The URL can be used to link to this page

Home My WebLink About2009-69 - Identity Theft PreventionRESOLUTION NO. 2009 -69 A RESOLUTION OF THE COUNCIL OF THE CITY OF NEWPORT BEACH AUTHORIZING THE CITY MANAGER TO APPROVE A POLICY AND PROCEDURES DOCUMENT FOR A IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF NEWPORT BEACH WHEREAS, the President of the United States signed Public Law 108 -109, the Fair and Accurate Credit Transactions Act of 2003 (the "Law "); and WHEREAS, this Law enjoined the United States Department of the Treasury, Office of the Comptroller of the Currency and Office of Thrift Supervision, the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Federal Trade Commission (the "Agencies ") to produce joint and final rules implementing the requirements of this Law (the "Joint Rules "; and WHEREAS, the Agencies issued the Joint Rules on November 9, 2007; and WHEREAS, the Joint Rules require each financial institution and creditor to establish an anti - identity theft program in which the financial institution or the creditor must adopt reasonable written policies and procedures to identify, detect, prevent, and mitigate the crime of identity theft; and WHEREAS, the City meets the definition in the Joint Rules of "creditor" and is thus subject to the Joint Rules and the Law and must adopt a Red Flag Anti - Identity Theft Program; and WHEREAS, the Administrative Services Director and Fire Department Chief have developed and implemented an Identity Theft Prevention Program for the City of Newport Beach; and WHEREAS, the Joint Rules require that the "board of directors" approve a written Policy and Procedures for a Red Flag Program; and WHEREAS, the City Council has reviewed the Identity Theft Prevention Program contained in Exhibit A, attached hereto, NOW, THEREFORE, the Council of the City of Newport Beach resolves as follows: The Council approves and adopts the Identity Theft Prevention Program for the City of Newport Beach set forth in Exhibit A, attached hereto. BE IT FURTHER RESOLVED, that the City Manager is authorized to sign all documents and to carry out the provisions of this Resolution. ADOPTED, this 13'h day of October, 200 ATTEST: 4L � P r Leilani Brown, City Jerk Exhibit A V c \ 0 �s, CITY OF NEWPORT BEACH Identity Theft Prevention Program Effective November 1, 2009 City of Newport Beach Identity Theft Prevention Program November 1, 2009 I. PROGRAM ADOPTION The City of Newport Beach developed this Identity Theft Prevention Program ( "Program ") pursuant to the Federal Trade Commission's Red Flags Rule ( "Rule "), which implements pertinent sections of the Fair and Accurate Credit Transactions Act of 2003. This Program was developed by the Director of Administrative Services and Fire Chief ("Directors "). After consideration of the size and complexity of the utility and EMS /fire service billing operations and account systems, and the nature and scope of the utility and EMS /fire service billing activities, the Directors have determined that this Program was appropriate for the City of Newport Beach. II. PROGRAM PURPOSE AND DEFINITIONS A. Fulfilling Requirements of the Red Flags Rule Under the Red Flag Rule, every financial institution and creditor is required to establish a written "Identity Theft Prevention Program" tailored to the size, complexity and nature of its operation. Each program must contain reasonable policies and procedures to: 1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program; 2. Detect Red Flags that have been incorporated into the Program; 3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and 4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft. B. Red Flags Rule Definitions Used in this Program "Covered Account ": 1. Any utility or EMS /fire service account the City offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and 2. Any other account the City offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the City from Identity Theft. "Identifying Information": Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, City of Newport Beach Identity Theft Prevention Program November 1, 2009 employer or taxpayer identification number, unique electronic identification number, unique biometric data such as fingerprints or other unique physical representation, Medicare number, healthcare claim number, computer's Internet Protocol address, or routing code. "Identity Theft ": A fraud committed or attempted using the Identifying Information of another person without authority. "Red Flag ": A pattern, practice, or specific activity that indicates the possible existence of Identity Theft. III. IDENTIFICATION OF RED FLAGS In order to identify relevant Red Flags, the City considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. The City identifies the following Red Flags, in each of the listed categories. The City shall also identify Red Flags as they arise and incorporate them into the Program. A. Suspicious Personal Identifying Information Red Flags 1. Identifying Information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates); 2. Identifying Information presented that is inconsistent with other sources of information; 3. Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent; 4. Identifying Information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address); 5. An address or phone number presented that is the same as that of another person; 6. Failure to provide complete Identifying Information on an application when reminded to do so (however, by law social security numbers must not be required); and 7. A person's Identifying Information is not consistent with the information that is on file for the customer. City of Newport Beach Identity Theft Prevention Program November 1, 2009 B. Suspicious Account Activity or Unusual Use of Account Red Flags 1. Change of address for an account followed by a request to change the account holder's name; 2. Requests for additional authorized users on an account shortly following a change of address; 3. Nonpayment of the first payment on the account; 4. Payments stop on an otherwise consistently up -to -date account; 5. Account used in a way that is not consistent with prior use (example: very high activity); 6. Mail sent to the account holder is repeatedly returned as undeliverable despite continued account activity; 7. Notice to the City that a customer is not receiving billing mail sent by the City; 8. Notice to the City that an account has unauthorized activity; 9. Attempts to access an account by persons who cannot provide authenticating information; 10. Breach in the City's computer system security; and 11. Unauthorized access to or use of customer account information. C. Alerts from Others Red Flags 1. Notice to the City from a customer, Identity Theft victim, credit agency, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft or that another agency or entity is investigating fraud relating to the account holder. 2. A complaint or question from a customer regarding receipt of another person's bill, receipt of a bill for services not received, a dispute of a bill based on a claim of Identity Theft, and similar complaints. D. Suspicious Documents Red Flags I Identification document or card that appears to be forged, altered or inauthentic; 2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document; 3. Other document with information that is not consistent with existing customer information (such as if a person's signature on a check appears forged); and 0 City of Newport Beach Identity Theft Prevention Program November 1, 2009 4. Application for service that appears to have been altered or forged. IV. DETECTING RED FLAGS. A. New Accounts In order to detect any of the Red Flags identified above associated with the opening of a new account, City staff will take the following steps to obtain and verify the identity of the person opening the account: Detect 1. Require certain Identifying Information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification; 2. Review documentation showing the existence of a business entity; 3. Independently contact the customer; and 4. Verify the customer's identity. B. Existing Accounts In order to detect any of the Red Flags identified above for an existing account, City staff will take the following steps to monitor transactions with an account: Detect 1. Verify the identification of customers if they request information or services in person, via telephone, via facsimile, or via email. For EMS /fire service accounts, verification shall include the patient's date ofbirth, address and last four digits of the social security number, if on file, and, if requested in person, a government issued picture identification card of the patient; 2. Verify the validity of requests to change billing addresses; and 3. Verify changes in banking information given for billing and payment purposes. C. Suspicious Documents at Time of Transport For new or existing customers receiving EMS /fire services, City staff shall be on the alert for patients or patient representatives who present suspicious documents such as a form of identification that appears to have been altered or does not match other information about the patient. Whenever possible, City staff shall attempt to verify the identity of the patient with someone who knows the patient and/or someone who has rendered care of the patient. Staff shall not delay the provision of care when verifying this information and should obtain this information after the transport. City of Newport Beach Identity Theft Prevention Program November 1, 2009 V. PREVENTING AND MITIGATING IDENTITY THEFT In the event City staff detects any identified Red Flags, such staff shall notify and consult with a supervisor. The supervisor, in coordination with the City's Revenue Manager or Emergency Medical Services Manager, shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag along with any aggravating factors: A. Prevent and Mitigate 1. Continue to monitor an account for evidence of Identity Theft; 2. Contact the customer; 3. Change any passwords or other security devices that permit access to accounts; 4. Not open a new account; 5. Close an existing account; 6. Reopen an account with a new number; 7. Notify the Director for determination of the appropriate step(s) to take; 8. Notify law enforcement; or 9. Determine that no response is warranted