Print -
Share
- Text Size: a
A - Traducir al Espanol
Staff Report
MEMORANDUM
TO: City Council
FROM: David J. Deutsch, City Manager
SUBJECT: R-22-09, Resolution Adopting an “Identity Theft Prevention Program” to detect, prevent and mitigate identity theft and to comply with Federal regulations relating to Red Flag Identity Theft
DATE: April 2, 2009
Background
The following information was taken from an Issue Brief released by the Government Finance Officers Association:
“In order to combat the growing problem of identity theft, the Federal Trade Commission (FTC) has issued new “Red Flag” rules which apply to all municipalities that have utility accounts, such as water, sewer or electricity, and other operations that defer payment for services on a recurring basis. In accordance with a recent decision by the FTC to delay enforcement of these new rules for six months, the rules now require that by May 1, 2009 such municipalities have in place written programs to identify, detect and respond to patterns, practices or specific activities, known as “Red Flags”, that could indicate identity theft.
In particular, the new rules apply to all municipal utility and other operations that provide a service for which payment is deferred until a future date. For example, when water, sewer or electricity is provided by a city and then paid for by the consumer at the end of a billing cycle, the city has extended credit for the purpose of the FTC rules. The definition of a “creditor” in the rules includes “utility companies” and a “covered account” (those accounts to which the rules apply) is defined to include an account that a creditor “offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a utility account.”
The FTC rules mandate that creditors (like municipal utilities) that offer or maintain “covered accounts” develop and implement a written Identity Theft Prevention Program that helps protect consumer identity by responding to possible signals of identity theft known as “Red Flags”. Red Flags are warnings of identity theft and are defined in the rules as a “pattern, practice or specific activity that indicates the possible existence of identity theft.” Examples of Red Flags include alerts, notifications or warnings from a consumer reporting agency, forged or inconsistent customer identifying information, as well as many other examples set forth in the FTC rules.
According to the FTC, each Identity Theft Prevention Program should be tailored to the needs of the municipality creating the program, taking into account such issues as its size and complexity, as well as the nature of its operations.”
The City Attorney has drafted Resolution R-22-09 after reviewing the FTC rules and regulations and other Identity Theft Prevention Program compliance models. Staff feels existing identity theft risk is minimal. The City’s Water and Sewer System can easily verify property owner names, validate service location addresses and confirm the existence of most business entities.
Federal regulations require that municipal utility companies, such as the City’s Water and Sewer System, have an Identity Theft Prevention Program in place by May 1, 2009. Council’s approval of Resolution R-22-09 is requested.
DJD/rsp
Attachment
R-22-09
A RESOLUTION
OF THE COUNCIL OF THE CITY OF BOWIE, MARYLAND,
ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM TO DETECT, PREVENT AND MITIGATE IDENTITY THEFT IN CONNECTION WITH OPENING OR MAINTAINING AN ACCOUNT WITH THE CITY IN ACCORDANCE WITH FEDERAL REGULATIONS RELATING TO RED FLAG IDENTITY THEFT
WHEREAS, the Federal Trade Commission adopted Part 681 of Title 16 of the Code of Federal Regulations (the “Regulations”) to implement Sections 114 and 315 of the Fair and Accurate Credit Transaction Act (FACTA) of 2003; and
WHEREAS, the Regulations require creditors, on or before May 1, 2009, to adopt an Identity Theft Prevention Program which will use red flags to detect, prevent and mitigate identity theft related to information used in covered accounts; and
WHEREAS, the Regulations define “creditor” as a person that extends, renews or continues credit, and defines “credit” in part as the right to purchase property or services and defer payment therefore; and
WHEREAS, the Regulations include utility providers in the definition of “creditor,” and define “covered account” in part as an account that a creditor provides for personal, family, or household purposes that is designed to allow multiple payments or transactions and specifies that a utility account is a covered account; and
WHEREAS, the City of Bowie (the “City”) is a creditor with respect to 16 CFR § 681.2 (c) by virtue of providing utility services to its residents or by otherwise accepting payment for municipal services in arrears; and
WHEREAS, the Council of the City of Bowie wishes to comply with the Regulations and believes that it is in the interest of the City and its residents to provide an Identity Theft Prevention Program which will use red flags to detect, prevent and mitigate identity theft related to information used in covered accounts.
