[Ord. No. 7108 §1, 4-27-2009]
Pursuant to Federal law the Federal Trade Commission adopted
Identity Theft Rules requiring the creation of certain policies relating
to the use of consumer reports, address discrepancy and the detection,
prevention and mitigation of identity theft. The Federal Trade Commission
regulations adopted as 16 CFR §681.2 require creditors, as defined
by 15 U.S.C. §681(a)(5) to adopt red flag policies to prevent
and mitigate identity theft with respect to covered accounts. 15 U.S.C.
§1681a(r)(5) cites 15 U.S.C. §1691a, which defines a creditor
as a person that extends, renews or continues credit, and defines
"credit" in part as the right to purchase property or services and
defer payment therefor. The Federal Trade Commission regulations
include utility companies in the definition of creditor. The City
of Maryville is a creditor with respect to 16 CFR §681.2 by virtue
of providing water and sewer utility services or by otherwise accepting
payment for municipal services in arrears. This program was developed
with oversight and approval of the City Council. After consideration
of the size and complexity of the City's water and sewer utility (the
utility) operations and account systems, and the nature and scope
of the utility's activities, the City Council determined that this
program was appropriate for the utility, and therefore approved this
program on April 27, 2009.
[Ord. No. 7108 §1, 4-27-2009]
A. Fulfilling Requirements Of The Red Flags Rule. Under the
Red Flag Rule, every financial institution and creditor is required
to establish an "Identity Theft Prevention Program" tailored to its
size, complexity and the nature of its operation. Each program must
contain reasonable policies and procedures to:
1. Identify relevant red flags for new and existing covered accounts
and incorporate those red flags into the program;
2. Detect red flags that have been incorporated in the program;
3. Respond appropriately to any red flags that are detected to prevent
and mitigate identity theft; and
4. Ensure the program is updated periodically, to reflect changes in
risks to customers or to the safety and soundness of the creditor
from identity theft.
B. Red Flags Rule Definitions Used In The Program.
1. The red flags rule defines "identity theft" as fraud
committed using the identifying information of another person and
a "red flag" as a pattern, practice, or specific
activity that indicates the possible existence of identity theft.
2. According to the rule, a municipal utility is a creditor subject
to the rule requirements. The rule defines "creditors" to include finance companies, automobile dealers, mortgage brokers,
utility companies, and telecommunications companies. Where non-profit
and government entities defer payment for goods or services, they,
too, are to be considered creditors.
3. All the utility's accounts that are individual utility service accounts
held by customers of the utility whether residential or commercial
are covered by the rule. Under the Rule, a "covered account" is:
a. Any account the utility offers or maintains primarily for personal,
family or household purposes that involves multiple payments or transactions;
and
b. Any other account the utility offers or maintains for which there
is a reasonably foreseeable risk to customers or to the safety and
soundness of the utility from identity theft.
"Identifying information" is defined under
the rule as any name or number that may be used, alone or in conjunction
with any other information, to identify a specific person, including:
name, address, telephone number, Social Security number, date of birth,
government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's
Internet protocol address, or routing code.
[Ord. No. 7108 §1, 4-27-2009]
A. In
order to identify relevant red flags, the utility considers the types
of accounts that it offers and maintains, the methods it provides
to open its accounts, the methods it provides to access its accounts,
and its previous experiences with identity theft. The utility identifies
the following red flags, in each of the listed categories:
1. Notifications and warnings from credit reporting agencies
(if a consumer credit report is used; currently the utility does not
use credit reports). Examples of alerts include but are not
limited to:
a. A fraud or active duty alert that is included with a consumer report;
b. A notice of credit freeze in response to a request for a consumer
report;
c. A notice of address discrepancy provided by a consumer reporting
agency;
d. Indications of a pattern of activity in a consumer report that is
inconsistent with the history and usual pattern of activity of an
applicant or customer.
2. Suspicious documents. Examples of suspicious documents
include:
a. Documents provided for identification that appear to be altered or
forged;
b. Identification on which the photograph or physical description is
inconsistent with the appearance of the applicant or customer;
c. Identification on which the information is inconsistent with existing
customer information (such as if a person's signature on a check appears
forged);
3. Suspicious personal identifying information. Examples
of suspicious identifying information include:
a. Personal identifying information that is inconsistent with external
information sources used by the utility. For example:
(1) The address does not match any address in the consumer report
(if used by the utility); or
(2) The Social Security number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File (if
used by the utility);
b. Other information provided, such as fictitious mailing address, mail
drop addresses, jail addresses, invalid phone numbers, pager numbers
or answering services, is associated with fraudulent activity;
c. The Social Security number provided is the same as submitted by another
customer;
d. The applicant fails to provide all required personal identifying
information on an application or in response to notification that
the application is incomplete;
e. Personal identifying information is not consistent with information
that is on file;
f. Personal identifying information provided by the customer is not
consistent with other personal identifying information provided by
the customer, such as a lack of correlation between the Social Security
number range and the date of birth;
g. Personal identifying information or a phone number or address, is
associated with known fraudulent application or activities as indicated
by internal or third-party sources used by the utility.
