Loading...
10/28/2008 CC Rpt 17 COUNCIL AGENDA STAFF REPORT coy CL� FFK/USE.9NLY cl rt. Meeting Date: October 28, 2008 TOME OCT 22 PH i 3: 50 Public Hearing: 0 .- f ; , is L[NK Discussion Item: ❑/ Cl-iiN0 iiILLS itia Consent Item: g' OCTOBER 21, 2008 TO: HONORABLE MAYOR AND CITY COUNCIL MEMBERS FROM: CITY MANAGER SUBJECT: IDENTITY THEFT PREVENTION PROGRAM RECOMMENDATION: 1. Approve the attached Identity Theft Prevention Program. 2. Adopt a resolution entitled: ` A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CHINO HILLS, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM. BACKGROUND/ANALYSIS: The Fair and Accurate Credit Transactions Act of 2003 (implemented at 16 Code of Federal Regulations, Part 681 and Federal RegisterNol. 72, No. 217/ Nov. 9, 2007, pages 63718-63775, requires financial institutions and creditors to develop and implement written identity theft prevention programs by November 1, 2008. These programs must provide for the identification, detection, and response to patterns, practices, or specific activities — known as "red flags" —that could indicate identity theft ("Red Flags Rules"). These programs may include methods, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the City Council or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers. With respect to cities, it appears that the Rules apply to cities in cases where local government entities are "creditors"with "covered accounts." The Federal Trade Commission (FTC)considers a government entity to be a creditor where it defers payment for goods or services by its customers, he most common example being public utilities. A"covered account" is defined as (1) an account that is used primarily for family, personal, or household purposes and involves or is designed for /9 AGENDA DATE: OCTOBER 28, 2008 )BJECT: IDENTITY THEFT PREVENTION PROGRAM AGE TWO multiple payments or transactions, such as credit card accounts, utility accounts, and checking or savings accounts; or (2) any other account that involves a foreseeable risk of identity theft. FTC personnel clarified that it is their view that municipalities 'defer payments' by their utility customers when water, electric, gas, trash and the like are sold to customers day-by-day but paid for at the end of the billing cycle. Accordingly, if a municipality provides utility or other services to their customers prior to billing their customers for such services,then the municipality is considered to be a "creditor" with "covered accounts" as defined under the Rules. REVIEW BY OTHERS: This agenda item has been reviewed by the City Attorney. FISCAL IMPACT: There is no fiscal impact for this agenda item. v.pectfully submitted, Recommended by: ‘Th 'Tait% r/ d , Dodi gleg.N. La Belle, City Manager J = R. rj:ncaster, Finance Director DLB:JRL:ddk Attachment: Identify Theft Prevention Program Resolution Exhibit A / i\ CITY OF CHINO HILLS CITY OF CHINO HILLS Identity Theft Prevention Program Effective November 1, 2008 PROGRAM ADOPTION This Administrative Policy and Procedure("AP&P")establishes an Identity Theft Prevention Program ("Program") in accordance with the Federal Trade Commission's Red Flags Rule ("Rule")which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003 ("FACT") as implemented at 16 CFR § 681.2. II. APPLICABILITY. The Program applies to the Finance Department. In particular, the Program applies to the Water, Wastewater, and Solid Waste utilities. In accordance with the FACT, the Program is intended to: A. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program; B. Detect Red Flags that have been incorporated into the Program; C. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and D. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft. III. DEFINITIONS. Unless the contrary is stated or clearly appears from the context, the following definitions will govern the construction of the words and phrases used in this AP&P. Words and phrases not defined by this AP&P have the meanings stated in the FACT, and any successor statutes or regulations. A. "Covered account" means Any account the City offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and Any other account the City offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the City from Identity Theft. B. "Identity theft" means a fraud committed or attempted using the identifying information of anther person without authority. C. "Identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien 2 registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer's Internet Protocol address, or routing code. D. "Red Flag" as a pattern, practice, or specific activity that indicates the possible existence of Identity Theft. IV. IDENTIFICATION OF RED FLAGS. Red Flags include the following: A. Notifications and Warnings from Third-Parties. Report of fraud accompanying a credit report; ii. Notice or report from a credit agency of a credit freeze on a customer or applicant; ii. Notice or report from a credit agency of an active duty alert for an applicant; iv. Indication from a credit report of activity that is inconsistent with a customer's usual pattern or activity; and v. Notice to the City from a customer, identity theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft. B. Suspicious Documents. Identification document or card that appears to be forged, altered or inauthentic; Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates); Other document with information that is not consistent with existing customer information (such as if a person's signature on a check appears forged); and iv. Application for service that appears to have been altered or forged. C. Account Activity. Change of address for an account followed by a request to change the account holder's name; Payments stop on an otherwise consistently up-to-date account; 3 Account used in a way that is not consistent with prior use (example: very high activity); iv. Notice to the City that a customer is not receiving mail sent by the City; v. Notice to the City that an account has unauthorized activity; vi. Breach in the City's computer system security; and vii. Unauthorized access to or use of customer account information. D. Patterns, Practices or Specific Activities. Person offers suspicious documents that appear to be altered, non- official, copied from an original, information purposely obscured, physical description does not match photo; i. Suspicious personal identifying information used to open an account, such as not knowing their address for the new account, asking for basic information that should be known by the resident or business; address on application same address from previously known fraudulent account; or fails to provide all required information. i. Mail sent to address is returned as undeliverable although transactions continue to be conducted in connection with the customer's account. iv. Customer makes first payment and makes an initial payment, but no subsequent payments. v. