09-694 Adopting Identity Theft Prevention Program
CITY OF MERIDIAN RESOLUTION NO. [illegible]
BY THE CITY COUNCIL: BIRD, HOAGLUN, ROUNTREE, ZAREMBA
A RESOLUTION OF THE MAYOR AND COUNCIL OF THE CITY OF MERIDIAN,
IDAHO, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM.
WHEREAS, Section 114 of the Fair and Accurate Transaction Act of 2003 (FACTA)
and 12 CFR 41.90 and 41.91, and the Identity Theft Red Flags regulations and guidelines
contained therein, require the City as a utility provider that provides utility services to customers
on a credit basis to adopt an Identity Theft Prevention Program to protect its customers.
NOW THEREFORE, BE IT RESOLVED BY THE MAYOR AND CITY
COUNCIL OF THE CITY OF MERIDIAN, IDAHO:
Section 1. The City of Meridian hereby adopts the IDENTITY THEFT PREVENTION
PROGRAM attached as Exhibit "A."
Section 2. The administrative staff of the City is authorized to take all necessary steps to
carry out the Identity Theft Prevention Program provided by this Resolution.
ADOPTED by the City Council of the City of Meridian, Idaho, this [illegible] day of
[illegible], 2009.
APPROVED by the Mayor of the City of Meridian, Idaho, this [illegible] day of
[illegible], 2009.
APPROVED:
ATTEST:
By:
Jayce .Holman, City Clerk
RESOLUTION ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM - PAGE 1 of 1
RESOLUTION NO.
EXHIBIT "A"
IDENTITY THEFT PREVENTION PROGRAM
In order to help combat identity theft, Congress enacted section 114 of the Fair and
Accurate Transaction Act of 2003 (FACTA) and 12 CFR 41.90 and 41.91. In accordance
with the Identity Theft Red Flags regulations and guidelines adopted by the Federal
Trade Commission to implement FACTA, the City of Meridian, Idaho, as a utility
provider that allows its customers to pay for utility services after the services have been
received, is required to adopt an Identity Theft Prevention Program to protect its utility
customers.
The following policies and procedures are for the purpose of detecting, preventing and
mitigating identity theft. The policies and procedures take into account the size and
complexity of the City of Meridian's utility operations and account systems, and the
nature and scope of the City's utility activities.
For the purpose of this Program, the following definitions will apply:
"Covered Account" -
1. Any account the City offers or maintains primarily for personal, family or
household purposes, that involves multiple payments or transactions; and
2. Any other account the City offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness of
the City from Identity Theft.
"Identifying Information" -
Any name or number that may be used alone, or in conjunction with any other
information, to identify a specific person, including: name, address, telephone number,
social security number, date of birth, government-issued driver's license or identification
number, alien registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's Internet
Protocol address, or routing number.
"Program Administrator" -
The City Chief Financial Officer, or the CFO's designee, shall serve as the Program
Administrator.
IDENTITY THEFT PREVENTION PROGRAM -PAGE 1 OF 7
I. IDENTIFYING RED FLAGS
The following are identified as "Red Flags", which are potential indicators of fraud. Any
time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be
investigated for verification.
A. Alerts, Notifications or Warnings of Address Discrepancy
1. A notice of address discrepancy from the U.S. Postal Service, third party
service providers with which the City has a business arrangement, and any
other consumer reporting agency as defined in section 334.82(b) of the
Fairness and Accuracy in Credit Transactions Act.
B. Suspicious Documents
1. Documents provided for identification appear to have been altered, forged,
or otherwise give the appearance of having been destroyed and
reassembled;
2. The photograph or physical description on the identification is not
consistent with the appearance of the applicant or customer presenting the
identification;
3. Other information on the identification is not consistent with information
provided by the person opening a new covered account or customer
presenting the identification; and
4. Other information on the identification is not consistent with readily
accessible information that is on file with the City or is readily obtainable
from the Ada County Assessor's Office or the Idaho Department of Motor
Vehicles.
