HomeMy WebLinkAbout[04f] Policy Book Amendment?~
c:rr~= ~>R sar ac~F vx
Council Agenda Item 4f
MEETING DATE: April 16, 2009
AGENDA ITEM: Policy book Amendment -Requested Action: Amend the Policy Book to
include the Identity Theft Policy.
SUBMITTED BY: Finance
BOARD/COMMISSION/COMMITTEE RECOMMENDATION: N/A
PREVIOUS COUNCIL ACTION: None
BACKGROUND INFORMATION: The Federal Trade Commission passed a law in 2008 that requires public
utilities to adopt a plan before May 1, 2009 to prevent identity theft. Staff has drafted the policy based
on potential identity theft pertaining to the City's utility funds and activities. The policy identifies
potential red flags and how the City will detect, respond and prevent identity theft.
BUDGET/FISCAL IMPACT: None
ATTACHMENTS: Identity Theft Policy
REQUESTED COUNCIL ACTION: Adopt the Identity Theft Policy as presented adding the same to the
Policy Book approved on March 2, 2009
Adopted 04-1609
PROGRAM ADOPTION
The City of St. Joseph ("Utility")developed this Identity Theft Prevention Program ("Program") pursuant
to the Federal Trade Commission's Red Flags Rule ("Rule"), which implements Section 114 of the Fair
and Accurate Credit Transactions Act of 2003. 16 C. F. R. § 681.2. This Program was developed with
oversight and approval of the City Council. After consideration of the size and complexity of the Utility's
operations and account systems, and the nature and scope of the Utility's activities, the City Council
determined that this Program was appropriate for the City of St. Joseph, and therefore approved this
Program on April 16 , 2009.
II. PROGRAM PURPOSE AND DEFINITIONS
A. Fulfilling requirements of the Red Flags Rule
Under the Red Flag Rule, every financial institution and creditor is required to establish an "Identity
Theft Prevention Program" tailored to its size, complexity and the nature of its operation. Each program
must contain reasonable policies and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red
Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft;
and
4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the
safety and soundness of the creditor from Identity Theft.
B. Red Flags Rule definitions used in this Program
The Red Flags Rule defines "Identity Theft" as "fraud committed using the identifying information of
another person" and a "Red Flag" as "a pattern, practice, or specific activity that indicates the possible
existence of Identity Theft."
According to the Rule, a municipal utility is a creditor subject to the Rule requirements. The Rule defines
creditors "to include finance companies, automobile dealers, mortgage brokers, utility companies, and
telecommunications companies. Where non-profit and government entities defer payment for goods or
services, they, too, are to be considered creditors."
All the Utility's accounts that are individual utility service accounts held by customers of the utility
whether residential, commercial or industrial are covered by the Rule. Under the Rule, a "covered
account" is:
1. Any account the Utility offers or maintains primarily for personal, family or household purposes,
that involves multiple payments or transactions; and
2. Any other account the Utility offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the Utility from identity Theft.
"Identifying information" is defined under the Rule as "any name or number that may be used, alone or
in conjunction with any other information, to identify a specific person;' including: name, address,
telephone number, social security number, date of birth, government issued driver's license or
identification number, alien registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's Internet Protocol address, or
routing code.
III. IDENTIFICATION OF RED FLAGS.
In order to identify relevant Red Flags, the Utility considers the types of accounts that it offers and
maintains, the methods it provides to open its accounts, the methods it provides to access its accounts,
and its previous experiences with Identity Theft. The Utility identifies the following red flags, in each of
the listed categories:
A. Suspicious Documents
Red Flaas
1. Payment received by an unknown name.
B. Suspicious Personal Identifying Information
Red Flaas
1. An address presented that is the same as that of another person/business; and
Service requested for unknown service address.
C. Suspicious Account Activity or Unusual Use of Account
Red Flaas
1. Continuous non-payment for account;
2. Mail sent to account owner is routinely undeliverable;
3. Frequently changes addresses (more than 2 times per year);
4. Frequently changes owner's name for account (more than 2 times per year); and
5. Water usage changes significantly from normal use for account and as compared to the average
residential usage.
