(A) Purpose. This plan is intended to identify red flags that will alert town employees when new or existing accounts are opened using false information, protect against the establishment of false accounts, establish methods to ensure existing accounts were not opened using false information, and establish a method to respond to such actions.
(B) Responsible party. The management person responsible for this plan is the Clerk-Treasurer.
(C) Risk assessment. The town Municipal Utilities has conducted an internal risk assessment to evaluate the extent to which current procedures are at risk of allowing customers to create a fraudulent account and to evaluate whether current (existing) accounts are being manipulated. This risk assessment evaluated how new accounts were opened and the methods used to access the account information. Using this information, the Office of Municipal Utilities was able to identify red flags that were appropriate to prevent identity theft.
(1) New accounts opened in person.
(2) Account information accessed in person.
(3) Credit, past utility information required.
(4) Social security number required.
(5) Contact information required other than landlord or person at same address.
(6) Photo ID required if not known to staff.
(D) Detection. The town Municipal Utilities adopts the following red flags to detect potential fraud. These are not intended to be all-inclusive as all other suspicious activity may be investigated as necessary.
(1) Identification documents appear to be altered.
(2) Photo and physical appearance do not match applicant.
(3) Information is inconsistent with other information provided by applicant.
(4) Information is inconsistent with other information which is on file.
(5) Application is altered or reassembled prior to submission.
(6) Personal information provided by applicant does not match other sources of information (driver’s license information, employee knowledge of applicant, and the like).
(7) Information provided is associated with known fraudulent activity (e.g., address or phone number provided is same as that of a fraudulent application).
(8) Information commonly associated with fraudulent activity is provided by applicant (e.g., non-working phone number, answering service or pager number).
(9) Social security number, address, or telephone number is same as that of another customer of the Utilities.
(10) Customer fails to provide all information requested.
(11) Personal information provided is inconsistent with information on file or information known to the employee.
(12) Applicant cannot provide information requested beyond what could commonly be found in a purse or wallet.
(13) Report of identity theft is reported or discovered.
(E) Response. Any employee that may suspect fraud or detect a red flag will implement the following response as applicable. All detections or suspicious red flags shall be reported to the Clerk-Treasurer.
(1) Request applicant to supply further documentation (e.g., driver’s license number).
(2) Refuse to open account.
(3) Close the account.
(4) Any utility employee who becomes aware of a suspected or actual fraudulent use of a customer or potential customer’s identity must notify the Clerk-Treasurer.
(5) Notify law enforcement. The Utility will notify the Town Marshal of any attempted or actual identity theft.
(6) Employers are required to notify the Clerk-Treasurer immediately if a potential security breach is identified (e.g., stolen equipment, phishing, and the like).
(F) Personal information security procedures. The town Municipal Utilities adopts the following security procedures.
(1) Employees shall not leave sensitive papers out on desks when away from the workplace.
(2) Employees shall log off computers when leaving the workplace.
(3) Any sensitive information shipped will be shipped using a shipping service that allows tracking of delivery.
(4) No visitor will be given entry codes or allowed unescorted access to office.
(5) Access to information will be protected by passwords which shall be changed every 30 days.
(6) User names and passwords shall be different.
(7) User names and passwords shall not be written or posted at workstation at any time.
(8) Password-activated screen savers will be used to lock computers after a period of inactivity.
(9) User names and passwords shall be known to employees only, not to vendors.
(10) All user names, passwords and/or other security measures, as necessary, shall be changed upon transfer or termination of employment for any reason.
(11) Personal identifying information shall not be sent by e-mail.
(12) Anti-virus and anti-spyware programs shall be installed and kept current.
(13) Laptop users shall not store sensitive information on the unit.
(14) The computer network will have a firewall.
(15) Any wireless network will be installed with security codes.
(16) References or background checks shall be done before hiring employees who will have access to sensitive information.
(17) New employees shall sign an agreement of confidentiality and security standards.
(18) Access to a customer’s identity shall be limited to a need-to-know basis.
(19) Paper records shall be shredded if identity information is present.
(20) Paper shredders shall be available at each desk in the office.
(21) Any data storage media will be disposed of by shredding, punching holes, or incineration.
(G) Annual review. This policy shall be reviewed on an annual basis but at all times shall be subject to review and amendment as needed. Amendment to this policy must follow the same procedure as is used in amendment to any portion of the Town Code or policy.
(Res. 1-2009, passed 3-23-09)
Cross-reference:
Public utilities generally, see Chapter 50