STATE OF INDIANA
BEFORE THE JEFFERSONVILLE COMMON COUNCIL

Ordinance 2010-OR-62

WHEREAS, pursuant to Federal law, the Federal Trade Commission adopted Identity Theft Rules, known as the Identity Theft Prevention Program (hereinafter called the "Program") requiring the creation of certain policies relating to the use of consumer reports, address discrepancies and the detection, prevention and mitigation of identity theft; and,

WHEREAS, the Federal Trade Commission regulations, adopted as 16 CFR 681 to adopt red flag policies to prevent and mitigate identity theft with respect to covered accounts; and,

WHEREAS, the Program specifically includes utility companies, including municipal utilities to comply; and

WHEREAS, the City of Jeffersonville provides Sewer and Stormwater Utility Services; and

WHEREAS, this Program is intended to identify red flags that will alert the City of Jeffersonville employees when new or existing accounts are opened using false information; to protect against the establishment of false accounts; establish methods to ensure existing accounts are not opened using false information; establish methods to prevent unauthorized persons from obtaining personal information of account holders; and to establish measures to respond to such events; and

WHEREAS, the office responsible for implementing this Program is the Clerk-Treasurer, 500 Quartermaster Court, Suite 300, Jeffersonville, Indiana 47130, (812) 285-6422.

BE IT THEREFORE ORDAINED by the City of Jeffersonville, as follows:

a. The attached document entitled "Identity Theft Prevention Program for the City of Jeffersonville" is hereby approved and adopted.
b. Employees whose duties and responsibilities include the handling of sensitive personal information of customers of the water and sanitary utilities shall comply with the attached Identity Theft Prevention Program for the City of Jeffersonville.

SO ORDAINED on the 17 day of 2010.
Common Council of the City of Jeffersonville
JEFFERSONVILLE, INDIANA
BY: Laill II N: an Sams!', President
ATTEST: Pe lder, Clerk-Treasurer

IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF JEFFERSONVILLE
November, 2010

Section I. Short Title.
This policy shall be known as the Identity Theft Prevention Program (hereinafter "Program").

Section II. Purpose.
This policy is adopted to comply with the Fair and Accurate Credit Transactions Act and federal regulations promulgated at 16 CFR § 681 in order to detect, prevent and mitigate identity theft by identifying and detecting identity theft red flags and by responding to such red flags in a manner that will prevent identity theft.

Section III. Definitions.
For purposes of this policy, the following definitions apply.
(a) 'Covered account' means (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(b) 'Credit' means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property defer payment therefore.
(c) 'Creditor' means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes utility companies and telecommunications companies.
(e) 'Customer' means a person that has a covered account with a creditor.
(f) 'Identity theft' means a fraud committed or attempted using identifying information of another person without authority.
(g) 'Notice of address discrepancy' means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. § 1681(c)(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(h) 'Person' means a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.
(i) 'Personal Identifying Information' means a person's credit card account information, debit card information, bank account information and drivers' license information and for a natural person includes their social security number, mother's birth name, and date of birth.
(j) 'Red flag' means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(k) 'Service provider' means a person that provides a service directly to the city.

Section IV. Risk Assessment.
(1) Risks to the security of personal information of account holders with the City of Jeffersonville for water service and wastewater treatment included the following:
(a) New accounts opened in person;
(b) Account information accessed in person; or
(c) Account information accessed by telephone inquiry.

