mn.us
Chapter 14
Data Practices and Records
Pages 3 & 4
Documents that must be in the household’s hard copy file or easily
identified and accessed electronic file include
 Copies of any correspondence with the applicant not documented by eHEAT
 Documentation of research and responses to a question, complaint or appeal
not maintained in eHEAT
 Pertinent program forms
 A signed signature page from the application (or, rarely, a copy)
 The application
 Documentation of income
 Income calculations not completed in eHEAT
 Case notes if they are not kept on eHEAT
Page 6
Chapter 14
Data Practices and Records
Sharing Private Data with Vendors
• EAP data provided to vendors is limited to information necessary to obtain vendor account and consumption information and allow vendors to apply EAP benefits to customer accounts
• The household data required is available to vendors through their access to eHEAT
• The information verifies the household’s EAP eligibility and the amount to apply to their or their landlord’s account
• To illustrate, EAP collects household data on income and household size, but the data is not required to apply EAP payments to customer accounts. Therefore, this data is not to be provided to the vendor
• Exception: EAP allows vendor employees working with affordability programs to request additional EAP private data if the household has agreed to participate in an affordability program
• The vendor must obtain an Informed Consent for Release of Data form signed by the household before requesting EAP household data for any other use or program
Chapter 14
Data Practices and Records
Pages 6 & 7
Sharing Private Data for Delivery of ERR Services
• Sharing private data with Weatherization Assistance Program (WAP) staff and contractors providing ERR services for EAP households requires both EAP and WAP programs to be responsible for protecting private data
• ERR participants (Auditors, Inspectors, Heating Contractors, etc.) must be informed of data privacy requirements and provided with only the household data necessary to deliver services and do their jobs
• Both EAP and WAP eHEAT users export household data from eHEAT for specific business uses
• The eHEAT system’s security is designed for the local eHEAT Administrator(s) to assign authorized users to perform only the tasks and processes necessary to deliver services and perform assigned duties.
Page 10
Chapter 14
Data Practices and Records
The Debtor’s Exemption Claim Notice
 Is a type of Informed Consent Form
 Minn. Stat. §13.05, Subd. 4 prescribes the content of
the form and is consistent with the required content of
the Informed Consent Request Form, as long as it is
on the letterhead or otherwise names the third party
recipient of the information
Chapter 14
Data Practices and Records
Managing eHEAT Security Agreements for Admin & Users
 Have new users fill out agreement before access
 Make sure users have only the functions they need
 Disable users who no longer need access
Chapter 14
Data Practices and Records
Questionnaires & surveys used for referrals
• Keep them clearly separate from EAP
• Do not include with the Energy Programs Application
• Make sure the household knows the form and individual questions are optional
Best Practices
• Ask households to check services/programs of interest
• Do not ask invasive questions that allow staff to recommend drug treatment, anger management, etc.
Security talk and tactics
Richard Gooley
Chief Information Security Officer
Minnesota Department of Commerce
Presenter
Sec-UR-rity - You are at the center
• The only totally secure computer is offline
• There is no “Set it and Forget it©” in security
Today's Program
• Protecting Your Information
• Protecting Your Computer
• Staying Safe Online
• Passwords and Pass Phrases
• Technical Risk Assessment
• Free Stuff and Reference Material
• Stump the geek
Protecting Your Information
• What information are you protecting?
 – Social Security Number
 – Addresses
 – Children
 – Household income
 – Private financial information
• Paper
 – Applications, Hand written notes, Memos, Printed emails
• Electronic data
 – PC’s, Laptops
 – Hand held Devices, Phones
 – Flash Drives, DVDs, CDs, Diskette, Tapes
• What are you protecting the information from:
 – Unauthorized use
 – Modification
 – Destruction
 – Temporary or permanent loss
Protecting Your Computer
• Who wants the information?
 – Hi-Tech cyber criminals
 – Worldwide Cyber crime
• Vulnerabilities - How They Attack
 – Vulnerabilities are flaws in computer software that create weaknesses in the overall security of the computer or network. Vulnerabilities can also be created by improper computer or security configurations. Threats exploit the weaknesses of vulnerabilities resulting in potential damage to the computer or personal data.
 – It used to be emails; now it’s websites.
How can I tell if my computer is infected?
• Signs of infection
 – My computer is running extremely slowly
 – Applications won't start
 – I cannot connect to the Internet or it runs very slowly
 – When I connect to the Internet, all types of windows open or the browser displays pages I have not requested
 – Where have my files gone?
 – My antivirus has disappeared, my firewall is disabled
 – My computer is speaking a strange language
 – Programs have disappeared from my computer
 – My computer has gone mad... literally
Protecting Your Computer
• What can we do to protect your computer?
 – Number one Computer Security Risk
  • Computers remain unpatched
 – Move to Windows 7
 – Use a profile that isn’t the “Administrator”
• What is a patch?
 – A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data
Java and QuickTime
Java
• Click Start
 – Control Panel
  • Java
Adobe Reader
Apple QuickTime
• Click Start
 – Control Panel
  • QuickTime
Windows Update
Protecting Your Computer
• Microsoft Windows 7 or XP operating system?
 – Exploits using Windows XP as an attack vector will grow this year
 – Windows XP is nine years old and some patches will no longer be supported
 – Threat detections are down against Windows 7
• User Profiles
 – For everyday use, have a profile that is in the “User” or “Power User” group instead of the default “Administrators” group.
  • “Administrator” is All Powerful… I can install programs.
  • “Power User” Powerful… I can install a printer
  • “User”… I can run applications
Staying Safe Online
• Spoofed emails – Email to me.. From me?
• Phishing – Nigerian email scams
• Spear Phishing – Your local bank wants your password
Staying Safe Online
• Spyware
• Typosquatter
 – www.examlpe.com
 – www.example.co
 – www.example.com
 – How many ways can you spell freecreditreport.com?
  • Netcorp registered 1,017 domain name variations on FreeCreditReport.com
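The look-alike spellings on the typosquatter slide can be caught mechanically before anyone clicks them. As an added example (not part of the original presentation), this Python code flags host names that sit within a small edit distance of a domain you want to protect; the protected list, the distance threshold and the sample hosts are assumptions constructed for illustration.

```python
# Added example, not from the presentation: flag look-alike (typosquatted)
# host names seen in mail links or proxy logs. PROTECTED, MAX_DISTANCE and
# SAMPLE_HOSTS are assumptions constructed for illustration.

PROTECTED = ["example.com", "freecreditreport.com"]
MAX_DISTANCE = 2  # edits tolerated before a name is treated as unrelated

SAMPLE_HOSTS = [  # constructed sample input
    "www.examlpe.com", "www.example.co", "www.example.com",
    "FreeCreditReprot.com", "www.ready.gov",
]


def normalize(host):
    """Lower-case a host name, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            swapped = (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                       and a[i - 2] == b[j - 1])
            if swapped:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(host, protected=PROTECTED, max_distance=MAX_DISTANCE):
    """Return (verdict, matched_domain) for one observed host name."""
    name = normalize(host)
    best = None
    for good in protected:
        if name == good or name.endswith("." + good):
            return ("legitimate", good)
        distance = osa_distance(name, good)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, good)
    return ("lookalike", best[1]) if best else ("unrelated", None)


def flag_lookalikes(hosts):
    """Return the (host, imitated_domain) pairs worth a closer look."""
    flagged = []
    for host in hosts:
        verdict, matched = classify(host)
        if verdict == "lookalike":
            flagged.append((host, matched))
    return flagged


if __name__ == "__main__":
    for host, matched in flag_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: possible typosquat of {matched}")
```

With very short protected names a threshold of 2 will also match unrelated domains, so treat each hit as a lead to review.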
Passwords: Longer is Stronger
• Examples of passwords
 – eX@mp13s – No longer a good password
 – What's my uncles phone number?
  • wMUp#?6125356519
 – Do you know my address?
  • DUKma?45410akland
Pass Phrase: Longer is Stronger
• Pass Phrases – Long and complex
 – What's my uncles phone number?
  • What's my uncl3s phon3 numb3r? 6513246519
 – Do you know my address?
  • D0 y0u kn0w my address? 45410akland
Risk Assessment
• What is a Risk Assessment?
 – A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.
Risk Assessment
• Determine a risk assessment strategy that best suits the needs of your organization.
• A risk assessment is a useful tool.
• Non-profits have special needs to consider when devising a risk assessment.
• Know and address these needs to allow for a more accurate and detailed risk assessment.
Tools and Reference Material
Useful Tools
• Tools to wipe drives when disposing of a computer
 – www.killdisk.com/
 – www.diskwipe.org/
• Free tools
 – http://www.fileinspect.com/task-manager/
 – http://www.wireshark.org/
 – http://www.solarwinds.com/
• Restore disks
 – http://www.restoredisks.com
Reference Resources
www.msisac.org - Information Sharing and Analysis Center
www.drj.com - Disaster Recovery Journal
www.ready.gov - Family Emergency Preparations
www.sans.org – Security Training, Certification and Research
www.itsecurity.com –Help Choosing Security Products
http://technet.microsoft.com – Microsoft Technical Information
yo.nerd@gmail.com
Conclusion
• Security is a daily practice
• Patch your computer at work and home
• Thank you!
Chapter 14
Data Practices and Records
Password Reset
Chapter 14
Data Practices and Records
Password Reset (Continued)
All entered info must match what is in eHEAT
Chapter 14
Data Practices and Records
Keep User Profile Current
Chapter 15
Communication, Information & Reports
Chapter Structure
 Information and Reporting
 Federal Leveraging Incentive Fund
 DOC Communication Tools
 Service Provider Communication Requirements
Chapter 15
Communication, Information & Reports
General Chapter Changes
 Chapter combines former Information & Reporting
chapter with Communication information from the
former Overview of Service Provider Admin
Responsibility chapter
 Federal Leveraging chapter also part of this new
chapter
Chapter 15
Communication, Information & Reports
Specific Chapter Changes
Page 3
Due Date Change: FSR submission date is now the 5th of the
month
 The due date for FSR submission was 5th of the month in
WAP contract last year, so EAP FSR due date has been
changed for DOC consistency.
Chapter 15
Communication, Information & Reports
Specific Chapter Changes
Page 7
Addition: Service Provider staff members who provide back-up
during a coordinator’s absence must know under what
circumstances it is necessary to contact their Field Representative,
eap.mail@state.mn.us or Eheat.doc@state.mn.us
Chapter 15
Communication, Information & Reports
Specific Chapter Changes
New Section
Page 8
Service Provider’s Other Reportable Conditions
If SP becomes aware of the existence (or apparent existence) of fraud,
waste, or abuse related to the organization’s activities, grants or use of grant
funds including non-DOC grants, it must report this information to DOC
The purpose of this is to inform DOC of situations that may impact the SP
general administrative capability
Chapter 15
Communication, Information & Reports
Specific Chapter Changes
Appendix 15B
Report Name Change
Expenditure Detail Report is the new name for the Budget
Summary
Chapter 15
Communication, Information & Reports
Related Changes
 Added "Leveraged Activities" to Advocacy Services
reason list in A16 in eHEAT to help with tracking
(thanks to suggestion from Gayle at Inter-County)
 Reminder that the Leveraging Report is coming up.
 Mailed September 24
 Due to DOC October 22
Chapter 15
Communication, Information & Reports
Related Changes
Increasing use of the DOC website for SP
 For forms & appendices that used to be attached to
the Policy Manual
 Increasingly we’ll direct you to the web to find
documents, as we did with the Local Plan
 Check website first
eHEAT
Report Highlights/Review
 Crisis Benefit Report
 Agency Application Count Comparison
 SP Payments By County
 Household Additional Info
 Application Search
eHEAT
Report Highlights/Review
Crisis Benefit Report
• Export includes fields not shown on screen
• Both mailing address and hh address included in export
• Vendor information is included if criteria is checked
• The CRISISAWARDEDAMT and CRISISPAIDAMT fields are per application: they are the totals awarded and paid for the application, not for the event
eHEAT
Report Highlights/Review
Agency Application Count Comparison
• Counts of states at point in time
• Compares to previous years on the same date
• Data is live
eHEAT
Report Highlights/Review
SP Payments By County
• Cannot span program years with dates
• Definitions of $ are on hover note
• Data is live
• Previous program data is available
eHEAT
Report Highlights/Review
Household Additional Info
• Allows access to letters to Denied households
• Includes Request Date and Processed Date
Report Highlights/Review
Application Search
 ROFW added
 Both Addresses included in export Label
Refund Process
 Address added to export