RESOLUTION NO. 6832
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF REDLANDS
ADOPTING THE IDENTITY THEFT PREVENTION PROGRAM
WHEREAS, the Federal Fair and Accurate Credit Transactions Act of 2003 ("FACT
Act"), which was signed into law on December 4, 2003, required the Federal Trade Commission
(FTC) and a number of federal banking agencies to issue joint rules and guidelines regarding the
detection, prevention, and mitigation of identity theft by financial institutions and other creditors;
and
WHEREAS, the Federal Trade Commission issued its final rules and guidelines
implementing the pertinent portions of the FACT Act in late 2007 with an effective date of
January 1, 2008 and a mandatory compliance date of November 1, 2008 which was subsequently
extended to May 1, 2009; and
WHEREAS, the FTC rules require utilities and all other creditors to develop and
implement a written Identity Theft Prevention Program that is designed to detect, prevent and
mitigate identity theft in connection with the opening of a covered account or any existing
covered account, and the rules require the Program to include reasonable policies and procedures
designed to accomplish the following:
• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the
Program;
• Detect Red Flags that have been incorporated into the Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity
theft; and
• Ensure the Program is updated periodically to reflect changes in risks to customers or to
the safety and soundness of the utility from identity theft.
WHEREAS, the City of Redlands (the "City") is subject to the FTC rules referenced
above because it owns and operates municipal utilities and other enterprise funds for the
provision of water, wastewater, solid waste, household hazardous waste disposal, street cleaning,
and cemetery purposes and bills its customers in arrears for such services; and
WHEREAS, the City Council of the City of Redlands, having considered its existing
practices and past experiences regarding the opening of or access to utility accounts in light of
the requirements of the FTC rules, has determined that the Identity Theft Prevention Program
that is attached hereto and incorporated herein by this reference is appropriate and should be
adopted and approved;
I:\cclerk\Resolutions\Res 6800-6879\6832 Identity Theft Red Flag Reso.doc 1
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY
OF REDLANDS AS FOLLOWS:
Section 1. The City of Redlands Identity Theft Prevention Program, attached to this
Resolution as Exhibit "A" and incorporated by reference, is hereby adopted and approved by the
City Council of the City of Redlands.
Section 2. The City of Redlands' Identity Theft Prevention Program shall be
implemented and administered by the City's Finance Director and the Director of Municipal
Utilities and Engineering as the Program Administrators, or their respective designees.
Section 3. Changes to the City of Redlands' Identity Theft Prevention Program of a day-
to-day operational character and decisions relating to the interpretation and implementation of
the Program may be made by the Program Administrators; however, major changes or shifts of
policy position under the Program shall be reported to the City Council and effected by
resolution of this City Council.
ADOPTED, SIGNED AND APPROVED this 21st day of April, 2009.
Mayor Pro Tem
Attest:
I, Lorrie Poyzer, City Clerk of the City of Redlands, hereby certify that the foregoing resolution
was duly adopted by the City Council of the City of Redlands at a regular meeting thereof held
on the 21st day of April, 2009, by the following vote:
AYES: Councilmembers Gilbreath, Gallagher, Aguilar, Bean, Mayor Harrison
NOES: None
ABSENT: None
ABSTAIN: None
Lorrie Poyzer, City Clerk
EXHIBIT "A" OF RESOLUTION 6832
CITY OF REDLANDS
MUNICIPAL UTILITIES AND ENGINEERING DEPARTMENT
CUSTOMER SERVICE DIVISION
IDENTITY THEFT PREVENTION PROGRAM
I. PROGRAM ADOPTION
The City of Redlands developed this Identity Theft Prevention Program
("Program") in response to and in compliance with the Federal Trade
Commission's Red Flags Rule ("Rule"), which implements Section 114 of the Fair
and Accurate Credit Transactions Act of 2003. (See 16 Code of Federal
Regulations (C.F.R.) § 681.2) and The Identity Theft Red Flags and Address
Discrepancy Under the Fair Credit Transactions Act of 2003. Final Rule issued
on November 9, 2007.
II. PROGRAM PURPOSE AND DEFINITIONS
The purpose of the Identity Theft Prevention Program is to protect customers of
the City's various utility services from identity theft. The Program is intended to
establish reasonable policies and procedures tailored to our size, complexity and
the nature of our operation to facilitate the detection, prevention and mitigation of
identity theft in connection with the opening of new Covered Accounts and
activity on existing Covered Accounts.
This Program applies to the creation, modification and access to Identifying
Information of a customer of one or more of the utilities operated by the City
(water, wastewater, solid waste, and any new utility that may be established in
the future by the City) by any and all personnel of the City including
management personnel.
