(A) The Town Council hereby adopts an identity theft prevention program, to be known as the “Town of Orland, Indiana Identity Theft Prevention Program” (the “ITPP”) attached as division (B) below, to comply with the red flags rules implemented by the FTC. The town opens and maintains a minimal number of accounts each year so that red flag opportunities are minimal. The Town Council recognizes that the FTC has allowed for flexibility in creating and implementing a program that fits the size of the entity and, therefore, the Town Council adopts this ITPP to reflect the minimal number of accounts handled by the town.
(B) The Federal Trade Commission (“FTC”) requires every creditor to implement an Identity Theft Prevention Program (“ITPP”). The FTC requirement and regulation is necessary because of § 114 of the Fair and Accurate Credit Transactions Act. The FTC has set forth the ITPP requirement in 16 C.F.R. § 681.2. IDENTITY THEFT is defined as a fraud committed or attempted using identifying information of another person without authority. The town adopts the program set forth below to comply with FTC rules and regulations. In drafting its ITPP, the town has considered: the methods it provides to open its accounts; the methods it provides to access its accounts; and its previous experiences with identity theft. Based on these considerations, the governing authority of the town hereby determines that the town is a low to moderate risk entity and as a result develops and implements the streamlined ITPP set forth here.
(1) Red flags. The following shall be considered red flags for the town that require a response:
(a) When opening an account:
1. The presentation of suspicious documents:
a. Documents or cards appear to be forged, altered or inauthentic;
b. Documents or cards that describe the person are not accurate or consistent with the person presenting them; and
c. Other documents contain information that is not consistent with existing customer information.
2. Information presented is inconsistent with other information the customer provides; and
3. Information presented is invalid or expired.
(b) Suspicious account activity or unusual use of account:
1. Change of address for an account followed by a request to change the account holder’s name;
2. Account used in a way that is not consistent with prior use;
3. Mail sent to the account holder is repeatedly returned as undeliverable;
4. Notice to the town that a customer is not receiving mail sent by the town;
5. Breach in the town’s computer system security; and
6. Unauthorized access to or use of customer account information.
(c) Alerts from others: any notice to the town from a customer, identity theft victim, law enforcement or other person that the town has opened or is maintaining a fraudulent account for a person engaged in identity theft.
(2) Detection of red flags. The detection of a red flag shall require informing the employee’s supervisor, who will then take immediate and appropriate action to document the detection and notify the proper authorities. The following are examples of possible procedures for detecting red flags, not all may be available and each case should be treated according to information available:
(a) New accounts:
1. Require identifying information such as name, date of birth, residential or business address, principal place of business for an entity;
2. Verify the customer’s identity by reviewing the information provided for inconsistencies or signs of forgery;
3. Review any documentation provided as to the existence of a business entity; and
4. Independently contact the customer.
(b) Existing accounts:
1. Verify the identification of customers if they request information (in person, via telephone, via facsimile or via e-mail);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
(3) Response to red flags. The method of response and the timing of response to the detection of a red flag shall be commensurate with the degree of risk posed. Responses may include:
(a) Monitor an account for evidence of identity theft;
(b) Contact the customer;
(c) Change any passwords, security codes or other security devices that permit access to an account;
(d) Reopen a covered account with a new account number;
(e) Not open a new account;
(f) Close an existing account;
(g) Notify supervisor;
(h) Notify law enforcement; and
(i) Determine no response is warranted under the particular circumstances.
(4) Compliance Officer and training. The Compliance Officer for this ITPP shall be the Town Clerk-Treasurer or his or her designee. The Compliance Officer shall conduct training of all town employees that transact business with customers of the town’s utilities. The Compliance Officer shall periodically review this program and recommend any necessary updates to the Town Council.
(5) Annual report. An annual report, as required by FTC regulations, shall be provided by the Compliance Officer to the Town Council President. The contents of the annual report shall address and/or evaluate at least the following:
(a) The effectiveness of the policies and procedures of the town in addressing the risk of identity theft in connection with the opening of accounts and with respect to access to existing accounts;
(b) Incidents involving identity theft with town accounts and the town’s response;
(c) Changes in methods of identity theft and the prevention of identity theft; and
(d) Recommendations for changes to the town’s ITPP.
(Res. 17-09, passed 12-14-2009)