To establish an identity theft prevention program designed to protect, prevent and diminish identity theft in connection with the opening of a city utility account or of an existing utility account and to provide for continued administration of the program in compliance with part 681 of title 16 of the Code of Federal Regulations in implementing sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 (Federal Trade Commission’s red flags rule).
(2007 Code, sec. 13.08.001)
(a) 
Fulfilling requirements of red flags rule.
Under the red flags rule, every financial [institution] and creditor, including municipal utilities, is required to establish an identity theft prevention program tailored to its size and the nature of its operation. Each program must have reasonable policies and procedures to:
(1) 
Identify relevant red flags for new and existing covered accounts and include these red flags in the program;
(2) 
Detect red flags that have been incorporated into the program;
(3) 
Respond appropriately to any red flags that are detected to prevent and help reduce or eliminate identity theft; and
(4) 
Ensure that the program is reviewed and updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from identity theft.
(b) 
Definitions.
(1) 
The red flags rule defines identity theft as “fraud committed using the identifying information of another person” and a red flag as “a pattern, practice or specific activity that indicates the possible existence of identity theft.”
(2) 
All of the city utility accounts, whether the account is classified residential or commercial, are covered by this program.
(3) 
Identifying information is defined under the rule as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including name, address, telephone number, social security number, date of birth, government-issued driver’s license or identification number, unique identification number, computer’s internet protocol address, or routing code.
(2007 Code, sec. 13.08.002)
The city manager shall be responsible for the development, implementation, oversight and continued administration of the program. The finance department director and staff will administer the program and shall train staff, as necessary, to effectively implement the program.
(2007 Code, sec. 13.08.003)
(a) 
In order to identify relevant red flags, the city considers the types of accounts that it offers and maintains, the methods it provides to open its accounts and the methods it provides to access its accounts. The program shall include relevant red flags from the following categories as appropriate:
(1) 
Alerts, notifications or other warnings received from consumer reporting agencies and service providers, such as fraud detection services;
(2) 
The presentation of suspicious documents:
(A) 
An identification document or card that appears to be forged, altered or inauthentic;
(B) 
An identification document or card on which a person’s photograph or physical description is not consistent with the person’s photograph or physical description is not consistent with [sic] the person presenting the document;
(C) 
Other document information that is not consistent with existing customer information (such as if a person’s signature on a check appears forged);
(D) 
An application for service that appears to have been altered or forged;
(3) 
The unusual use of, or other suspicious activity related to, a utility account;
(4) 
Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with utility accounts;
(5) 
The presentation of suspicious personal identifying information:
(A) 
Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
(B) 
Identifying information presented that is inconsistent with other sources of information (example: an address not matching an address on a credit report or letter of credit);
(C) 
Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
(D) 
Identifying information presented that is consistent with fraudulent activity (such as an invalid telephone number or fictitious billing address);
(E) 
Social security number presented that is the same as that of another customer;
(F) 
An address or telephone number presented that is the same as that of another person;
(G) 
A person fails to provide complete personal identifying information on an application when reminded to do so (however, by law, social security numbers must not be required); and
(H) 
A person’s identifying information is not consistent with the information that is on file for the customer.
(6) 
Suspicious account activity or unusual use of account:
(A) 
Change of address for an account followed by a request to change the account holder’s name;
(B) 
Payments stop on an otherwise consistently up-to-date account;
(C) 
Account used in a way that is not consistent with prior use (example: very high activity);
(D) 
Mail sent to the account holder is repeatedly returned as undeliverable;
(E) 
Notice to the city that an account has unauthorized activity;
(F) 
Breach in the city’s computer system security; and
(G) 
Unauthorized access to or use of customer account information.
(b) 
The program shall consider the following risk factors in identifying relevant red flags for utility accounts as appropriate:
(1) 
The type of covered utility accounts offered or maintained;
(2) 
The methods provided to open covered utility accounts;
(3) 
The methods provided to access covered accounts; and
(4) 
If any, previous experience with identity theft.
(2007 Code, sec. 13.08.004)
(a) 
New accounts.
In order to detect any of the red flags identified above associated with the opening of a new account, utility billing staff will take the following steps to obtain and verify the identity of the person opening the account:
(1) 
Require identifying information such as name, date of birth, residential or business address, driver’s license or other identification;
(2) 
Verify the customer’s identity (example: review a driver’s license or other identification card);
(3) 
Review all documentation presented for accuracy. If in doubt, follow up by independently contacting the customer.
(b) 
Existing accounts.
In order to detect any of the red flags identified above for an existing account, utility billing staff will take the following steps to monitor transactions with an account:
(1) 
Verify the identification of customers if they request information (in person, via telephone, via facsimile, via e-mail);
(2) 
Verify the validity of requests to change billing addresses; and
(3) 
Verify changes in banking information given for billing and payment purposes.
(2007 Code, sec. 13.08.005)
In the event utility billing staff detect any identified red flags, staff will take one or more of the following steps, depending on the degree of risk posed by the red flag:
(1) 
Continue to monitor an account for evidence of identity theft;
(2) 
Contact the customer to verify information;
(3) 
Upon review by the finance director and customer service manager, do not open a new account, or close an existing account;
(4) 
Reopen an account with a new identifying number;
(5) 
Request direction from the program administrator to determine the appropriate course of action;
(6) 
With management’s approval, notify the city police department; or
(7) 
Upon full review of the circumstances, determine that no response is warranted.
(2007 Code, sec. 13.08.006)
In order to further prevent the likelihood of identify theft occurring with respect to the city utility accounts, the city will take the following steps to protect the customer identifying information:
(1) 
Ensure that its website is secure or provide clear notice that the website is not secure;
(2) 
Ensure complete and secure destruction of paper documents and computer files containing customer information;
(3) 
Ensure that office computers are password protected and that computer screens lock after a set period of time;
(4) 
Request only the last 4 digits of social security numbers (if any) for verification purposes;
(5) 
Ensure computer virus protection is up to date; and
(6) 
Require and keep only the required customer information for utility purposes.
(2007 Code, sec. 13.08.007)
The program will be reviewed periodically, at a minimum of once a year. The program administrator will determine if any updates or changes are required considering the city’s experiences with identity theft situations.
(2007 Code, sec. 13.08.008)
The utility billing staff shall be trained by, or under the direction of, the program administrator in the detection of red flags and responsive steps to be taken when a red flag is detected. Each training session will be documented and training files will be maintained by human resources.
(2007 Code, sec. 13.08.009)
If the city utility billing division engages a service provider to perform an activity in connection with one or more accounts, e.g., a collection agency, the city will ensure that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate risk of identity theft.
(2007 Code, sec. 13.08.010)