HomeMy WebLinkAboutResolution 2009-014RESOLUTION NO. 2009-014
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF NORTH
RICHLAND HILLS, TEXAS; TO ADOPT AN IDENTITY THEFT POLICY
IN ACCORDANCE WITH AN AMENDMENT TO THE FAIR AND
ACCURATE CREDIT TRANSACTION ACT OF 2003; PROVIDING A
SEVERABILITY CLAUSE AND DECLARING AN EFFECTIVE DATE.
WHEREAS, a recent amendment to the Fair and Accurate Credit Transaction Act of
2003 requires the development of an Identity Theft Prevention Program;
and
WHEREAS, the new rules are scheduled to become effective May 1, 2009 and require
municipal utilities and other departments to implement an identity theft
program; and
WHEREAS, this resolution is being passed in full accordance with all requirements of
State law; and
WHEREAS, the City Council determines that the passage of this Resolution is in the
best interest of the public.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
NORTH RICHLAND HILLS, TEXAS:
SECTION 1. THAT all matters set forth herewith are found to be true and correct, are
incorporated herein by reference as if copied in their entirety, and are
adopted by the City.
SECTION 2. THAT the City hereby adopts the policy attached to this Resolution as
Exhibit `A' and incorporated by reference herein to be the City's Identity
Theft Protection Policy.
PASSED AND APPROVED this the 27th day of April, 2009.
CITY O N TH HLAN ILLS
By:
O r revino, M or
ATTEST:
C
~oPatrldia Huf~,f
~ r srr-
O ': g,~ :~
J ., >,
1 74'
Resollu~ld~}~M1k~~~1009-014
Page 1 of 9
City Secretary
AP OV D S T FORM AND LEGALITY:
Ge rge A. tapl s, City Attorney
APPROVED AS TO CONTENT:
,~
~~ ~.
Larry K nce, Director of Finance
Resolution No. 2009-014
Page 2 of 9
EXHIBIT "A"
MANAGEMENT POLICY
suB~ECT
Identity Theft Program
I. General Information
NUMBER
CMANumber
REv
EFFECTNE DATE PAGE OF
_May 1, 2009 1 7
ORIGINATED BY
Utility Customer Service
SUPERCEDES APPROVED 8Y CITY MANAGER
A ruling known as the 'Identity Theft Red Flags Regulation' was jointly issued by the Federal
Trade Commission, Office of Thrift Supervision and several other governing agencies;
implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT
ACT) and is effective on May 1, 2009.
The Identity Theft Red Flags Regulation requires ftnancial institutions to develop and
implement a written Identity Theft Program to detect, prevent and diminish identity theft in
connection with opening of certain accounts or certain existing accounts, Each program must
contain policies .and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and incorporate
those Red Flags into the Program;
2. De#ect Red Flags that have been incorporated into the Program
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate
Identity Theft; and
4. Ensure the Program is update periodically, to reflect changes in risks to customers
or to the safety and soundness of the creditor from Identity Theft.
Red Flay Rule Qefinitions
The Red Flags Rule defines "Identity Theft" as "fraud committed using the identifying
information of another person" and a "Red Flag" as a "pattern, prac#ice, or specific activity
that indicates the possible existence of Identity Theft."
According to the Rule, a municipal utility~is a creditor subject to the Rule requirements; The
Rule defines credi#ors "to include fenance companies, automobile dealers, mortgage brokers,
utility companies, and telecommunication companies. Where non-profit and government
entities defer payment for goods or services, they, too, are to be considered credi#ors."
All the Utility's accounts that are individual utility service accounts held by customers of the
utility whether residential, commercial ar industrial are covered by the rule. Under the Rule, a
"covered account" is:
1. Any account the Utility offers or maintains primarily for personal, family or
household purposes, that involves multiple payments or transactions; and
Revtsed 2/25/98
CITY OF NORThi RICHIAND HILLS
AD-001A
Resolution No. 2009-014
Page 3 of 9
MANAGEMENT POLICY
SUBJECT
Identity Theft Program
NUMBER EFFECTIVE DATE PAGE OF
CMANumber May 1, 2009 2 7
^~
REV ORIGINATED BY
IItlllty CUStOmer SerVICe
SUPERCEDES APPROVED BY CITY MANAGER
2. Any other account the Utility offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the Utility from
Identity Theft.
"Identifying information is defined under the Rule as "any name or number that may be used,
alone or in conjunction with any other information, to identify a specific person," including:
name, address, telephone number, social security number, date of birth, government issued
driver's license or identification number, alien registration number, government passport
number, employer or taxpayer identification number, unique electronic identification number,
computer's Interne# Protocol address, or routing code.