Section 1. NOW, THEREFORE, BE IT RESOLVED that the City of Bowie adopts the following Identity Theft Prevention Program:
IDENTITY THEFT PREVENTION PROGRAM
Sec. 1. Definitions.
(a) “Covered Account” means:
1. An account that the City offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, including utility accounts; and
2. Any other account that the City offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
(b) “Credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.
(c) “Creditor” means any person who regularly extends, renews, or continues Credit; any person who regularly arranges for the extension, renewal, or continuation of Credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue Credit.
(d) “Customer” or “Consumer” means the person or entity that has a Covered Account with the City.
(e) “Identifying Information” is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, Social Security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol (IP) address, or routing code.
(f) “Identity Theft” means fraud committed or attempted using the Identifying Information of another person without authority.
(g) “Program” means the Identity Theft Prevention Program.
(h) “Red Flag” means a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
Sec. 2. Identity Theft Prevention Program.
There is hereby established an Identity Theft Prevention Program to detect, prevent and mitigate Identity Theft. The Program includes reasonable policies and procedures to: (1) Identify relevant Red Flags for Covered Accounts and incorporate those Red Flags into the Program; (2) detect Red Flags that have been incorporated into the Program; (3) respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and (4) ensure that the Program is updated periodically to reflect changes in risks to the City and its Customers arising from Identity Theft.
Sec. 3. Program Administration.
(a) The City Manager or his designee shall be responsible for the development, implementation, oversight and continued administration of the Program.The City Manager or designee shall: (1) ensure that staff is trained, as necessary, to effectively implement the Program; (2) exercise appropriate and effective oversight of service provider arrangements, as provided in Section 8; (3) review reports prepared by staff regarding compliance; and (4) approve material changes to the Program as necessary.
(b) Reports shall be prepared by the Department of Finance and submitted to the City Manager at least annually, no later than June 30, on the City’s Program compliance. Such reports shall address and evaluate: (1) the effectiveness of the policies and procedures in addressing the risk of Identity Theft in regard to existing Covered Accounts and the opening of Covered Accounts; (2) significant incidents involving Identity Theft and management’s response; (3) service provider agreements; and (4) recommendations for material changes to the Program.
Sec. 4. Identification of Red Flags.
In order to identify relevant Red Flags, the City shall consider the types of accounts that the City provides and maintains, the methods used to open accounts, the methods used to access accounts and previous experience with Identify Theft. The City shall identify the following Red Flags in each of the listed categories:
(a) Notifications and Warnings From Credit Reporting Agencies and Other Service or Information Providers.
1. Report of fraud accompanying a credit report;
2. Notice or report of a credit freeze on a Customer or applicant;
3. Notice or report of an active duty alert for an applicant; and
4. Indication from a credit report of activity that is inconsistent with a Customer’s usual pattern or activity.
(b) Suspicious Documents.
1. Identification document or card that appears to be forged, altered or inauthentic;
2. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing Customer information (such as if a person’s signature on a check appears forged); and
4. Application for service that appears to have been altered or forged.
(c) Suspicious Personal Identifying Information.
1. Identifying Information presented that is inconsistent with other information that the Customer provides (example: inconsistent birth dates);
2. Identifying Information presented that is inconsistent with other sources of information (for instance, an address not matching an address on the credit report);
3. Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent;
4. Identifying Information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
5. Social Security Number presented that is the same as one given by another Customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete personal Identifying Information on an application when reminded to do so (however, by law social security numbers must not be required); and
8. A person’s Identifying Information is not consistent with the information that is on file for the Customer.
(d) Suspicious Account Activity or Unusual Use of Account.
1. Change of address for an account followed by a request to change the account holder’s name;
2. Payments stop on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example: very high activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to the locality that a Customer is not receiving mail sent by the locality;
6. Notice to the locality that an account has unauthorized activity;
7. Breach in the locality’s computer system security; or
8. Unauthorized access to or use of Customer account information.
(e) Alerts from Others.