under the particular circumstances. B. Protect Customer Identifying Information In order to further prevent the likelihood of Identity Theft occurring with respect to City utility and EMS /fire service accounts, the City will take the following steps with respect to its internal operating procedures to protect customer Identifying Information: 1. Ensure that its website is secure or provide clear notice that the website is not secure; 2. Ensure that office computers are password protected; 3. Keep offices clear of papers containing customer information; 4. Ensure computer virus protection is up to date; and 5. Require and keep only the kinds of customer information that are necessary for utility or EMS /fire service purposes. VI. NOTIFICATION OF CUSTOMER AND INVESTIGATION OF IDENTITY THEFT A. Customer Notification If there is a confirmed incident of Identity Theft or attempted Identity Theft, the City will notify the customer by certified mail or any other method of communication designed to give notice, after consultation with law enforcement about the timing and content of such notification, to ensure notification does not impede an investigation. Victims of Identity Theft will be encouraged to cooperate with law enforcement in City of Newport Beach Identity Theft Prevention Program November 1, 2009 identifying and prosecuting the suspected identity thief and will be encouraged to complete the FTC Identity Theft Victims' Complaint and Affidavit. B. Investigation of Suspected Identity Theft If an individual claims to be a victim of Identity Theft, the City shall investigate the claim. The following guidelines apply: I. The individual will be instructed to file a police report for Identity Theft; 2. The individual will be instructed to complete the FTC Identity Theft Affidavit, including supporting documentation or any other Identity Theft affidavit recognized under state law; 3. The individual will be requested to cooperate by comparing his/her personal information with information in the City's records; 4. If, following investigation, it appears that the individual has been a victim of Identity Theft, the City shall take the following actions: cease collection on open accounts that resulted from Identity Theft; cooperate with any law enforcement investigation relating to the Identity Theft; take other actions as appropriate; and 5. If, following investigation, it does not appear that Identity Theft has occurred, the City shall give written notice to the individual that he /she is responsible for payment of any bills on the account. The notice shall state the basis for determining that the person claiming to be a victim of Identity Theft was, in fact, the customer. VII. PROGRAM UPDATES This Program will be periodically reviewed and updated to reflect changes in risks to customers and the soundness of the City from Identity Theft. At least annually, the Directors will consider the City's experiences with Identity Theft, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, changes in types of accounts the City maintains and changes in the City's business arrangements with other entities. After considering these factors, the Directors will determine whether changes to the Program are warranted. If warranted, the Directors will update the Program and present the recommended changes to the City Council. The City Council will make a determination of whether to accept, modify or reject those changes to the Program. VIII. STAFF TRAINING AND REPORTS City staff responsible for implementing the Program shall be trained either by, or under the direction of, the Directors in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. City of Newport Beach Identity Theft Prevention Program November 1, 2009 A. Specific Program Elements and Confidentiality For the effectiveness of Identity Theft prevention Programs, the Red Flag Rule envisions a degree of confidentiality regarding the City's specific practices relating to Identity Theft detection, prevention and mitigation. Therefore, under this Program, knowledge of such specific practices is to be limited to those employees who need to know them for purposes of preventing Identity Theft. Because this Program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the Program's general Red Flag detection, implementation and prevention practices are listed in this document. STATE OF CALIFORNIA } COUNTY OF ORANGE } ss. CITY OF NEWPORT BEACH } I, Leilani I. Brown, City Clerk of the City of Newport Beach, California, do hereby certify that the whole number of members of the City Council is seven; that the foregoing resolution, being Resolution No. 2009 -69 was duly and regularly introduced before and adopted by the City Council of said City at a regular meeting of said Council, duly and regularly held on the 13th day of October, 2009, and that the same was so passed and adopted by the following vote, to wit: Ayes: Henn, Rosansky, Curry, Webb, Gardner, Mayor Selich Noes: None Absent: Daigle Abstain: None IN WITNESS WHEREOF, I have hereunto subscribed my name and affixed the official seal of said City this 14th day of October, 2009. p►Dw1'' City Clerk V Newport Beach, California (Seal)