HomeMy WebLinkAboutResolution No. 2009-34 RESOLUTION NO. R2009-34
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF
FRIENDSWOOD, TEXAS, ADOPTING AN IDENTITY THEFT
PREVENTION PROGRAM.
� � � � �
WHEREAS, the Federal Trade Commission adopted rules pertaining to Identity Theft
Prevention pursuant to the Red Flags Rule which implements Section 114 of the Fair and
Accurate Credit Transactions Act of 2003 which requires that creditars adopt an Identity Theft
Prevention Program on or before May 1, 2009; and
WHEREAS, the Red Flags Rule defines creditor to include all utility companies and the
City owns and provides utility services and/or accepts payments for municipal utility services
and is therefore classified as a creditor; and
WHEREAS,the City Council has reviewed the Program and believes it fulfills, complies
and implements the Red Flags rule and other requirements outlined by the Federal Trade
Commission; and
WHEREAS, the City Council finds that it is in the public interest to approve the
Program attached hereto and incorporated herein as Exhibit"A" ("Program"); and
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
FRIENDSWOOD,TEXAS:
Section 1. The City Council of the City of Friendswood, Texas, hereby approves and
adopts the Identity Theft Prevention Program attached as Exhibit"A" as the as the Identity Theft
Prevention Program for the City of Friendswood, Texas.
PASSED,APPROVED AND RESOLVED on this 18th day of Mav,2009.
David J. . Smrth
Mayor
ATT
� F F R�E/y0
� �O S�
D oris McKenzie, TRM o
� v
City Secretary *
*
�
���'F oF t��'�
R2009-34 2
Exhibit A
City of Friendswood
Red Flag Identity Theft Prevention Program
I. PURPOSE AND DEFINITIONS
A. Establish an Identity Theft Prevention Program
The purpose of this program is to establish an Identity Theft Prevention
Program designed to detect, prevent and mitigate identity theft in
connection with the opening of a covered account or an existing covered
account and to provide continued administration of the Program in
compliance with Part 618 of Title 16 of the Code of Federal Regulations
implementing Sections 114 and 315 of the Fair and Accurate Credit
Transactions Act (FACTA) of 2003.
This program was developed under the direction of the City Manager.
After consideration of the size and complexity of the City's operations and
Account systems, and the nature and scope of the City's activities, the City
Manager and City Council have determined that this program is
appropriate for the City, and therefore adopts this program.
B. Definitions
1. Covered account is "an account that the City offers or maintains,
primarily for personal, family, or household purposed, that
involves or is designed to permit multiple payments or
transactions." A covered account is also any other account the
City maintains for which there is a reasonably foreseeable risk to
customers or to the safety and soundness of the City from Identity
Theft. Covered accounts include credit cards, mortgage loans,
automobile loans, margin accounts, cell phone account, utility
accounts, checking and savings accounts.
2. Identify theft "means a fraud committed or attempted using the
identifying information of another person without authority."
3. Identifying information includes "name, social security number,
date of birth, official State or government issued driver's license or
identification number, alien registration number, government
passport number, employer or taxpayer identification number."
4. Program Administrator is the City of Friendswood's Director of
Administrative Services.
1
5. Red Flag means a pattern, practice or specific activity that
indicates the possible existence of identity theft.
6. Utility is the City of Friendswood Utility Billing division of
Administrative Services department.
II. OBJECTIVES
A. Identify relevant red flags
1. Alerts, notifications and warnings from credit reporting agencies
or service providers. Possible Red Flags for this category
include: a) Receiving a report or notice from a consumer reporting
agency of a credit freeze; b) Receiving a report of fraud with a
consumer report; and c) Receiving indication from a consumer
report of activity that is inconsistent with a customer's usual
pattern or activity.
2. Presentation of suspicious documents. Possible Red Flags for
this category include: a) Receiving documents that are provided
for identification that appear to be forged or altered; b) Receiving
documentation on which a person's photograph or physical
description is not consistent with the person presenting the
documentation; c) Receiving other documentation with
information that is not consistent with existing customer
information (such as if a person's signature on a check appears
forged); and d) Receiving an application for service that appears
to have been altered or forged.
3. Presentation of suspicious personal identifying information.
Possible Red Flags for this category include: a) A person's
identifying information is inconsistent with other sources of
information (such as an address not matching an address on a
consumer report or a social security number (SSN) that was
never issued); b) A person's identifying information is inconsistent
with other information the customer provides (such as
inconsistent SSNs or birth dates); c) A person's identifying
information is the same as shown on other applications found to
be fraudulent; d) A person's identifying information is consistent
with fraudulent activity (such as an invalid phone number or
fictitious billing address); e) A person's SSN is the same as
another customer's SSN; fl A person's address or phone number
is the same as that of another person; g) A person fails to provide
complete personal identifying information on an application when
reminded to do so; and h) A person's identifying information is not
consistent with the information that is on file for the customer.