D. Alerts from Others
Red Flaa
1. Notification of insufficient funds after payment received for services;
2. Third party reports suspicious activity;
3. Rental Inspector, Public Works, Police Department report suspicious activity; and
4. Tenant reports owner changed.
IV. DETECTING RED FLAGS.
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new account,
Utility personnel will take the following steps to obtain and verify the identity of the person opening the
account:
~ =a ;
Detect
1. Review the "Memo" field in Banyon Utility Billing stating name and service address changes to
track the changes that is retained for 1 year;
2. Match Certificate of Occupancy for new construction with owner information;
3. Review final plat and addressing maps for proper service address;
4. Review Banyon Utility Billing for duplicate service addresses; and
5. Obtain mailing address of the owner to send utility bills to.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, Utility personnel will
take the following steps to monitor transactions with an account:
Detect
1. Verify the identification of customers if they request information (in person, via telephone, via
facsimile, via email);
2. Identify extreme account usage from normal activity for the account and compared to the
average residential usage;
3. Rental inspections conducted by building inspectors identifies owner which is compared to
Banyon Utility Billing owner information;
4. Review the "Memo" field in Banyon Utility Billing stating name and service address changes to
track the changes that is retained for 1 year;
5. Compare owner information on the Stearns County Website;
6. Interim meter reading for suspicious account usage;
7. Post notice on the property to disconnect service; and
8. Request an appointment with the owner to look for leaks causing higher than usual usage.
V. PREVENTING AND MITIGATING IDENTITY THEFT
In the event Utility personnel detect any identified Red Flags, such personnel shall take one or more of
the following steps, depending on the degree of risk posed by the Red Flag:
Prevent and Miti¢ate
1. Require a verifiable address for the new service;
2. Contact the customer;
3. Not open a new account;
4. Close an existing account;
5. Reopen an account with a new number;
6. Only bill invoices to the property owner listed;
7. Only provide outstanding billing information to the owner listed, and/or third party agents
working on behalf of the owner (i.e. Title Company, financial institution);
8. Require refuse/recycling service at all single-family residences;
9. Look for suspicious activity through routine drive-bys;
10. Disconnect services only after a mailed notice sent and a notice of disconnect put on the door of
a property;
11. Send unpaid balances and insufficient funds to a City designated collection service or certify to
Stearns County for collection with property taxes;
-t == r
12. Notify the Program Administrator for determination of the appropriate step(s) to take;
13. Notify law enforcement; and/or
14. Determine that no response is warranted under the particular circumstances.
Protect customer identifvine information
In order to further prevent the likelihood of Identity Theft occurring with respect to Utility accounts, the
Utility will take the following steps with respect to its internal operating procedures to protect customer
identifying information:
1. Ensure complete and secure destruction of paper documents and computer files containing
customer information;
2. Ensure that office computers are password protected;
3. Limited access is granted to the Utility database;
4. Keep offices clear of papers containing customer information that would be visible to others
without the right to know private information;
5. Do not provide private account information out to others not identified as the owner;
6. Ensure computer virus protection is up to date;
7. Require and keep only the kinds of customer information that are necessary for utility purposes;
and
8. Follow the Minnesota Statutes for the "Safe At Home" program.
VI. PROGRAM UPDATES
The Program Administrator will periodically review and update this Program to reflect changes in risks to
customers and the soundness of the Utility from Identity Theft. In doing so, the Program Administrator
will consider the Utility's experiences with Identity Theft situations, changes in Identity Theft methods,
changes in Identity Theft detection and prevention methods, and changes in the Utility's business
arrangements with other entities. After considering these factors, the Program Administrator will
determine whether changes to the Program, including the listing of Red Flags, are warranted. If
warranted, the Program Administrator will update the Program and present the City Council with his or
her recommended changes. The City Council will make a determination of whether to accept, modify or
reject those changes to the Program.
VII. PROGRAM ADMINISTRATION.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with an Identity Theft
Committee for the Utility. The Committee is headed by a Program Administrator who may be the head
of the Utility or his or her appointee. Two or more other individuals appointed by the head of the Utility
or the Program Administrator comprise the remainder of the committee membership. The Program
Administrator will be responsible for the Program administration, for ensuring appropriate training of
Utility staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the
steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation
should be taken in particular circumstances and considering periodic changes to the Program. The City
of St. Joseph appoints the Administrator to be the Program Administrator. The Finance Director and
Utility Billing Clerk along with the Administrator make up the Identity Theft Committee for the Utility.
~ ~~ ~
B. Staff Training and Reports
Utility staff responsible for implementing the Program shall be trained either by or under the direction
of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a
Red Flag is detected.
C. Non-disclosure of Specific Practices
For the effectiveness of this Identity Theft Prevention Program, knowledge about specific Red Flag
identification, detection, mitigation and prevention practices must be limited to the Identity Theft
Committee who developed this Program and to those employees with a need to know them. Any
documents that may have been produced or are produced in order to develop or implement this
program that list or describe such specific practices and the information those documents contain are
considered "security information" as defined in Minnesota Statutes Section 13.37 and are unavailable to
the public because disclosure of them would be likely to substantially jeopardize the security of
information against improper use, that use being to circumvent the Uti{ity's Identity Theft prevention
efforts in order to facilitate the commission of Identity Theft.
~ s~ ~