HomeMy WebLinkAboutO-2009-3138 Identity Theft Prevention Program
H
REQUEST FOR CITY COUNCIL AGENDA ITEM
Agenda Date Requested: Aoril27.2009
Aoorooriation
Requested By: Michael G. Dolbv. CPA
Source of Funds:
N/A
Department: Finance
Account Number:
N/A
Report: --X-Resolution: _Ordinance:_
Amount Budgeted:
N/A
Exhibits: Identity Theft oolicv
Amount Requested:
N/A
Exhibits:
Ordinance
Budgeted Item:
YES
NO
Exhibits:
Customer Letter
SUMMARY & RECOMMENDATION
The Federal Trade Commission issued new "red flag" rules which apply to all municipalities that have utility
accounts such as water, sewer or electricity, and other operations that defer payment for services on a regular basis.
In accordance with a recent decision by the FTC, the rules now require that by May 1, 2009 such municipalities
have in place written programs to identity detect and respond to patterns, practices or specific activities-known as
"red flags' - that could indicate identity theft.
Attached is an identity theft policy and ordinance that has been prepared by the staff for the City of La Porte to be in
compliance with the rulings of the Federal Trade Commission. Non-compliance with the FTC rules could subject
the city to audits and substantial fines.
Council Auenda
Ron Bottoms, City Manager
16-J / il~
I
Date
CITY OF LA PORTE
IDENTITY THEFT PREVENTION PROGRAM
EFFECTIVE MAY 1,2009
I. ADOPTION OF PROGRAM AND GENERAL INFORMATION
a. The City of La Porte- ("City") developed this Identity Theft Prevention Program
("Program") pursuant to the Federal Trade Commission's Red Flags Rule ("Rule"), which
implements Section 114 of the Fair and Accurate Credit Transactions Act of2003. 16 C. F. R. S
681.2. This Program was developed with oversight from City of La Porte Finance Department
with approval by the La Porte City Council.
b. An Identity Theft Prevention Program was created and designed to detect,
prevent, and mitigate identity theft relating to "Covered Accounts" of the City. The objective of
the City of La Porte is to safeguard the "Identifying Information" of customers utilizing City
covered accounts, including utility accounts, or any other City operations that provides a service
for which payment is deferred until a future date, for the purpose of identifying and preventing
identity theft.
II. PROGRAM PURPOSE AND DEFINITIONS
a. Fulfilling Requirements of the Red Flags Rule. Under the Red Flag Rule, every
financial institution and creditor is required to establish an "Identity Theft Prevention Program"
tailored to its size, complexity and the nature of its operation. To ensure the City of La Porte has
a program in place to detect, prevent, and diminish identity theft in connection with the opening
and maintaining of utility accounts, and to establish written procedures for security and storing
of personal information, each program must contain reasonable policies and procedures to:
(1) Identify relevant Red Flags for new and existing covered accounts and
incorporate those Red Flags into the Program
(2) Detect Red Flags that have been incorporated into the Program;
(3) Respond appropriately to any Red Flags that are detected to prevent and
mitigate Identity Theft; and
(4) Ensure the Program is updated periodically, to reflect changes in risks to
customers or to the safety and soundness of the creditor from Identity
Theft.
b. Red Flags Rule definitions used in this Program
S:\Council Agendas - Draft\04272009\Finance\La Porte Rcd Flag Policy (final ror adoption 4 27 09l.docl
(1) Identity Theft - fraud committed using the identifying information of
another person.
(2) Red Flag - pattern, practice, or specific activity that indicates the possible
existence of Identity Theft.
(3) Creditors - include finance companies, automobile dealers, mortgage
brokers, utility companies, and telecommunications companies. Where
non-profit and government entities defer payment for goods or services,
they, too, are to be considered creditors. According to the Rule, a city is a
creditor subject to the Rule requirements.
(4) Covered Account - Any account the City offers or maintains primarily
for personal, family or household purposes, that involves multiple
payments or transactions; and any other account the City offers or
maintains for which there is a reasonably foreseeable risk to customers or
to the safety and soundness of the City from Identity Theft. By way of
example, all the City's accounts that are individual utility service accounts
held by customers of the utility whether residential, commercial or
industrial are covered by the Rule.
