[R.O. 2017 § 160.010; Ord. No. 2009-04, 4-7-2009]
The Identity Theft Prevention Program
("program") was developed by the City of Battlefield pursuant to the
Federal Trade Commission's Red Flags Rule ("Rule"), which implements
Section 114 of the Fair and Accurate Credit Transactions Act of 2003,
16 CFR 681.2. This program was developed by City staff taking into
consideration the size and complexity of the utility's ("utility")
operations and account systems and the nature and scope of the utility's
activities. The program was approved by the Board of Aldermen by resolution
on April 7, 2009.
[R.O. 2017 § 160.020; Ord. No. 2009-04, 4-7-2009]
A. Fulfilling Requirements Of The Red Flags
Rule. Under the Red Flags Rule, every financial institution and creditor
is required to establish an Identity Theft Prevention Program tailored
to its size, complexity and the nature of its operation. Each program
must contain reasonable policies and procedures to:
1. Identify relevant red flags for new
and existing covered accounts and incorporate those red flags into
the program;
2. Detect red flags that have been incorporated
into the program;
3. Respond appropriately to any red
flags that are detected to prevent and mitigate identity theft; and
4. Ensure the program is updated periodically
to reflect changes in risks to customers or to the safety and soundness
of the creditor from identity theft.
B. Red Flags Rule Definitions Used In This
Program. The Red Flags Rule defines "identity theft" as fraud committed
using the identifying information of another person and a "red flag"
as a pattern, practice or specific activity that indicates the possible
existence of identity theft.
According to the Rule, a municipal
utility is a creditor subject to the Rule requirements. The Rule defines
"creditors" to include finance companies, automobile dealers, mortgage
brokers, utility companies and telecommunications companies. Where
non-profit and government entities defer payment for goods or services,
they, too, are to be considered creditors.
All the utility's accounts that are
individual utility service accounts held by customers of the utility
whether residential, commercial or industrial are covered by the Rule.
Under the Rule, a "covered account" is:
1. Any account the utility offers or
maintains primarily for personal, family or household purposes, that
involves multiple payments or transactions; and
2. Any other account the utility offers
or maintains for which there is a reasonably foreseeable risk to customers
or to the safety and soundness of the utility from identity theft.
"Identifying information" is defined
under the rule as "any name or number that may be used, alone or in
conjunction with any other information, to identify a specific person,"
including: name, address, telephone number, social security number,
date of birth, government issued driver's license or identification
number, alien registration number, government passport number, employer
or taxpayer identification number, unique electronic identification
number, computer's internet protocol address or routing code.
[R.O. 2017 § 160.030; Ord. No. 2009-04, 4-7-2009]
A. In order to identify relevant red flags,
the utility considers the types of accounts that it offers and maintains,
the methods it provides to open its accounts, the methods it provides
to access its accounts and its previous experiences with identity
theft. The utility identifies the following red flags in each of the
listed categories:
1. Notifications And Warnings From Credit
Reporting Agencies. Red flags:
a. Report of fraud accompanying a credit
report;
b. Notice or report from a credit agency
of a credit freeze on a customer or applicant;
c. Notice or report from a credit agency
of an active duty alert for an applicant; and
d. Indication from a credit report of
activity that is inconsistent with a customer's usual pattern or activity.
2. Suspicious Documents. Red flags:
a. Documents provided for identification
appear to have been altered or forged.
b. Identification document or card on
which a person's photograph or physical description is not consistent
with the person presenting the document.
c. Other information on the identification
is not consistent with information provided by the person opening
a new covered account or customer presenting the information.
d. Other information on the identification
is not consistent with readily accessible information that is on file
with the utility, such as a signature card or a recent check.
3. Suspicious Personal Identifying Information.
Red flags:
a. Personal identifying information
provided is associated with known fraudulent activity as indicated
by internal or third-party sources used by the utility. For example:
(1) The address on an application
is the same as the address provided on a fraudulent application; or
(2) The phone number on
an application is the same as the number provided on a fraudulent
application.
b. The Social Security number provided
is the same as that submitted by other persons opening an account
or other customers.
(1) The person opening the
covered account or the customer fails to provide all required personal
identifying information on an application or in response to notification
that the application is incomplete.
(2) Personal identifying
information provided is not consistent with personal identifying information
that is on file with the utility.
4. Suspicious Account Activity Or Unusual
Use Of Account. Red flags:
a. A covered account is used in a manner
that is not consistent with established patterns of activity on the
account;
b. A covered account that has been inactive
for a reasonably lengthy period of time is used (taking into consideration
the type of account, the expected pattern of usage and other relevant
factors);
c. Mail sent to the customer is returned
repeatedly as undeliverable although transactions continue to be conducted
in connection with the customer's covered account;
d. The utility is notified that the
customer is not receiving paper account statements;
e. The utility is notified of unauthorized
charges or transactions in connection with a customer's covered account;
f. Breach in the utility's computer
system security; and
g. Unauthorized access to or use of
customer account information.
5. Alerts From Others. Red flag:
a. Notice to the utility from a customer,
identity theft victim, law enforcement or other person that it has
opened or is maintaining a fraudulent account for a person engaged
in identity theft.
[R.O. 2017 § 160.040; Ord. No. 2009-04, 4-7-2009]
A. New Accounts. In order to detect any of
the red flags identified above associated with the opening of a new
account, utility personnel will take the following steps to obtain
and verify the identity of the person opening the account:
1. Detect. Require certain identifying information such as name, date
of birth, residential or business address, principal place of business
for an entity, driver's license number or other identification.
