RES 2010-22 ADOPTING ANTI-IDENTITY THEFT PREVENTION PROGRAM=int•_; -i RESOLUTION No, 2010-22
A RESOLUTION of the City Council of the City of Bainbridge
: r Island, Washington, a row .and adopting n i ent t theft
prevention program, .
WHEREAS, the City of Bainbridge Island operates a consolidated T ter or utility
providing water, sewer and storm and surface Fater management utility services pursuant to
Title 13 of the City of Bainbridge Island Municipal Code andTitle 57 of the - CW; and
WHEREAS,, the Fair and Accurate Credit Tr nsactlons' A. t Of 2003, Pub. L. 108-159)
"Red Flag Rules") requires certain financial institutions and creditors with "Covered Accounts"
to prepare, adopt, and implement an 'Identitytheft prevention program to identify, detect, respond
to and mitigate patterns, practices or specific activitle.s which could indicate identity theft; and
WHEREAS, the City maintains certain continuing -accounts with utility service
customers and for other purposes which involve multiple payments or transactions with payment
deferred until a future date and such accounts are "Covered Accounts" within the meaning cf the
Red . Flag Rules; and
WHEREAS, to condi with the Red Flag Rules, the City has an identity theft prevention
program in the form attached hereto as Exhibit ""A." and incorporated herein by this reference (the
"Program") and has recommended that the Program now be approved and adopted by the City
Council for implementation; now, therefore,
THE CITY COUNCIL of THE CITY of BAINBRIDGE ISLAND,
WASHINGTON., DOES S R SOLVE AS FOLLOWS:
1. The Program is hereby approved and adopted effective as of the date set forth below.
2. Thi Finance Director is hereby authorized and directed to implement the Program in
accordance with its terms.
PASSED by the City Codncil thi's 2nd day of Jure, 2010.
APPROVED by the Mayor this 2nd day of June, 2010.
400 -
Bob Scales, Mayor
403746.2 109470010105
ATTEST/AUTHENTICATE
Rosalind D. Lasso, City Clerk
FILED WIT THE CITY CLERK: May 27,2010
PASSED BY THE CITY. COUNCIL; June 21, 2010
RESOLUTION NO, 2010'-22
40371. 1 094700 10105 -2-
S
.t
X I ►IT A
_- �
Identity Theft Prevention Program
1. Purpose. To establish an Identity Theft Prevention Program, designed to detect, prevent
and mitigate theft in connection with the opening of a Covered Account or an existing
Covered. Acount .and to provide for continued administration' of the Program in
compliance -with Part 681 of Title 16 of the Code of Federal' R.egul tl s implementing.
Sections 114 and 315 of the Fair and Accurate Credit Transactions Act FACTA of
2003..
2. Definitions,
Account is defined as a continuing relationship establish d by a person with a creditor t
obtain a product or .service for personal, family, household or business purposes.
Covered Account is defined x an account. that a. financial institution offers or
maintains -primarily for personal,. family or household purposes, that involves or is
designed to permit, multiple payments or transactions, including one or more deferred
payments* and(ii) any other accounts the City identifies as having a foreseeable risk to
customers or to -the safety and soundness of the City from identity theft.
Creditor -has the same meaning -as defined in Section 702 of the Equal Credit
Opportunity Act, 15 U.S.C. 1691a, and includes a person or entity that arranges -for the
extension, renewal or continuation of credit, including the City.
Custom is a. person or u siness entity that has a. Covered Account with the City.
Identifying information means any name or number that may be used alone or with any
other in rr ation to identify a specif"re person; including name, address, telephone
number, social security- number, date of birth, official state or government- issued driver's
is
license or identification number, alien registration number, government passport,
employer or tax identification number, and unique electronic identification number;,
Identity Theft is defined s fraud committed using the identifying information of another
person,
Red Flag is deferred as a pattern, practice, or specific aetivity that indicates the possible
existence of Identity Theft.
Service Provider means a person or business entity that provides a service directly to the
City relating to or connection with a Covered Account.