(5) Identifying information - Any name or number that may be used, alone
or in conjunction with any other information, to identify a specific person,
including: name, address, telephone number, social security number, date
of birth, government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's
Internet Protocol address, or routing code.
c. This policy applies to all City employees and service providers that have access to
Covered Accounts maintained by City containing customer's Identifying Information that is
submitted in person, by email. by fax, through regular mail, or over the internet.
III. IDENTIFICATION OF RED FLAGS
a. In order to identify relevant Red Flags, the City considers the types of accounts
that it offers and maintains, the methods it provides to open its accounts, the methods it provides
to access its accounts, and its previous experiences with Identity Theft. The City identifies the
following red flags, in each of the listed categories:
b. Red Flags for Notifications and Warnings from Credit Reporting Agencies
(1) Report of fraud accompanying a credit report;
(2) Notice or report from a credit agency of a credit freeze on a customer or
applicant:
S:\Council Agendas - DraJil04272009\FinanceILa P(lrt~ R~d Flag Policy (final for adoption 4 27 (9)doc2
(3) Notice or report from a credit agency of an active duty alert for an
applicant; and
(4) Indication from a credit report of activity that IS inconsistent with a
customer's usual pattern or activity.
c. Red Flags for Suspicious Documents
(1) Identification document or card that appears to be forged, altered or
inauthentic;
(2) Identification document or card on which a person's photograph or
physical description is not consistent with the person presenting the
document;
(3) Other document with information that is not consistent with eXlstmg
customer information (such as if a person's signature on a check appears
forged); and
(4) Application for service that appears to have been altered or forged.
d. Red Flags for Suspicious Personal Identifying Information
(1) Identifying information presented that is inconsistent with other
information the customer provides (example: inconsistent birth dates);
(2) Identifying information presented that is inconsistent with other sources of
information (for instance, an address not matching an address on a credit
report);
(3) Identifying infoffi1ation presented that is the same as infoffi1ation shown
on other applications that were found to be fraudulent;
(4) Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address);
(5) Social security number presented that is the same as one given by another
customer;
(6) An address or phone number presented that is the same as that of another
person;
(7) A person fails to provide complete personal identifying information on an
application when reminded to do so (however, by law social security
numbers must not be required); and
S:\Council Agenda,; - Dram04272009\Finance\La Pone Red Flag Policy (final for adoption 4 27 (9)doc3
(8) A person's identifying information is not consistent with the information
that is on file for the customer.
e. Red Flags for Suspicious Account Activity or Unusual Use of Account
(1) Change of address for an account followed by a request to change the
account holder's name;
(2) Payments stop on an otherwise consistently up-to-date account;
(3) Account used in a way that is not consistent with prior use (example: very
high activity);
(4) Mail sent to the account holder is repeatedly returned as undeliverable;
(5) Notice to the City that a customer is not receiving mail sent by the City;
(6) Notice to the City that an account has unauthorized activity;
(7) Breach in the City's computer system security; and
(8) Unauthorized access to or use of customer account information.
f. Red Flag Alerts from Others. Notice to the City from a customer, identity theft
victim, law enforcement or other person that it has opened or is maintaining a fraudulent account
for a person engaged in Identity Theft.
IV. DETECTING RED FLAGS
a. Detection of New Accounts. In order to detect any of the Red Flags identified
above associated with the opening of a new account, City personnel will take the following steps
to obtain and verify the identity of the person opening the account:
(1) Require certain identifying information such as name, residential or
business address, driver's license or other identification;
(2) Request additional documentation to establish identity if necessary:
(3) Independently contact the customer.
c. Detection of Existing Accounts. In order to detect any of the Red Flags
identified above for an existing account. City personnel will take the following steps to monitor
transactions with an account:
S:\Council Agendas - Drati\04272009\Financc\La Parle Red Flag Policy (final for adoption 4 27 (9).doc4
(1) Verify the identification of customers if they request information (in
person, via telephone, via facsimile, via email);
(2) Verify the validity of requests to change billing addresses; and
(3) Verify changes in banking information given for billing and payment
purposes.