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent; vi. A person's identifying information is not consistent with the information that is on file for the customer. E. Detection of Red Flags. City staff should review on a monthly basis lists of accounts where payments have not been made, and should cross-check payment history to determine if one of the red flags is present. H. City staff will be contacted if a customer claims that s/he is not receiving account statements, and staff should verify payment history, when account was opened, and when last account statement was sent. V. RESPONSE IF RED FLAG TRIGGERED. If any red flags are detected, the Finance Director, or designee, and Police Chief, or designee, must be notified. Those persons 4 must determine if illegal activity occurred. If so, they must take appropriate action to stop any further illegal transactions, notify credit reporting agencies, contact the person whose identity has been compromised, and take other reasonable measures, including, without limitation, changing security codes (if applicable); reopening the account with a new account number; not opening a new account; closing an existing account; and/or commencing a criminal fraud investigation. VI. PROTECTING IDENTIFYING INFORMATION. To reduce the opportunity for identity theft, Department Directors must take the following steps: A. Ensure that the City website is secure or provide clear notice that the website is not secure; B. Ensure complete and secure destruction of paper documents and computer files containing customer information; C. Ensure that office computers are password protected and that computer screens lock after a set period of time; D. Keep offices clear of papers containing customer information; E. Request only the last 4 digits of social security numbers (if any); F. Ensure computer virus protection is up to date; and G. Require and keep only the kinds of customer information that are necessary for utility purposes. VII. SERVICE PROVIDER ARRANGEMENTS. If the City retain a service provider to perform an activity in connection with one or more accounts, the City will take the following steps to ensure the service provider performs its services in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft. A. Require, by contract, that service providers have such policies and procedures in place; and B. Require, by contract, that service providers review the City's Program and report any Red Flags to the Finance Director. VIII. TRAINING. A. Staff. Each department involved in financial transactions with residents or businesses must be provided a copy of this policy and trained regarding the identification, detection and response to red flags. B. Consultants All consultants and companies which provide credit card or other 5 financial transaction processing services for the City must also be provided a copy of this policy and be required to comply with these provisions, as applicable. City staff must collaborate with such consultants and companies to implement programs which integrate red flag detection into such services. IX. REVIEW OF PROGRAM. Every twenty-four months, the Finance Director should review this policy to determine if modifications are needed to address operational changes, amendment to governing law, actual experiences encountered during the prior twenty-four months, increase or decrease in covered accounts, and changes in risks from identity theft. 6 RESOLUTION NO. 08R- 76 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CHINO HILLS, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM. WHEREAS, regulations require that financial institutions and creditors implement written programs that provide for detection of and response to specific activities that could be related to identity theft; and WHEREAS, staff has prepared the City of Chino Hills Identity Theft Prevention Program in response to and in compliance with the Fair and Accurate Credit Transaction (FACT) Act of 2003 and regulations promulgated by the Federal Trade Commission; and WHEREAS, the City Council has reviewed the Identity Theft Prevention Program. NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF CHINO HILLS DOES RESOLVE, DETERMINE, AND ORDER AS FOLLOWS: SECTION 1. The City hereby adopts, and directs City staff to implement the Identify Theft Prevention Program attached as Exhibit "A" and incorporated by reference. SECTION 2. The City Clerk shall certify as to the adoption of this Resolution. SECTION 3. This Resolution becomes effective immediately upon adoption. PASSED, APPROVED, and ADOPTED this 28th day of October 2008. .7"</_. . flatly vo-i;, ATTEST: inaliZiii liti -7 * MARY M. Mc FFEE, CITY CLEr ii APPROVED S TO FORM: MARK D HENSLEY, CITY AT%RNEY ��JJ Page 1 of 2 STATE OF CALIFORNIA COUNTY OF SAN BERNARDINO ) CITY OF CHINO HILLS I, MARY M. McDUFFEE, City Clerk of the City of Chino Hills, DO HEREBY CERTIFY that the foregoing Resolution No. 08R-76 was duly passed and adopted by the City Council of the City of Chino Hills at their regular meeting held October 28, 2008, by the following roll call vote: AYES: COUNCIL MEMBERS: HAGMAN, ROGERS, GRAHAM, KRUGER NOES: COUNCIL MEMBERS: NONE ABSENT: COUNCIL MEMBERS: NORTON-PERRY . ild, 11,,a2CL_ MARY M. Mc► iFFEE, CITY CLERK/ (SEAL) The foregoing is the original of Resolution No. 08R-76 duly passed and adopted by the Chino Hills City Council at their regular meeting held October 28, 2008. ga47.fr/WAII , MARY M. DUFFEE, CITY CLER1 (SEAL) ll////// 2