HomeMy WebLinkAboutResolution 2009-28 Identity Theft Detection/Prevention ProgramRESOLUTION NO. 2009-28
A RESOLUTION OF THE CITY COMMISSION OF THE
CITY OF WINTER SPRINGS, SEMINOLE COUNTY,
FLORIDA ADOPTING THE CITY'S IDENTITY THEFT
DETECTION AND PREVENTION PROGRAM; ADOPTING
RELATED FORMS FOR REPORTING AND TRACKING
POSSIBLE OCCURRENCES OF IDENTITY THEFT;
PROVIDING FOR THE REPEAL OF PRIOR INCONSISTENT
RESOLUTIONS, SEVERABILITY AND AN EFFECTIVE
DATE.
WHEREAS, the City is granted the authority, under § 2(b), Art. VIII of the State
Constitution, to exercise any power for municipal purposes, except when expressly prohibited by
law; and
WHEREAS, the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1581 et. seq., was
amended in 2003 in an attempt to improve the accuracy of consumer reports and to help prevent
identity theft; and
WHEREAS, the amendments to the FCRA require creditors such as utilities to develop and
implement a written Identity Theft Prevention Program to detect "red flags" and to respond
appropriately to said red flags in an effort to prevent and mitigate identity theft; and
WHEREAS, compliance with the FCRA amendments is required no later than May 1, 2009;
and
WHEREAS, the City Commission desires to adopt the City's Identity Theft Detection and
Prevention Program consistent with the requirements of the FCRA as set forth herein; and
WHEREAS, City Commission deems that this Resolution is in the best interests of the
public health, safety, and welfare of the citizens of Winter Springs.
NOW, THEREFORE, BE IT DULY RESOLVED BY THE CITY COMMISSION OF
THE CITY OF WINTER SPRINGS, SEMINOLE COUNTY, FLORIDA, THAT:
Section 1. Incorporation of Recitals. The foregoing recitals are deemed true and
correct and are hereby fully incorporated herein by reference.
Section 2. Adoption of Identity Theft Detection and Prevention Program. The City
Commission of the City of Winter Springs hereby adopts the City of Winter Springs IdentityTheft
Detection and Prevention Program and forms as set forth in Exhibit "A," attached hereto and fully
City of Winter Springs
Resolution No. 2009-28
Page 1 of 2
incorporated herein by this reference. The City Manager is hereby authorized to approve minor
modifications to the Program and forms, as needed.
Section 3. Severability. If any section, subsection, sentence, clause, phrase, word, or
portion of this Resolution is for any reason held invalid or unconstitutional by a court of competent
jurisdiction, whether for substantive or procedural reasons, such portion shall be deemed a separate,
distinct, and independent provision, and such holding shall not affect the validity of the remaining
portions of this Resolution.
Section 4. Repeal of Prior Inconsistent Resolutions. All prior resolutions or parts of
resolutions in conflict herewith are hereby repealed to the extent of the conflict.
Section 5. Effective Date. This Resolution shall become effective on May 1, 2009.
ADOPTED by the City Commission of the City of Winter Springs, Florida, in a regular
meeting assembled on this 27thday of April , 2009.
A
LORENZO-LUACES, City Clerk
' JOHN F. BUSH, Mayor -
Y
a
Approved as to legal form and sufficiency for
the City of Winter Springs only:
ANTHONY A. GARGANESE, City Attorney
City of Winter Springs
Resolution No. 2009-28
Page 2 of 2
City of Winter Springs
IDENTITY THEFT DETECTION AND
PREVENTION PROGRAM
In compliance with the Federal FACTAct (2003)
Identity Theft Red Flag Ruling
TABLE OF CONTENTS
1. General Information
II. Purpose
III. Scope
IV. Responsibility
V. Definitions
VI. Privacy Committee
VII. Policy and Procedures
A. Red Flags Identification and Mitigation
B. Data Security and Storage
C. Internal Data Base Security
D. Data Storage
E. Disclosure of Personal Information
F. Data Retention and Disposal
G. Training Employees
H. Handling Reports of Suspected Identity Theft
I. Reports, Reviews and Updates for Policy
Enforcement
VIII. Identity Theft Prevention Program Incident Report
Page
3
3
3
4
4
4
5
5
7
8
8
8
8
8
9
9
10
2
IDENTITY THEFT PROGRAM
Effective date May 1, 2009
1. General Information
A ruling known as the `Identity Theft Red Flags Regulation' was jointly issued by the
Federal Trade Commission, Office of Thrift Supervision and several other governing
agencies ("Agencies") implementing section 114 of the Fair and Accurate Credit
Transactions Act of 2003 (FACT ACT) and is effective on May 1, 2009.
The Identity Theft Red Flags Regulation requires financial institutions to develop and
implement a written Identity Theft Program to detect, prevent and diminish identity theft
in connection with opening of certain accounts or certain existing accounts.