v. PREVENTING AND MITIGATING IDENTITY THEFT
a. Prevention and Mitigation. In the event City personnel detect any identified Red
Flags, such personnel shall take one or more of the following steps, depending on the degree of
risk posed by the Red Flag:
(1) Continue to monitor an account for evidence of Identity Theft;
(2) Contact the customer through use of a designated employee for releasing
information, including by form of letter attached hereto attachment "A";
(3) Change any passwords or other security devices that permit access to
accounts;
(4) Not open a new account;
(5) Close an existing account;
(6) Reopen an account with a new number;
(7) Notify law enforcement; or
(8) Contact affected businesses/banks
(9) Contact major credit bureaus
(10) Determine that no response is warranted under the particular
circumstances.
b. Protect customer identifying information. In order to further prevent the
likelihood of Identity Theft occurring with respect to utility accounts, the City will take the
following steps with respect to its intemal operating procedures to protect customer identifying
information:
(1) Ensure that its website is secure or provide clear notice that the website is
not secure;
S:\Council Agendas - Drafl\04272009\Finance\La Porte Red Flag Policy (fInal for adoption 4 27 09l.doc5
(2) Ensure complete and secure destruction of paper documents and computer
files containing customer information according to Federal and State law;
(3) Ensure that office computers are password protected and that computer
screens lock after a set period of time;
(4) Keep offices clear of papers containing customer information
(5) Keep paper documents, files, CD's, disks, zip drives, tapes and backups in
a locked room.
(6) Inventory all computers, laptops, flash drives, disks and other equipment
to identify sources of sensitive data.
(7) Ensure computer virus protection is up to date; and
(8) Require and keep only the kinds of customer information that are
necessary for utility and recreation purposes.
c. Notice of Identity Theft. Once a customer identifies themselves to the City as a
victim of identity theft and notifies the City of the theft the City shall request from the customer
the following:
(1) Request the utility customer provide a picture identification that meets the
requirements for a opening a new account;
(2) The City will provide the utility customer with a Notice of Identity Theft
Affidavit to be completed;
(3) The utility customer will be required to submit a copy of both a police
report and a completed Notice of Identity Theft Affidavit;
(4) The City will document the receipt of the documents;
(5) When the documents are received the City will take action that could
include the following:
a. Monitor the account
b. Contact the customer
c. Refuse to open the account
d. Notify law enforcement
e. Notify major credit bureaus
S:\Council Agendas - Draftl04272009\Finance\La Porte Red Flag Policy (final for adoption 4 27 09).doc6
f. Notify businesses and banks
g. Determine that no response is warranted under the particular
circumstances
VI. PROGRAM UPDATES
The Director of Finance will periodically review and update this Program to reflect
changes in risks to customers and the soundness of the City from Identity Theft. In doing so, the
Director of Finance will consider the City's experiences with Identity Theft situations, changes in
Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes
in the City's business arrangements with other entities. After considering these factors, the
Director of Finance will determine whether changes to the Program, including the listing of Red
Flags, are warranted. If warranted, the Director of Finance will update the Program or present
the City Council with his or her recommended changes and the City Council will make a
determination of whether to accept, modify, or reject those changes to the Program.
VII. PROGRAM ADMINISTRATION.
a. Oversight. Responsibility for developing, implementing and updating this
Program lies with the Director of Finance or their designee. This person will be responsible for
the Program administration, for ensuring appropriate training of all employees in a position to
have access to or the use of Identifying Information, for reviewing any staff reports regarding the
detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining
which steps of prevention and mitigation should be taken in particular circumstances, and
considering periodic changes to the Program.
b. Staff Training and Reports. Finance Department staff responsible for
implementing the Program shall be trained either by or under the direction of the Director of
Finance in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is
detected.
c. Service Provider Arrangements. In the event the City engages a service
provider to perform an activity in connection with one or more accounts, the City will take the
following steps to ensure the service provider perfoffi1s its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.
(1) Require, by contract, that service providers have such policies and
procedures in place; and
(2) Require, by contract, that service providers review the City's Progran1 and
report any Red Flags to the Director of Finance.
