HomeMy WebLinkAbout2009-69 - Identity Theft PreventionRESOLUTION NO. 2009 -69
A RESOLUTION OF THE COUNCIL OF THE CITY
OF NEWPORT BEACH AUTHORIZING THE CITY
MANAGER TO APPROVE A POLICY AND
PROCEDURES DOCUMENT FOR A IDENTITY
THEFT PREVENTION PROGRAM FOR THE CITY
OF NEWPORT BEACH
WHEREAS, the President of the United States signed Public Law 108 -109, the
Fair and Accurate Credit Transactions Act of 2003 (the "Law "); and
WHEREAS, this Law enjoined the United States Department of the Treasury,
Office of the Comptroller of the Currency and Office of Thrift Supervision, the
Federal Reserve System, the Federal Deposit Insurance Corporation, the
National Credit Union Administration, and the Federal Trade Commission (the
"Agencies ") to produce joint and final rules implementing the requirements of this
Law (the "Joint Rules "; and
WHEREAS, the Agencies issued the Joint Rules on November 9, 2007; and
WHEREAS, the Joint Rules require each financial institution and creditor to
establish an anti - identity theft program in which the financial institution or the
creditor must adopt reasonable written policies and procedures to identify, detect,
prevent, and mitigate the crime of identity theft; and
WHEREAS, the City meets the definition in the Joint Rules of "creditor" and is
thus subject to the Joint Rules and the Law and must adopt a Red Flag Anti -
Identity Theft Program; and
WHEREAS, the Administrative Services Director and Fire Department Chief
have developed and implemented an Identity Theft Prevention Program for the
City of Newport Beach; and
WHEREAS, the Joint Rules require that the "board of directors" approve a written
Policy and Procedures for a Red Flag Program; and
WHEREAS, the City Council has reviewed the Identity Theft Prevention Program
contained in Exhibit A, attached hereto,
NOW, THEREFORE, the Council of the City of Newport Beach resolves as
follows:
The Council approves and adopts the Identity Theft Prevention Program for the
City of Newport Beach set forth in Exhibit A, attached hereto.
BE IT FURTHER RESOLVED, that the City Manager is authorized to sign all
documents and to carry out the provisions of this Resolution.
ADOPTED, this 13'h day of October, 200
ATTEST:
4L � P r
Leilani Brown, City Jerk
Exhibit A
V
c \ 0
�s,
CITY OF NEWPORT BEACH
Identity Theft Prevention
Program
Effective November 1, 2009
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
I. PROGRAM ADOPTION
The City of Newport Beach developed this Identity Theft Prevention Program ( "Program ")
pursuant to the Federal Trade Commission's Red Flags Rule ( "Rule "), which implements
pertinent sections of the Fair and Accurate Credit Transactions Act of 2003. This Program
was developed by the Director of Administrative Services and Fire Chief ("Directors ").
After consideration of the size and complexity of the utility and EMS /fire service billing
operations and account systems, and the nature and scope of the utility and EMS /fire service
billing activities, the Directors have determined that this Program was appropriate for the
City of Newport Beach.
II. PROGRAM PURPOSE AND DEFINITIONS
A. Fulfilling Requirements of the Red Flags Rule
Under the Red Flag Rule, every financial institution and creditor is required to
establish a written "Identity Theft Prevention Program" tailored to the size,
complexity and nature of its operation. Each program must contain reasonable
policies and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and
incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and
mitigate Identity Theft; and
4. Ensure the Program is updated periodically, to reflect changes in risks to
customers or to the safety and soundness of the creditor from Identity Theft.
B. Red Flags Rule Definitions Used in this Program
"Covered Account ":
1. Any utility or EMS /fire service account the City offers or maintains primarily
for personal, family or household purposes, that involves multiple payments
or transactions; and
2. Any other account the City offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness of the
City from Identity Theft.
"Identifying Information":
Any name or number that may be used, alone or in conjunction with any other
information, to identify a specific person, including: name, address, telephone
number, social security number, date of birth, government issued driver's license or
identification number, alien registration number, government passport number,
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
employer or taxpayer identification number, unique electronic identification number,
unique biometric data such as fingerprints or other unique physical representation,
Medicare number, healthcare claim number, computer's Internet Protocol address, or
routing code.
"Identity Theft ":
A fraud committed or attempted using the Identifying Information of another person
without authority.