3. The Prot!rain. The City establishes an Identity Theft Program to detect, prevent and
mitigate identity theft.. The Program shall include reasonable policies and procedures to:
403746.E 1 094700 10105 -3-
A. Identify relevant Red Flags for Covered Accounts that if offers' or
maintains and 'incorporate those Red Flags into the Progr ;
rY
B. Detect lied Flags that have been incorporated into the Program; � s
C. Respond appropriately to any Red Flags that are detected to prevent Ind
mitigate identity theft; 4nd
D. Ensure that the Program is updated periodically to reflect any change§ in
risk to , the customers and to the safety and soundness of the credi
C. Applicable le supervisory guidance. -
5. a tr c o e fit identifles the following4f Red Flags and will train
y
.s the appropriate staff to recognize these Red Flags as they are encountered in the ordinary
+- course of City business
A. - Suspicious documents
Identification document. or card that appears to be forged,
altered or unauthentic;
ii. Identification document or card where a -person's
photograph or physical description is not consistent with
the person presenting the document;
Iii. other information on the identification document is not
consistent with the information provided by the person
opening new Covered Account, her the customer
presenting the identification, or with existing customer
-information on -file with the creditor (such as a signature
card or recut check); and
iv,. Application for service that appears to have been altered or
forged.
B. - - :Suspicious personal identifying information
i, Identifying information presented that is inconsistent with
other information that .the customer provides, for instance,
where there is lack of correlation between the social
security number range and the date ofbirth;
il. Identifying information presented that is inconsistent with
external sources of information,, for instance, and address
sloes not ma ch a consumer report or a social security
number is listed in the Social Security Administration's
Death piaster File;
iii. Identifying - information presented is associated with
common types of fraudulent activity, such as presentation
f ars invalid phone number or fictitious billing address
used in previous fraudulent activity;
I . Social security number presented is the sane number that
has been given by another customer;
V. An address or phone number presented that is the same as
that of another person;
403746,2109470010105 -5-
C.
Vi. A person fails to provide complete personal idetitifying
information on a application when reminded to do so
however, by. law;-, social - .:security : ribxiiber8 must not be
required) ; and
vii, A person's identifying i formati n is not consistent with
the information that is. on dile for the customer.
Suspicious account activity or unusual use of an account
i. Change of address for an account followed by a request to
change the account holder's name;
1, Payments. stop on ars otherwise consistently up-to-date .
account;
iii. Account used in a way that is not consistent with Prior use
(example: very high activity); .
iv. Mail sent to the account holder is repeatedly returned as
undeliverable-,
V. Notice -to the City that a customer is not receiving mail sent
by the City;
i. Notice to the Citi that an account has unauthorized
activity;
vii. Breach in the City's computer system security; and
vii. Unauthorized access to or use of customer account
information,
D. Alerts from others -
E. .
Notice to the City from a customer, identity theft victim,
law. enforcement officer or other Person that the City has
opened or is maintaining a fraudulent account for a person
engaged in identity theft.
Notifications and Warnings From Credit Reporting Agencies
i. Report of fraud accompanying a credit report;
ii, Notice or reposl from a credit agency of a credit freeze on a
customer or applicant;
403746.E 1 094700 10105 -6-
:. iii, Notice or report from a - credit agency . of an.active duty alert
for anapplicant; and
iv. indication from a credit report of - activity that is
II
inconsistent with a cuss' tomer''s us�lal pattern or activity
'. Detecting Red F1a
A. New .cco .nts. 'In order to detect any of the Red Flags identified above
associated with- the opening of a new account, City staff will take the
following steps -to. obtain and verify the identity of the. person opening the
account:
L Require certain identifying information such as name, date
of firth, residential _ or business address, principal place of
business for an entity, driver's license or other
identification,
rr. verify the customer's identity (for instance, review
driver's licnse or Other identification card);,
iii.. Review documentation shoving the existence' of a business
entity; and
Iv. Independently contact the customer.
B. Existing Accounts, In order to detect any of the Red Flags identified
above for an existing account, City staff will take the following steps to
monitor transactions with - account;
Verify the identification of customers if they request
information in person, via telephone, via facsimile, via
email);
ii, verify the validity of requests to change billing addresses;
and
iii. Verify changes in banking information given for billing and
payment p -poses.
. Preventing and Mitigating Identity Theft. in the event that City staff detect an
identified Red Flags, such staff must contact the City's Finance Director. The Finance
Director will then decide which of the following steps should be talent
A. Monitor the Covered Account for evidence of identity theft;
B. Contact the customer;
403746.2 10947001 10 -7-
a
C. Change any passwords, security codes, r other security devices t at
exit' access to a Covered Account;
D. Reopen en Covered Account with a new number;
E. Not -open new Covered Account;
F. Close ars existing Covered Account;
G. Notify law enforcement; or
H. Determine that no response is warranted udder the particalar
circumstances.