2
4. Suspicious activity or unusual use of an account. Possible Red
Flags for the category include: a) A change of address for an
Account followed by a request to change the Account holder's
name; b) An account being used in a way that is not consistent
with prior use (such as late or no payments when the Account has
been timely in the past); c) Mail sent to the Account holder is
repeatedly returned as undeliverable; d) The City receives notice
that a customer is not receiving his paper statements; and e) The
City receives notice that an Account has unauthorized activity.
5. Alerts from others. Red Flags for this category includes receipt of
notice from a customer, an identity theft victim, law enforcement
or any other person that it has opened or is maintaining a
fraudulent Account for a person engaged in Identity Theft.
B. Detect red flags- In order to detect any of the Red Flags identified above
with the opening of a new Utility Account, City personnel will take one or
more of the following steps to obtain and verify the identity of the person
opening the Account:
1. New Accounts
a. Require certain identifying information (name, date of birth,
driver's license or other identification)
b. Verify the identity with photo identification
c. Independently contact the customer
2. Existing Accounts
a. Authenticate customers (verify identity)
b. Verify the validity of requests to change billing address
c. Verify banking information
C. Mitigate identify theft- City personnel shall take the following steps to
prevent and mitigate identity theft:
1. Monitor/continue to monitor an account for evidence of identity
theft
2. Contact the customer
3. Change any passwords, security codes or devices that permit
access to an account
4. Not open a new account
5. Close an existing account
6. Reopen an account with a new number
7. Notify program administrator
8. Notify law enforcement
9. Determine no response is warranted under the particular
circumstances
3
D. Update the program
The program shall be updated bi-annually to reflect changes in risks or to
the safety and soundness of the identity theft program based on:
1. Experiences of the organization with identity theft
2. Changes in methods of identity theft
3. Changes in methods to detect, prevent and mitigate identity theft
4. Changes in the types of accounts the organization offers or
maintains
5. Changes in business arrangements (acquisitions, alliances, joint
ventures, service providers)
If warranted, the City Council will make a determination of whether to
accept, modify or reject those changes to the program.
III. PROGRAM ADMINISTRATION
A. Oversight and Administration
1. Responsibility for developing, implementing, oversight, and
updating this Program is assigned to the Director of
Administrative Services. The Director may delegate this
responsibility and assign a Program Director.
a. The program director will review reports prepared by staff
regarding compliance
b. The Program Director will approve material changes to the
Program as necessary to address changes in risks of identity
theft.
2. Reports
a. At least annually, staff responsible for development,
implementation and administration of the Program shall
report to the Director of Administrative Services on the
compliance by the organization.
b. The report shall address and evaluate the effectiveness of
policies and procedures in addressing risk, service provider
agreements, significant incidents involving identity theft
including management's response and recommendations for
material changes.
� 4
3. Staff Training
a. Staff responsible for implementation and administration shall
be trained in the detection of Red Flags and the responsive
steps to be taken when a Red Flag is detected.
b. Procedures will be designed to enable the organization to
form a reasonable assurance to detect, prevent and mitigate
the risk of identity theft.
4. Oversight of Service Provider Agreements
If the City engages a service provider to perform an activity
with one or more accounts, the City will take steps to ensure
there are reasonable policies and procedures designed to
detect, prevents and mitigate the risk of identity theft.
a. Require, by contract, that the service provider have such
policies and procedures in place.
b. Require, by contract, that the service provider reviews the
City's Program and report any Red Flags to the Program
Administrator.
B. Non-disclosure of Specific Practices
For the effectiveness of this Identity Theft Prevention Program, knowledge about
specific Red Flag identification, detection, mitigation and prevention practices must be
limited to the Identify Theft Committee who developed this Program and to those
employees with a need to know them. Any documents that may have been produced or
are produced in order to develop or implement this program that list or describe specific
practices and the information those documents contain are considered unavailable to
the public because disclosure of them would be likely to substantially jeopardize the
security of the information against improper use, that use being to circumvent the
Identity Theft prevention efforts.
If a request is received for such information, City staff will request an opinion from the
Texas Attorney General as to whether or not such information is public, citing concerns
in regard to identity theft and federal laws requiring prevention.
5