(A) Risk assessment. The city has conducted an internal risk assessment to evaluate the risk that current procedures allow a customer to open a fraudulent account, and to evaluate whether current (existing) accounts are being manipulated. This risk assessment evaluated how new accounts were opened and the methods used to access account information. Using this information, the utility was able to identify red flags appropriate to preventing identity theft in the following channels:
(1) New accounts opened in person;
(2) New accounts opened via fax;
(3) New accounts opened via U.S. mail;
(4) Account information accessed in person;
(5) Account information accessed via telephone (person) - require verification;
(6) Account information accessed via U.S. mail.
(B) Detection (red flags). The city adopts the following red flags to detect potential fraud. These are not intended to be all-inclusive and other suspicious activity may be investigated as necessary.
(1) Identification documents appear to be altered.
(2) Photo and physical description do not match appearance of applicant.
(3) Other information is inconsistent with information provided by applicant.
(4) Other information provided by applicant is inconsistent with information on file.
(5) Application appears altered or destroyed and reassembled.
(6) Personal information provided by applicant does not match other sources of information (such as credit reports, or a social security number that was not issued or is listed as deceased).
(7) Lack of correlation between the social security number range (last 4 digits) and date of birth.
(8) Information provided is associated with known fraudulent activity (such as address or phone number provided is same as that of a fraudulent application).
(9) Information commonly associated with fraudulent activity is provided by applicant (such as an address that is a mail drop or prison, a non-working phone number, or a phone number associated with an answering service or pager).
(10) Social security number, address, or telephone number is the same as that of another customer at the utility.
(11) Customer fails to provide all information requested.
(12) Personal information provided is inconsistent with information on file for a customer.
(13) Applicant cannot provide information requested beyond what could commonly be found in a purse or wallet.
(14) Identity theft is reported or discovered.
(C) Response. Any employee who suspects fraud or detects a red flag will implement the following responses as applicable. All detections or suspicious red flags shall be reported to the senior management official.
(1) Ask applicant for additional documentation.
(2) Notify senior management person. Any utility employee who becomes aware of a suspected or actual fraudulent use of a customer's or potential customer's identity must notify the senior management person.
(3) Notify law enforcement: The utility will notify the Eminence Police Department at 45 Depot Avenue, Eminence, KY 40019 of any attempted or actual identity theft.
(4) Do not open the account / close the account.
(5) Do not attempt to collect against the account but notify authorities.
(D) Personal information security procedures. The city adopts the following security procedures:
(1) Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets or the safe.
(2) Only specially identified employees with a legitimate need will have keys to the cabinet.
(3) Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
(4) Employees will not leave sensitive papers out on their desks when they are away from their workstations.
(5) Employees store files when leaving their work areas for more than 15 minutes.
(6) Employees log off their computers when leaving their work areas for more than 15 minutes.
(7) Employees lock file cabinets when leaving their work areas for more than 15 minutes.
(8) Visitors who must enter areas where sensitive files are kept must be accompanied by an employee of the utility.
(9) No visitor will be given any entry codes or allowed unaccompanied access to the office.
(10) Access to sensitive information will be controlled using “strong” passwords. Employees will choose passwords with a mix of letters, numbers, and characters.
(11) Passwords will not be shared or posted near workstations.
(12) Password-activated screen savers will be used to lock employee computers after a period of inactivity.
(13) When installing new software, immediately change vendor-supplied default passwords to a secure, strong password.
(14) Anti-virus and anti-spyware programs will be run on individual computers and on servers, alternating weekly and monthly, with updates applied daily as available.
(15) When sensitive data is received or transmitted, secure connections will be used.
(16) Computer passwords will be required.
(17) User names and passwords will be different.
(18) The use of laptops is restricted to those employees who need them to perform their jobs.
(19) Laptops are stored in a secure place.
(20) Employees never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage.
(21) If a laptop must be left in a vehicle, it is locked in a trunk.
(22) The computer network will have a firewall where it connects to the Internet.
(23) Any wireless network in use is secured.
(24) Check references or do background checks before hiring employees who will have access to sensitive data.
(25) New employees sign an agreement to follow the city's confidentiality and security standards for handling sensitive data.
(26) Access to customers' personal identity information is limited to employees with a “need to know.”
(27) Procedures exist for making sure that employees who leave the city's employ or transfer to another department no longer have access to sensitive information.
(28) Implement employee training as necessary.
(29) Employees will be alert to attempts at phone phishing.
(30) Employees are required to notify the Mayor immediately if there is a potential security breach, such as a lost or stolen laptop.
(31) Employees who violate security policy are subject to discipline, up to and including dismissal.
(32) Paper records will be shredded before being placed into the trash.
(33) Paper shredders will be available at each desk in the office, next to the photocopier, and at the home of any employee doing work at home.
(34) Any data storage media will be disposed of by shredding, hole punching, or incineration.
(Res. 2008-004, passed 10-13-08)