"Red Flag ":
A pattern, practice, or specific activity that indicates the possible existence of
Identity Theft.
III. IDENTIFICATION OF RED FLAGS
In order to identify relevant Red Flags, the City considers the types of accounts that it offers
and maintains, the methods it provides to open its accounts, the methods it provides to access
its accounts, and its previous experiences with Identity Theft.
The City identifies the following Red Flags, in each of the listed categories. The City shall
also identify Red Flags as they arise and incorporate them into the Program.
A. Suspicious Personal Identifying Information
Red Flags
1. Identifying Information presented that is inconsistent with other information
the customer provides (example: inconsistent birth dates);
2. Identifying Information presented that is inconsistent with other sources of
information;
3. Identifying Information presented that is the same as information shown on
other applications that were found to be fraudulent;
4. Identifying Information presented that is consistent with fraudulent activity
(such as an invalid phone number or fictitious billing address);
5. An address or phone number presented that is the same as that of another
person;
6. Failure to provide complete Identifying Information on an application when
reminded to do so (however, by law social security numbers must not be
required); and
7. A person's Identifying Information is not consistent with the information that
is on file for the customer.
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
B. Suspicious Account Activity or Unusual Use of Account
Red Flags
1. Change of address for an account followed by a request to change the
account holder's name;
2. Requests for additional authorized users on an account shortly following a
change of address;
3. Nonpayment of the first payment on the account;
4. Payments stop on an otherwise consistently up -to -date account;
5. Account used in a way that is not consistent with prior use (example: very
high activity);
6. Mail sent to the account holder is repeatedly returned as undeliverable
despite continued account activity;
7. Notice to the City that a customer is not receiving billing mail sent by the
City;
8. Notice to the City that an account has unauthorized activity;
9. Attempts to access an account by persons who cannot provide authenticating
information;
10. Breach in the City's computer system security; and
11. Unauthorized access to or use of customer account information.
C. Alerts from Others
Red Flags
1. Notice to the City from a customer, Identity Theft victim, credit agency, law
enforcement or other person that it has opened or is maintaining a fraudulent
account for a person engaged in Identity Theft or that another agency or
entity is investigating fraud relating to the account holder.
2. A complaint or question from a customer regarding receipt of another
person's bill, receipt of a bill for services not received, a dispute of a bill
based on a claim of Identity Theft, and similar complaints.
D. Suspicious Documents
Red Flags
I Identification document or card that appears to be forged, altered or
inauthentic;
2. Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing
customer information (such as if a person's signature on a check appears
forged); and
0
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
4. Application for service that appears to have been altered or forged.
IV. DETECTING RED FLAGS.
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening
of a new account, City staff will take the following steps to obtain and verify the
identity of the person opening the account:
Detect
1. Require certain Identifying Information such as name, date of birth,
residential or business address, principal place of business for an entity,
driver's license or other identification;
2. Review documentation showing the existence of a business entity;
3. Independently contact the customer; and
4. Verify the customer's identity.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, City
staff will take the following steps to monitor transactions with an account:
Detect
1. Verify the identification of customers if they request information or services
in person, via telephone, via facsimile, or via email. For EMS /fire service
accounts, verification shall include the patient's date ofbirth, address and last
four digits of the social security number, if on file, and, if requested in
person, a government issued picture identification card of the patient;
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment
purposes.
C. Suspicious Documents at Time of Transport
For new or existing customers receiving EMS /fire services, City staff shall be on the
alert for patients or patient representatives who present suspicious documents such as
a form of identification that appears to have been altered or does not match other
information about the patient. Whenever possible, City staff shall attempt to verify
the identity of the patient with someone who knows the patient and/or someone who
has rendered care of the patient. Staff shall not delay the provision of care when
verifying this information and should obtain this information after the transport.
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
V. PREVENTING AND MITIGATING IDENTITY THEFT
In the event City staff detects any identified Red Flags, such staff shall notify and consult
with a supervisor. The supervisor, in coordination with the City's Revenue Manager or
Emergency Medical Services Manager, shall take one or more of the following steps,
depending on the degree of risk posed by the Red Flag along with any aggravating factors:
A. Prevent and Mitigate
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to
accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify the Director for determination of the appropriate step(s) to take;
8. Notify law enforcement; or
9. Determine that no response is warranted under the particular
circumstances.