C. Suspicious Personal Identifying Information
1. Personal identifying information provided is inconsistent when compared
against external information sources used by the City. For example,
a. The name or address does not match up with driver's license records
maintained by the Idaho Department of Motor Vehicles; and/or
b. The name or address does not match up with information maintained
by the Ada County Assessor's Office;
2. Personal identifying information provided by the customer is inconsistent
with other information provided by the customer. For example,
a. The name, address, or driver's license information on the
Renter's Addendum is different from that which the customer has
provided to the City either online or by phone, fax, or on other
paperwork.
3. Personal identifying information provided is associated with known
fraudulent activity as indicated by internal or third-party sources used by
the City. For example,
a. The address on an application is fictitious, a mail drop, or a prison;
b. The driver's license provided is the same as that submitted by other
persons opening an account or other customers;
c. The name or address provided is the same as or similar to the name or
address submitted by an unusually large number of other persons
opening accounts or other customers; and/or
d. The person opening the covered account or the customer fails to
provide either initially or upon notification, orally or in writing, all
required personal identifying information by the City.
4. Personal identifying information provided is not consistent with
information that is on file with the City; and
5. The person opening the covered account or the customer cannot provide
authenticating information in the event that the City
elects to include as part of the account application process or servicing of
other account information requests, the requirement for the individual to
provide the answer to a challenge question or a password for identity
verification purposes.
D. Unusual Use of, or Suspicious Activity Related to, the Covered Account
1. A new account is used in a manner commonly associated with known
fraud patterns. For example,
a. The customer fails to make the first three payments or makes an initial
payment but no subsequent payments;
b. Receipt of Credit Request on an account less than six (6) months old;
c. The customer requests an account number or account information
before the first billing cycle; and/or
d. Request for account password or username over the phone without
providing supporting personal identification information.
2. New or Existing Account activity occurs in a manner commonly
associated with known fraud patterns. For example,
a. The customer stops making payments without requesting
termination of services and does not contact the City upon
termination of services for lack of payment;
b. The City is notified that the customer is not receiving any
statements;
c. The account use pattern changes significantly;
d. The City's billing statement is returned despite continued use;
e. Use of provided services continues after move out;
f. Request for name change on an existing account without providing
supporting documentation justifying the name change; and/or
g. Request for account password or username over the phone without
providing supporting personal identification information.
E. Notice from Customer, Victims of Identity Theft, Law Enforcement
Authorities, or Other Persons Regarding Possible Identity Theft in
Connection with Covered Accounts
1. The City is notified by customer, a victim of identity theft, a law
enforcement authority or any other person that the City has opened
a fraudulent account for a person engaged in identity theft.
II. PROCEDURES TO DETECT RED FLAGS
The following procedures will be utilized to detect "Red Flags" when interacting with
new and current account customers:
A. Verify Identity of Customers
1. Utility Customers will be required to provide sufficient information
to identify them as the owner of the property for which the utility
services are to be provided. For example,
a. Sufficient information includes, but is not limited to, a copy of the
customer's driver's license, records obtained from the Ada County
Assessor's Office, and the warranty deed.
2. Utility accounts will not be transferred into the name of a new
customer without obtaining the same verification as required for
the initial service request;
3. Utility accounts must be in the name of the property owner and not
in the name of the tenant, unless allowed by City ordinance and the required
forms (Renters Addendum and Billing Directive) have been signed and
submitted accordingly by both the tenant and the property owner
that the property owner will remain fully responsible for payment of the
account; Property Managers must provide copies of their contract with an
owner on record in order to have their names placed on the account; and
4. If the mailing address for the account is not the same address as
the property receiving the services, statements will be mailed to the service
address until such time as the customer provides verification that the
alternative address is valid, for example, through DMV records or other
records that can be independently substantiated.
