Resolution 09-1214RESOLUTION No.. 09-1214
A RESOLUTION OF THE CITY OF LONGWOOD,
FLORIDA, ADOPTING AN IDENTITY THEFT DETECTION
PROGRAM; PROVIDING FOR CONFLICTS, SEVERABILITY,
AND AN EFFECTIVE DATE.
WHEREAS, effective December 4, 2003 The Fair & Accurate Credit
Transactions Act of 2003; (FACTAct) was signed into law (Pub. L. No. 108-159, 117
Stat. 1952) and amends the Fair Credit Reporting Act (FRCA) in an attempt to improve
the accuracy of consumer reports and to help prevent identity theft; and
WHEREAS, Fed. IReg. 63718 (Nov. 9, 2007) requires each fmancial institution
and creditor to develop and implement a written. Identity Theft Prevention Program to be
in place not later than November 1, 2008 to help prevent identity theft and report any
incidents thereof, and
WHEREAS a utility company is defined as a creditor under the Regulations and
the City of Longwood meets the definition of a utility.
NOW THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION
OF THE CITY OF LONGWOOD, FLORIDA, AS FOLLOWS:
SECTION 1. The City Commission hereby adopts an Identity Theft Detection
and Prevention Program whereby any individuals' personal information is verified and
protected against identitytheft at all times.
SECTION 2. Conflicts. All Resolutions or parts of Resolutions in conflict with
any of the provisions of this Resolution are hereby repealed.
SECTION 3. Severability. If an;Y Section or portion of a Section of this
Resolution proves to be invalid, unlawful, or unconstitutional, it shall not be held to
invalidate or impair the Validity, force, or effect of any other Section or part of this
Resolution.
SECTION 4. Effective Date. This Resolution shall become effective
immediately upon its passage and adoption.
PASSED and ADOPTED thisL�y of
_ AD 2009.
ATTEST•
Sarah M. Mirus, MMC, MBA
City Clerk
H.G. " Butch" Bundy
Mayor
Approved as to form and legality for the use and reliance of the City of Longwood, Florida, only.
Teresa S. Roper, City Attorney
Identity Theft Detection and
Prevention Program
in compliance with the Federal FACTAct (2003)
Identity Theft Red Flag Ruling
Statement of Policy
May 1, 2009
Identity Theft Detection & Prevention Program
Program Purpose
A. Fulfilling requirements of the Red Flags Rule
Under the Red Flag Rule; every financial institution and creditor is required to establish
a "Identity Theft Prevention Program" tailored to its size, complexity and the nature of
its operation. Each program must contain reasonable policies and procedures to;
1. Identify relevant Red Flags for new and existing covered accounts and
incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and
mitigate Identity Theft; and
4. Ensure the Program is updated periodically, to reflect changes in risks to
customers or to the safety and soundness of the creditor from Identity Theft.
B. Red Flags Rule definitions used in this Program
The Red Flags Rule defines "Identity Theft" as "fraud committed using the identifying
information of another person" and a "Red Flag" as a pattern,, practice, or specific activity
that indicates the possible existence of Identity Theft.
According to the Rule, almunicipal utility is a creditor subject to the Rule requirements.
The Rule defines creditors "to include finance companies, automobile dealers, mortgage
brokers, utility companies, and teleconuinunications companies. Where non-profit and
government entities defer payment for goods or services, they.,, too, are to be considered
creditors."
All the City's accounts that are individual utility service accounts held by customers of
the utility whether residential, commercial or industrial are covered by the Rule. Under
the Rule, a "covered account" is:
1. Any account the City offers or maintains primarily for personal, family or
household purposes, that) involves multiple payments or transactions; and
2. Any other account the City offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the City from Identity
Theft.
"Identifying information" is defined under the Rule as "any name or number that may be
used, alone or'in conjunction with any other information, to identify a specific person,"
including: name, address, telephone number, social security number, date of birth,
government issued driver's license or identification number, alien registration number,
govenument passport number, employer or taxpayer identification number, unique
electronic identification number, computer's Iinternet Protocol address, or routing code.
1.3entity Theft Detection & Prevention Program
3
Identification of Redl Tags
In order to identify relevant Red Flags, the City considers the types of accounts that it
offers and maintains, the methods it provides to open its accounts, the methods it
provides to access its accounts, and its previous experiences with Identity Theft. The City
identifies the following red flags, in each of the Listed categories:
A. Suspicious Documents
Red Flaas
1. Identification document or card that appears to be forged, altered or
inauthentic;
2. Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing customer
information (such as if a person's signature on a. check appears forged); and
4. Application for service that appears to have been altered or forged.
B. Suspicious Personal Identifying Information
Red Flags
1. Identifying information presented that is inconsistent with other information
the customer provides (example: inconsistent birth dates);
2. Identifying information presented that is inconsistent with other sources of
information (for instance, an address not matching an address on a credit report);
3. Identifying information presented that is the same as information shown on
other applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent activity
(such as an invalid phone'nuimber or fictitious balling address);
5. Driver's License number presented ttiat is the same as one given by another
customer;
6. An address or phone number presented that is the same as that of another
person;
7. A person fails to provide complete personal identifying information on an
application when reminded to do so (however, by law social security numbers must not
be required); and
8. A person's identifying information is not consistent with the infonmation that
is on file for the customer.