B. Protect Customer Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect to
City utility and EMS /fire service accounts, the City will take the following steps with
respect to its internal operating procedures to protect customer Identifying
Information:
1. Ensure that its website is secure or provide clear notice that the website is not
secure;
2. Ensure that office computers are password protected;
3. Keep offices clear of papers containing customer information;
4. Ensure computer virus protection is up to date; and
5. Require and keep only the kinds of customer information that are necessary
for utility or EMS /fire service purposes.
VI. NOTIFICATION OF CUSTOMER AND INVESTIGATION OF IDENTITY THEFT
A. Customer Notification
If there is a confirmed incident of Identity Theft or attempted Identity Theft, the City
will notify the customer by certified mail or any other method of communication
designed to give notice, after consultation with law enforcement about the timing and
content of such notification, to ensure notification does not impede an investigation.
Victims of Identity Theft will be encouraged to cooperate with law enforcement in
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
identifying and prosecuting the suspected identity thief and will be encouraged to
complete the FTC Identity Theft Victims' Complaint and Affidavit.
B. Investigation of Suspected Identity Theft
If an individual claims to be a victim of Identity Theft, the City shall investigate the
claim. The following guidelines apply:
I. The individual will be instructed to file a police report for Identity Theft;
2. The individual will be instructed to complete the FTC Identity Theft
Affidavit, including supporting documentation or any other Identity Theft
affidavit recognized under state law;
3. The individual will be requested to cooperate by comparing his/her personal
information with information in the City's records;
4. If, following investigation, it appears that the individual has been a victim of
Identity Theft, the City shall take the following actions: cease collection on
open accounts that resulted from Identity Theft; cooperate with any law
enforcement investigation relating to the Identity Theft; take other actions as
appropriate; and
5. If, following investigation, it does not appear that Identity Theft has occurred,
the City shall give written notice to the individual that he /she is responsible
for payment of any bills on the account. The notice shall state the basis for
determining that the person claiming to be a victim of Identity Theft was, in
fact, the customer.
VII. PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in risks to
customers and the soundness of the City from Identity Theft. At least annually, the Directors
will consider the City's experiences with Identity Theft, changes in Identity Theft methods,
changes in Identity Theft detection and prevention methods, changes in types of accounts the
City maintains and changes in the City's business arrangements with other entities. After
considering these factors, the Directors will determine whether changes to the Program are
warranted. If warranted, the Directors will update the Program and present the
recommended changes to the City Council. The City Council will make a determination of
whether to accept, modify or reject those changes to the Program.
VIII. STAFF TRAINING AND REPORTS
City staff responsible for implementing the Program shall be trained either by, or under the
direction of, the Directors in the detection of Red Flags, and the responsive steps to be taken
when a Red Flag is detected.
City of Newport Beach
Identity Theft Prevention Program
November 1, 2009
A. Specific Program Elements and Confidentiality
For the effectiveness of Identity Theft prevention Programs, the Red Flag Rule
envisions a degree of confidentiality regarding the City's specific practices relating
to Identity Theft detection, prevention and mitigation. Therefore, under this
Program, knowledge of such specific practices is to be limited to those employees
who need to know them for purposes of preventing Identity Theft. Because this
Program is to be adopted by a public body and thus publicly available, it would be
counterproductive to list these specific practices here. Therefore, only the Program's
general Red Flag detection, implementation and prevention practices are listed in this
document.
STATE OF CALIFORNIA }
COUNTY OF ORANGE } ss.
CITY OF NEWPORT BEACH }
I, Leilani I. Brown, City Clerk of the City of Newport Beach, California, do hereby
certify that the whole number of members of the City Council is seven; that the foregoing resolution,
being Resolution No. 2009 -69 was duly and regularly introduced before and adopted by the City
Council of said City at a regular meeting of said Council, duly and regularly held on the 13th day of
October, 2009, and that the same was so passed and adopted by the following vote, to wit:
Ayes: Henn, Rosansky, Curry, Webb, Gardner, Mayor Selich
Noes: None
Absent: Daigle
Abstain: None
IN WITNESS WHEREOF, I have hereunto subscribed my name and affixed the
official seal of said City this 14th day of October, 2009.
p►Dw1''
City Clerk V
Newport Beach, California
(Seal)