Under the regulation only those financial institutions that offer or maintain `covered
accounts' must develop and implement a written program. A `covered account' is
defined as (1) an account primarily used for personal, family, or household purposes,
that involves or is designed to permit multiple payments or transactions and (2) any other
account for which there is a reasonably foreseeable risk to customers or the safety and
soundness of the financial institution or creditor from identity theft.
The Agencies believe that accounts such
utility, checking, automobile loans, and
designed to permit multiple payments or
foreseeable risk of identity theft.
as credit cards, mortgage loans, cell phone,
savings accounts are examples of accounts
transactions and also contain a reasonably
H. Purpose
The goal of this policy is to ensure City of Winter Springs has an established written
procedure to detect, prevent and mitigate identity theft and for security and storing of
customers' personal information. City of Winter Springs recognizes the responsibility to
safeguard customer's personal information during its collection, recording and handling
within the work place.
III. Scope
This policy applies to all city employees and service providers that have access to utility
customers' personal information that is submitted in person, by fax, mail, email and over
the internet. Any part or whole of policies and procedures written and developed will be
incorporated into the program where appropriate. This does not replace, but rather
supplements, any of the City of Winter Springs' standing policies.
IV. Responsibility
The City of Winter Springs must protect its customer data and implement policies and
procedures that meet standards established by the Federal Trade Commission by May 1,
2009. Therefore, the City of Winter Springs will continually report and monitor the
program's integrity, completeness, and deficiencies. Any oversight or patches to perfect
the program will be reviewed and amended annually when necessary.
V. Defmitions
A. Identity Theft: A fraud committed using the identifying information of another
person.
B. Red Flags: A pattern, practice or specific activity that indicates the possible
risk of identity theft.
C. Identifying Information: Any name or number that may be used alone or with
any other information to identify a specific person; includes name, social
security number, date of birth, official state or government issued driver's
license or identification number, alien registration number, government
passport and employer or tax identification number.
VI. Privacy Committee
The City of Winter Springs Privacy Committee was established to create, drive and
monitor the program. A Privacy Officer functions as the head of the committee and
reports to a member of Senior Management regarding the outcomes and needs of the
Identity Theft Detection and Prevention Program.
Position Role
Controller Privacy Officer - Coordinates audit and reviews pattern
of incidents. Expert in flow of funds.
Finance Director Senior Management - supply recourses to establish
proactive Identity Theft Program.
Utility Billing Services Provides insight in day-to-day processes in opening new
Manager accounts and monitoring activity on existing accounts.
Revenue Officer Provides insight in collection policies and procedures.
Economic Crimes Investigator Provides insight regarding identity theft.
Information Technology Provides insight in data network security.
Coordinator/Security
Administrator
4
VII. Policy and Procedures
A. Red Flag Identification and Mitigation Policies
All applications must be submitted by the responsible party; parents, siblings, or any
other interested party cannot activate service on behalf of another person.
Red Flags
Alert
Presentation of Susp
Identification documents
appear altered or forged
Photo/physical description
does not match applicant.
Next
Documents
Ask customer to visit the
issuing agency (i.e.
DMV) and get an
acceptable copy of the
suspicious document.
Other information on
identification is inconsistent
with information given on the
application.
Information in utility records
is inconsistent with
information provided.
Example: signature on file
does not match signature on
license.
Application looks altered or
forged or destroyed and
reassembled.
Lease submitted for proof of
residency appears to be
altered or forged.
Ask the customer to visit
the issuing agency (i.e.
DMV) and get an updated
copy of the identification
document.
Ask the customer to
verify the inconsistent
information with
supporting documentation
such as marriage license
or social security card.
Inform the customer of
the discrepancy and ask
the customer to verify the
inconsistent information
with supporting
documentation.
Ask the customer to fill
out another application in
the office and verify all
suspicious information.
Ask the customer to
supply an unaltered lease
with the Landlord's
notarized.
Do not open the account.
Do not open the account.
If customer is unable to
verify information, do not
open the account.
It may be appropriate to
notify law enforcement if a
customer who is able to
verify his identity to you
believes his signature has
been previously forged in
connection with identity
theft.
Do not open the account
unless you are able to verify
the information on the
Do not open the account
unless you are able to verify
the residency requirement.
5
Red Flags Next Ste Mitigation
Alert
Suspicious Personal Ides
Applicant fails to provide
all personal identification
requested.
Payments are made in a
manner associated with
fraud. For example:
deposit or initial payment is
made and no payments are
made thereafter.
Mail sent to customer is
repeatedly returned.
Notification of a
chargeback received from
the bank due to fraudulent
Inform the customer of the
requirements to open an
account and direction for
obtaining this
documentation.
Contact the customer.
Contact the customer to
verify the correct billing
address.
Do not open the account
unless you are able to verify
the identity with other types
of acceptable
documentation.
Close inactive accounts
after a reasonable period of
time.
New account requested
immediately after
disconnection for
nonpayment.
If you are able to verify the
correct address and then
change the address on file,
no further action should be
Add all charges back to the I Notify law enforcement
account.
Ask customer to provide a
government issued photo
I.D. for identification
purposes.
Require all new accounts to
present a government
issued photo I.D. prior to
opening an account.
