The URL can be used to link to this page

Home My WebLink About1806Resolution No. 1806 (Amending or Repealing Resolutions) CFN = 104 -Fmance Passed -4/21/2009 Identity Theft Prevent1on Program -Red Flag Rules , I REsoLuTioN No. I Fo? A RESOLUTION of the City Council of the City of Kent, Washington, approving and adopting an Identity Theft Prevention Program as required by the Fa1r and Accurate Credit Transactions Act of 2003, and the Federal Trade CommiSSion's Identity Theft Rules. RECITALS A. In 2003, Congress adopted The Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (codified 1n scattered sect1ons of Titles 15 and 20 of the United States Code), which requires certam financial institutions and creditors with certain accounts that extend credit or involve deferred payments to prepare, adopt, and implement an identity theft prevention program. The purpose of th1s program 1s to identify, detect, respond to, and m1t1gate patterns, practices, or specific act1v1t1es that could 1nd1cate identity theft. Congress delegated the adm1n1stration of the Act to the Federal Trade Commission, wh1ch adopted further rules regarding identity theft programs at 16 C.F.R. § 681, et seq. Together, the proviSions adopted by Congress and the Federal Trade Commission are referred to as "Red Flag Rules." B. Because the City maintams various continuing accounts where customers defer payment on the serv1ces they receive, these accounts appear to be "covered accounts" under the legislation and subject to the 1 Identity Theft Prevention Program -Red Flag Rules Red Flag Rules. In order to comply w1th the Red Flag Rules, the City must establish an Identity Theft Prevention Program, through 1ts City Council, that JS designed to detect, prevent, and m1t1gate 1dent1ty theft in connection w1th the City's covered accounts. This program was ongmally to be in place by November 2008, however, the Federal Trade CommiSSion agreed to suspend enforcement until May 1, 2009, in order to g1ve creditors additional t1me during which to develop and implement a conformmg program. C. In meeting its obligations under the Red Flag Rules, staff prepared an Ident1ty Theft Prevention Program in the form attached and incorporated as Exhibit "A." After reviewmg the program, the Kent City Counc1l determined to adopt the Ident1ty Theft Prevention Program and d1rects staff to begm its immediate Implementation. NOW THEREFORE, THE CITY COUNCIL OF THE CITY OF KENT, WASHINGTON, DOES HEREBY RESOLVE AS FOLLOWS: RESOLUTION SECnON 1. -Program Adootion. The Identity Theft Prevent1on Program, attached and mcorporated as Exhibit A, Js hereby approved by the Kent City CounCJI and adopted for Implementation in the City of Kent for its accounts covered under the Red Flag Program, such as its water, storm/surface water, and sewer utility accounts; local improvement d1stnct assessment accounts; and potentially some parks program and other cred1tor accounts. SEmON 2. -Authorization and Direction. The Kent City Council authorizes and directs staff to Implement the Identity Theft Prevention Program m accordance w1th its terms. Additionally, staff shall annually report to the City's Finance Director as the Program Administrator on the 2 Identity Theft Prevention Program -Red Flag Rules effectiveness of the program, any significant incidents involving Identity theft, and any recommendations for matenal program changes. After considering these factors, the Program Administrator will determine whether changes to the Program, including the spec1f1c Red Flags 1dent1fied in the program, are warranted. If warranted, the Program Administrator will update the Program as he or she so determines. SECTION 3. -Severability. If any section, subsection, paragraph, sentence, clause or phrase of this resolution is declared unconstitutional or invalid for any reason, such decision shall not affect the validity of the remaining portions of this resolution. SECTION 4. -Ratification. Any act consistent with the authority and prior to the effective date of th1s resolution IS hereby ratified and affirmed. SECTION 5. -Effecttve Date. This resolution shall take effect and be in force Immediately upon 1ts passage. PASSED at a regular open public meeting by the City Council of the City of Kent, Washmgton, th1s :;;..1 day of Apnl, 2009. CONCURRED in by the Mayor of the City of Kent this ...:l I day of April, 2009. 3 Identity Theft Prevention Program -Red Flag Rules ATIEST: - . - ~ -. ..... ..:. .: --. ..... ·- I hereby certify that this is a true and correct copy of Resolut1on No. /?? 6 ?:-passed by the City Council of the City of Kent, Wash1ngton, the d I day of April, 2009. P•\Civii\Resolutlon\RedFiagRules-ResolutlonAdoptlngProgram.doc BRENDA JACOBER, -- ..:. :... ..:. -••• ..... j .. ,..._ .... :--... 