137.03 IDENTITY THEFT PREVENTION PROGRAM.
   (a)   Purpose. The purpose of this section is to comply with 16 CFR §681.2 in order to establish procedures to detect, prevent and mitigate identity theft by identifying and detecting identity theft red flags and by responding to such red flags in a manner that will prevent identity theft.
   (b)   Definitions. For purposes of this section, the following definitions apply:
      (1)   “City” means the City of Ontario, Richland County, Ohio.
      (2)   “Covered account” means:
         A.   An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
         B.   Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
      (3)   “Credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
      (4)   “Creditor” means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes utility companies and telecommunications companies.
      (5)   “Customer” means a person that has a covered account with a creditor.
      (6)   “Identity theft” means a fraud committed or attempted using identifying information of another person without authority.
      (7)   “Person” means a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative or association.
      (8)   “Personal identifying information” means a person’s credit card account information, debit card information, bank account information, and drivers’ license information and for a natural person includes their social security number, mother’s birth name, and date of birth.
      (9)   “Red flag” means a pattern, practice or specific activity that indicates the possible existence of identity theft.
      (10)   “Service provider” means a person that provides a service directly to the City.
   (c)   Findings.
      (1)   The City is a creditor pursuant to 16 CFR §681.2 due to providing or maintaining covered accounts for which payment is made in arrears.
      (2)   The covered accounts offered to customers for the provision of the City services are water accounts and sewer accounts.
      (3)   The City’s previous experience with identity theft related to covered accounts is as follows: The City has never had a reported incident of identity theft involving one of its water accounts or sewer accounts.
      (4)   The processes of opening a new covered account and managing an existing covered account have been identified as potential processes in which identity theft could occur.
      (5)   The City limits access to Personal Identifying Information to those employees responsible for or otherwise involved in opening, managing or accepting payments on covered accounts.
      (6)   The City does not currently provide any electronic access to covered accounts by customers.
      (7)   The City establishes primary responsibility for its water accounts and sewer accounts with the record owner of the property. The City will, at the owner’s request, bill a tenant as the owner’s agent for billing purposes and without releasing the owner from primary liability for payment. The primary exception to limiting sewer accounts to the record owner of the property is that the City will establish an account with a land contract vendee whose interest appears on the public records.
      (8)   The City determines that there is a low risk of identity theft occurring in the following ways (if any):
         A.   Use by an applicant of another person’s personal identifying information to establish a new covered account;
         B.   Use of a previous customer’s personal identifying information by another person in an effort to have service restored in the previous customer’s name;
         C.   Use of another person’s credit card, bank account, or other method of payment by a customer to pay such customer’s covered account or accounts; and
         D.   Use by a customer desiring to restore such customer’s covered account of another person’s credit card, bank account, or other method of payment.
   (d)   Sources, Types and Identification of Red Flags. Based upon the methods by which the City opens and manages accounts, and the lack of any past experience with identity theft, the following events or occurrences shall be considered as “Red Flags” and indicators of possible identity theft. Although the City does not currently use all of the methods or services described below, it has included them as possible Red Flags in the event it chooses to use such reports or services in the future.
      (1)   Suspicious documents, including, without limitation:
         A.   Documents that appear to be altered or forged;
         B.   Documents on which the photograph or physical description is inconsistent with the appearance of the applicant or customer presenting the identification;
         C.   Documents with information inconsistent with other information provided by the person opening an account or presenting identification.
         D.   Documents on which the information is inconsistent with readily accessible information that is on file with the City; or
         E.   An application that appears to have been altered or forged, or appears to have been destroyed and reassembled.
      (2)   Suspicious personal identification, including, without limitation:
         A.   Personal identifying information that is inconsistent with external information sources used by the City, such as:
            1.   The address does not match any address in other records or a consumer report; or
            2.   The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
         B.   Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer, such as a lack of correlation between the SSN range and date of birth.
         C.   Personal identifying information or a phone number or address is associated with known fraudulent application or activities as indicated by internal or third-party sources used by the City.
         D.   Other information provided, such as fictitious mailing address, mail drop addresses, jail addresses, invalid phone numbers, pager numbers or answering services, is associated with fraudulent activity.