Applications submitted by
fax, email or mail need to
include-a copy of a
government issued I.D. and
a notarized form affirming
the identification. No
account will be started prior
to this proof of
identification.
6
Red Flags Next Ste Mitigation
Alert e
Customer notifies utility Verify the identity of the If you are able to verify the
that they are not receiving customer and then verify correct address and then
their bill. the correct address. change the address on file,
no further action should be
necessary.
Utility is notified of Ask the customer to supply Notify law enforcement
unauthorized charges or documentation regarding
transactions in connection the possible identity theft
with a customer's account. such as an affidavit or
police report.
Utility is notified by law Follow the instructions of Depending on what law
officials or others that they law officials. enforcement asks you to do,
have opened a fraudulent you may close or closely
account for a person monitor the account.
engaged in identitheft.
B. Data Security and Storage
1) Various Cisco Devices are deployed and used to protect against intentional or
accidental intrusion into the city's data network. The Florida Department of
Law Enforcement conducts periodic audits of the city-network design and
security practices to ensure they meet the Criminal Justice Information
Services (CJIS) policy. The Information Technology Manager coordinates
objective, third-party network-intrusion testing for the city network on a
periodic basis.
2) All Information Technology employees are subject to a full background check
by the city-Human Resources Department and the City of Winter Springs
Police Department. All employees who function in the Information
Technology Department are required to pass a fingerprint-based background
check submitted through the City of Winter Springs' Police Department,
Seminole County Sheriffs Office (SCSO) and Florida Department of Law
Enforcement.
3) The Network Administrator provides the initial password for each employee
to access the system. The employee is required to create a unique individual
password. In our efforts to provide the City of Winter Springs with a secure
network, the Information Technology Department has adopted the use of
strong passwords and account lockout. Password and account lockout settings
are designed to protect user accounts and data by minimizing the threat of
brute force guessing of user account passwords. Employees are required to
change their password every ninety (90) days. The system will permit three
sign-on attempts, and then will disable the password. Upon termination,
employee accounts are immediately disabled.
C. Internal Data Base Security
System administrator passwords are known only to the Information
Technology staff and are not divulged to any person outside the Information
Technology Division.
D. Data Storage
System administrator passwords are known only to the Information
Technology staff and are not divulged to any person outside the Information
Technology Division.
E. Disclosure of Personal Information
1) Information is used as a means of identification, for internal verification,
administrative purposes and for debt collection purposes.
2) The City of Winter Springs falls under the Public Records Law and all
records are open to inspection. Chapter 119, Florida Statutes, commonly
known as Florida's "Public Records Law," provides information on public
records in Florida, including policies, definitions, exemptions, general
information on records access, inspection, examination and duplication of
records. Florida's public records laws are very broad, and most
documents and records are available to the public. However, the laws do
provide specified exceptions such as social security numbers.
F. Data Retention and Disposal
Records are disposed of in accordance with state and federal law, including the
local records retention schedule issued by the State of Florida General Records
Schedule for State and Local Government Agencies and Public Utilities.
Documents with sensitive information are disposed by shredding.
G. Training Employees
A copy of the Identity Theft Detection and Prevention Program will be given to
all utility billing customer service division employees. Initial training sessions
will be set up to help the employee identify "red flags" and explain the policies
and procedures. The Identity Theft Program will be included in the initial
training of all new employees within the City of Winter Springs Utility Billing
Customer Service Division.
H. Handling Reports of Suspected Identity Theft
A zero tolerance policy is in effect for all fraudulent transactions within the
City of Winter Springs Utility Billing Customer Service Division. Once
written notification and verification is received of fraudulent activity from a
customer, banking institution or collection agency, the Utility Billing Division
employee will:
1) Proceed with notating and taking corrective actions on the account; and,
2) Gather all pertinent information that is available and immediately contact
the appropriate law enforcement agency to initiate a criminal investigation.
I. Reports, Reviews and Updates for Policy Enforcement
The Controller will conduct annual review of the current policy and report any
fraudulent activity to the Finance Director. The City Manager will approve any
recommended changes in policy. An annual report reviewing all incidents,
program revisions and goals will be submitted to the City Commission.
9
City of Winter Springs
Identity Theft Prevention Program Incident Report
Date
Prepared by
it is the policy of the City of Winter Springs to provide an Identity Theft Prevention
Program for customers and employees. The purpose of this report is to promote
continued evaluation of effectiveness of current policies and procedures in compliance
with the FACTAct (2003). This document will be used to drive recommendations for
changes to the program due to evolving risk and methods of theft.
Committee Members: Controller
Finance Director
Utility Billing Services Manager
Revenue Officer
Information Technology Coordinator/Security Administrator
Describe strengths of the program:
Describe areas of improvement of the program:
Committee Signatures:
- ----------- - -
(Name)
(Tide)
(Date)
(Name) (Tide) (Date)
(Name) (Title) (Date)
(Name) (Title) (Date)
10
Identity Theft Prevention Program Incident Report
Date Incidentr'Significant Event" Management Response Mitigation
II