B. Existing Accounts. In order to detect any
of the red flags identified above for an existing account, utility
personnel will take the following steps to monitor transactions with
an account:
1. Detect.
a. Verify the identification of customers if they request information
(in person, via telephone, via facsimile, via email); and
b. Verify changes in banking information given for billing and payment
purposes.
[R.O. 2017 § 160.050; Ord. No. 2009-04, 4-7-2009]
A. In the event utility personnel detect any
identified red flags, such personnel shall take one (1) or more of
the following steps, depending on the degree of risk posed by the
red flag:
1. Prevent And Mitigate.
a. Verify the validity of customer change
of address on existing accounts in order to monitor the diversion
of statements as a prelude to possible account manipulation.
b. Consumer Education. The City believes
consumers have an important role to play in protecting themselves
from identity theft. As identity thieves become more sophisticated,
consumers can benefit from accurate, up-to-date information designed
to educate them concerning steps they should take to reduce their
vulnerability to this type of fraud. The City will make efforts to
raise consumer awareness of this type of fraud and what they can do
to protect themselves.
c. Continue to monitor an account for
evidence of identity theft.
d. If a red flag is detected, possible
mitigation includes:
(2) Change any passwords
or other security devices that permit access to accounts.
(4) Close an existing account.
(5) Reopen an account with
a new number.
(6) Notify the Program Administrator
for determination of the appropriate step(s) to take.
2. Protect Identifying Information.
In order to further prevent the likelihood of identity theft occurring
with respect to utility accounts, the utility will take the following
steps with respect to its internal operating procedures to protect
identifying information:
a. Ensure that its website is secure
or provide clear notice that the website is not secure;
b. Ensure complete and secure destruction
of paper documents and computer files containing customer information;
c. Ensure that office computers are
password protected and that computer screens lock after a set period
of time;
d. Ensure computer virus protection
is up to date; and
e. Require and keep only the kinds of
customer information that are necessary for utility purposes.
[R.O. 2017 § 160.060; Ord. No. 2009-04, 4-7-2009]
This program will be periodically
reviewed and updated to reflect changes in risks to customers and
the soundness of the utility from identity theft. At least once a
year, the Program Administrator will consider the utility's experiences
with identity theft situations, changes in identity theft methods,
changes in identity theft detection and prevention methods, changes
in types of accounts the utility maintains and changes in the utility's
business arrangements with other entities. After considering these
factors, the Program Administrator will determine whether changes
to the program, including the listing of red flags, are warranted.
If warranted, the Program Administrator will update the program and
the Board of Aldermen will make a determination of whether to accept,
modify or reject those changes to the program.
[R.O. 2017 § 160.070; Ord. No. 2009-04, 4-7-2009]
A. Oversight. Oversight of program development,
implementation and administration shall be the responsibility of the
City Collector or designee who will be responsible for the program
administration, for ensuring appropriate training of utility staff
on the program, for reviewing any staff reports regarding the detection
of red flags and the steps for preventing and mitigating identity
theft, determining which steps of prevention and mitigation should
be taken in particular circumstances and considering periodic changes
to the program.
B. Training And Reports.
1. Appropriate personnel shall be trained
to fully execute the program:
a. Employees with direct access to customer
information will be looked to as a primary source of information that
can help identify red flags.
b. During implementation, employees
with direct and indirect access to customer information will receive
annual training thereafter.
2. The City's IT contractor will provide
technical expertise and guidance to ensure electronic information
stored by the City will be adequately secure and will take action
if an electronic security breach occurs.
3. The City's IT contractor will perform
random security assessments/audits to ensure the network is protected
from external threats.
4. The City will use its website and
the media to alert customers of the need to protect themselves from
identity theft.
5. Follow-up sessions will be performed
to ensure the City has and is following the theft protection program.
6. Annual reports shall be submitted
to the City Administrator to include:
a. Effectiveness of the program.
b. Explanation of "significant events."
c. Recommendations for program changes.
d. Evolving risks and methods of identity
theft.
C. Service Provider Arrangements. In the event
the utility engages a service provider to perform an activity in connection
with one (1) or more accounts, the utility will take the following
steps to ensure the service provider performs its activity in accordance
with reasonable policies and procedures designed to detect, prevent
and mitigate the risk of identity theft.
1. Require, by contract, that service
providers have such policies and procedures in place; and
2. Require, by contract, that service
providers review the utility's program and report any red flags to
the Program Administrator.
D. Specific Program Elements And Confidentiality.
For the effectiveness of identity theft prevention programs, the Red
Flag Rule envisions a degree of confidentiality regarding the utility's
specific practices relating to identity theft detection, prevention
and mitigation. Therefore, under this program, knowledge of such specific
practices is to be limited to the Identity Theft Committee and those
employees who need to know them for purposes of preventing identity
theft. Because this program is to be adopted by a public body and
thus publicly available, it would be counterproductive to list these
specific practices here. Therefore, only the program's general red
flag detection, implementation and prevention practices are listed
in this document.
E. Conclusion. The City realizes that despite
generally strong controls and practices currently in place by the
City, methods for stealing personal data and committing fraud with
such data will continue to evolve. The City will, therefore, treat
the theft of personal information as a significant risk area due to
its potential impact on the safety and soundness of the local government
and the damage it poses to its consumers. The City believes collaborative
efforts with the public, other levels of government and the business
community can significantly minimize threats to consumers and data
security.