IDENTITY THEFT PREVENTION PROGRAM
(FOR THE UTILITY BILLING DEPARTMENT)
§ 36.030 PURPOSE OF THE PROGRAM.
   Under the Red Flags Rule, every financial institution and creditor is required to establish an identity theft prevention program tailored to its size, complexity and the nature of its operations. This program is adopted to comply with the Red Flags Rule, in order to identify relevant red flags (as defined below), to detect red flags, to respond appropriately to red flags and to require that the program be periodically updated.
(Res. 2011-04, passed 3-14-2011)
§ 36.031 DEFINITIONS.
   For the purpose of this subchapter, the following definitions shall apply unless the context clearly indicates or requires a different meaning.
   ACCOUNT. A continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes.
   COVERED ACCOUNT.
      (1)   Any account the department offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and
      (2)   Any other account the Department offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the department from identity theft.
   CREDITOR. The same meaning as defined in § 702 of the Equal Credit Opportunity Act, 15 U.S.C. § 1691a, and includes a person or entity that arranges for the extension, renewal or continuation of credit, including the Department.   
   CUSTOMER. A person or business entity that has a covered account with the Department.
   DEPARTMENT. The Utility Billing Department of the town.
   IDENTIFYING INFORMATION. Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, address, telephone number, Social Security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number or unique electronic identification number.
   IDENTITY THEFT. Fraud committed using the identifying information of another person.
   RED FLAG. A pattern, practice or specific activity that indicates the possible existence of identity theft.
   SERVICE PROVIDER. A person or business entity that provides a service directly to the town relating to or in connection with a covered account.
(Res. 2011-04, passed 3-14-2011)
§ 36.032 TYPE OF ACCOUNTS AND ACCESS TO ACCOUNTS.
   (A)   Type of accounts. The Department currently offers and maintains the following type(s) of covered accounts: utility service account.
   (B)   Access to accounts. Customer account information may be accessed in the following ways:
      (1)   In person;
      (2)   By phone;
      (3)   By mail; and
      (4)   By e-mail.
(Res. 2011-04, passed 3-14-2011)
§ 36.033 IDENTIFICATION OF RED FLAGS.
   (A)   The Department endeavors to identify relevant red flags as they relate to the possible risk of identity theft in connection with the Department’s covered accounts. Inconsistent documents, information or activity encountered when dealing with customer accounts and financial transactions may signal identity theft. In order to identify relevant red flags, the Department shall initially and annually review and consider the types of covered accounts that it offers and maintains, the methods it provides to open covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft.
   (B)   The town identifies the following relevant red flags at present, which it will consider in detecting identity theft.
      (1)   Suspicious documents.
         (a)   Documents provided for identification that appear to be forged or altered;
         (b)   Documents provided for identification on which a person’s photograph or physical description is inconsistent with the person presenting the document;
         (c)   Other documents with information that is not consistent with existing customer information (for example, a person’s signature on a check appears forged);
         (d)   Application for services or account setup that appears to have been altered or forged; and
         (e)   Social Security numbers that are always invalid:
            1.   The first three digits are in the 772—800 or the 900 range;
            2.   The first three digits are 666; or
            3.   The first three digits are 000, or the fourth and fifth digits are 00, or the last four digits are 0000.
      (2)   Suspicious personal identifying information.
         (a)   Identifying information presented that is inconsistent with other information the customer provides, or information that is on file for that customer (such as inconsistent birth dates);
         (b)   Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a driver’s license, or signatures that do not appear to match other documents);
         (c)   Identifying information presented that is the same as information that is included on applications that are known to be fraudulent (such as a name or Social Security number that has been identified as being fraudulent on other prior applications received for various applicants);
         (d)   Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
         (e)   Identifying information presented, such as a Social Security number, phone number or address that is the same as one given by another customer; and
         (f)   Failing to provide complete personal identifying information on an application when reminded to do so.
      (3)   Unusual use or suspicious activity of covered account.
         (a)   Change of billing address for an account followed by a request to change the account holder’s name or add other authorized user(s) on the account;
         (b)   Payments stop on an otherwise consistently up-to-date account;
         (c)   Account used in a way that is not consistent with prior use (such as very high activity);
         (d)   Change of payment method where payment is charged to an individual not listed on the account;
         (e)   Mail sent to the account holder is repeatedly returned as undeliverable;
         (f)   Notice to the Department that a customer is not receiving mail sent by the Department;
         (g)   Notice to the Department that an account has unauthorized activity;
         (h)   Breach in the Department computer system security; and
         (i)   Unauthorized access to or use of customer account information.
      (4)   Alerts from others or past history in incidents of identity theft.
         (a)   Notice to the Department from a customer, a victim of identity theft, a law enforcement authority or other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft;
         (b)   Checks returned for insufficient funds or credit card payments or EFTs that are declined, especially when a pattern is noticed or following a change in method of payment; and
         (c)   Past experiences the Department has had regarding incidents of identity theft, when similar patterns or events are noticed by the town.
(Res. 2011-04, passed 3-14-2011)
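A screening routine for the indicators above, added here as an illustration and not part of the resolution: it applies the “always invalid” Social Security number tests of § 36.033(B)(1)(e), the shared-identifier test of § 36.033(B)(2)(e) and the required application fields of § 36.034(A) to a new application and returns the red flags raised, which staff would then report under § 36.035(A). The `Customer` record layout, the flag labels and the sample customers are assumptions for the example. One caveat a reviewer should carry into the annual program review: the 772–800 area-number test reflects SSA assignment practice when the resolution passed; since SSA randomization in June 2011, area numbers 773–899 can be issued, so that test now produces false positives, while 000, 666 and 900–999 remain unassignable.

```python
"""Red-flag screening for a utility account application.

Added illustration of §36.033(B)(1)(e) (always-invalid SSNs),
§36.033(B)(2)(e) (identifiers shared with another customer) and the
required fields of §36.034(A). Not part of the resolution; the Customer
record layout, field names, flag labels and sample data are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def digits(s: str) -> str:
    """Keep only digits so '555-010-0100' and '(555) 010 0100' compare equal."""
    return re.sub(r"\D", "", s)


def ssn_red_flags(ssn: str) -> list[str]:
    """Structural checks from §36.033(B)(1)(e). Returns the flags raised;
    an empty list means only that the number is not *always* invalid, not
    that it belongs to the applicant.

    Caveat: the 772-800 test reflects SSA assignment practice at the time
    the resolution passed. Since SSA randomization (June 2011) area numbers
    773-899 can be issued, so that test now yields false positives; 000,
    666 and 900-999 remain unassignable.
    """
    m = SSN_RE.match(ssn.strip())
    if not m:
        return ["ssn_malformed"]
    area, group, serial = m.groups()
    a = int(area)
    flags: list[str] = []
    if 772 <= a <= 800 or 900 <= a <= 999:
        flags.append("ssn_area_772_800_or_900s")
    if a == 666:
        flags.append("ssn_area_666")
    if a == 0 or group == "00" or serial == "0000":
        flags.append("ssn_zero_field")
    return flags


@dataclass
class Customer:
    account: str        # assumed account-number format, e.g. "UB-1001"
    name: str
    phone: str
    address: str
    ssn: str


REQUIRED = ("name", "phone", "address", "ssn")   # §36.034(A)(1)-(4)


def shared_identifier_flags(app: Customer, existing: list[Customer]) -> list[str]:
    """§36.033(B)(2)(e): SSN, phone or address already on another account.
    An address match is weak evidence for a utility (a new tenant at a prior
    customer's service address is routine), so it is reported for staff
    review rather than treated as decisive."""
    flags: list[str] = []
    for c in existing:
        if c.account == app.account:
            continue
        if digits(c.ssn) == digits(app.ssn):
            flags.append(f"ssn_shared_with:{c.account}")
        if digits(c.phone) == digits(app.phone):
            flags.append(f"phone_shared_with:{c.account}")
        if " ".join(c.address.upper().split()) == " ".join(app.address.upper().split()):
            flags.append(f"address_shared_with:{c.account}")
    return flags


def screen_application(app: Customer, existing: list[Customer]) -> list[str]:
    """Run every check; a non-empty result is reported to the Program
    Administrator per §36.035(A)(1)."""
    flags = [f"missing_{f}" for f in REQUIRED if not getattr(app, f).strip()]
    if app.ssn.strip():
        flags += ssn_red_flags(app.ssn)
    flags += shared_identifier_flags(app, existing)
    return flags


# Constructed sample data; not real customers.
EXISTING = [
    Customer("UB-1001", "Alice Example", "(555) 010-0100", "12 Main St", "123-45-6789"),
    Customer("UB-1002", "Bob Example", "555-010-0200", "40 Oak Ave", "987-65-4321"),
]
APPLICANT = Customer("NEW", "Carol Example", "5550100100", "12  main st", "666-12-3456")

if __name__ == "__main__":
    for flag in screen_application(APPLICANT, EXISTING):
        print(flag)
```

The sample applicant trips three flags: an area number of 666, and a phone number and service address already on account UB-1001. The routine deliberately normalizes phone numbers and addresses before comparing, because an applicant reusing another customer’s details rarely types them in exactly the same form.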
§ 36.034 DETECTING RED FLAGS.
   The Department hereby establishes the following procedures to assist in detecting red flags in connection with the opening of covered accounts and existing covered accounts.
   (A)   New accounts. New accounts may be opened in person, by fax, by mail or by phone. In all cases, a potential customer must submit all of the following information:
      (1)   Full legal name;
      (2)   Telephone number;
      (3)   Mailing address;
      (4)   Social Security number; and
      (5)   If the service address is a rental property, confirmation that the applicant is named on the lease.
   (B)   Existing accounts. When handling a transaction regarding an existing account, the Department staff will take the following steps to monitor transactions with an account in order to detect possible red flags as listed above:
      (1)   Verify the identification of customers if they request information (in person, via telephone, via facsimile or via e-mail);
      (2)   Verify the validity of requests to change billing addresses; and
      (3)   Verify changes in banking and credit card information given for billing and payment purposes.
(Res. 2011-04, passed 3-14-2011)
§ 36.035 RESPONDING TO RED FLAGS.
   In the event a town employee detects any identified red flags, the employee shall respond by taking one or more of the following steps to investigate, prevent and mitigate possible identity theft, depending on the degree of risk posed by the red flag.
   (A)   Investigate, prevent and mitigate identity theft.
      (1)   Upon detecting a red flag, employees must take the following action:
         (a)   Gather relevant documentation regarding the suspect covered account;
         (b)   Report the identified red flag to the Program Administrator;
         (c)   Contact the customer with the covered account; and
         (d)   Assist Program Administrator in investigating the red flag issue.
      (2)   After receiving a red flag report, the Program Administrator may take one or more of the following actions as warranted under the particular circumstances in the discretion of the Program Administrator:
         (a)   Monitor a covered account for evidence of identity theft;
         (b)   Change any passwords or other security codes and devices that permit access to a covered account;
         (c)   Close the existing covered account;
         (d)   Open a new covered account with a new number;
         (e)   Put a hold on attempting to collect payment on a covered account; and/or
         (f)   Notify the Town Police Department.
   (B)   Ongoing protection of customer identifying information. The Department shall take the following steps with respect to its internal operating procedures in order to take an active role in the ongoing protection of customer identifying information from identity theft.
      (1)   Paper documents.
         (a)   Storage. Documents containing customer identifying information must be stored in locked file cabinets contained within a locked room except when an employee is working on the file. Only specially identified employees with a legitimate need shall have keys or swipe cards to the file cabinets and storage room.
         (b)   Use of documents. Department employees must not leave documents containing customer identifying information out on their desks when they are away from their workstations. Department employees must store documents containing customer identifying information in locked areas when leaving their work areas.
      (2)   Computers and electronic media.
         (a)   Passwords. All computers must be set to require passwords. Each employee must have a unique username and password, and the password must not be the same as the username; neither shall be posted at his or her workstation. When new software is installed, the default passwords must be changed. Department employees must log off their computers when leaving their workstations, and computer screens must be set to lock after a set period of time.
         (b)   Firewalls and anti-virus. The town’s website and network systems must be secured with adequate firewalls and regularly updated anti-virus and anti-theft software. Anti-virus and anti-spyware programs must be run on the server daily. The town’s website must provide clear notice to customers that the website is not a “secure” website.
      (3)   Destruction of documents and other media.
         (a)   Paper records. All paper records containing customer identifying information that are designated for disposal must be shredded before being placed into a trash bin. A paper shredder or shredding bin provided by a shredding company must be located in each department containing customer identifying information.
         (b)   Other media. Any other data storage media containing customer identifying information that are designated for disposal must be destroyed by shredding, hole punching or incineration.
      (4)   Visitors and access.
         (a)   Access. Department employees must lock office doors when leaving their work areas. Access to any offsite facilities is limited to Department employees with a legitimate business need.
         (b)   Visitors. Visitors who enter any area where records containing customer identifying information are kept must be escorted by an authorized Department employee. No visitor shall be given any entry code, key or swipe card, or allowed unescorted access to any such area.
      (5)   Employment practices.
         (a)   New hires. Before hiring any new employee who will have access to customer identifying information, the Human Resource Department must first complete a reference and background check of such potential employee. All employees must also sign an agreement to follow the town’s confidentiality and security standards for handling customer identifying information.
         (b)   Exit requirements. If an employee leaves the Department’s employ or is reassigned duties that no longer require access to customer identifying information, the employee must return all keys and swipe cards to the Program Administrator. Immediately upon the employee’s departure or reassignment, the Program Administrator shall ensure that all of such employee’s passwords allowing access to customer identifying information are changed.
         (c)   Policy violations. Any employee who violates this identity theft prevention program and any security policy or procedure adopted hereunder will be subject to immediate discipline, which may include dismissal.
(Res. 2011-04, passed 3-14-2011)
§ 36.036 PROGRAM EVALUATION AND REVISIONS.
   The Program Administrator and the Town Council will at least annually evaluate and revise the program to reflect changes in risks to covered accounts and to the safety and soundness of the town from identity theft. The annual program review and evaluation process shall consider the town’s experiences with identity theft, changes in identity theft detection and prevention methods, changes in the types of accounts that the town maintains and changes in the town’s business arrangements with other entities and service providers. Following the review and consideration of those factors, the Program Administrator shall revise the program as necessary. If warranted, the Program Administrator shall update and implement the revised program and obtain Town Council approval of such changes.
(Res. 2011-04, passed 3-14-2011)