4 Identity Theft Prevention Program -Red Flag Rules EXHIBIT A -~ "-"'" KENT WA 5 "'' N GT 0 N CITY OF KENT IDENTITY THEFT PREVENTION PROGRAM (RED FLAG PROGRAM) Effective Beginning May 1, 2009 I. PROGRAM ADOPTION The City of Kent ("City") developed this Identity Theft Prevention Program ("Program") pursuant to the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. No. 108-159, 117 Stat. 1952 (cod1f1ed 1n scattered sect1ons of Titles 15 and 20 of the Un1ted States Code)), and the Federal Trade Comm1ss1on's Ident1ty Theft Rules (16 C.F.R. § 681, et seq.) (collectively "Red Flag Rules"). This Program was developed by the City of Kent's Finance Director ("Program Administrator") with the oversight and approval of the Mayor and the City Counc1l. After cons1derat1on of the s1ze and complexity of the City's operations and account systems, and the nature and scope of the City's act1v1t1es, the City Council determined that th1s Program was appropriate for the City of Kent, and therefore approved th1s Program by the adoption of Resolution No. I f' 0 b on April 21, 2009. II. PROGRAM PURPOSE AND DEFINITIONS A. Fulfilling requirements of the Red Flag Rules Under the Red Flag Rules, every financial institution and cred1tor is required to establish an "Identity Theft Prevent1on Program" that is tailored to 1ts s1ze, complexity, and the nature of its operation. The Program must contain reasonable policies and procedures to: 1. Identify relevant Red Flags, as that term is defined in 16 C.F.R. pt. 681, for new and existing covered accounts, and Incorporate those Red Flags mto the Program; 2. Detect Red Flags that have been incorporated into the Program; 3. Respond appropnately to any Red Flags that are detected in order to prevent and mitigate ident1ty theft; and 4. Ensure the Program is updated periodically, to reflect changes in nsks to customers or to the safety and soundness of the City from Ident1ty Theft. All of the City's individual utility service accounts are covered by the Red Flag Rules, mcludmg 1ts water, storm/surface water, and sewer utilities. In add1t1on, other City accounts may const1tute "covered accounts" under -1- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version April 21, 2009 ---------- the Red Flag Rules, for example, Local Improvement District assessment accounts and any parks program accounts that require or allow scheduled payments. B. Red Flag Rule defm1t1ons used m th1s Program For the purposes of this Program, the following definitions apply and are denved from 16 C.F.R. pt. 681: 1. Account. "Account" means a continuing relationship established by a person with a cred1tor to obtam a product or serv1ce for personal, family, household or busmess purposes, and 1ncludes an extension of credit involving a deferred payment. 2. Covered Account. A "covered account" means: a. Any account the City offers or maintains primarily for personal, fam1ly or household purposes, that Involves multiple payments or transactions such as a ut1l1ty account; and b. Any other account the City offers or mamtains for which there IS a reasonably foreseeable risk to customers or to the safety and soundness of the City from ident1ty theft, includmg financial, operational, compliance, reputation, or litigation risks. 3. Creditor. "Creditor," as provided for 1n Sect1on 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a, means any person who regularly extends, renews, or continues cred1t; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an ongmal creditor who participates m the decision to extend, renew, or contmue credit. 4. Customer. A "customer" means a person or busmess ent1ty that has a covered account with a creditor. 5. Ident1fymg Information. As defined in 16 C.F.R. § 603.2, "1dent1fying information" means any name or number that may be used, alone or m conjunction w1th any other Information, to 1dent1fy a spec1f1c person, mclud 1ng: (1) Name, soc1al secunty number, date of birth, official state or government 1ssued driver's l1cense or ident1f1cation number, al1en registration number, government passport number, employer or taxpayer ldent1f1cat1on number; (ii) Umque biometnc data, such as f1ngerpnnt, voice print, retina or 1ns image, or other un1que physical representation; -2- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version. April 21, 2009 (iii) Unique electronic ident1f1cation number, address, or routing code; or (1v) Telecommumcat1on 1dent1fymg information or access deVICe. 6. Identity Theft. "Identity Theft" means fraud committed using the identifying information of another person. 7. Red Flag. A "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft. 8. Service Provider. "Serv1ce provider" means a person or business entity that prov1des a serv1ce directly to a f1nanc1al 1nstitut1on or cred1tor relatmg to or connection w1th a covered account. III. IDENTIFICATION OF RED FLAGS In order to 1dent1fy relevant Red Flags, the City shall rev1ew and cons1der the types of covered accounts that it offers and mamtams, the methods 1t prov1des to open covered accounts, the methods 1t provides to access 1ts covered accounts, and 1ts previous expenences with 1dent1ty theft. The City Identifies the follow1ng Red Flags and w1ll train appropnate staff to recogn1ze these Red Flags for those accounts subJect to the Red Flag Rules as they are encountered in the ordmary course of City business : A. Red Flags Related to Alerts. Not1f1cat1ons. and Warnmqs from Credit Reportmg Agencies 1. Report of fraud accompanymg a credit report; 2. Notice or report from a cred1t agency of a credit freeze on a customer or applicant; 3. Not1ce or report