(a) Purpose. The City of Parma and the Parma Municipal Court adopt this sensitive information policy pursuant to the Federal Trade Commission's Red Flags Rule, which is an implementation of Section 114 of the Fair and Accurate Credit Transactions Act of 2003 as regulated in 16 C.F.R. §681. The policy is adopted to help protect employees, customers, contractors and the municipality from damages related to the loss or misuse of sensitive information.
(b) Definitions. For the purpose of this section, the following definitions shall apply unless the context clearly indicates or requires a different meaning.
(1) “City” means the City of Parma or the Parma Municipal Court.
(2) “Covered account” means:
A. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
B. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(3) “Credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
(4) “Creditor” means any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes utility companies and telecommunication companies.
(5) “Customer” means a person that has a covered account with a creditor.
(6) “Identity theft” means a fraud committed or attempted using identifying information of another person without authority.
(7) “Person” means a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative or association.
(8) “Personal identifying information” means a person's credit card account information, debit card information, bank account information, driver's license information, social security number, tax identification number, medical insurance or Medicare/Medicaid number, mother's birth name, date of birth and any other information that may be used to perpetrate an identity theft.
(9) “Red flag” means a pattern, practice or specific activity that indicates the possible existence of identity theft.
(10) “Service provider” means a person that provides a service directly to the City, including third-party billing companies.
(c) Identification of Red Flags.
(1) Notifications and warnings from credit reporting agencies.
A. Report of fraud accompanying a credit report.
B. Notice or report from a credit agency of a credit freeze on customer or applicant.
C. Notice or report from a credit agency of an active duty alert for an applicant.
D. Notice or report from a credit agency of an address discrepancy.
E. Indication from a credit report of activity that is inconsistent with customer's usual pattern or activity.
(2) Suspicious documents.
A. Identification document or card (i.e. driver's license, social security card, insurance card) that appears to be forged, altered or inauthentic.
B. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
C. Other document with information that is not consistent with existing customer information.
D. Application for service which appears to be altered or forged.
(3) Suspicious personal identifying information.
A. Identifying information presented that is inconsistent with other information the customer provides.
B. Identifying information presented that is inconsistent with other sources of information.
C. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
D. Identifying information that is consistent with fraudulent activity.
E. Social security number or tax identification number presented that is the same as one given by another customer.
F. A social security number or insurance number without being able to produce documentation with the number on it.
G. An address or phone number presented that is the same as that of another person.
H. A person fails to provide complete personal identifying information on an application when reminded to do so.
I. A person's identifying information is not consistent with the information on file.
(4) Suspicious account activity or unusual use of account.
A. Change of address for an account followed by a request to change the account holder's name.
B. Payments stop on an otherwise consistently up-to-date account.
C. Non-payment of first payment due on an account.
D. Account used in a way that is not consistent with prior use.
E. Mail sent to the account holder is repeatedly returned as undeliverable.
F. Notice to the City that a customer is not receiving mail sent by the City.
G. Notice to the City that an account has unauthorized activity.
H. Breach in the City's computer security system.
I. Unauthorized access to or use of customer account information.
(5) Alerts from others.
A. Notice to the City from a customer, identity theft victim, service provider, law enforcement officer or other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft.
B. Complaint filed or reported for receipt of a bill for services never provided.
(d) Prevention and Mitigation of Identity Theft.
(1) Protecting personal identifying information.
A. Storage spaces containing documents with personal identifying information shall be locked when not in use or when unsupervised.
B. Desks, workstations and common areas shall be cleared of documents containing personal identifying information when not in use.
C. Documents containing personal identifying information shall be completely and securely destroyed pursuant to the departmental records retention schedule.
D. Electronically stored personal identifying information shall be encrypted and/or password protected.
E. Computer virus protection will be kept up-to-date.
F. Verify a person's identification before answering questions about or changing information on a covered account.
(2) Mitigation of identity theft.
A. Once potentially fraudulent activity is detected the personnel handling the transaction shall gather all information and present the transaction to the department head. The department head will review the transaction details and:
1. Determine if no action is warranted because no identity theft has taken place;
2. Contact the actual customer;
3. Cancel the transaction if warranted;
4. Report to the designated authority for determination.
B. The designated authority will review the situation to determine if any of the following is warranted:
1. Not open new account;
2. Close existing account/reopen with new number;
3. Change passwords or security that allows access to covered accounts;
4. Notify law enforcement.
(3) Detection during rescue squad transports.
A. Fire Department Rescue Squad personnel shall watch for suspicious documentation of identification such as an insurance card which appears to be altered or does not match other information about the patient. If possible, the crew shall attempt to confirm identifying information with another person. Care shall not be delayed when verifying the information. Information can be obtained after transport if necessary.
B. Policies promulgated under HIPAA regulations still apply and shall be utilized in conjunction with this Red Flags policy to protect sensitive health information.
(e) Administration and Updates.
(1) Oversight.
A. The Identity Theft Policy is the responsibility of the office of the Treasurer.
B. The Treasurer or appropriate designee is responsible for:
1. Administering the program;
2. Ensuring appropriate training of City staff on the policy;
3. Reviewing departmental reports regarding detection of red flags and determining course of action consistent with the policy;
4. Annually reviewing the policy and annual departmental reports to consider changes to the policy in conjunction with the Law Department.
(2) Training. Training will be conducted for all personnel who are reasonably foreseen to come into contact with covered accounts or personal identifying information. Employees will receive annual training in all elements of this policy.
(3) Reporting. Each affected department shall prepare an annual report to the Deputy Treasurer of significant instances involving identity theft and the department's response, evaluation of program effectiveness and recommendations for changes to the policy.
(4) Service providers.
A. It is the responsibility of the City to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
B. A service provider that maintains its own identity theft prevention policy, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
C. Any specific requirements should be specifically addressed in the appropriate contract arrangements.
(5) Updates. The policy will be reviewed annually to assess:
A. Accounts covered by the policy;
B. Revision, deletion or addition of Red Flags;
C. Actions taken upon the detection of a Red Flag.
(Res. 315-08. Passed 8-3-08.)