APPENDIX A: IDENTITY THEFT PREVENTION PROGRAM AND POLICIES
   (1)   Purpose. To ensure the city has a program in place to identify, detect, prevent, diminish and respond to identity theft in connection with the opening of water accounts or any other accounts and to establish written procedures for security and storing of personal information, pursuant to the Identity Theft Red Flags Regulation implemented pursuant to § 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2008.
   (2)   Application. This policy applies to all city employees and service providers that have access to personal information for customers of the Utility Billing Department, regardless of medium.
   (3)   Definitions.
      IDENTITY THEFT. A fraud committed using the identifying information of another person.
      IDENTIFYING INFORMATION. Any name or number that may be used alone or with any other information to identify a specific person (includes name, social security number, date of birth, alien registration number, government passport and employer/tax identification number).
      RED FLAGS. A pattern, practice or specific activity that indicates the possible risk of identity theft.
   (4)   Policy.
      (A)   Red flags alert. When opening new accounts, staff needs to carefully scrutinize documents submitted for identification or proof of residency for red flags such as:
         1.   Documents provided for identification appear to be altered or forged;
         2.   The photograph or physical description on the identification is not consistent with the appearance of the customer requesting service;
         3.   Other information on the identification is not consistent with information provided by the person requesting service;
         4.   Other information is not consistent with information that is on file (i.e. previous application submitted with driver’s license);
         5.   Lease or deed submitted as proof of residency appears to be altered or forged;
         6.   Personal information submitted is associated with known fraudulent activity;
         7.   The social security number is the same as another customer’s;
         8.   Notification of a chargeback received from the bank;
         9.   New account requested immediately after disconnection for non-payment;
         10.   Report of fraud accompanying a consumer credit report;
         11.   Notice or report from a consumer credit agency of a credit freeze on a customer or applicant;
         12.   Notice or report from a consumer credit reporting agency of an active duty alert for an applicant;
         13.   Indication from a consumer credit report of activity that is inconsistent with a customer’s usual pattern of activity;
         14.   Change of address for an account followed by a request to change the account holder’s name;
         15.   Payments stop on an otherwise consistently up-to-date account;
         16.   Mail sent to the account holder that is repeatedly returned as undeliverable;
         17.   Notice to the Utility that a customer is not receiving mail sent by the Utility;
         18.   Notice to the Utility that an account has unauthorized activity;
         19.   Breach in the Utility’s computer system security;
         20.   Unauthorized access to or use of customer account information; and/or
         21.   Notice to the Utility from a customer, identity theft victim, fraud detection service, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft.
      (B)   New account application.
         1.   To ensure proper identification verification, effective March 1, 2009, all requests for new service must be completed in person.
         2.   Applicants must show a government issued photo ID (or two forms of picture identification) in person to initiate service.
         3.   Applications may be submitted by fax, e-mail or mail, but will not be processed until proper identification verification is completed in person.
         4.   Applications must be completed by the person seeking to open an account. The name on the application must match the submitted identification and lease agreement/deed.
         5.   The city reserves the right to refuse service in the event of inability to provide sufficient identification.
      (C)   Credit card transactions. The city accepts credit card payments via service vendor official payments. Customers paying with a credit card must show valid identification that matches the name and/or address on the credit card.
      (D)   Data security and storage.
         1.   Employees and confidentiality. Employees are required to maintain a high level of confidentiality as it relates to utility customers’ personal information. Release of information is limited to the account holder(s) or as permitted by law. Customers are given the opportunity to indicate if they wish their account information to be kept confidential.
         2.   Access into the billing system. Access into the billing system requires a user name assigned by the System Administrator. A password is also required, which is determined by the user and is CJIS (Criminal Justice Information Systems) compliant based on the city’s IT Security Policy that has been implemented. The system will permit three sign-on attempts and then will temporarily disable the password. Upon termination, employee passwords are immediately disabled.
         3.   Disclosure of personal information. Personal information is, or could be, used as a means of identification, for internal verification or administration purposes, for credit checks and for debt collection purposes. Information submitted to the city’s debt collection agency is on file in the Utility Billing office.
         4.   Data storage. Hard copy information is stored in filing cabinets in the Utility Billing office. The office is monitored by security cameras and locked doors. Cash receipt information is stored in the locked safe and account storage areas.
      (E)   Data retention/access.
         1.   Records are disposed of in accordance with state and federal law including the local records retention schedule issued by the Texas State Library and Archives Commission and City Code.
         2.   All city records are subject to the Texas Public Information Act. Requests for information that falls within confidentiality conditions are forwarded to the Attorney General’s office for an official ruling for the information to be withheld.
      (F)   Identity theft notification. A zero tolerance policy is in effect for all fraudulent transactions pertaining to the Utility Billing Department. Once written notification and verification of fraudulent activity is received from a customer, banking institution and/or collection agency, the Utility Billing Department will:
         1.   Proceed with notating and taking corrective actions on the account;
         2.   Gather all pertinent information that is available; and
         3.   Immediately contact the Police Department to initiate a criminal investigation.
      (G)   Periodic review and reporting. The City Manager will conduct an annual review of the current policy to determine the existence of any fraudulent activity. The City Manager shall approve any recommended changes in policy.
(Ord. 102-09, passed 2-17-09)