2009R16-Identify Theft
RESOLUTION NO. 09-R-16
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF
SCHERTZ, TEXAS ADOPTING A WRITTEN IDENTITY THEFT
PREVENTION PROGRAM AND AUTHORIZING THE CITY
MANAGER TO APPROVE CHANGES IN THE PROGRAM.
WHEREAS, the Federal Trade Commission (FTC) recently adopted rules on identity
theft "red flags", or warning signs, pursuant to the Fair and Accurate Credit Transactions
Act of2003 (FACTA); and
WHEREAS, the new rules, which require action by May 1, 2009, require any business
with a "covered account" to adopt and implement an identity theft prevention program;
and
WHEREAS, a "covered account" is one where an entity, such as municipal water utility
and EMS, provides a service or good before the consumer pays for it; and
WHEREAS, a city with such accounts must adopt a program by May 1, 2009 that "red
flags" relevant identity theft, provides detection of the "red flags", provides appropriate
responses for any "red flags" detected, and ensures the program is updated periodically to
address changing risks; and
WHEREAS, the City of Schertz servicing of its water and wastewater utility customers
and EMS customers falls within the federal mandate;
WHEREAS, the City Council of the City of Schertz wishes to be proactive and adopt an
identity Theft Prevention Program that will be in compliance with the criteria set forth by
the FTC; and
WHEREAS, upon full review and consideration of the City's Identity Theft Prevention
Program, and all matters related thereto, the City Council is of the opinion and finds that
the Program should be adopted, and that the City Manager should be authorized to
develop, implement, administer and amend the Program on behalf of the City of Schertz,
Texas;
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY
OF SCHERTZ to adopt the Identity Theft Prevention Program that is in compliance with
federal law and is attached to this resolution as Exhibit "A".
PASSED, APPROVED, AND ADOPTED9l~'
Mayor, City of Schertz
CITY OF SCHERTZ, TEXAS
Identity Theft Prevention Program
"Red Flags Rules"
General Information
The Identity Theft Red Flags Regulation was jointly issued by the Federal Trade Commission
Office of Theft Supervision and several other government agencies, implementing Section 114 of
the Fair and Accurate Credit Transactions Act of2003 (FACTA) and is effective on May 1,2009.
The Identity Theft Red Flags Regulation requires financial institutions to develop and implement
a written identity theft program to detect, prevent and diminish identity theft in connection with
opening of certain accounts or maintaining certain existing accounts.
Under the regulation financial institutions that offer or maintain covered accounts must develop
and implement a written program. A covered account is defined as (1) an account primarily used
for personal, family, or household purposes that involves or is designed to permit multiple
payments or transaction, and (2) any other account for which there is reasonable foreseeable risk
to customers or the safety and soundness of the financial agency or creditor from identity theft.
The issuing agencies of the regulation have indentified utility accounts as an example of accounts
designed to permit multiple payments or transactions and which present a reasonably foreseeable
risk of identity theft.
I. Purpose
The purpose of this program is to ensure the City of Schertz (the "City") has a program in place
to identify, detect, prevent, diminish, and respond to identity theft in connection with the opening
of water and wastewater accounts, and to establish written procedures for security and storing of
personal information within the Utility Department as well as the EMS Department, pursuant to
the Identity Theft Red Flags Regulation implemented pursuant to Section 114 of the FACT A, to
be effective on May 1, 2009.
II. Application
This policy applies to all City employees and service providers that have access to personal
information for customers of the Utility Billing Department and the EMS Department, regardless
of medium.
III. Definitions
IdentifYing Information: Any name or number that may be used alone or with any other
information to identify a specific person (includes name, social security number, date of birth,
alien registration number, government passport, and employer/tax identification number).
Identity Theft: A fraud committed using the identifying information of another person.
Red Flags: A pattern, practice, or specific activity that indicates the possible risk of identity
theft.
50160320.1 1
IV. Policy
A. Red Flags Alerts
When opening new utility customer accounts, staff needs to carefully scrutIniZe
documents submitted for identification or proof of residency for red flags such as:
1. Documents provided for identification appear to be altered or forged.
2. The photograph or physical description of the identification is not consistent with
the appearance of the customer requesting service.
3. Other information on the identification is not consistent with information
provided by the person requesting service.
4. Other information is not consistent with information that is on file (i.e. previous
application submitted with driver's license).
5. Lease or deed submitted for proof of residency appears to be altered or forged.
6. Personal information submitted is associated with known fraudulent activity.
7. The social security number submitted is known to be the same as another
customer's.
8. Notification of a chargeback received from a bank.
9. New account requested immediately after disconnection for non-payment.
B. New Utility Account Activation
To ensure proper identification verification, effective May 1, 2009, all requests for new
utility service must be subject to the following verification:
1. Applicants must provide a government issued photo ID (or two forms of picture
identification) to initiate utility service.