11. Identification of Red Flags
In order to identify relevant Red Flags, the Utility considers the types of accounts that it offers
and maintains, the methods it provides to open its account, the methods it provides to access
its accounts, and it previous experiences with Identity Theft. The Utility identifies the
following red flags, in each of the listed categories:
A. Notifications and Vllarnings from Credit Reporting Agencies
Red Flags:
1. Report of fraud accompanying a credit report
2. Notice or report from a credit agency of a credit freeze on a customer or applicant;
3. Notice or report from a credit agency of an active duty alert for an applicant; and
4. Indication from a credit report of activity that is inconsistent with a customer's usual
pattern or activity.
B. Suspicious Documents
Red Flags:
1. Idea#ification document or card appears to be forged, altered or inauthentic;
2. Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document.
3. Other document with information that is not consistent wi#h existing customer
information (such as if a person's signature on a check appears forged}; and
4. Application for service appears to have been alter or forged.
5. Lease submitted for proof of residency appears to be al#ered or forged.
Revised 2/25/98
CITY OF NORTH RICHLAND HILLS
AD-001 A
Resolution No. 2009-014
Page 4 of 9
MANAGEMENT POLICY
SUBJECT NUMBER I;FFECTNE DATE PAGE OF
Identity Theft Program CMANumber May 1, 2009 3 7
REV ORIGWATED BY
Utility Customer Service
SUPERCEDE5 APPROVED BY CITY MANAGER
C. Suspicious Personal ldentifying Information
Red Flags:
1. Identifying information presented that is inconsistent with other information the
customer provides (example: inconsistent birth dates);
2. Identifying information presented that is inconsistent with other sources of
information (for instance, an address not matching an address on a credit report);
3. Identifying information presented that is the same as information shown on other
applications that were found to be fraudulent;
4. Identifying information presented tha# is consistent with fraudulent activity (such as
an invalid phone number or fictitious billing address);
5. Social Security number presented that is the same as one give by another
customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete personal identifying information on an
application when reminded to do so (however, by law social security numbers must
not be required); and
8. A person's identifying information is not consistent with the information that is on
file for the customer.
D. Suspicious Account Activity or Unusual Use of Account
Red Flags:
t . Change of address for an account followed by a request to change the account
holder's name;
2. Payments stop on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example: very high
activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to the Utility that a customer is not receiving mail sent by the Utility;
6. Notice to the Utility that an account has unauthorized activity;
7. Notice #o the Utility that the customer on file is deceased;
8. Breach in the Utility's computer system security; and
9. Unauthorized access to or use of customer account information
Revised 7125!88
CITY OF NORTH RtCHLAND MILLS
AD-001 R
Resolution No. 2009-014
Page 5 of 9
MANAGEMENT P4~ICY
SUBJECT NUMBER EFFECTNE DATE PAGE OF
Identity Theft Program CMANumber May 1, 2009 4 7
REV ORIGINATED BY
Utility Customer Service
5UPERCEDES APPROVED BY CITY MANAGER
E. Alerts #rom Others
Red Flags:
1. Notice to the Utility from a customer, identity theft victim, law enforcement or other
person that it has opened or is maintaining a firaudulent account for a person
engaged in Identity Theft; and
2. Notification of a chargeback received from a banking institution
I11. Detectjng Red Flags
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new
account, Utility Personnel will take the following steps to obtain and verify the identity of the
person opening the account:.
1. Require certain identifying information such as name, date of birth, two prior
addresses, current residential or business address, principal place of business for
entity, driver's license or other identification;
2. Verify the customer's Identity
a. Review and make a copy of driver's license or other identification card;
b. If there is a question, run an Online 1D Check report;
c. Review documentation showing the existence of a business entity; and
d. !f there are additional questions, contact the customer or owner of the property
(if it is rental property).
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, Utili#y
personnel will take the fopowing steps to monitor transactions with an account:
1. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
2. Verify the validity of requests to Change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
Revised 2/25198 CITY OF NORTH RIGHLAND H1LL5 AD-001A
Resolution No. 2009-014
Page 6 of 9
MANAGEMENT POLICY
SUB.IECT NUMBER EFFECTIVE DATE PAGE OF
Identity Theft Program GMANumber May 1, 2gO9 5 7
REV ORIGINATED BY
Utility Customer Service
SUPERCEDES APPROVED BY CITY MANAGER
IV. Preventing and Mitigating Identity Theft
In the event Utility personnel detect any identified Red Flags, such personnel shall take one
ar more of the following steps, depending on the degree of risk posed by the Red Flag:
A. Prevent and Mitigate
1. Continue to monitor an account #or evidence of Identity Theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify North Richland Hills Police Department's Communication Section at {817)
427-7199 to initiate a criminal investigation; and
8. Determine if no response is warranted under the particular circumstances.
B. Protect Customer identifyina Information
In order to further prevent the likelihood of Identity Theft occurring with respect to Utility
accounts, the Utility will take the fallowing steps with respect to its internal operating
procedures to protect customer identifying information:
1. Ensure that the website is secure or provide clear notice that the website is not
secure;
2. Ensure employees undergo a background check conducted by the Human
Resource Department prior to hiring.
