[R.O. 1997 §150.010; Ord. No. 1565 §2, 10-27-2008]
A.
The City of Cassville (the "utility") has developed this
Identity Theft Prevention Program ("Program") pursuant to the Federal
Trade Commission's (FTC) Red Flag Rule, which implements Section 114
of the Fair and Accurate Credit Transaction Act of 2003, pursuant
to 16 CFR 681.2. This Program is designed to detect, prevent and mitigate
identity theft in connection with the opening and maintenance of certain
utility accounts. For purposes of this Program, "identity theft" is
considered to be "fraud committed using the identifying information
of another person." The accounts addressed by the Program (the "accounts")
are defined as:
1.
A continuing relationship the Utility has with
an individual through an account the Utility offers or maintains primarily
for personal, family or household purposes, that involves multiple
payments or transactions; and
2.
Any other account the Utility offers or maintains
for which there is a reasonably foreseeable risk to customers or to
the safety and soundness of the Utility from identity theft.
B.
This Program was developed with oversight and approval
of the Board of Aldermen. After consideration of the size and complexity
of the Utility's operations and account systems and the nature and
scope of the Utility's activities, the Board of Aldermen determined
that this Program was appropriate for the utilities provided by the
City and therefore approved this Program on October 27, 2008.
[R.O. 1997 §150.020; Ord. No. 1565 §2, 10-27-2008]
A.
A "red flag" is a pattern, practice or specific activity
that indicates the possible existence of identity theft. In order
to identify relevant red flags, the Utility considered risk factors
such as the types of accounts that it offers and maintains, the methods
it provides to open its accounts, the methods it provides to access
its accounts, and its previous experiences with identity theft. The
Utility identified the following red flags in each of the listed categories:
1.
Notifications And Warnings From Consumer
Reporting Agencies. (Note: A utility will likely only have
a listing in this category if it reports to or obtains information
from consumer reporting agencies.) Possible red flags for this category
include:
a.
A fraud or activity alert is included with a consumer
report;
b.
Receiving a report or notice from a consumer reporting
agency of a credit freeze;
c.
Receiving a report of fraud with a consumer report;
and
d.
Receiving indication from a consumer report of
activity that is inconsistent with a customer's usual pattern or activity.
2.
Suspicious Documents. Possible
red flags for this category include:
a.
Receiving documents that are provided for identification
that appear to be forged or altered;
b.
Receiving documentation on which a person's photograph
or physical description is not consistent with the person presenting
the documentation;
c.
Receiving other documentation with information
that is not consistent with existing customer information (such as
if a person's signature on a check appears forged); and
d.
Receiving an application for service that appears
to have been altered or forged.
3.
Suspicious Personal Identifying Information. Possible red flags for this category include:
a.
A person's identifying information is inconsistent
with other sources of information (such as an address not matching
an address on a consumer report or a SSN that was never issued);
b.
A person's identifying information is inconsistent
with other information the customer provides (such as inconsistent
SSNs or birth dates);
c.
A person's identifying information is the same
as shown on other applications found to be fraudulent;
d.
A person's identifying information is consistent
with fraudulent activity (such as an invalid phone number or fictitious
billing address);
e.
A person's SSN is the same as another customer's
SSN;
f.
A person's address or phone number is the same
as that of another person;
g.
A person fails to provide complete personal identifying
information on an application when reminded to do so; and
h.
A person's identifying information is not consistent
with the information that is on file for the customer.
4.
Unusual Use Of Or Suspicious Activity
Related To An Account. Possible red flags for this category
include:
a.
A change of address for an account followed by
a request to change the account holder's name or add other parties;
b.
A new account is used in a manner consistent with
fraud (such as the customer failing to make the first payment or making
the initial payment and no other payments);
c.
An account being used in a way that is not consistent
with prior use (such as late or no payments when the account has been
timely in the past);
d.
Mail sent to the account holder is repeatedly
returned as undeliverable;
e.
The Utility receives notice that a customer is
not receiving his paper statements; and
f.
The Utility receives notice that an account has
unauthorized activity.
NOTE: Based on discussions with utility representatives,
other red flags in this category may include breaches in a utility's
computer system, unauthorized access to or use of customer account
information and a utility's plans to take steps with certain data
it maintains that contains customer information (i.e. destroying computer
files).
B.
NOTE: The red flags given as examples both here and in
Appendix A to the FTC red flag rule should not be considered a complete
list of red flags, but only examples of possible red flags for your
system.
[R.O. 1997 §150.030; Ord. No. 1565 §2, 10-27-2008]
A.