2. Applications may be submitted by fax, e-mail, or mail, but will not be processed
without proper identification verification.
3. Applications must be completed by the person seeking to open a utility account.
The name on the application must match the submitted identification and lease
agreement/settlement page.
4. The City reserves the right to refuse utility service in the event of inability to
provide sufficient identification.
C. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, personnel
will take the following steps to monitor transactions with an account:
1. Verify the identification of existing customers if they request information (in
person, via telephone, via facsimile, via e-mail);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
D. Credit Card Transactions
The City accepts credit card payments via service vendor. Customers paying with a
credit card in person must show valid identification that matches the name and/or address
on the credit card.
50160320.1 2
E. Data Security and Storage
1. Employees are required to maintain a high level of confidentiality as it relates to
customers' personal information. Release of information is limited to the
account holder(s) or as permitted by law. Subject to the Texas Public
Information Act, customers are given the opportunity to indicate if they wish
their utility account information to be kept confidential. Access to EMS
customer records IS governed by the Health Insurance Portability and
Accountability Act, as amended.
2. Access into the billing system requires a user name assigned by the Systems
Administrator. A password is also required, which is determined by the user and
is CJIS (Criminal Justice Information Systems) compliant based upon the City's
Information Technology Security Policy that has been implemented. The system
will permit three (3) sign on attempts and then will temporarily disable the
password. Upon termination, employee passwords are immediately disabled.
3. Disclosure of personal information. Personal information is, or could be, used as
a means of identification, for internal verification, or administration purposes,
credit checks, and for debt collection purposes. Information submitted to the
City's debt collection agency is on file in the Utility Billing Department and
EMS Billing Department.
4. Utility Billing Department Data Storage. Hard copy information is stored in
filing cabinets in the Utility Billing Department. The office is monitored by
security cameras and secured by one locked door. Cash receipt information is
stored in the locked safe and the Senior Accountant's storage areas.
5. EMS Department Data Storage. Hard copy information is stored in filing
cabinets in the EMS Building, which are kept locked at all times other than
during business hours. Only EMS Billing Department staff have access to these
files. The office is secured by one locked door. EMS customer records are
maintained in. compliance with the Health Insurance Portability and
Accountability Act, as amended.
6. Laptop computers. The use and security of laptop computers containing
Identifying Information shall be governed by the City's laptop security policy.
Additionally, EMS laptops comply with the requirements of the Health Insuranl?e
Portability and Accountability Act, as amended.
F. Data Retention! Access
Records are disposed of in accordance with state and federal law including the local
records retention schedule issued by the Texas State Library and Archives Commission
and City Code.
All City records are subject to the Texas Public Information Act. Requests for
information that may be excepted from disclosure under the Texas Public Information
Act are forwarded to the Attorney General's office for an official ruling on whether the
information may be withheld.
G. Identity Theft Notification
A zero tolerance policy is in effect for all fraudulent transactions pertaining to the Utility
Billing Department and the EMS Billing Department. Once written notification and
50]60320.] 3
verification is received of fraudulent activity from a customer, banking institution, and/or
collection agency, the Utility Billing Department and the EMS Billing Department will
(1) proceed with notating and taking corrective actions on the account, (2) gather all
pertinent information that is available, and (3) immediately contact the Schertz Police
Department to initiate a criminal investigation.
H. Prevent and Mitigate Identity Theft
In the event City personnel detect any identified Red Flags, such personnel shall take one
or more of the following steps, depending on the degree of risk posed by the Red Flag:
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account in the customer's name;
5. Close an existing account of the customer;
6. Reopen the customer's account with a new number;
7. Notify the Program Administrator for determination of the appropriate step(s) to
take;
8. Notify law enforcement; or
9. Determine that no response is warranted under the particular circumstances.
1. Training
Training of all Utility Billing Department and EMS Billing Department employees will
be accomplished prior to May 1, 2009 or as soon thereafter as possible. The training will
assist staff in recognizing Identity Theft Red Flags and will prepare them with the action
steps to take, depending on the Red Flag finding. As staff is hired, training will occur for
each employee as part of their initial training.
J. Periodic Review and Reporting
The Finance Director will serve as the Program Administrator for the Identity Theft
Prevention Program and will conduct an annual review to determine staff compliance
with the Identity Theft Prevention Program, staff effectiveness in addressing the risk of
identity theft, and address significant incidents involving identity theft and management's
response. If it is determined that changes may be necessary, the Program Administrator
will detail any changes to the City Manager, who has the authority to approve any
recommended changes in policy.
50160320.] 4