Section V. Findings.
(1) The City of Jeffersonville Wastewater Billing Department (known hereafter as the Wastewater Billing Department) is a creditor pursuant to 16 CFR § 681.2 due to its provision or maintenance of covered accounts for which payment is made in arrears.
(2) Covered accounts offered to customers for the provision of services include Sewer Utility and Stormwater Utility.
(3) The Wastewater Billing Department's previous experience with identity theft related to covered accounts is as follows: No known incidents.
(4) The processes of opening a new covered account, restoring an existing covered account, making payments on such accounts, and providing account information, access in person or via phone or website have been identified as potential processes in which identity theft could occur.
(5) The Wastewater Billing Department limits access to personal identifying information to those employees responsible for or otherwise involved in opening or restoring covered accounts or accepting payment for use of covered accounts. Information provided to such employees is entered directly into the Utility Department's computer system and is not otherwise recorded.
(6) The Wastewater Billing Department determines that there is a low risk of identity theft occurring in the following ways (if any):
a. Use by an applicant of another person's personal identifying information to establish a new covered account;
b person in an previous ffort to have service g ored n previous customer's another
c. payment by another customer person's to ay such customer's covered account or accounts;
d. another person's covered of credit card, bank account, or other method of payment

Section VI. Process of Establishing a Covered Account.
As a precondition to opening a covered account, each applicant shall provide name, address, telephone number, owner of property and occupancy date with personal identifying information of the customer.
Such information shall be entered directly into the Utility Department's computer system and shall not otherwise be recorded. Each account shall be assigned an account number and personal identification number (PIN) which shall be unique to that account. The Utility Department account numbers and PINS. software to randomly generate assigned PINS and to encrypt

Section VII. Personal Information Security Procedures.
The City of Jeffersonville adopts the following security procedures:
(1) Access to customer accounts shall be password protected and shall be limited to authorized personnel.
(2) Paper documents, files, and electronic media containing personal information shall be stored in locked file cabinets.
(3) Employees shall not leave sensitive documents on their desks when they leave their workstations.
(4) Employees shall store files when leaving their work areas.
(5) Employees shall log off their computers when leaving their work areas.
(6) Visitors who must enter areas where sensitive documents are kept must be escorted by a City employee.
(7) No visitor shall be given any entrance codes or allowed unescorted access to the City Office.
(8) Password(s) shall be changed on a regular basis by each individual user, shall be at least 8 characters in length, and shall contain letters, numbers and symbols.
(9) Passwords shall not be shared or posted near workstations.
(10) Anti-virus and anti-spyware programs will be run on individual computers and servers regularly.
(11) When installing new software, vendor supplied default passwords will be changed immediately.
(12) The City's computer network will have a firewall where the network connects to the Internet.
(13) References will be checked and background checks will be done before hiring employees who will have access to sensitive information.
(14) Access to a customer's personal identity information will be limited to employees with a "need to know" status.
(15) the Cit Procedures ransfer to bo developed to ensure another department no that have access to employ of to sen tive information.
(16) Employees will be trained on a regular basis on the details of this Program (at least two (2) times per year).
(17) Employees will be alerted to attempts at phone phishing.
(18) Paper records will be shredded before placed in the trash.
(19) The disposal of any data media will consist of shredding, punching holes in, or incineration.
(20) The City shall insist that all vendors and billing agents shall have adopted its own Identity Theft Prevention Program to the extent sensitive personal information is shared between the City and the vendor and/or billing agent.
(21) City employees shall not divulge any personal information of any account holder without the express authorization of the Clerk-Treasurer.
(22) Any unauthorized access to or other breach of customer accounts is to be reported immediately to the Utility Billing Supervisor and the password changed immediately.
(23) Personal identifying information included in customer accounts is considered confidential (to the extent allowed by law) and any request or demand for such information shall be immediately forwarded to the Utility Billing Supervisor.

Section VII. Credit Card Payments.
(1) In the event that credit card payments that are made over the Internet are processed through a third party service provider, such third party service provider shall certify that it has an adequate identity theft prevention program in place that is applicable to such payments.
(2) All credit card payments made over the telephone or the City of Jeffersonville's website shall be entered directly into the customer's account information in the computer data base.
(3) digits of the credit or debit covered ard or tl ban c bank account used for payment of the covered account.