SICouncil Agendas - Draft\04272009IFinanceILa Porte Red Flag Policy (fInal for adoption 4 27 (9).doc7
ORDINANCE NO. 2009- ~ t. ~<g'
AN ORDINANCE APPROVING AND ADOPTING AN IDENTITY THEFT PREVENTION
PROGRAM, WITH AN EFFECTIVE DATE OF MAY 1, 2009; PROVIDING A SEVERABILITY
CLAUSE; CONTAINING A REPEALING CLAUSE; FINDING COMPLIANCE WITH THE OPEN
MEETINGS LAW; AND PROVIDING AN EFFECTIVE DATE THEREOF.
BE IT ORDAINED BY THE CITY COUNCIL OF THE CITY OF LA PORTE:
Section 1. The City Council of the City of La Porte herby approves and adopts an Identity Theft
Prevention Program, as reflected in the document titled "City of La Porte Identity Theft
Prevention Program", a true and correct copy which is attached to this ordinance as Exhibit "A",
incorporated by reference herein, and made a part hereof for all purposes.
Section 2. If any section, sentence phrase, clause, or any part of any section, sentence,
phrase, or clause, of this Ordinance or the City of La Porte Identity Theft Prevention Program
adopted thereby shall for any reason, be held invalid, such invalidity shall not affect the
remaining portions of this ordinance, or said Identity Theft Prevention Program, and it is hereby
declared to be the intention of this City Council to have passed each section, sentence, phrase
or clause, or part thereof, irrespective of the fact that any other section, sentence, phrase or
clause or part thereof may be declared invalid.
Section 3. The City Council officially finds, determines, recites, and declares that a sufficient
written notice of the date, hour, place and subject of this meeting of the City Council was posted
at a place convenient to the public at the City Hall of the city for the time required by law
preceding this meeting, as required by the Open Meetings Law, Chapter 551, Texas
Government Code; and that this meeting has been open to the public as required by law at all
times during which this ordinance and the subject matter thereof has been discussed,
considered and formally acted upon. The City Council further ratifies, approves and confirms
such written notice and the contents and posting thereof.
Section 4. All ordinances or parts of ordinances inconsistent with the terms of this ordinance,
including any policies adopted in accordance therewith, are hereby repealed.
Section 5. This Ordinance shall be effective from and after its passage and approval, and it is
so ordered. The City of La Porte Identity Theft Prevention Program adopted by this ordinance
shall be effective from and after May 1, 2009.
PASSED and APPROVED this 27th day of April, 2009.
City of La porte<:\)
~,\~
Alton Porter, Mayor
ATTEST:
~
Martha illett, City Secretary
APPROVED:
/<<~r~
Clark T. Askins, Assist. City Attorney
Attachment A
CITY OF LA PORTE
Established 1892
Date
Dear
We are contacting you a potential problem involving identity theft. [Describe the
information compromise and how you are responding to it.]
We recommend that you place a fraud alert on your credit file. A fraud alert tells
creditors to contact you before they open any new accounts or change your existing
accounts. Call anyone of the three major credit bureaus. As soon as one credit bureau
confirms your fraud alert, the others are notified to place fraud alerts. All three credit
reports will be sent to you, free of charge, for your review.
Equifax
800-685-1111
Experian
888-397-3742
TransUnionCorp
800-680-7289
Even if you do not find any suspicious activity on your initial credit reports, the Federal
Trade Commission recommends that you check your credit reports periodically. Victim
information sometimes is held for use or shared among a group of thieves at different
times. Checking your credit reports periodically can help you spot problems and address
them quickly.
If you find suspicious activity on your credit reports or have reason to believe your
information is being misused, call your local law enforcement agency and file a police
report. Get a copy of the report; many creditors want the infom1ation it contains to
absolve you of the fraudulent debts. You also should file a complaint with the FTC at
www.ftc.gov/idtheftorat 1-877-ID-THEFT (877-438-4338). Your complaint will be
added to the FTC's Identity Theft Data Clearinghouse. where it will be accessible to law
enforcers for their investigations.
Sincerely.
Michael G. Dolby. CPA
Director of Finance
604 W. Fairmont Pkwy. · La Porte, Texas 77571 · (281) 471-5020