RESOLUTION NO. 09-116
A RESOLUTION ADOPTING AN "IDENTITY THEFT
PREVENTION PROGRAM" TO COMPLY WITH FEDERAL
REGULATIONS RELATING TO RED FLAGS AND
IDENTITY THEFT AND APPROVING ADMINISTRATIVE
RULES ENTITLED "IDENTITY THEFT PREVENTION
PROGRAM RULES."
WHEREAS pursuant to federal law the Federal Trade Commission adopted
Identity Theft Rules requiring the creation of certain policies relating to the use of
consumer reports, address discrepancy and the detection, prevention and mitigation
of identity theft;
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR §
681.2 require creditors, as defined by 15 U.S.C. § 1681a(r)(5) to adopt red flag policies
to prevent and mitigate identity theft with respect to covered accounts;
WHEREAS 15 U.S.C. § 1681a(r)(5) cites 15 U.S.C. § 1691a, which defines a
creditor as a person that extends, renews or continues credit, and defines "credit" in part
as the right to purchase property or services and defer payment therefore;
WHEREAS the Federal Trade Commission regulations include utility companies
in the definition of creditor;
WHEREAS the City of Beaumont is a creditor with respect to 16 CFR § 681.2 by
virtue of providing utility services or by otherwise accepting payment for other municipal
services in arrears;
WHEREAS the Federal Trade Commission regulations define "covered account"
in part as an account that a creditor provides for personal, family or household
purposes that is designed to allow multiple payments or transactions and specifies that
a utility account, among others, is a covered account;
WHEREAS the Federal Trade Commission regulations require each creditor to
adopt an Identity Theft Prevention Program which will use red flags to detect, prevent
and mitigate identity theft related to information used in covered accounts;
WHEREAS the City provides water, sewer, storm sewer, and refuse collection
services for which payment is made after the product is consumed or the service has
otherwise been provided which by virtue of being utility accounts are covered accounts;
WHEREAS customer accounts for Municipal Court fines for which payment is
made after the fine is imposed are covered accounts by virtue of allowing for multiple
payments or transactions;
WHEREAS, customer accounts for emergency medical services and other
municipal services for which payment is made after the service is provided are covered
accounts; and
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR
681.1, require users of consumer credit reports to develop policies and procedures
relating to address discrepancies between information provided by a consumer and
information provided by a consumer credit company;
WHEREAS the City of Beaumont uses consumer credit reports to establish
various customer accounts; and
WHEREAS the duly elected governing authority of the City of Beaumont is the
City Council thereof;
NOW, THEREFORE, BE IT RESOLVED that the City Council of the City of
Beaumont, Texas, hereby adopts and approves the Administrative Rules entitled
"Identity Theft Prevention Program" attached hereto as Exhibit "A."
PASSED BY THE CITY COUNCIL of the City of Beaumont this the 28th day of
April, 2009.
Mayor Becky Ames
ATTEST:
By:
Tina Broussard, City Clerk
APPROVED:
By:
Tyro E. o , City Attorney
City of Beaumont
Identity Theft Prevention Program
May 1, 2009
I. Adoption of Program and General Information.
The City of Beaumont ("City") has developed this Identity Theft Prevention Program
("Program") pursuant to the Federal Trade Commission's Red Flags Rule ("Rule"),
which implements Section 114 of the Fair and Accurate Credit Transactions Act of
2003. 16 C.F.R. § 681.2.
II. Purpose.
The purpose of this policy is to ensure the City of Beaumont has a program in place
to detect, prevent and diminish identity theft in connection with water utility and
garbage accounts, municipal court fines, emergency medical services billings, and
any other account meeting the definition of covered accounts below, and to establish written
procedures for security and storing of personal information.
III. Application.
This policy applies to City Staff who enter or modify customer personal information
that is submitted in person, by telephone, facsimile, mail, email and over the internet.
IV. Definitions.
For purposes of this Article, the following definitions apply:
A. City—The City of Beaumont, Texas.
B. Covered Account — (i) An account that a financial institution or creditor
offers or maintains primarily for personal, family, or household purposes,
that involves or is designed to permit multiple payments or transactions,
such as credit card account, or utility account, or Municipal Court imposed
fine or costs; and (ii) Any other account that the financial institution or
creditor offers or maintains for which there is a reasonably foreseeable
risk to customers or to the safety and soundness of the financial institution
or creditor from identity theft.