Section VIII. Sources and Types of Red flags.
All employees responsible for or involved in the process of opening a covered account, restoring a covered account, or accepting payment for a covered account shall check for red flags as indicators of possible identity theft. Such red flags shall include, but not be limited to:

(1) Alerts from consumer reporting agencies, fraud detection agencies or service providers. Examples of such alerts are:
a. A fraud or active duty alert that is included with a consumer report
b. A notice of credit freeze in response to a request for a consumer report
c. A notice of address discrepancy discovered through the Clark County or City of Jeffersonville Geographic Information System

(2) Suspicious documents. Examples of suspicious documents include:
a. Documents provided for identification that appear to be altered or forged
b. Identification on which the photograph or physical description is inconsistent with the appearance of the applicant or customer
c. Identification on which the information is inconsistent with information provided by the applicant or customer
d. Identification on which the information is inconsistent with readily accessible information that is on file, such as a signature card or a recent check; or
e. An application that appears to have been altered or forged, or appears to have been destroyed and reassembled.

(3) Suspicious personal identifying information. Examples include:
a. Personal identifying information that is inconsistent with external information sources used by the financial institution or creditor. For example:
i. The address does not match any address in the consumer report; or
b. Personal identifying information or a phone number or address, is associated with known fraudulent applications or activities as indicated by internal or third-party sources used by the financial institution or creditor.
c. Other information provided, such as fictitious mailing address, mail drop addresses, jail addresses, invalid phone numbers, pager numbers or answering services, is associated with fraudulent activity.
d. The SSN provided is the same as that submitted by other applicants or customers.
e. number or telephone number nu ber by is the nusually large r nu number of account licants or customers.
f. The applicant or customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
g. Personal identifying information is not consistent with personal identifying information that is on file with the financial institution or creditor.
h. The applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

(4) Unusual use of or suspicious activity relating to a covered account. Examples include:
a. Shortly following the notice of a change of address for an account, there is a request for the addition of authorized users on the account.
b. A new revolving credit account is used in a manner commonly associated with known patterns of fraud, such as where the customer fails to make the first payment or makes an initial payment but no subsequent payments.
c. An account is used in a manner that is not consistent with established patterns of activity on the account, such as:
i. Nonpayment when there is no history of late or missed payments
d. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's account.
e. The Utility Department is notified that the customer is not receiving paper account statements.
f. The Wastewater Billing Department is notified of unauthorized charges or transactions in connection with a customer's account.
g. The Wastewater Billing Department is notified by a customer, law enforcement or another person that it has opened a fraudulent account for a person engaged in identity theft.

(5) Notice from customers, law enforcement, victims or other reliable sources regarding possible identity theft or phishing relating to covered accounts.

(6) Inconsistent activity patterns indicated by consumer reports such as
a. Recent and significant increase in the number of inquiries;
b. unusual number a recent a g in applications; use of credit;
h. Accounts closed for cause or abuse.

Section IX. Prevention and Mitigation of Identity Theft.
(1) In the event that any employee responsible for or involved in restoring an existing covered account or accepting payment for a covered account becomes aware of red flags indicating possible identity theft with respect to existing covered accounts, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the Jeffersonville Police Department. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the Utility Billing Supervisor, who may in his or her discretion determine that no further action is necessary. If the Utility one or me So r e of the fo the following l gee responses i as that further be appropriate by the Utility oe r n: of Billing Supervisor shall be performed:
a. Contact the customer;
b. i app apparent that someone other than the customer has accessed the customer's covered account:
i. change any account numbers, passwords, security codes, or other security devices that permit access to an account; or
ii. close the account;
c. Cease attempts to collect additional charges from the customer and decline to sell the customer's account to a debt collector in the event that the customer's account has been accessed without authorization and such access has caused additional charges to accrue;
d. Notify law enforcement in the event that someone other than the customer has accessed the customer's account causing additional charges to accrue or accessing personal identifying information; or
e. Take other appropriate action to prevent or mitigate identity theft.