III. PROCEDURES TO PREVENT AND MITIGATE IDENTITY THEFT
A. Administrative Procedures to Prevent and Mitigate Identity Theft upon the
Detection of a "Red Flag"
1. Proper reporting procedures
a. Any time a Red Flag is identified relating to a covered account, the
information will be provided to the Program Administrator;
b. The Program Administrator will review the information and seek to
resolve the circumstances surrounding the detected Red Flag at the
administrative level; and
c. The Program Administrator in reviewing the information may
consult with the City Attorney at any time to determine which of the
following steps should be taken:
(1) Continued monitoring of the account for evidence of identity theft;
(2) Contact the customer at the address where the services are being
received to verify the information and/or identity of the customer;
(3) Change any passwords or other security devices, if any are used by
the City, that would permit access to accounts;
(4) Refuse to establish the account in the name of the person
requesting the account be opened or the name of the account be
changed;
(5) Close an existing account;
(6) Reopen an account with a new number;
(7) Notify law enforcement; and/or
(8) Determine that no response is warranted under the particular
circumstances.
B. Procedures for Staff to Follow to Maintain the Confidentiality of the
Personal Information of Customers Received by the City for Identity
Verification Purposes
1. Proper filing, storage, and maintenance of customer personal identifying
information
a. Enter driver's license number onto the account in the computer (which
only staff members have access to);
b. Keep working hard copy forms in locked cabinets at staff's work area;
and
c. Retain hard copy forms for completed transactions in file room
or the secure basement storage area.
2. Record Retention and Disposal
a. Customer records will be retained in accordance with State and
City record retention policies; and
b. All hard copy customer records being purged are to be shredded by
authorized vendor.
IV. PROGRAM ADMINISTRATION
The Program Administrator shall have the following duties and responsibilities under the
Program:
A. Administrative Duties
1. Develop, implement and update the Program;
2. Oversee the administration of this Program;
3. Report identity theft to the City Attorney and law enforcement;
5. Review and evaluate the Program on an annual basis; and
6. Report any recommended Program changes to City Council.
B. Duties Related to Staff Training and Reports
1. Ensure that the City's utility staff is appropriately trained;
2. Review and follow up on any staff report regarding identity theft; and
4. Require staff to prepare a report at least annually for the Program
Administrator, including but not limited to the following:
a. An evaluation of the effectiveness of the Program with respect to
opening accounts;
b. An evaluation of existing covered accounts;
c. An evaluation of service provider arrangements;
d. Significant incidents involving identity theft and response; and
e. Recommendations for changes to the Program.
C. Service Provider Arrangements
1. In the event the City engages a service provider to perform an activity in
connection with one or more accounts, the City will take the following
steps to ensure the service provider performs its activity in accordance
with reasonable policies designed to detect, prevent, and mitigate the risk
of identity theft:
a. Require, by contract if appropriate, the service provider to have such
policies and procedures in place; and
b. Require, by contract if appropriate, the service provider review the
Program and report any red flags to the Program Administrator.
V. PERIODIC UPDATING OF THE PROGRAM
This Program will be reviewed by the Program Administrator annually to determine if the
Program needs to be amended to reflect changes in risks to customers and to determine
the soundness of the Program to protect City covered accounts from identity theft.
A. Factors to Consider when Conducting Annual Review and Program
Modification
1. The City's experience with the Program;
2. Changes in the City's experience with identity theft and/or changes in the
incidence rate of identity theft in the utility industry;
3. Changes in methods of detecting, preventing, and mitigating identity theft
including the availability of new identity theft prevention technology;
4. Receipt of new information regarding identity theft from other sources
including, but not limited to, the Federal Trade Commission and law
enforcement agencies recommending specific additions to, or modification
of, the Program;
5. Changes in the City's utility business arrangements with other entities
including third party service providers; and
6. Changes in types of accounts offered or account services.
B. Procedures for Updating the Program
1. If the Program Administrator determines that updates to this Program are
warranted, the Program Administrator will make recommendations for
changes to the City Council; and
2. The City Council may accept, modify or reject recommended
changes to the Program.