from a credit agency of an act1ve duty alert for an appl1cant; 4. Not1ce or report from a credit agency of an address discrepancy; and 5. Indication from a credit report of activity that is inconsistent with a customer's usual pattern or activity, such as an unusual mcrease in the volume of credit mqu1nes, unusual mcrease in the number of established credit relat1onsh1ps, or a matenal change in the use of credit. B. Red Flags Related to Suso1cious Documents 1. Identification document or card that appears to be forged, altered, or mauthentic; 2. Photograph or physical description on the identification document or card IS not consistent With the person presenting the document; -3- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version April 21, 2009 3. Other information on the identification document or card IS not consistent with mformat1on prov1ded by the person openmg a new covered account, by the customer presentmg the 1dent1fication, or w1th existmg customer information on file with the City, such as a recent check; and 4. Application for serv1ce that appears to have been altered or forged, or g1ves the appearance of having been destroyed or reassembled. C. Red Flags Related to Suspicious Personal Identifying Information 1. Identifymg information presented that is mcons1stent w1th other information the customer provides, for mstance, 1ncons1stent b1rth dates; 2. Ident1fy1ng 1nformat1on presented that IS inconsistent with other sources of mformation, for mstance, an address that does not match an address on a driver's license; 3. Ident1fy1ng mformation presented IS associated w1th common types of fraudulent activ1ty, such as use of a fictitious b1llmg address or phone number; 4. Ident1fymg mformat1on presented that is consistent w1th known fraudulent activity, such as presentation of an invalid phone number or fictitious billing address used in prev1ous fraudulent activ1ty; 5. Social security number presented that is the same as one g1ven by another customer; 6. An address or phone number presented that is the same as that of another person; 7. A person falls to provide complete personal 1dent1fymg information on an application when reminded to do so. However, by law social security numbers must not be required; and 8. A person's identifying information which is not consistent with the mformation that IS on file for the customer. D. Red Flags Related to Suspic1ous Account Activity or Unusual Use of Account 1. Change of address for an account followed by a request to change the account holder's name; 2. Payments stop on an otherw1se consistently up-to-date account; 3. Account used 1n a way that IS not cons1stent With pnor use, such as very h1gh act1v1ty or nonpayment when there 1s no h1story of late or m1ssed payments; 4. Ma1l sent to the account holder is repeatedly returned as undeliverable although transactions continue to be conducted in connect1on With the customer's covered account; -4- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Vers1on Apnl 21, 2009 5. Notice to the City that a customer is not receiving mail sent by the City; 6. Notice to the City that an account has unauthorized activity; 7. Breach 1n the City's computer system secunty; and 8. Unauthonzed access to or use of customer account information. E. Red Flags Related to Alerts from Others 1. Notice to the City from a customer, a victim of ident1ty theft, a law enforcement authority or other person that it has opened or is maintaming a fraudulent account for a person engaged 1n ident1ty theft. IV. PREVENTING AND MITIGATING IDENTITY THEFT A. Action Requ1red if Ident1ty Theft Detected. In the event City personnel detect any identified Red Flags, such personnel must not1fy the Program AdminiStrator. The Program Adm1n1strator should then dec1de wh1ch of the following steps should be taken: 1. Continue to mon1tor an account for evidence of ident1ty theft; 2. Contact the customer; 3. Change any passwords or other security devices that permit access to accounts; 4. Not open a new account; 5. Close an existmg account; 6. Reopen an account w1th a new number; 7. Not1fy law enforcement; or 8. Determine that no response IS warranted under the particular Circumstances. B. Specific Red Flag Considerations for New and Existing accounts. The following steps will be taken w1th respect to new and existmg covered accounts: 1. New Account Red Flag Detections. In order to detect any of the Red Flags 1dentif1ed above associated w1th the open1ng of a new account, City personnel, to the extent possible, should endeavor to take the followmg steps to obtain and verify the identity of the person openmg the account: a. Requ1re certam ident1fy1ng information such as name, date of birth, residential or bus1ness address, pnncipal place of busmess for an ent1ty, dnver's l1cense or other ldent1f1cat1on; b. Venfy the customer's identity. For example, reviewing a dnver's license or other photo 1dentificat1on card, and companng 1t against the customer's physical attributes; -5- CllY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version April 21, 2009 c. Review documentation evidencing the ex1stence of a business ent1ty; and d. Independently contact the customer. 