The Fair and Accurate Credit Transaction Act of 2003 (“FACTA”), Section 114, as implemented by the Red Flag Rules, 16 C.F.R. Section 681.2, issued by the Federal Trade Commission, along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Policy. Pursuant to the regulations, the District is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family, or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft. Therefore, the District is required to implement an Identity Theft Prevention Policy.
The purpose of this Identify Theft Prevention Policy (“Policy”) is to detect, prevent, and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the District’s scope of services provided and the types of accounts. This Policy is created to identify patterns, practices, and specific activities that indicate the possible existence of identity theft, hereinafter referred to as “Red Flags.” The Policy sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered.
(Res. No. 2020-02, adopted 5/20/20)
The following definitions apply to this Article:
“Customer account”
shall mean a utility service account or other account provided by the District that constitutes a “covered account” under the Red Flag Rules.
“Identity theft”
shall mean a fraud committed or attempted using the personal identifying information of another person without his/her authority.
“Personal identifying information”
shall mean information that may be used to identify a specific person, including, but not limited to, a social security number, date of birth, government issued driver’s license or identification number, government passport number, unique biometric data such as fingerprints or physical appearance, any unique electronic identification number, telephone number or address.
“Red Flag”
shall mean a pattern, practice or specific activity that indicates the possible existence of identity theft as defined in the Red Flag Rules, and as specifically enumerated in this Article.
(Res. No. 2020-02, adopted 5/20/20)
The Board of Directors of the District designates to the General Manager or his or her designee the authority to develop, oversee, implement, and administer the Policy.
As part of the General Manager or designee’s oversight responsibilities for the Policy, the General Manager or designee is required to review and approve all material changes to the Policy as necessary to address changing identity theft risks. The General Manager or designee is also responsible for reviewing reports prepared by the District’s staff regarding the District’s compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Policy.
Section 23.3.1. 
Compliance Reports to Be Prepared by District Staff. The General Manager or designee will designate the District staff involved with the implementation of the Program to prepare reports regarding the District’s compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Policy. The reports should address material matters related to the Program, such as the following:
(a) 
The effectiveness of the District’s policies and procedures to address the risk of identity theft in connection with opening customer accounts, as well as with existing accounts. This includes identifying any issues related to identifying, detecting to the General Manager or his or her designee and responding to Red Flags;
(b) 
Third-party service provider arrangements;
(c) 
Significant incidents of identity theft or Red Flag detection, and the District’s responses to those incidents;
(d) 
Recommendations for material changes to the program to ensure that customer accounts are adequately protected from the risk of identity theft.
The reports should be prepared at least annually for review by the General Manager or his or her designee and/or the Board of Directors of the District.
Section 23.3.2. 
Red Flags Identified by the District. In identifying the Red Flags applicable to the District’s customer accounts, the District considered the following risk factors:
(a)
The types of accounts the District maintains;
(b)
The methods the District provides to open customer accounts;
(c)
The methods the District provides to access to customers’ accounts;
(d)
The District’s previous experiences with identity theft in connection with the customer accounts.
The Red Flags identified in this Policy have been incorporated from sources, which include supervisory guidance, past incidents of identity theft, and changes in methods of identity theft risk.
The District’s Identified Red Flags are, as follows:
(a) 
Suspicious Documents.
(1) 
Documents used for identification purposes appear to have been altered or forged.
(2) 
The photograph or physical description on the identification documents do not match the appearance of the person presenting the identification.
(3) 
Other information in identification documents does not match the information provided by the individual presenting the identification documents.
(4) 
Other information in the identification documents does not match the information on file with the District.
(5) 
The application to open the account appears to have been forged, altered, or gives the appearance of having been destroyed and reassembled.
(b) 
Suspicious Personal Identifying Information.
(1) 
Personal identifying information is inconsistent with other personal identifying information provided by the customer, such as a date of birth that does not correlate.
(2) 
Personal identifying information provided is associated with known fraudulent activity, as indicated by internal or third-party sources, such as the address or phone number on an application was previously provided on another fraudulent application.
(3) 
Personal identifying information is of a type commonly associated with fraudulent activity, as indicated by internal or third-party sources, such as a fictitious address, or an invalid phone number.
(4) 
The address or telephone number provided is the same as other individuals attempting to open an account or existing customers.
(5) 
The individual opening the account cannot provide all of the required personal identifying information for an application.
(6) 
Personal identifying information is inconsistent with the information provided by the customer on file with the District.
(c) 
Unusual Use of or Other Suspicious Activity Related to a Customer Account.
(1) 
Shortly after receiving a notice of change of address for the account, the District receives a request to add another name to the account.
(2) 
A new account is used in a manner commonly associated with known patterns of fraud, such as a first payment is made, and then no subsequent payments are made.
(3) 
An inactive account becomes active.
(4) 
Mail sent to the customer is returned repeatedly.
(5) 
The District is notified that a customer is not receiving his/her paper account statements.
(6) 
The District is notified of unauthorized transactions on a customer’s account.
(d) 
Notice of Possible Identity Theft.
(1) 
The District is notified by a customer of possible identity theft in connection with his/her account.
(2) 
The District is notified by a victim of identity theft of possible identity theft in connection with a customer account.
(3) 
The District is notified by law enforcement of possible identity theft in connection with a customer account.
(4) 
The District is notified by others of possible identity theft in connection with a customer account.
Section 23.3.3. 
Procedures for Detecting Red Flags. The following procedures are being implemented by the District to detect the Red Flags identified with opening of accounts and existing accounts identified above:
(a) 
Obtain personal identifying information of an individual to verify his/her identity prior to opening an account.
(b) 
Authenticate the identity of customers when they are requesting information about their accounts.
(c) 
Authenticate the identity of customers when they are requesting to make any changes to their accounts.
(d) 
Members of the District’s staff will be assigned and trained to detect Red Flags.
(e) 
In addition, the District may employ the services of a third party service provider and/or utilize computer software programs to assist in detecting Red Flags.
Section 23.3.4. 
Procedures for Responding to Red Flags. In order to prevent and mitigate identity theft, and after taking into consideration the risks of identity theft applicable to the customer accounts, the District implements the following procedures to respond to all Red Flags that are discovered. One or more of these procedures will be used each time a Red Flag is detected:
(a) 
Monitor accounts for evidence of identity theft.
(b) 
Change or add a password, security code, or other device that provides access to the account.
(c) 
Reopen an account with a new account number
(d) 
Close an existing account.
(e) 
Not open a new account.
(Res. No. 2020-02, adopted 5/20/20)