C. Credit — The right granted by a creditor to a debtor to defer payment of
debt or incur debts and defer its payment or to purchase property or
services and defer payment therefore.
D. Creditor—Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or
continuation of credit; or any assignee of an original creditor who
participates in the decision to extend, renew, or continue credit and
includes utility companies.
E. Customer—A person that has a covered account with a creditor.
F. Identity theft — A fraud committed or attempted using identifying
information of another person without authority.
G. Person — A natural person, a corporation, government or governmental
subdivision or agency, trust, estate, partnership, cooperative, or
association.
H. Identifying Information—Any name or number that may be used, alone or
in conjunction with any other information, to identify a specific person,
including any name, social security number, date of birth, official State or
government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number.
I. Red Flag — A pattern, practice, or specific activity that indicates the
possible existence of identity theft.
J. Service Provider—A person that provides a service directly to the city.
V. Findings.
A. The City is a creditor pursuant to 16 CFR Section 681.2 due to its
provision or maintenance of covered accounts for which payment is made
in arrears.
B. The processes of opening a new covered account, restoring an existing
covered account, and making payments on such accounts have been identified
as potential processes in which identity theft could occur.
C. The city limits access to personal identifying information to those
employees responsible for or otherwise involved in opening or restoring
covered accounts or accepting payment for use of covered accounts.
Information provided to such employees is entered directly into the city's
computer system and is not otherwise recorded.
D. The city determines that there is a low risk of identity theft occurring in
the following ways:
(1) Use by an applicant of another person's personal identifying
information to establish a new covered account;
(2) Use of a previous customer's personal identifying information
by another person in an effort to have service restored in the
previous customer's name;
(3) Use of another person's credit card, bank account, or other
method of payment by a customer to pay such customer's
covered account or accounts;
(4) Use by a customer desiring to restore customer's covered
account of another person's credit card, bank account, or other
method of payment.
VI. Process of Establishing a Covered Account.
A. As a precondition to opening a covered account in the city, each applicant
shall provide the city with personal identifying information of the customer
as may be reasonably requested by the employee opening said account.
Such information shall be entered directly into the city's computer
system and shall not otherwise be recorded.
B. Each account shall be assigned an account number.
VII. Access to Covered Account Information.
A. Access to customer accounts shall be limited to authorized city personnel.
B. Any unauthorized access to or other breach of customer accounts is to be
reported immediately to the Chief Financial Officer and City Manager.
C. Personal identifying information included in customer accounts is
considered confidential and any request or demand for such information
shall be immediately forwarded to the City Manager and the City Attorney.
VIII. Credit Card Payments.
A. In the event that credit card payments that are made over the Internet are
processed through a third party service provider, such third party service
provider shall certify that it has an adequate identity theft prevention
program in place that is applicable to such payments.
B. All credit card payments made over the telephone or the city's website
shall be entered directly into the customer's account information in the
computer data base.
C. Account statements and receipts for covered accounts shall include only
the last four digits of the credit or debit card or the bank account used for
payment of the covered account.
IX. Identification of Red Flags.
In order to identify relevant Red Flags, the City considers the types of accounts that it
offers and maintains, the methods it provides to open its accounts, the methods it
provides to access its accounts, and its previous experiences with Identity Theft. The
City identifies the following red flags, in each of the listed categories:
A. Red Flags for Suspicious Documents.
When opening a new account, personnel need to carefully scrutinize
documents submitted for identification or proof of residency for red flags
such as:
(1) Documents provided for identification appear to be altered,
forged or unauthentic;
(2) The photograph or physical description on the identification is
not consistent with the appearance of the customer or applicant;
(3) Other information on the identification is not consistent with
information provided by the person requesting service (such as
if a person's signature on a check appears forged); and
(4) Application that appears to have been altered or forged, or
appears to have been destroyed and reassembled; or
(5) Identification on which the information is not consistent with
readily accessible information that is on file with the financial
institution or creditor, such as a signature card or a recent check.
B. Red Flags for Suspicious Personal Identifying Information.
(1) Personal identifying information that is inconsistent with
external information sources. For example:
(a) The address does not match any address in the
consumer report.