In order to detect any of the red flags identified above
with the opening of a new account, utility personnel will take the
following steps to obtain and verify the identity of the person opening
the account. Steps can include:
1.
Requiring certain identifying information such
as name, date of birth, residential or business address, principal
place of business for an entity, SSN, driver's license or other identification;
2.
Verifying the customer's identity, such as by
copying and reviewing a driver's license or other identification card;
3.
Reviewing documentation showing the existence
of a business entity; and
4.
Independently contacting the customer.
B.
In order to detect any of the red flags identified above
for an existing account, utility personnel will take the following
steps to monitor transactions with an account. Steps can include:
[R.O. 1997 §150.040; Ord. No. 1565 §2, 10-27-2008]
A.
In the event utility personnel detect any identified red
flags, such personnel shall take one (1) or more of the following
steps, depending on the degree of risk posed by the red flag:
1.
Steps can include:
a.
Continuing to monitor an account for evidence
of identity theft;
b.
Contacting the customer;
c.
Changing any passwords or other security devices
that permit access to accounts;
d.
Reopening an account with a new number;
e.
Not opening a new account;
f.
Closing an existing account;
g.
Notifying law enforcement;
h.
Determining that no response is warranted under
the particular circumstances; or
i.
Notifying the Program Administrator (as defined
below) for determination of the appropriate step(s) to take.
2.
NOTE: Because a utility will not be able to predict
particular circumstances that may arise, this Section may be modified
to show a range of possible responses and identifying one (1) or more
persons who will be responsible within the Utility for determining
what response is appropriate in a circumstance. For example, if the
Utility receives notice that its system has been compromised such
that a customer's personal information has become accessible, the
Utility would likely, at a minimum, notify the customer and change
passwords. If the Utility receives notice that a person has provided
inaccurate identification information, the appropriate response may
be to close the account and contact law enforcement. If the Utility
notices late payments on an account that has been regularly paid and
determines the resident has been incapacitated, no action may be warranted.
B.
In order to further prevent the likelihood of identity
theft occurring with respect to utility accounts, the Utility will
take the following steps with respect to its internal operating procedures.
These steps are not outlined in the FTC's red flag rule, but possible
steps may include:
1.
Providing a secure website or clear notice that
a website is not secure;
2.
Ensuring complete and secure destruction of paper
documents and computer files containing customer information, including
documentation of such destruction;
3.
Ensuring that office computers are password-protected
and that computer screens lock after a set period of time;
4.
Requiring only the last four (4) digits of SSNs
on customer applications;
5.
Limiting access to accounts to only employees
that require access;
6.
Prohibiting account information to be written
on sticky pads or note pads;
7.
Ensuring that computer screens are only visible
to the employee accessing the account; and
8.
Requiring customers to authenticate addresses
and personal information, rather than account representatives asking
if the information is correct.
[R.O. 1997 §150.050; Ord. No. 1565 §2, 10-27-2008]
This Program will be periodically reviewed and updated to reflect
changes in risks to customers and the soundness of the Utility from
identity theft. At least once per year, the Program Administrator
will consider the Utility's experiences with identity theft situations,
changes in identity theft methods, changes in identity theft detection
and prevention methods, changes in types of accounts the Utility maintains
and changes in the Utility's business arrangements with other entities.
After considering these factors, the Program Administrator will determine
whether changes to the program, including the listing of red flags,
are warranted. If warranted, the Program Administrator will present
the Board of Aldermen with his or her recommended changes, and the
Board of Aldermen will make a determination of whether to accept,
modify or reject those changes to the program.
NOTE: A utility's program may also authorize the Program Administrator
to adopt program changes.
[R.O. 1997 §150.060; Ord. No. 1565 §2, 10-27-2008]
A.
Oversight. The Utility's program will
be overseen by a Program Administrator. The Program Administrator
shall be the City Administrator or equivalent. The Program Administrator
will be responsible for the program's administration, for ensuring
appropriate training of utility staff on the program, for reviewing
any staff reports regarding the detection of red flags and the steps
for preventing and mitigating identity theft, determining which steps
of prevention and mitigation should be taken in particular circumstances,
reviewing and, if necessary, approving changes to the program.
B.
Staff Training And Reports. Utility staff
responsible for implementing the program shall be trained either by
or under the direction of the Program Administrator in the detection
of red flags and the responsive steps to be taken when a red flag
is detected. Such training will be sufficient to effectively implement
the program.
C.
Service Provider Arrangements. The Utility
will take the following steps to ensure the service provider performs
its activity in accordance with reasonable policies and procedures
designed to detect, prevent and mitigate the risk of identity theft.
These steps may include:
