The URL can be used to link to this page

Home My WebLink About05 - Identity Theft Prevention ProgramCITY OF NEWPORT BEACH CITY COUNCIL STAFF REPORT Agenda Item No. 5 October 13, 2009 TO: HONORABLE MAYOR AND MEMBERS OF THE CITY COUNCIL FROM: Administrative Services Department Dennis C. Danner, Administrative Services Director (949) 644 -3123 or ddanner _city.newport- beach.ca.us Glen Everroad, Revenue Manager (949) 644 -3144 or everroad(cDcitv.newport- beach.ca.us SUBJECT: IDENTITY THEFT PREVENTION PROGRAM ISSUE Should the City Council adopt a Resolution approving the Identity Theft Prevention Program for the City of Newport Beach? RECOMMENDATION: Staff recommends the City Council adopt the attached proposed Resolution approving the Identity Theft Prevention Program effective November 1, 2009. DISCUSSION: Background: The Federal Trade Commission has issued regulations which require financial institutions and creditors with "covered accounts" to design and implement a written identity theft prevention program by November 1, 2009. The FTC regulations, also known as "Red Flag Rules," were developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. The Red Flag Rules require the implementation of an identity theft prevention program to "identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft ". Because the City of Newport Beach provides water, sewer and fire medic services for which payment is made after the product or service is consumed, it is considered a creditor with 'covered accounts ". The Administrative Services and Fire Departments have developed and implemented the attached Identity Theft Prevention Program (Program) in compliance with the FTC regulations. The Program has been reviewed by the Office of the City Attorney, which recommended Council adopt a Resolution approving the Identity Theft Prevention Program. The Program identifies specific red Identity Theft Prevention Program October, 13, 2009 Page 2 flags associated with suspicious personal identifying information, suspicious account activity or unusual use of account and alerts from others for both new and existing accounts. The Program also establishes measures for preventing and mitigating identity theft. The Program will be periodically reviewed and updated to reflect changes in risks to customers in the soundness of the City from identity theft. It should be noted that this FTC required Identity Theft Prevention Program is far less rigorous than state and other federal data confidentiality and disclosure laws that the Administrative Services and Fire Departments have been subject to for many years. For example, the Fire Department has been subject to the Health Insurance Portability and Accountability Act (HIPPA) since 1996 and the Patient Safety and Quality Improvement Act (PSQIA) since 2005. Similarly, California Revenue and Taxation Code impose various data confidentiality and disclosure restrictions that the Revenue Division has been subject to since 1976. Environmental Review: The City Council's approval of this item does not require environmental review. Public Notice: The agenda item has been noticed according to the Brown Act (72 hours in advance of the meeting at which the City Council considers the item). Funding Availability: City funding is not required by this action. Alternatives: Not applicable. Prepared by: Submitted by: Gen rroad Dennis C. Danner Revenue Manager Administrative Services Director Attachments: Proposed Resolution Identity Theft Prevention Program (Resolution Exhibit A) RESOLUTION NO. 2009 - A RESOLUTION OF THE COUNCIL OF THE CITY OF NEWPORT BEACH AUTHORIZING THE CITY MANAGER TO APPROVE A POLICY AND PROCEDURES DOCUMENT FOR A IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF NEWPORT BEACH WHEREAS, the President of the United States signed Public Law 108 -109, the Fair and Accurate Credit Transactions Act of 2003 (the "Law "); and WHEREAS, this Law enjoined the United States Department of the Treasury, Office of the Comptroller of the Currency and Office of Thrift Supervision, the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Federal Trade Commission (the "Agencies ") to produce joint and final rules implementing the requirements of this Law (the "Joint Rules "; and WHEREAS, the Agencies issued the Joint Rules on November 9, 2007; and WHEREAS, the Joint Rules require each financial institution and creditor to establish an anti - identity theft program in which the financial institution or the creditor must adopt reasonable written policies and procedures to identify, detect, prevent, and mitigate the crime of identity theft; and WHEREAS, the City meets the definition in the Joint Rules of 'creditor" and is thus subject to the Joint Rules and the Law and must adopt a Red Flag Anti - Identity Theft Program; and WHEREAS, the Administrative Services Director and Fire Department Chief have developed and implemented an Identity Theft Prevention Program for the City of Newport Beach; and WHEREAS, the Joint Rules require that the "board of directors" approve a written Policy and Procedures for a Red Flag Program; and WHEREAS, the City Council has reviewed the Identity Theft Prevention Program contained in Exhibit A, attached hereto, NOW, THEREFORE, the Council of the City of Newport Beach resolves as follows: The Council approves and adopts the Identity Theft Prevention Program for the 1 City of Newport Beach set forth in Exhibit A, attached hereto. BE IT FURTHER RESOLVED, that the City Manager is authorized to sign all documents and to carry out the provisions of this Resolution. ADOPTED, this _ day of 2009. Edward D. Selich, Mayor ATTEST: Leilani Brown, City Clerk 2 Exhibit A �`�� Nei CITY OF NEWPORT BEACH Identity Theft Prevention Program Effective November 1, 2009 City of Newport Beach Identity Theft Prevention Program November 1, 2009 I. PROGRAM ADOPTION The City of Newport Beach developed this Identity Theft Prevention Program ( "Program ") pursuant to the Federal Trade Commission's Red Flags Rule ( "Rule "), which implements pertinent sections of the Fair and Accurate Credit Transactions Act of 2003. This Program was developed by the Director of Administrative Services and Fire Chief ('Directors "). After consideration of the size and complexity of the utility and EMS /fire service billing operations and account systems, and the nature and scope of the utility and EMS /fire service billing activities, the Directors have determined that this Program was appropriate for the City of Newport Beach. II. PROGRAM PURPOSE AND DEFINITIONS A. Fulfilling Requirements of the Red Flags Rule Under the Red Flag Rule, every financial institution and creditor is required to establish a written "Identity Theft Prevention Program" tailored to the size, complexity and nature of its operation. Each program must contain reasonable policies and procedures to: 1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program; 2. Detect Red Flags that have been incorporated into the Program; 3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and 4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft. B. Red Flags Rule Definitions Used in this Program "Covered Account ": 1. Any utility or EMS /fire service account the City offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and 2. Any other account the City offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the City from Identity Theft. "Identifyinm Information ": Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, City of Newport Beach Identity Theft Prevention Program November 1, 2009 employer or taxpayer identification number, unique electronic identification number, unique biometric data such as fingerprints or other unique physical representation, Medicare number, healthcare claim number, computer's Internet Protocol address, or routing code. "Identity Theft": A fraud committed or attempted using the Identifying Information of another person without authority. "Red Flag ": A pattern, practice, or specific activity that indicates the possible existence of Identity Theft. III. IDENTIFICATION OF RED FLAGS In order to identify relevant Red Flags, the City considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. The City identifies the following Red Flags, in each of the listed categories. The City shall also identify Red Flags as they arise and incorporate them into the Program. A. Suspicious Personal Identifying Information Red Flags 1. Identifying Information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates); 2. Identifying Information presented that is inconsistent with other sources of information; 3. Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent; 4. Identifying Information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address); 5. An address or phone number presented that is the same as that of another person; 6. Failure to provide complete Identifying Information on an application when reminded to do so (however, by law social security numbers must not be required); and 7. A person's Identifying Information is not consistent with the information that is on file for the customer. City of Newport Beach Identity Theft Prevention Program November 1, 2009 B. Suspicious Account Activity or Unusual Use of Account Red Flags 1. Change of address for an account followed by a request to change the account holder's name; 2. Requests for additional authorized users on an account shortly following a change of address; 3. Nonpayment of the first payment on the account; 4. Payments stop on an otherwise consistently up -to -date account; 5. Account used in a way that is not consistent with prior use (example: very high activity); 6. Mail sent to the account holder is repeatedly returned as undeliverable despite continued account activity; 7. Notice to the City that a customer is not receiving billing mail sent by the City; 8. Notice to the City that an account has unauthorized activity; 9. Attempts to access an account by persons who cannot provide authenticating information; 10. Breach in the City's computer system security; and 11. Unauthorized access to or use of customer account information. C. Alerts from Others Red Flags Notice to the City from a customer, Identity Theft victim, credit agency, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft or that another agency or entity is investigating fraud relating to the account holder. A complaint or question from a customer regarding receipt of another person's bill, receipt of a bill for services not received, a dispute of a bill based on a claim of Identity Theft, and similar complaints. D. Suspicious Documents Red Flags 1. Identification document or card that appears to be forged, altered or inauthentic; 2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document; 3. Other document with information that is not consistent with existing customer information (such as if a person's signature on a check appears forged); and 11 City of Newport Beach Identity Theft Prevention Program November 1, 2009 4. Application for service that appears to have been altered or forged. IV. DETECTING RED FLAGS. A. New Accounts In order to detect any of the Red Flags identified above associated with the opening of a new account, City staff will take the following steps to obtain and verify the identity of the person opening the account: Detect 1. Require certain Identifying Information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification; 2. Review documentation showing the existence of a business entity; 3. Independently contact the customer; and 4. Verify the customer's identity. B. Existing Accounts In order to detect any of the Red Flags identified above for an existing account, City staff will take the following steps to monitor transactions with an account: Detect 1. Verify the identification of customers if they request information or services in person, via telephone, via facsimile, or via email. For EMS /fire service accounts, verification shall include the patient's date of birth, address and last four digits of the social security number, if on file, and, if requested in person, a government issued picture identification card of the patient; 2. Verify the validity of requests to change billing addresses; and 3. Verify changes in banking information given for billing and payment purposes. C. Suspicious Documents at Time of Transport For new or existing customers receiving EMS /fire services, City staff shall be on the alert for patients or patient representatives who present suspicious documents such as a form of identification that appears to have been altered or does not match other information about the patient. Whenever possible, City staff shall attempt to verify the identity of the patient with someone who knows the patient and/or someone who has rendered care of the patient. Staff shall not delay the provision of care when verifying this information and should obtain this information after the transport. City of Newport Beach Identity Theft Prevention Program November 1, 2009 V. PREVENTING AND MITIGATING IDENTITY THEFT In the event City staff detects any identified Red Flags, such staff shall notify and consult with a supervisor. The supervisor, in coordination with the City's Revenue Manager or Emergency Medical Services Manager, shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag along with any aggravating factors: A. Prevent and Mitigate 1. Continue to monitor an account for evidence of Identity Theft; 2. Contact the customer; 3. Change any passwords or other security devices that permit access to accounts; 4. Not open a new account; 5. Close an existing account; 6. Reopen an account with a new number; 7. Notify the Director for determination of the appropriate step(s) to take; 8. Notify law enforcement; or 9. Determine that no response is warranted under the particular circumstances. B. Protect Customer Identifying Information In order to further prevent the likelihood of Identity Theft occurring with respect to City utility and EMS /fire service accounts, the City will take the following steps with respect to its internal operating procedures to protect customer Identifying Information: 1. Ensure that its website is secure or provide clear notice that the website is not secure; 2. Ensure that office computers are password protected; 3. Keep offices clear of papers containing customer information; 4. Ensure computer virus protection is up to date; and 5. Require and keep only the kinds of customer information that are necessary for utility or EMS /fire service purposes. VI. NOTIFICATION OF CUSTOMER AND INVESTIGATION OF IDENTITY THEFT A. Customer Notification If there is a confirmed incident of Identity Theft or attempted Identity Theft, the City will notify the customer by certified mail or any other method of communication designed to give notice, after consultation with law enforcement about the timing and content of such notification, to ensure notification does not impede an investigation. Victims of Identity Theft will be encouraged to cooperate with law enforcement in City of Newport Beach Identity Theft Prevention Program November 1, 2009 identifying and prosecuting the suspected identity thief and will be encouraged to complete the FTC Identity Theft Victims' Complaint and Affidavit. B. Investigation of Suspected Identity Theft If an individual claims to be a victim of Identity Theft, the City shall investigate the claim. The following guidelines apply: 1. The individual will be instructed to file a police report for Identity Theft; 2. The individual will be instructed to complete the FTC Identity Theft Affidavit, including supporting documentation or any other Identity Theft affidavit recognized under state law; 3. The individual will be requested to cooperate by comparing his/her personal information with information in the City's records; 4. If, following investigation, it appears that the individual has been a victim of Identity Theft, the City shall take the following actions: cease collection on open accounts that resulted from Identity Theft; cooperate with any law enforcement investigation relating to the Identity Theft; take other actions as appropriate; and 5. If, following investigation, it does not appear that Identity Theft has occurred, the City shall give written notice to the individual that he /she is responsible for payment of any bills on the account. The notice shall state the basis for determining that the person claiming to be a victim of Identity Theft was, in fact, the customer. VII. PROGRAM UPDATES This Program will be periodically reviewed and updated to reflect changes in risks to customers and the soundness of the City from Identity Theft. At least annually, the Directors will consider the City's experiences with Identity Theft, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, changes in types of accounts the City maintains and changes in the City's business arrangements with other entities. After considering these factors, the Directors will determine whether changes to the Program are warranted. If warranted, the Directors will update the Program and present the recommended changes to the City Council. The City Council will make a determination of whether to accept, modify or reject those changes to the Program. VIIL STAFF TRAINING AND REPORTS City staff responsible for implementing the Program shal l be trained either by, or under the direction of, the Directors in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. 7 City of Newport Beach Identity Theft Prevention Program November 1, 2009 A. Specific Program Elements and Confidentiality For the effectiveness of Identity Theft prevention Programs, the Red Flag Rule envisions a degree of confidentiality regarding the City's specific practices relating to Identity Theft detection, prevention and mitigation. Therefore, under this Program, knowledge of such specific practices is to be limited to those employees who need to know them for purposes of preventing Identity Theft. Because this Program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the Program's general Red Flag detection, implementation and prevention practices are listed in this document.