(b) The Social Security Number (SSN) has not been
issued, or is listed on the Social Security
Administration's Death Master File.
(c) Inconsistent birth dates.
(2) Personal identifying information provided by the customer is
not consistent with other personal identifying information
provided by the customer, such as a lack of correlation between
the SSN range and the date of birth;
(3) Personal identifying information, or a phone number or address,
was shown on other applications that were found to be
fraudulent;
(4) Personal identifying information presented that is consistent
with fraudulent activity, such as an invalid phone number or
fictitious billing address;
(5) The SSN provided is the same as that submitted by other
applicants or customers;
(6) The address or telephone number provided is the same as or
similar to that of another customer or that of an unusually large
number of applicants or customers;
(7) The applicant or customer fails to provide all required personal
identifying information on an application or in response to
notification that the application is incomplete;
(8) Personal identifying information is not consistent with personal
identifying information that is on file for the customer;
(9) The applicant or customer cannot provide authenticating
information beyond that which generally would be available
from a wallet or consumer report.
C. Red Flags for Suspicious Account Activity or Unusual Use of Account.
(1) Shortly following the notice of a change of address for an
account, City receives a request for the addition of authorized
users on the account or change of account holder's name.
(2) A new revolving credit account is used in a manner commonly
associated with known patterns of fraud. For example:
The customer fails to make the first payment or makes an initial
payment but no subsequent payments.
(3) An account is used in a manner that is not consistent with
established patterns or activity on the account. There is, for
example, nonpayment when there is no history of late or missed
payments.
(4) An account that has been inactive for a long period of time is used
(taking into consideration the type of account, the expected
pattern of usage and other relevant factors).
(5) Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection
with the customer's account.
(6) The city is notified that the customer is not receiving
paper account statements.
(7) The city is notified of unauthorized charges or transactions in
connection with a customer's account.
(8) The city is notified by a customer, law enforcement or another
person that it has opened a fraudulent account for a person
engaged in identity theft.
D. Red Flag—Alerts from Others.
(1) Notice to the City from a customer, identity theft victim,
law enforcement or other person that it has opened or is
maintaining a fraudulent account for a person engaged in
Identity Theft;
(2) Alerts from consumer reporting agencies, fraud detection
agencies or service providers.
X. Detecting Red Flags.
A. New Accounts — In order to detect any of the Red Flags identified above
associated with the opening of a new account, City personnel will take
the following steps to obtain and verify the identity of the person opening
the account:
(1) Require certain identifying information such as name, date of
birth, residential or business address, principal place of
business for an entity, driver's license or other identification;
this information is entered directly into the software;
(2) Verify the customer's identity, for example review a driver's
license or other identification card;
(3) Review documentation showing the existence of a business
entity;
(4) Independently contact the customer.
B. Existing Accounts —In order to detect any Red Flags identified above for
an existing account, City personnel will take the following steps to
monitor transactions with an account:
(1) Verify the identification of customers if they request
information (in person, via telephone, via facsimile, via email);
(2) Verify the validity of request to change billing addresses; and
(3) Verify changes in banking information given for billing and
payment purposes.
XI. Preventing and Mitigating Identity Theft.
A. Existing Accounts - In the event that any city employee responsible for
or involved in restoring an existing covered account or accepting
payment for a covered account becomes aware of red flags indicating
possible identity theft with respect to existing covered accounts, such
employee shall use his or her discretion to determine whether such red
flag or combination of red flags suggests a threat of identity theft. If, in
his or her discretion, such employee determines that identity theft or
attempted identity theft is likely or probable, such employee shall
immediately report such red flags to the Chief Financial Officer. If, in
his or her discretion, such employee deems that identity theft is
unlikely or that reliable information is available to reconcile red
flags, the employee shall convey this information to the Chief
Financial Officer, who may in his or her discretion determine that no
further action is necessary. If the Chief Financial Officer in his or her
discretion determines that further action is necessary, a city employee shall
perform one or more of the following responses, as determined to be
appropriate by the Chief Financial Officer:
(1) Contact the customer;
(2) Change any account numbers, passwords, security codes, or other
security devices that permit access to an account;
(3) Close the account;
(4) Cease attempts to collect additional charges from the customer
and decline to sell the customer's account to a debt collector
in the event that the customer's account has been accessed
without authorization and such access has caused additional
charges to accrue;
(5) Reopen an account with a new number;
(6) Notify law enforcement, in the event that someone other than the
customer has accessed the customer's account causing additional
charges to accrue or accessing personal identifying information;
or
(7) Take other appropriate action to prevent or mitigate identity
theft.