2. Ex1sting Account Red Flag Detections. In order to detect any of the Red Flags identified above for an existing account, City personnel should take the following steps to monitor transactions with an account: a. Verify the identification of customers if they request information (in person, v1a telephone, via facs1m1le, via ema1l) before providing information or transacting busmess; b. Verify the valid1ty of requests to change billmg addresses; and c. Verify changes in banking information given for billing and payment purposes. C. Specific Considerations for Protection of Customer Identifymg Information. In order to further prevent the likelihood of 1dent1ty theft occurnng with respect to City accounts, the City will use 1ts best efforts to take the following steps with respect to 1ts mternal operating procedures to protect customer 1dentifymg mformat1on: 1. Reasonably secure customer identifymg mformation that may be accessible through the City's website, but prov1de clear not1ce that the City cannot guarantee 1ts website is entirely secure; [?] 2. Undertake complete and secure destruction of paper documents and computer files containing customer 1dentifymg mformat1on; 3. Make City computers password protected and prov1de that staff computer screens lock after a set penod of t1me; 4. Keep City off1ces clear of papers contam1ng customer identifying information; 5. Only in the event social secunty number mformat1on is required, staff should request only the last 4 dig1ts of social security numbers; 6. Mamta1n staff computer virus protection up to date; and 7. Require and keep only those kmds of customer identifying information that are necessary for City purposes. V. PROGRAM UPDATES Annually, staff shall report to the Program Administrator on the effectiveness of the program, any s1gn1ficant mcidents involv1ng 1dent1ty theft, and any recommendations for matenal program changes. -6- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version Apnl 21, 2009 The Program Administrator will periodically review and update this Program to reflect changes m risks to customers and the soundness of the City from identity theft. In doing so, the Program Administrator w1ll consider the City's experience with identity theft Situations, changes m Identity theft methods, changes m identity theft detection and prevent1on methods, and changes m the City's business arrangements With other ent1t1es. After considering these factors, the Program Administrator w1ll determme whether changes to the Program, mcluding the speCific Red Flags ident1f1ed m the Program, are warranted. If warranted, the Program Administrator will update the Program as he or she so determmes. A copy of the current Program shall remain on f1le w1th the Program Admimstrator and the City Clerk. VI. PROGRAM ADMINISTRATION A. Oversight. The Program Administrator shall be responsible for developmg, implementing, and updatmg this Program. The Program Admmistrator Will also be responsible for the Program's admm1strat1on, for ensunng appropnate tra1n1ng of City staff, for reviewmg any staff reports regarding the detection of Red Flags and the steps for preventmg and mit1gatmg ident1ty theft, for determinmg wh1ch steps of prevention and mit1gat1on should be taken in particular Circumstances, and for considenng penodic changes to the Program. B. Staff Training and Reports. City staff responsible for implementing the Program shall be tramed e1ther by or under the direction of the Program Admimstrator in the detection of Red Flags, and the respons1ve steps to be taken when a Red Flag is detected. Staff should prepare a report at least annually for the Program Administrator, mcluding an evaluation of the effectiveness of the Program w1th respect to open1ng accounts, existing accounts, service provider arrangements, s1gn1ficant Incidents mvolvmg identity theft and responses, and recommendations for changes to the Program. C. Serv1ce Prov1der Arrangements. In the event the City engages a service provider to perform an activity in connection with one or more accounts, the City should take the following steps so that the serv1ce provider performs 1ts act1v1ty in accordance with reasonable policies and procedures des1gned to prevent, detect, and mitigate the nsk of identity theft: 1. Requ1re, by contract, that service providers acknowledge receipt and rev1ew of the Program, and agree to perform the1r activ1t1es with respect to City covered accounts in compliance w1th the terms and cond1t1ons of the Program, and with all instructions and d1rect1ves 1ssued by the Program Admm1strator relat1ve to the Program; and -7- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version April 21, 2009 2. Require, by contract, that service providers agree to report promptly to the Program Administrator, m wnting, if the serv1ce provider in connection with a City covered account detects an incident of actual or attempted ident1ty theft or is unable to resolve one or more Red Flags that the serv1ce prov1der detects in connection w1th a covered account. --------EN 0-------- P \Civii\Resolutlon\RedflagRules~ExAProgramlanguage doc -8- CITY OF KENT RED FLAG IDENTITY THEFT PREVENTION PROGRAM Version: Apnl 21, 2009