Loading...
2009R16-Identify Theft RESOLUTION NO. 09-R-16 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SCHERTZ, TEXAS ADOPTING A WRITTEN IDENTITY THEFT PREVENTION PROGRAM AND AUTHORIZING THE CITY MANAGER TO APPROVE CHANGES IN THE PROGRAM. WHEREAS, the Federal Trade Commission (FTC) recently adopted rules on identity theft "red flags", or warning signs, pursuant to the Fair and Accurate Credit Transactions Act of2003 (FACTA); and WHEREAS, the new rules, which require action by May 1, 2009, require any business with a "covered account" to adopt and implement an identity theft prevention program; and WHEREAS, a "covered account" is one where an entity, such as municipal water utility and EMS, provides a service or good before the consumer pays for it; and WHEREAS, a city with such accounts must adopt a program by May 1, 2009 that "red flags" relevant identity theft, provides detection of the "red flags", provides appropriate responses for any "red flags" detected, and ensures the program is updated periodically to address changing risks; and WHEREAS, the City of Schertz servicing of its water and wastewater utility customers and EMS customers falls within the federal mandate; WHEREAS, the City Council of the City of Schertz wishes to be proactive and adopt an identity Theft Prevention Program that will be in compliance with the criteria set forth by the FTC; and WHEREAS, upon full review and consideration of the City's Identity Theft Prevention Program, and all matters related thereto, the City Council is of the opinion and finds that the Program should be adopted, and that the City Manager should be authorized to develop, implement, administer and amend the Program on behalf of the City of Schertz, Texas; NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF SCHERTZ to adopt the Identity Theft Prevention Program that is in compliance with federal law and is attached to this resolution as Exhibit "A". PASSED, APPROVED, AND ADOPTED9l~' Mayor, City of Schertz CITY OF SCHERTZ, TEXAS Identity Theft Prevention Program "Red Flags Rules" General Information The Identity Theft Red Flags Regulation was jointly issued by the Federal Trade Commission Office of Theft Supervision and several other government agencies, implementing Section 114 of the Fair and Accurate Credit Transactions Act of2003 (FACTA) and is effective on May 1,2009. The Identity Theft Red Flags Regulation requires financial institutions to develop and implement a written identity theft program to detect, prevent and diminish identity theft in connection with opening of certain accounts or maintaining certain existing accounts. Under the regulation financial institutions that offer or maintain covered accounts must develop and implement a written program. A covered account is defined as (1) an account primarily used for personal, family, or household purposes that involves or is designed to permit multiple payments or transaction, and (2) any other account for which there is reasonable foreseeable risk to customers or the safety and soundness of the financial agency or creditor from identity theft. The issuing agencies of the regulation have indentified utility accounts as an example of accounts designed to permit multiple payments or transactions and which present a reasonably foreseeable risk of identity theft. I. Purpose The purpose of this program is to ensure the City of Schertz (the "City") has a program in place to identify, detect, prevent, diminish, and respond to identity theft in connection with the opening of water and wastewater accounts, and to establish written procedures for security and storing of personal information within the Utility Department as well as the EMS Department, pursuant to the Identity Theft Red Flags Regulation implemented pursuant to Section 114 of the FACT A, to be effective on May 1, 2009. II. Application This policy applies to all City employees and service providers that have access to personal information for customers of the Utility Billing Department and the EMS Department, regardless of medium. III. Definitions IdentifYing Information: Any name or number that may be used alone or with any other information to identify a specific person (includes name, social security number, date of birth, alien registration number, government passport, and employer/tax identification number). Identity Theft: A fraud committed using the identifying information of another person. Red Flags: A pattern, practice, or specific activity that indicates the possible risk of identity theft. 50160320.1 1 IV. Policy A. Red Flags Alerts When opening new utility customer accounts, staff needs to carefully scrutIniZe documents submitted for identification or proof of residency for red flags such as: 1. Documents provided for identification appear to be altered or forged. 2. The photograph or physical description of the identification is not consistent with the appearance of the customer requesting service. 3. Other information on the identification is not consistent with information provided by the person requesting service. 4. Other information is not consistent with information that is on file (i.e. previous application submitted with driver's license). 5. Lease or deed submitted for proof of residency appears to be altered or forged. 6. Personal information submitted is associated with known fraudulent activity. 7. The social security number submitted is known to be the same as another customer's. 8. Notification of a chargeback received from a bank. 9. New account requested immediately after disconnection for non-payment. B. New Utility Account Activation To ensure proper identification verification, effective May 1, 2009, all requests for new utility service must be subject to the following verification: 1. Applicants must provide a government issued photo ID (or two forms of picture identification) to initiate utility service. 2. Applications may be submitted by fax, e-mail, or mail, but will not be processed without proper identification verification. 