. Protect Customer Iden'tifying Information. In order to further - regret the likelihood
res pct tot accounts the 1t shah take the
.f Identity `heft occurring t p
following steps with respect to its internal operating procedures to protect customer
Identifying information:
A. Secure the City website but provi6de clear notice that th.e website is tiot
secure;
B. Undertake complete and secure destruction of paper documents and
computer files containing customer information;
C. Mae office computers password protected and provide that comp&er
screens lock: after a set period of time;
D. Keep ' offices clear of papers containing customer identifying info matio ;
E. Request only the last 4 digits of social security numbers. if any);
F. Maintain conf uter virus protection up to date; and
G. Require and keep only the kinds s of customer information that fire
necessary for City purposes.
9. Program . The Finance Director, or designee, shall serve as the Program
Administrator. The 'Program Administrator will periodically 'review and A date this
Program to reflect changes in risk to customers or to the safety and sound ess of the
organization from identity theft based on factors such as:
A. The experiences of he City with identity theft;
Charges in methods of identity theft;
C. Changes in methods to prevent, detect and mitigate identity theft;
403746.2 1094700 10105 --
D. Changes in tie' types ofaccounts that the City offers or maintains; or
E. Changes in the business arrangements of the -City, 'nel din mergers,
.' acquisitions, alliances, joint ventures and ear ice =p rovrd r arrangements.
eats,
After considering these - factors, the Program A'd i i.str t r will. determine whether
change's . io the Program, including the listing . of Red Flags, are warrant d. If war ranted,
the Program Administrator -will -update the Program or present the City Cou ch with
recommended Phanges,. and the City Council il.l make e a determination of whether to
accept, modify, or rej e t those changes to the Program.
10. Administration of Ithe Proms.
A. The Pr gr m Administrator shall he responsible for the development,
implementation, oversight, and continued administration of the Program;
B. The Program shall include staff` training, as necessary, to effectively
implement the Program.
C. The Program. shall, include appropriate and effective oversight of service
provider -arrangements.
i 11. oversight o the grogram, oversight o the Program all include:
f r
1
I
A. lmple,mentation :of the Program;
B. Review of reports prepared by staff regarding compliance;
C. Approval of material changes to the Program as accessary to address
changing risk of identity theft, r
Reports shall ' e prepared 's follows:
A, Thestaff responsible for development, implementation tion and admi istration
f the Program shall report to the Program Administrator annually, at
least, regarding compliance her the organization to the Program.
B. The report shall include matters related to the Program such s:
The ef'f'ectiveness of the policies and procedures in
addressing the risk of identity theft as it relates to the
opening of Covered Accounts and existing Covered
Accounts;
ii. Service provider agreements;
403746.E 1 094700 10105 -9-
Significant incMents. involving identity . theft. and
management's response.
lv. Recommendations for material.. changes to the Program.
12.-: -- Service Provider' Arrangements,. In the evert, the City. engages a Service P ovider to
p rfor' m- an a tivity in- cOnnectionwith one or more Covered Accounts, the City shall
tale 'the following step's to require that the Service Provider performs its activity in
-accorda ce with reasonable policies and procedures dosigned to detect, & ent, and.
mitigate the risk f Identity `heft:
.@ Require, by contract, that Service Providers acknowledge receipt dtid
review of the Program and agree to perform its activities with respect to
City Covered Accounts in com fiance with the terms and conditions of the
Program and with all instruction aad directives issued by the .Progrm
Administrator relative'to the Program; or
B. Require, by contract, that Service Providers aclnowlege receipt dud
review of the Program and agree to perform its a tivities with respect to
City Covered Accounts in compliance with the terms and conditions of the
Service Provider's identity theft prevention program and will t l e
appropriate action to prevent and mitigate identity theft; and that the
Service Providers a re to report promptly to the City in writing if the
Service Provider, in connection with A City Covered Account, detects an
incident of actual or attempted identity theft or is unable to resolve one or
more Red Flags that the Service Provider detects in connection wit
Covered Account.
13, Customer Identifying` Information and Public Disclosure. The identifying
information of City customers with Covered Ac'courts shall be kept confid&inial and
shall be exempt from public disclosure to the maximum extent authorized by law,
including RCW .42.56:230.(4). The City Council also Binds and determines That public
disclosure of the City's specific practices to identity, detect, prevent and. mitt"ga,te identify
theft may corap r mi e - the effectiveness of such practices and hereby directs that, under
the Program, knowledge ledge of such. specific practices shall be limited to the Program
Administrator and those. City employees and Service Providers who need to b aware of
such practices for the purpose of preventing Identity Theft.
403746.2 1094700 10105 -10-