When used in this Program, the following terms have the meanings set forth
opposite their name, unless the context clearly requires that the term be given a
different meaning:
Covered Account: The term 'covered account' means an account that the City
offers or maintains, primarily for personal, family or household purposes or a
business that is supported from an individual person that involves or is designed
to permit multiple payments or transactions. A City of Redlands municipal
services account is a 'covered account'.
Identifying Information: The term 'identifying information' means any name or
number that may be used, alone or in conjunction with any other information, to
identify a specific person, including any name, social security number, date of
birth, mother's birth name, official State or government issued driver's license or
identification number, alien registration number, government passport number,
employer or taxpayer identification number, unique electronic identification
number, computer's Internet Protocol address, or routing code.
Identity Theft: The term 'identity theft' means a fraud committed or attempted
using the identifying information of another person without authority.
Red Flag: The term 'Red Flag' means a pattern, practice or specific activity that
indicates the possible existence of identity theft.
Certain terms used but not otherwise defined herein shall have the meanings
given to them in the FTC's Identity Theft Rules (16 CFR Part 681) or the Fair
Credit Reporting Act of 1970 (15 U.S.C. § 1681 et seq.) as amended by the Fair
and Accurate Credit Transactions Act of 2003, signed into law on December 4, 2003.
III. ADMINISTRATION OF THE PROGRAM
The initial adoption and approval of the Identity Theft Prevention Program shall
be by resolution of the City Council. Thereafter, changes to the Program of a
day-to-day operational character and decisions relating to the interpretation and
implementation of the Program may be made by the Director of the Municipal
Utilities and Engineering Department (Program Administrator). Major changes or
shifts of policy positions under the Program shall be reported to the City Council.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with
the Program Administrator or his or her appointee, who may, but is not required
to, appoint a committee to administer the Program. The Program Administrator
will be responsible for the Program administration, for ensuring appropriate
training of staff on the Program, for reviewing any staff reports regarding the
detection of Red Flags and the steps for preventing and mitigating identity theft,
determining which steps of prevention and mitigation should be taken in
particular circumstances and considering periodic changes to the Program.
B. Staff Training and Reports
Initially all Customer Service staff shall be trained either by or under the direction
of the Program Administrator in the detection of Red Flags, and the responsive
steps to be taken when a Red Flag is detected. Thereafter, all Customer Service
staff shall undergo update training not less than annually. Additionally, all new
Customer Service staff shall undergo training.
The Program Administrator shall submit reports annually concerning the City's
compliance with the Program, the training that has been given and the
effectiveness of the policies and procedures in addressing the risk of Identity
Theft, including recommendations for changes to the Program. While incidents
of Identity Theft are to be reported immediately to the Program Administrator, the
annual report shall contain a recap of the incident and include the steps taken to
assist with resolution of the incident.
C. Service Provider Arrangements
In the event the City engages a service provider to perform an activity in
connection with one or more accounts, the City will take the following steps to
ensure the service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of
Identity Theft:
1. Require, by contract or contract amendment, that service providers
have such policies and procedures in place; and
2. Require, by contract or contract amendment, that service providers
review the City's Program and report any Red Flags to the Program
Administrator.
D. Specific Program Elements and Confidentiality
1. Paper documents, files, and electronic media containing secure
information will be stored in locked filing cabinets.
2. Only specially identified employees with a legitimate need will have
keys to the cabinets.
3. Employees will not leave sensitive papers out on their desks when
they are away from their workstations.
4. Employees store files when leaving their work areas.
5. Employees log off of their computers when leaving their work
areas.
6. Any sensitive information shipped using outside carriers or
contractors will be encrypted.
7. Any sensitive information shipped will be shipped using a shipping
service that allows tracking of the delivery of this information.
8. Visitors or non-essential employees who must enter areas where
sensitive files are kept must be escorted by an employee of the
City.
9. No visitor or non-essential employee will be given any entry codes
or allowed unescorted access to the office.
10. Access to sensitive information will be controlled using passwords.
11. Passwords will not be shared or posted near workstations.
12. User names and passwords will be different.
13. Access to customer's personal identity information is limited to
employees with a 'need to know'.
14. Procedures exist for making sure that employees who leave your
employ or transfer to another part of the City no longer have access
to sensitive information.
15. Paper records will be shredded before being placed in the trash.
16. Personal identifying information included in customer's municipal
services accounts is considered confidential and any request or
demand for such information shall be immediately forwarded to the
City Manager and the City Attorney.
17. In the event credit card payments that are made over the Internet
are processed through a third party service provider, such third
party service provider shall certify that it has an adequate identity
theft prevention program in place that is applicable to such
payments.