         E.   The SSN provided is the same as that submitted by other applicants or customers.
         F.   The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of applicants or customers.
         G.   The applicant or customer fails to provide all required identifying information on an application or in response to notification that the application is incomplete.
         H.   Identifying information is not consistent with identifying information that is on file with the City.
         I.   The applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
      (3)   Unusual use of or suspicious activity relating to a covered account, including, without limitation:
         A.   Shortly following the notice of a change of address for an account, the City receives a request to change or add authorized persons on the account.
         B.   An account is used in a manner that is not consistent with established patterns of activity on the account, such as nonpayment where there is no history of late or missed payments.
         C.   An account that has been inactive for a long period of time (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
         D.   Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s account.
         E.   The City is notified that the customer is not receiving paper account statements.
         F.   The City is notified of unauthorized charges or transactions in connection with a customer’s account.
         G.   The City is notified by a customer, law enforcement or another person that it has opened a fraudulent account for a person engaged in identity theft.
      (4)   Notice from customers, law enforcement, victims or other reliable sources regarding possible identity theft or phishing relating to covered accounts.
      (5)   Alerts, notifications or warnings from a consumer reporting agency or other fraud detection service, including, without limitation:
         A.   A fraud or active duty alert that is included with a consumer report;
         B.   A notice of credit freeze in response to a request for a consumer report;
         C.   A notice of address discrepancy provided by a consumer reporting agency;
         D.   Indications of a pattern of activity in a consumer report that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
            1.   A recent and significant increase in the volume of inquiries;
            2.   An unusual number of recently established credit relationships;
            3.   A material change in the use of credit, especially with respect to recently established credit relationships; or
            4.   An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
   (e)   Detecting Red Flags When Opening New Accounts and Managing Existing Accounts. The City’s water and sewer services operations and customers are concentrated in and around the City territorial limits. However, the City also provides water and sewer service to properties owned by persons who do not reside in the local area. The City’s experience reflects that significant or regular face-to-face contact between City staff and customers can be helpful but is not necessary given the nature and scope of its activities. The City has a history of relatively low losses due to nonpayment. The City has never had a reported incident of identity theft related to a covered account. The City will use a combination of documentary and nondocumentary methods to verify the identity of new customers and to authenticate existing customers.
      (1)   To open a water account or sewer account with the City, City personnel will take the following steps to obtain and verify the identity of the person opening the account:
         A.   Require identifying information, including, without limitation, name, the service address, the billing address if different from the service address, and contact information for the customer.
         B.   Verify the customer’s identity by documentary or nondocumentary means, or a combination of them;
         C.   For customers which are not a natural person, identify the person(s) with authority over the account; and
         D.   Independently contact the customer.
      (2)   In managing an existing sewer account, City personnel will:
         A.   Verify the identity of customers if they request information;
         B.   Verify the validity of requests to change a billing address;
         C.   Verify the validity of requests to make other modifications regarding the account.
      (3)   In order to implement the general detection guidelines set forth above for both new and existing accounts, the City has created various verification procedures, which vary depending upon the type of account. See Appendix A attached to original Ordinance 09-16 and incorporated by reference.
   (f)   Prevention and Mitigation of Identity Theft.
      (1)   In the event City personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
         A.   Continue to monitor an account for evidence of Identity Theft;
         B.   Contact the customer;
         C.   Change any passwords or other security devices that permit access to accounts;
         D.   Not open a New Account when there is strong evidence of Identity Theft;
         E.   Close an Existing Account when there is strong evidence of Identity Theft;
         F.   Reopen an account with a new number;
         G.   Notify the Program Administrator for determination of the appropriate step(s) to take;
         H.   Notify law enforcement; or
         I.   Determine that no response is warranted under the particular circumstances.
      (2)   In the event that any City employee responsible for or involved in managing an existing covered account becomes aware of red flags indicating possible identity theft with respect to an existing covered account, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the City Service Safety Director. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the City Service Safety Director, who may in his or her discretion determine that no further action is necessary. If the City Service Safety Director in his or her discretion determines that further action is necessary, a City employee shall perform one or more of the following responses, as determined to be appropriate by the City Service Safety Director:
         A.   Contact the customer;
         B.   Make the following changes to the account if, after contacting the customer, it is apparent that someone other than the customer has accessed the customer’s covered account:
            1.   Change any account numbers, passwords, security codes, or other security devices that permit access to an account; or