Identity Theft Detection & Prevention Program
4
C. Suspicions Account Activity or Unusual Use of Account
Red Flans
1. Change of address for an account followed by a request to change the account
holder's name;
2. Payments stopion an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example; very high
activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
S. Notice to the City that a customer is not receiving mail sent by the City;
6. Notice to the City that an account has unauthorized activity;
7. Breach in the City's computer systern security; and
8. Unauthorized access to or use of customer account information.
D. Alerts from Others
Red Flags
1. Notice to the City from a customer, identity theft victim, law enforcement or
other person that it has opened or is maintaining a fraudulent account for a person
engaged in Identity Theft'.
Detecting Red Flags
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a
new account, City persoiinel will take the; following steps to obtain and verify the
identity of the person openng the account:
1. Require certain identifying information such as name, date of birth, residential
or business address, principal place of business :for an entity, driver's license or other
identification;
2. Verify the customer's identity (for instance, review a driver's license or other
identification card);
3. Review docunnentation showing the existence of a business entity; and
4. Independently contact the customer.
B. Existing Accounts
1. Verify the identification of customers if they request information (in person,
via telephone, via facsimiile, via email);
�- 2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
Identity Theft Detection & Prevention Program
5
I
Preventing and Mitigating Identity Theft
In the event City persomiel detect any identified Red Flags, such personnel shall take one
or more of the following 'steps, depending on the degree of risk posed by the Red Flag:
Prevent and Mitigate
1. Continue to monitor an account for evidence of Identity Theft;
2.' Contact the customer;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify a supervisor for determination of the appropriate step(s) to take;
8. Notify law enforcement; or
9. Determine thati no response is warranted under the particular circumstances.
Protect customer identifying information
In order to further prevent the likelihood of identity theft occurring with respect to City
accounts, the City will take the following steps with respect to its internal operating
procedures to protect customer identifying; information:
1. Ensure that its website is secure; or provide clear notice that the website is not
secure;
2. Ensure complete and secure destruction of paper documents and computer files
containing customer information within tlne state; prescribed guidelines;
3. Ensure that office computers are password protected;
4. Keep offices clear of papers containing customer information;
5. Ensure computer virus protection is up to date; and
6. Require and keep only the kinds of customer infonnation that are necessary for
utility purposes.
Program Updates
This program will be periodically reviewed and -updated to reflect changes in risks to
customers and the soundness of the Utility from Identity Theft. Periodically management
will consider the Utility's lexperiences with Identity Theft situations, changes in Identity
Theft methods, changes in Identity Theft detection and prevention methods, changes in
types of accounts the Utility maintains and changes in the Utility's business arrangements
with other entities. After considering these! factors, a determination will be made as to
whether changes to the Program, including the listing of Red Flags, are warranted. If
warranted, the City Adniimstrator will make a determination of whether to accept,
modify or reject those changes to the Pro rain.
Identity Theft Detection & Prevention Program
6
M
Program Administration
A. Oversight
Responsibility for developing, implementing and updating and administering this policy
lies with the Financial Services Director for reviewing any staff reports regarding the
detection of Red Flags and the steps for preventing and mitigating Identity Theft,
determining which steps of prevention and mitigation should be taken in particular
circumstances and considering periodic changes to the policy.
B. Service Provider Arrangements
In the event the City engages a service provider to perforni an activity in connection with
one or more accounts, the City will take the following steps to ensure the service provider
performs its activity in accordance with reasonable policies and procedures designed to
detect, prevent, and mitigate the risk of Identity Theft.
1. Require, by contract, that service providers have such policies and procedures
in place; and
2. Require, by contract, that service providers review the City's Program and
report any Red Flags to a�designated city representative.
C. Specific Program Elements and Confidentiality
For the effectiveness of Identity Theft Prevention Programs, the Red Flag Rule envisions
a degree of confidentiality regarding the City's specific practices relating to Identity
Theft detection, prevention and mitigation. Therefore, under thus program, knowledge of
such specific practices will be limited to those employees who need to know them for
purposes of preventing Identity Theft. Because this Program is to be adopted by a public
body and thus publicly available, it would. be counterproductive to list these specific
practices here. Therefore,; oily the Program's general red flag detection, implementation
and prevention practices are listed in this document.
D. Victim Record Request
Under the FACTAct, identity theft victims are entitled to a copy of the application or
other business transaction records relating to their identity theft free of charge. The City
must provide these records within 30 days or sooner of receipt of the victim's request.
The City must also provide these records to any law enforcement agency which the
victim authorizes.
Before providing the records to the victim, the City must ask the victims for:
Identity Theft Detection & Prevention Program
Ly-
a. Proof of identity, 'which may be a government -issued ID card, the same type of
inforration the identity thief used to opLn or access the account, or the type of
information the business is currently requesting from applicants or customers and
b. A police report and a completed affidavit, which may be either the FTC Identity
Theft Affidavit or the business's own affidavit.
E. IT Security
The Financial Services Director will request the Information Technology Manager
conduct periodic audits on system user access to privacy related information to ensure
only those requiring access are authorized. IT professionals shall agree not to disclose
private information.
F. Medical Conf dentiality
The City shall not obtain nor use medical infonnation pertaining to a consumer in
connection with any determination of the consumer's eligibility, or continued eligibility,
for services.
G. Reports, Reviews and Updates for Policy :Enforcement
Periodically, internal staff and auditors who report to the City Administrator, external
auditors and accountants, Iand government: regulators will review practices to ensure
compliance with corporate policy. The reports will be used to evaluate effectiveness of
and amend the Identity Theft Prevention Program.
An annual report reviewir g all incidents, program revisions and goals will be submitted
to the City Administrator.,
Identity Theft Detection & Prevention Program
8