Notice to the City from a Customer, Identity Theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.
Sec. 5. Detection of Red Flags.
(a) New Accounts. In order to detect any of the Red Flags identified in Section 4 associated with the opening of a new account, the following steps shall be taken to obtain and verify the identity of the person opening the account:
1. Require certain Identifying Information such as name, date of birth, residential or business address, principal place of business for an entity, driver’s license or other identification;
2. Verify the Customer’s identity (for instance, review a driver’s license or other identification card);
3. Review documentation showing the existence of a business entity; and
4. Independently contact the Customer.
(b) Existing Accounts. In order to detect any of the Red Flags identified in Section 4 for an existing account, the following steps shall be taken to monitor transactions with an account:
1. Verify the identification of Customers if they request information, whether in person, via telephone, via facsimile or via e-mail;
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
Sec. 6. Response to Suspected Identity Theft.
(a) In the event a Red Flag is detected, one or more of the following steps shall be taken, depending on the degree of risk posed by the Red Flag:
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the Customer:
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify the City Manager or designee for determination of the appropriate step(s) to take;
8. Notify law enforcement; or
9. Determine that no response is warranted under the particular circumstances.
(b) In order to further prevent the likelihood of Identity Theft occurring, the following steps involving internal operations shall be taken to protect Customer Identifying Information:
1. Ensure that the City’s website is secure or provide clear notice that the website is not secure;
2. Ensure complete and secure destruction of paper documents and computer files containing Customer information;
3. Ensure that the office computers are password protected and that employees log off or lock their computers when leaving their work area;
4. Keep offices clear of papers containing Customer information;
5. Request only the last 4 digits of social security numbers (if any);
6. Ensure computer virus protection is up to date; and
7. Require and keep only the kinds of Customer information that are necessary for utility purposes.
Sec. 7. Address Discrepancies.
(a) The City shall develop policies and procedures to enable it to form a reasonable belief that a credit report, when such a report is requested from the nationwide consumer reporting agency, relates to a City Customer when a notice of an address discrepancy is received from the reporting agency indicating that the address given by the Customer differs from the address contained in the report. An address may be confirmed by the following means or by any other means deemed reasonable by management: (1) Verification by contacting the Consumer; (2) verification by reviewing utility records; or (3) verification through third-party sources.
(b) If an accurate address is confirmed by the process established under subsection (a) of this section, the City shall furnish the address to the reporting agency from which it was received if: (1) the City has established or will establish a continuing relationship with the account holder; and (2) the City regularly, in the ordinary course of business, furnishes information to the reporting agency.
Sec. 8. Oversight of Service Provider Arrangements
In the event a service provider is engaged to perform an activity in connection with one or more Covered Accounts affected by the Program, the City Manager or his designee shall ensure that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft. A service provider engaged pursuant to this section shall be required by contract to have such policies and procedures in place and may, at the City Manager’s discretion, be required by contract to review the City’s Program and report Red Flags to the City Manager or designee.
Sec. 9. Updating the Program.
The Program shall be updated periodically to reflect changes in risks to Customers or to the safety and soundness of the City’s internal business practices in regard to Identity Theft. Such Program updates shall reflect the following elements:
(a) Experiences involving Identity Theft;
(b) Changes in the methods used in Identity Theft;
(c) Changes in the methods used to detect, prevent and mitigate Identity Theft;
(d) Changes in the types of accounts the City offers or maintains;
(e) Changes in the City’s business practices.
NOW, THEREFORE, BE IT FURTHER RESOLVED, that the City Manager or his designee is hereby authorized to develop and implement any and all policies necessary to carry out the Identity Theft Prevention Program set forth herein.
INTRODUCED AND PASSED by the Council of the City of Bowie, Maryland at a regular meeting on the 6th day of April, 2009.
ATTEST: THE CITY OF BOWIE, MARYLAND
By:
Pamela A. Fleming G. Frederick Robinson, Mayor
City Clerk
APPROVED AS TO FORM AND SUFFICIENCY:
______________________________
Robert H. Levan, City Attorney
52000:121458-v3