3. Ensure office computers and software systems are password protected;
4. Information received is used only as a means of identification for internal
verification, administrative purposes, credit checks or debt collection purposes.
5, Request only the last 4 digits of social security number when verifying identity over
the phone or web.
6. Retain only the kinds of customer information that are necessary far Utility
purposes. Records are disposed of in accordance with state and federal law,
including the local records retention schedule issued by the Texas State Library
and Archives Commission.
Revised 2125/98
CITY OF NORTH RICHLAND HILLS
AD-001A
Resolution No. 2009-014
Page 7 of 9
MANAGEMENT POLICY
SUBJECT NUMBER
Identity Theft Program CMANumber
REv
SUPERCEDES
EFFECTIVE DATE PAGE OF
May 1, 2009 6 7
ORIGINATED BY
Utility Customer Service
APPROVED BY CITY MANAGER
7. Ensure the security of the Utility office by identifying who has access, secure
storage of sensitive information and monitoring of the office by law enforcement.
V. Program Updates
The Program Adminis#rator will periodically review and update this Program to reflect
changes in risks to customers and the soundness of the Utility from Identity Theft. In doing
so, the Program Administrator will consider the Utility's experiences with Identity Theft
situations, changes in identity Theft methods, changes in Identity Theft detection and
prevention methods, and changes in the Utility's business arrangements with other entities.
After considering these factors, the Program Administrator will determine whether changes to
the Program, including the listing of Red Flags, are warranted. If warranted, the Program
Administrator will update the Program ar present the City Council with his or her
recommended changes and the City Council will make a determination of whe#her to accept,
modify or reject those changes to the Program.
Vi. Program Administration
A. Oversight
Responsibility for developing, implementing and updating this Program lies with an Identity
Theft Committee for the Utility. The Committee is headed by a Program Administrator who
may kie the head of the Utility or his or her appointee. Two or more other individuals
appointed by the head of the Utility or the Program Administrator comprise the remainder of
the committee membership. The Program Administrator will be responsible for the Program
administration, for ensuring proper training of Utility staff on the Program, for reviewing any
staff reports regarding the detection of Red Flags and the steps for preventing and mitigating
Identity Theft, determining which steps of prevention and mitigation should be taken in
particular circumstances and considering periodic changes to the Program.
B. Staff Training and Reports
Utility staff responsible for implementing the Program shall be trained either by or under the
direction of the Program Administrator in the detection of Red Flags, and the responsive
steps to be taken when a Red Flag is detected.
Revised 2/25/98
CITY OF NORTH RICHLAND HILLS
AD-001 A
Resolution No. 2009-014
Page 8 of 9
MANAGEMENT PC)LtCY
SUBJEGT NUMBER
Identity Theft Program CMANumber
REV
SUPERCEDES
EF~'ECTNE DATE PAGE OF
May 1, 2009 7 7
ORIGINATED BY
Utility Customer Service
APPROVED BY CITY MANAGER
Staff will provide reports to the Program Administrator on incidents of Identity Theft, the
Utility's compliance with the Program and the effectiveness of the Program.
C. Service Provider Arrangements
In the event the Utility engages a service provider to perform an activity in connection with
one or more accounts, the Utility will take the following steps to ensure the service provider
performs its ac#ivity in accordance with reasonable policies and procedures designed to
detect, prevent, anal mitigate the risk of Identity Theft.
1. Require, by contract, that service providers have policies and procedures in place;
and
2. Require, by contract,. that service providers review the Utility's Program and report
any Red Flags to the Program Administrator.
D. Non-Disctosu re of Specific Practices
For the effectiveness of this Identity Theft Prevention Program, knowledge about specific Red
Flag Identification, detection, mitigation and prevention practices must be limited to the
Identity Theft Committee who developed this Program and to #hose employees with a need to
know them. Any documents that may have been produced or are produced in order to
develop or implement this program that list or describe such specific practices and the
information of those documen#s contain are considered unavailable to the public because
disclosure of them would be likely to substantially jeopardized the security of information
against improper use, that use being to circumvent the Utility's Identity Theft prevention
efforts in order to facilitate the commission of Identity Theft.
If a request is received for such information, City staff wil! request an opinion from the Texas
Attorney General as to whether ar not such information is public, citing concerns in regard to
identity theft and federal laws requiring prevention of identity theft.
Revised 2/25/9$
CITY OF NORTH RICNIAND HILLS
AD-001A
Resolution No. 2009-014
Page 9 of 9