            2.   Close the account.
         C.   Cease attempts to collect additional charges from the customer;
         D.   Notify law enforcement, in the event that someone other than the customer has accessed the customer’s account causing additional charges to accrue or accessing personal identifying information; or
         E.   Take other appropriate action to prevent or mitigate identity theft.
      (3)   In the event that any City employee responsible for or involved in opening a new covered account becomes aware of red flags indicating possible identity theft with respect to an application for a new account, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the City Service Safety Director. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the City Service Safety Director, who may in his or her discretion determine that no further action is necessary. If the City Service Safety Director in his or her discretion determines that further action is necessary, a City employee shall perform one or more of the following responses, as determined to be appropriate by the City Service Safety Director:
         A.   Request additional identifying information from the applicant;
         B.   Deny the application for the new account;
         C.   Notify law enforcement of possible identity theft; or
         D.   Take other appropriate action to prevent or mitigate identity theft.
      (4)   In order to further prevent the likelihood of identity theft occurring with respect to City accounts, the City will take the following steps with respect to its internal operating procedures to protect customer identifying information:
         A.   Limit access to customer accounts to authorized City personnel.
         B.   Ensure that website or other electronic access to account information, if any, is secure or provide clear notice that the website is not secure;
         C.   Ensure complete and secure destruction of paper documents and computer files containing customer information;
         D.   Ensure that access to the server accounts and related data are password protected;
         E.   Keep work area clear of papers containing customer information;
         F.   Ensure computer virus protection is up to date; and
         G.   Require and keep only the kinds of customer information that are necessary for utility purposes.
         H.   Any unauthorized access to or other breach of customer accounts is to be reported immediately to the City Service Safety Director.
         I.   Personal identifying information included in customer accounts is considered confidential and any request or demand for such information shall be immediately forwarded to the City Service Safety Director and the City Law Director.
   (g)   Updating the Program. The City Council shall annually review and, as deemed necessary by the Council, update the Identity Theft Prevention Program along with any relevant red flags in order to reflect changes in risks to customers or to the safety and soundness of the City and its covered accounts from identity theft. In so doing, the City Council shall consider the following factors and exercise its discretion in amending the program:
      (1)   The City’s experiences with identity theft;
      (2)   Updates in methods of identity theft;
      (3)   Updates in customary methods used to detect, prevent, and mitigate identity theft;
      (4)   Updates in the types of accounts that the City offers or maintains; and
      (5)   Updates in service provider arrangements.
   (h)   Program Administration. The City Service Safety Director is responsible for oversight of the program, for program implementation and for recommending material changes to the program, as necessary, to address changing identity theft risks and to identify new or discontinued types of covered accounts. Any recommended material changes to the program shall be submitted to City Council for consideration by Council.
      (1)   The City Service Safety Director will report to the Mayor at least annually, on matters related to the program and evaluate issues such as:
         A.   The effectiveness of the policies and procedures of the City in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
         B.   Service provider arrangements;
         C.   Significant incidents involving identity theft and management’s response; and
         D.   Recommendations for material changes to the program.
      (2)   The City Service Safety Director is responsible for providing training to all employees responsible for or involved in opening a new covered account, restoring an existing covered account or accepting payment for a covered account with respect to the implementation and requirements of the Identity Theft Prevention Program. The City Service Safety Director shall exercise his or her discretion in determining the amount and substance of training necessary.
   (i)   Outside Service Providers. In the event the City engages a service provider to perform an activity in connection with one or more covered accounts, the City Service Safety Director shall exercise his or her discretion in reviewing such arrangements in order to ensure, to the best of his or her ability, that the service provider’s activities are conducted in accordance with policies and procedures, agreed upon by contract, that are designed to detect any red flags that may arise in the performance of the service provider’s activities and take appropriate steps to prevent or mitigate identity theft.
(Ord. 09-16. Passed 5-7-09.)