B. New Accounts - In the event that any city employee responsible for or
involved in opening a new covered account becomes aware of red flags
indicating possible identity theft with respect to an application for a new
account, such employee shall use his or her discretion to determine
whether such red flag or combination of red flags suggests a threat of
identity theft. If, in his or her discretion, such employee determines
that identity theft or attempted identity theft is likely or probable, such
employee shall immediately report such red flags to the Chief Financial
Officer. If, in his or her discretion, such employee deems that identity
theft is unlikely or that reliable information is available to reconcile red
flags, the employee shall convey this information to the Chief Financial
Officer, who may in his or her discretion determine that no further action
is necessary. If the Chief Financial Officer in his or her discretion
determines that further action is necessary, a city employee shall
perform one or more of the following responses, as determined to be
appropriate by the Chief Financial Officer:
(1) Request additional identifying information from the applicant;
(2) Deny the application for the new account;
(3) Notify law enforcement of possible identity theft; or
(4) Take other appropriate action to prevent or mitigate identity
theft.
C. Protect Customer Identifying Information — In order to further prevent
the likelihood of Identity Theft occurring with respect to City accounts,
the City will take the following steps with respect to its internal
operating procedures to protect customer identifying information:
(1) Ensure that its website is secure or provide clear notice that the
website is not secure;
(2) Ensure complete and secure destruction of paper documents and
computer files containing customer information;
(3) Ensure that office computers are password protected and that
computer screens lock after a set period of time;
(4) Keep offices clear of papers containing customer information;
(5) Ensure computer virus protection is up to date; and
(6) Require and keep only the kinds of customer information that are
necessary for utility, municipal court and emergency medical
services billing and collection purposes.
XII. Updating the Program.
A. The Chief Financial Officer along with the Staff will periodically review
and update this Program to reflect changes in risks to customers and the
soundness of the Program from Identity Theft. During the review, Staff
will consider the experiences with identity theft situations, changes in
identity theft methods of detection and prevention, and changes in the
types of accounts that the city offers or maintains, and changes in service
provider arrangements. After considering these factors, the Chief
Financial Officer and Staff will determine whether changes to the
Program, including the listing of Red Flags, are warranted. If warranted,
the Chief Financial Officer will update the Program or present the City
Council with his or her recommended changes and the City Council will
make a determination of whether to accept, modify or reject those changes
to the Program.
XIII. Program Administration.
A. The Chief Financial Officer is responsible for oversight of the program and
for program implementation. The City Manager is responsible for reviewing
reports prepared by Staff regarding compliance with red flag
requirements and for recommending material changes to the program, as
necessary in the opinion of the City Manager to address changing identity
theft risks and to identify new or discontinued types of covered accounts.
Any recommended material changes to the program shall be submitted
to the City Council for consideration by the Council.
B. The Chief Financial Officer will report to the City Manager, at least
annually, on compliance with the red flag requirements. The report will
address material matters related to the program and evaluate issues such
as:
(1) The effectiveness of the policies and procedures of City in
addressing the risk of identity theft in connection with the
opening of covered accounts and with respect to existing
covered accounts;
(2) Service provider arrangements;
(3) Significant incidents involving identity theft and management's
response; and
(4) Recommendations for material changes to the Program.
C. The Chief Financial Officer is responsible for providing training to all
employees responsible for or involved in opening a new covered account,
restoring an existing covered account or accepting payment for a covered
account with respect to the implementation and requirements of the
Identity Theft Prevention Program. The Chief Financial Officer shall
exercise his or her discretion in determining the amount and substance of
training necessary.
XIV. Outside Service Providers.
In the event that the city engages a service provider to perform an activity in
connection with one or more covered accounts the Chief Financial Officer shall
exercise his or her discretion in reviewing such arrangements in order to
ensure, to the best of his or her ability, that the service provider's activities
are conducted in accordance with policies and procedures, agreed upon by
contract, that are designed to detect any red flags that may arise in the
performance of the service provider's activities and take appropriate steps to
prevent or mitigate identity theft.