IV. IDENTIFICATION OF RED FLAGS
In order to identify relevant Red Flags, the City considered the types of accounts
that it offers and maintains, the methods it provides to open its accounts, the
methods it provides to access its accounts, and its previous experiences with
identity theft. The City identified the following Red Flags, in each of the listed
categories:
A. Suspicious Documents
1. Identification document or card that appears to be forged, altered or
inauthentic;
2. Identification document or card on which a person's photograph or
physical description is not consistent with the person presenting the
document;
3. Application for service that appears to have been altered or forged;
4. Other document with information that is not consistent with existing
customer information (such as if a person's signature on a check
appears forged); and
5. Lease agreements or escrow documents that appear to have been
altered or forged.
B. Suspicious Personal Identifying Information
1. Identifying information presented that is inconsistent with other
information the customer provides;
2. Identifying information presented that is inconsistent with other sources
of information;
3. Identifying information presented that is the same as information
shown on other applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address);
5. An address or phone number presented that is the same as that of
another person;
6. A person who fails to provide complete personal identifying information
on an application when reminded to do so (however, by law social
security numbers may not be required); and
7. A person's identifying information is not consistent with the information
that is on file for the customer.
C. Suspicious Account Activity or Unusual Use of Account
1. Change of address for an account followed by a request to change the
account holder's name;
2. Payments stop on an otherwise consistently up-to-date account;
3. Mail sent to the account holder is repeatedly returned as undeliverable;
4. Notice to the City that a customer is not receiving mail sent by the City;
5. Notice to the City that an account has unauthorized activity;
6. Breach in the City's computer system security;
7. Unauthorized access to or use of customer account information;
8. Evidence that more than one person is identifying themselves as the
account holder; and
9. Non-payment or frequent delinquency when there is no prior history of
late or missed payments.
D. Alerts From Others
1. Notice to the City from a customer, identity theft victim, law
enforcement or other person that it has opened or is maintaining a
fraudulent account for a person engaged in identity theft.
V. DETECTING RED FLAGS
A. New Accounts
In order to detect any of the Red Flags identified above associated with the
opening of a new account, the City may take the following steps to obtain and
verify the identity of the person opening the account:
1. Require certain identifying information such as name, date of birth,
residential or business address, principal place of business for an
entity, driver's license or other identification;
2. Verify the customer's identity (for instance, review a driver's license or
other identification card);
3. Review documentation showing the existence of a business entity;
4. Request additional documentation to establish identity; and
5. Independently contact the customer or business.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing municipal
services account, the City will take the following steps to monitor transactions
with an account:
1. Verify the identification of customers if they request information;
2. Verify the validity of requests to close accounts or change billing
addresses; and
3. Verify changes in banking information given for billing and payment
purposes.
VI. PREVENTING AND MITIGATING IDENTITY THEFT
In the event City personnel suspect or detect Red Flags, such personnel shall
take one or more of the following steps, depending upon the degree of risk posed
by the Red Flag:
A. Prevent and Mitigate
1. Continue to monitor an account for evidence of identity theft;
2. Contact the customer, sometimes through multiple methods;
3. Change any passwords or other security devices that permit access to
accounts;
4. Not open a new account;
5. Not close an existing account;
6. Do not close the account, but monitor or contact authorities;
7. Reopen an account with a new number;
8. Notify the Program Administrator for determination of the appropriate
step(s) to take;
9. Notify law enforcement; or
10. Determine that no response is warranted under the particular
circumstances.
B. Protect Customer Identifying Information
In order to further prevent the likelihood of identity theft occurring with respect to
municipal services accounts, the City will take the following steps with respect to
its internal operating procedures to protect customer identifying information:
1. Ensure that its website is secure or provide clear notice that the website
is not secure;
2. Where and when allowed, ensure complete and secure destruction of
paper documents and computer files containing customer information;
3. Ensure that office computers are password protected and that
computer screens lock after a set period of time;
4. Change passwords on office computers on a regular basis;
5. Ensure all computers are backed up properly and any backup
information is secured;
6. Keep offices clear of papers containing customer information;
7. Request only the last 4 digits of social security number (if any);
8. Ensure computer virus protection is up to date; and
9. Require and keep only the kinds of customer information necessary for
utility purposes.
VII. PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in
risks to customers and the soundness of the City from Identity Theft. At least
annually, the Program Administrator will consider the City's experiences with
identity theft situations, changes in identity theft methods, changes in identity
theft detection and prevention methods, changes in types of accounts the City
maintains and changes in the City's business arrangements with other entities,
consult with law enforcement authorities, and consult with other City personnel.
After considering these factors, the Program Administrator will determine whether
changes to the Program, including the listing of Red Flags, are warranted. If
warranted, the Program Administrator will update the Program or present the City
Council with his or her recommended changes and the City Council will make a
determination of whether to accept, modify or reject those changes to the
Program.