3. Applications must be completed by the person seeking to open a utility account. The name on the application must match the submitted identification and lease agreement/settlement page. 4. The City reserves the right to refuse utility service in the event of inability to provide sufficient identification. C. Existing Accounts In order to detect any of the Red Flags identified above for an existing account, personnel will take the following steps to monitor transactions with an account: 1. Verify the identification of existing customers if they request information (in person, via telephone, via facsimile, via e-mail); 2. Verify the validity of requests to change billing addresses; and 3. Verify changes in banking information given for billing and payment purposes. D. Credit Card Transactions The City accepts credit card payments via service vendor. Customers paying with a credit card in person must show valid identification that matches the name and/or address on the credit card. 50160320.1 2 E. Data Security and Storage 1. Employees are required to maintain a high level of confidentiality as it relates to customers' personal information. Release of information is limited to the account holder(s) or as permitted by law. Subject to the Texas Public Information Act, customers are given the opportunity to indicate if they wish their utility account information to be kept confidential. Access to EMS customer records IS governed by the Health Insurance Portability and Accountability Act, as amended. 2. Access into the billing system requires a user name assigned by the Systems Administrator. A password is also required, which is determined by the user and is CJIS (Criminal Justice Information Systems) compliant based upon the City's Information Technology Security Policy that has been implemented. The system will permit three (3) sign on attempts and then will temporarily disable the password. Upon termination, employee passwords are immediately disabled. 3. Disclosure of personal information. Personal information is, or could be, used as a means of identification, for internal verification, or administration purposes, credit checks, and for debt collection purposes. Information submitted to the City's debt collection agency is on file in the Utility Billing Department and EMS Billing Department. 4. Utility Billing Department Data Storage. Hard copy information is stored in filing cabinets in the Utility Billing Department. The office is monitored by security cameras and secured by one locked door. Cash receipt information is stored in the locked safe and the Senior Accountant's storage areas. 5. EMS Department Data Storage. Hard copy information is stored in filing cabinets in the EMS Building, which are kept locked at all times other than during business hours. Only EMS Billing Department staff have access to these files. The office is secured by one locked door. EMS customer records are maintained in. compliance with the Health Insurance Portability and Accountability Act, as amended. 6. Laptop computers. The use and security of laptop computers containing Identifying Information shall be governed by the City's laptop security policy. Additionally, EMS laptops comply with the requirements of the Health Insuranl?e Portability and Accountability Act, as amended. F. Data Retention! Access Records are disposed of in accordance with state and federal law including the local records retention schedule issued by the Texas State Library and Archives Commission and City Code. All City records are subject to the Texas Public Information Act. Requests for information that may be excepted from disclosure under the Texas Public Information Act are forwarded to the Attorney General's office for an official ruling on whether the information may be withheld. G. Identity Theft Notification A zero tolerance policy is in effect for all fraudulent transactions pertaining to the Utility Billing Department and the EMS Billing Department. Once written notification and 50]60320.] 3 verification is received of fraudulent activity from a customer, banking institution, and/or collection agency, the Utility Billing Department and the EMS Billing Department will (1) proceed with notating and taking corrective actions on the account, (2) gather all pertinent information that is available, and (3) immediately contact the Schertz Police Department to initiate a criminal investigation. H. Prevent and Mitigate Identity Theft In the event City personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag: 1. Continue to monitor an account for evidence of Identity Theft; 2. Contact the customer; 3. Change any passwords or other security devices that permit access to accounts; 4. Not open a new account in the customer's name; 5. Close an existing account of the customer; 6. Reopen the customer's account with a new number; 7. Notify the Program Administrator for determination of the appropriate step(s) to take; 8. Notify law enforcement; or 9. Determine that no response is warranted under the particular circumstances. 1. Training Training of all Utility Billing Department and EMS Billing Department employees will be accomplished prior to May 1, 2009 or as soon thereafter as possible. The training will assist staff in recognizing Identity Theft Red Flags and will prepare them with the action steps to take, depending on the Red Flag finding. As staff is hired, training will occur for each employee as part of their initial training. J. Periodic Review and Reporting The Finance Director will serve as the Program Administrator for the Identity Theft Prevention Program and will conduct an annual review to determine staff compliance with the Identity Theft Prevention Program, staff effectiveness in addressing the risk of identity theft, and address significant incidents involving identity theft and management's response. If it is determined that changes may be necessary, the Program Administrator will detail any changes to the City Manager, who has the authority to approve any recommended changes in policy. 50160320.] 4