4. Suspicious account activity or unusual use of account. Examples of suspicious activity include:
a. Change of address for an account followed by a request to change
the account holder's name;
b. Payments stop on an otherwise consistently up-to-date account;
c. An account being used in a way that is not consistent with prior
use (such as very high activity);
d. Mail sent to the account holder is repeatedly returned as undeliverable;
e. Notice to the utility that a customer is not receiving mail sent
by the utility;
f. Breach in the utility's computer system security; and
g. Unauthorized access to or use of customer account information.
5. Alerts from others. Notice to the utility from a
customer, identity theft victim, law enforcement or other person that
it has opened or is maintaining a fraudulent account for a person
engaged in identity theft.
[Ord. No. 7108 §1, 4-27-2009]
A. In
order to detect any of the red flags identified above in the opening
of a new account, utility personnel will take the following steps
to obtain and verify the identity of the person opening the account:
1. Require certain identifying information such as name, residential
or business address, principal place of business for an entity, driver's
license or other identification;
2. Verify the customer's identity (such as by reviewing a driver's license
or other identification card); and
3. Review documentation showing the existence of a business entity.
B. In
order to detect any of the red flags identified above for an existing
account, utility personnel will take the following steps to monitor
transactions with an account:
1. Verify the identification of customers if they request information
(in person, via telephone, via facsimile, via e-mail);
2. Verify changes in banking information given for billing and payment
purposes.
[Ord. No. 7108 §1, 4-27-2009]
A. In
the event utility personnel detect any identified red flags, such
personnel shall take one (1) or more of the following steps, depending
on the degree of risk posed by the red flag:
1. Continue to monitor an account for evidence of identity theft;
4. Close an existing account;
5. Reopen an account with a new number;
6. Notify the program Administrator for determination of the appropriate
step(s) to take;
7. Notify law enforcement; or
8. Determine that no response is warranted under the particular circumstances.
B. In
order to further prevent the likelihood of identity theft occurring
with respect to utility accounts, the utility will take the following
steps with respect to its internal operating procedures to protect
customer identifying information:
1. Ensure complete and secure destruction of paper documents and computer
files containing customer information;
2. Ensure that office computers are password protected and that computer
screens lock after a set period of time;
3. Keep offices clear of papers containing customer information;
4. Require and keep only the kinds of customer information that are
necessary for utility purposes;
5. Require customers to authenticate addresses and personal information,
rather than utility personnel asking if the information is correct.
[Ord. No. 7108 §1, 4-27-2009]
The Program Administrator will periodically review and update
this program to reflect changes in risks to customers and the soundness
of the utility from identity theft. In doing so, the Program Administrator
will consider the utility's experiences with identity theft situations,
changes in identity theft methods, changes in identity theft detection
and prevention methods, and changes in the utility's business arrangements
with other entities. After considering these factors, the Program
Administrator will determine whether changes to the program, including
the listing of red flags, are warranted. If warranted, the Program
Administrator will update the program or present the City Council
with his or her recommended changes and the City Council will make
a determination of whether to accept, modify or reject those changes
to the program.
[Ord. No. 7108 §1, 4-27-2009]
A. Oversight. Responsibility for developing, implementing and
updating this program lies with an Identity Theft Committee to be
comprised of the Program Administrator (the City Manager) and the
Finance Director. The Program Administrator will be responsible for
the program administration, for ensuring appropriate training of utility
staff on the program, for reviewing any staff reports regarding the
detection of red flags and the steps for preventing and mitigating
identity theft, determining which steps of prevention and mitigation
should be taken in particular circumstances and considering periodic
changes to the program.
B. Staff Training And Reports. Utility staff responsible for
implementing the program shall be trained either by, or under, the
direction of the Program Administrator in the detection of red flags,
and the responsive steps to be taken when a red flag is detected.
C. Service Provider Arrangements. In the event the utility
engages a service provider to perform an activity in connection with
one (1) or more accounts, the utility will take the following steps
to ensure the service provider performs its activity in accordance
with reasonable policies and procedures designed to detect, prevent,
and mitigate the risk of identity theft.
1. Require, by contract, that service providers have such policies and
procedures in place; and
2. Require, by contract, that service providers review the utility's
program and report any red flags to the Program Administrator.