(2) In the event that an employee responsible for or involved in opening a new covered account becomes aware of red flags indicating possible identity theft with respect to an application for a new account, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the Jeffersonville Police Department. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the Wastewater Billing Supervisor, who may in his or her discretion determine that no further action is necessary the one or upe i sthe ned o in his or her discretion determines that furtltoractiioe is te scary, rte or Supervisor following responses as determi to be appropriate Y c shall be performed:
a. Request additional identifying information from the applicant;
b. Deny the application for the new account;
c. Notify law enforcement of possible identity theft;
d. Take other appropriate action to prevent or mitigate identity theft; or
e. Refuse to divulge any further information about the existing account holder.

Section X. Updating the Program.
The Wastewater Billing Department shall annually review and, as deemed necessary, update the Identity Theft Prevention Program along with any relevant red flags in order to reflect changes in risks to customers or to the safety and soundness of the Utility Department and its covered accounts from identity theft. In so doing, the Utility Department shall consider the following factors and exercise its discretion in amending the program:
(1) The Wastewater Billing Department experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate identity theft;
(4) Updates in the types of accounts that the Wastewater Billing Department offers or maintains; and
(5) Updates in service provider arrangements.

Section XI. Program Administration.
The Wastewater Billing Supervisor is responsible for oversight of the program and for program implementation. The Utility Billing Supervisor is responsible for reviewing reports prepared by staff regarding compliance with red flag requirements and recommending material changes to the program, as necessary in the opinion of the Utility Billing Supervisor, to address changing identity theft risks and to identify new or discontinued types of covered accounts. Any recommended material changes to the program shall be submitted to Clerk-Treasurer. The Wastewater Billing Supervisor will report to Clerk-Treasurer at least annually on compliance with the red flag requirements.
The report shall be due no later than December 31st each year and shall address material matters related to the program and evaluate issues, including but not limited to:
(1) The effectiveness of the program policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
(2) Service provider arrangements;
(3) Significant incidents involving identity theft and management's response; and
(4) Recommendations for material changes to the Program.

The Wastewater Billing Supervisor is responsible for providing training to all employees responsible for or involved in opening a new covered account, restoring an existing covered account or accepting payment for a covered account with respect to the implementation and requirements of the Identity Theft Prevention Program. The Utility Billing Supervisor shall exercise his or her discretion in determining the amount and substance of training necessary.

Section XII. Outside Service Providers.
In the event that the Wastewater Department engages a service provider to perform an activity in connection with one or more covered accounts the Wastewater Billing Supervisor shall exercise his or her discretion in reviewing such arrangements in order to ensure, to the best of his or her ability, that the service provider's activities are conducted in accordance with policies and procedures, agreed upon by contract, that are designed to detect any red flags that may arise in the performance of the service provider's activities and take appropriate steps to prevent or mitigate identity theft.

Section XIII. Treatment of Address Discrepancies.
In the event that the Utility Department receives a notice of address discrepancy, the employee responsible for verifying consumer addresses for the purpose of providing the service or account sought by the consumer shall perform one or more of the following activities, as determined to be appropriate by such employee:
(1) Compare the information in the consumer report with:
a. Information the Utility Department obtains and uses to verify a consumer's identity in accordance with the requirements of the Customer Information Program rules implementing 31 U.S.C. § 5318(l);
b. Information the Utility Department maintains in its own records, such as applications for service, change of address notices, other customer account records or tax records; or
c. Information the Utility Department obtains from third-party sources that are deemed reliable by the relevant employee; or
(2) Verify the information in the consumer report with the consumer.

Section XIV. Methods of Confirming Consumer Addresses.
The employee charged with confirming consumer addresses may, in his or her discretion, confirm the accuracy of an address through one or more of the following methods:
(1) Verifying the address with the consumer;
(2) Reviewing the Utility Department records to verify the consumer's address;
(3) Verifying the address through third party sources; or
(4) Using other reasonable processes.