[Ord. No. 893, 7-21-2009]
A.
Introduction. The City of Lake Lotawana, Missouri, Sewer District
Number 1 and 2 (the "utility") has developed this Identity Theft Prevention
Program ("program") pursuant to the Federal Trade Commission ("FTC")
Red Flag Rule, which implements Section 114 of the Fair and Accurate
Credit Transaction Act of 2003, pursuant to 16 CFR 681.2. This Program
is designed to detect, prevent and mitigate identity theft in connection
with the opening and maintenance of certain utility accounts. For
the purpose of this program, "identity theft" is considered to be
"fraud committed using the identifying information of another person."
The accounts addressed by the program (the "accounts") are defined
as:
1.
A continuing relationship that the utility has with an individual
through an account the utility maintains for payment of sewer bills
for a building connected to the utility's system.
2.
This program was developed with the approval of the Board of
Aldermen of the City of Lake Lotawana, Missouri, which approved the
program on July 21, 2008.
B.
Identification Of Red Flags. A "red flag" is a pattern, practice
or specific activity that indicates the possible existence of identity
theft. In order to identify relevant red flags, the utility considered
risk factors such as the types of accounts that it offers and maintains,
the methods it provides to open its accounts, the methods it provides
to access its accounts, and its previous experiences with identity
theft. The utility identified the following possible red flags for
the utility:
1.
Receiving an application for service that appears to have been
altered or forged.
2.
An account with a stable history shows irregularities (such
as late or no payments when the account has been timely in the past).
3.
The utility is notified of unauthorized charges or transactions
in connection with a customer's account.
4.
The utility receives notice from a customer, an identity theft
victim, law enforcement or any other person that it has opened or
is maintaining a fraudulent account for a person engaged in identity
theft.
C.
Detection Of Red Flags. In order to detect any of the red flags identified
above, utility personnel will take the following steps to monitor
transactions with an account:
1.
Verifying the identification of customers if they request information
(in person, via telephone, via facsimile, via e-mail).
2.
Verifying the validity of requests to change billing addresses.
3.
Verifying changes in banking information given for billing and
payment purposes.
4.
Independently contacting the customer.
D.
Preventing And Mitigating Identity Theft. In the event utility personnel
detect any identified red flags, such personnel shall take one (1)
or more of the following steps, depending on the degree for risk posed
by the red flag:
1.
Steps can include:
a.
Continuing to monitor an account for evidence of identity theft.
b.
Contacting the customer.
c.
Notifying law enforcement.
d.
Determining that no response is warranted under the particular
circumstances.
e.
Notifying the Program Administrator (as defined below) for determination
of the appropriate step(s) to take.
2.
In order to further prevent the likelihood of identity theft
occurring with respect to utility accounts, the utility will take
the following steps with respect to its internal operating procedures:
a.
Providing a secure website.
b.
Insuring complete and secure destruction of paper documents
and computer files containing customer information, including documentation
of such destruction.
c.
Ensuring that office computers are password protected and that
computer screens lock after a set period of time.
d.
Limiting access to account to only employees that require access.
e.
Prohibiting account information to be written on sticky pads
or note pads.
f.
Ensuring that computer screens are only visible to the employee
accessing the account.
g.
Requiring customers to authenticate addresses and personal information,
rather than account representatives asking if the information is correct.
h.
The only information the utility will provide with respect to
an account is the current balance due for an account address.
E.
Updating The Program And The Red Flags. This program will be periodically
reviewed and updated to reflect changes in risks to customers and
the soundness of the utility from identity theft. At least once per
year, the Program Administrator will consider the utility's experiences
with identity theft situation, changes in identity theft methods,
changes in identity theft detection and prevention methods, changes
in types of accounts the utility maintains and changes in the utility's
business arrangements with other entities. After considering these
factors, the Program Administrator will determine whether changes
to the program, including the listing of red flags, are warranted.
If warranted, the Program Administrator will present the Board of
Aldermen with the recommended changes, and the Board of Aldermen will
make a determination of whether to accept, modify or reject those
changes to the program.
F.
Program Administrator.
1.
Oversight. The utility's program will be overseen by a Program
Administrator. The Program Administrator shall be the City Clerk of
the City of Lake Lotawana. The Program Administrator will be responsible
for the program's administration, for ensuring appropriate training
of utility staff on the program, for reviewing any staff reports regarding
the detection of red flags and the steps for preventing and mitigating
identity theft, determining which steps of prevention and mitigation
should be taken in particular circumstances, reviewing and, if necessary,
approving changes to the program.
2.
Oversight. Staff Training And Reports. Utility staff responsible
for implementing the program shall be trained either by or under the
direction of the Program Administrator in the detection of red flags,
and the responsive steps to be taken when a red flag is detected.
Such training will be sufficient to effectively implement the program.
3.
Oversight. Service Provider Arrangements. In the event the utility
engages a service provider to perform an activity in connection with
one (1) or more accounts, the utility will take the following steps
to ensure the service provider performs its activity in accordance
with reasonable policies and procedures designed to detect, prevent,
mitigate the risk of identity theft.
