R-10417 City Council Meeting 07-14-2009
Santa Monica, California
RESOLUTION NUMBER 10417 (CCS)
(City Council Series)
A RESOLUTION OF THE CITY COUNCIL
OF THE CITY OF SANTA MONICA ESTABLISHING AN
IDENTITY THEFT PREVENTION PROGRAM
WHEREAS, pursuant to Section 114 of the Fair and Accurate Credit
Transactions (FACT) Act of 2003 (15 U.S.C. §§ 1681 et seq.), the Federal Trade
Commission (FTC) and other federal agencies are required to issue regulations and
guidelines regarding the detection, prevention and mitigation of identity theft; and
WHEREAS, in accordance with the FACT Act, the FTC adopted the Red Flags
Rule (16 C.F.R. pt. 681), which requires financial institutions and creditors that offer or
maintain covered accounts to develop and implement a written identity theft prevention
program; and
WHEREAS, local government entities that defer payment for goods or services
are considered creditors under the Red Flags Rule; and
WHEREAS, a covered account is defined as an account used primarily for
personal, family or household purposes and that involves or is designed to permit
multiple payments or transactions, or an account used for personal, family or business
purposes for which there is a reasonably foreseeable risk of identity theft; and
WHEREAS, the City of Santa Monica's Public Works Department, in conjunction
with the Finance Department, provides water, sewer and refuse services to customers
and defers payment for such utility services, and is therefore considered a creditor that
offers and maintains covered accounts, and accordingly, must implement a written
identity theft prevention program in compliance with the Red Flags Rule; and
WHEREAS, the Community Recreation Division of the City of Santa Monica's
Community and Cultural Services Department in offering the use of its recreational
facilities to customers and deferring payment for such services, is considered a creditor
that offers and maintains covered accounts and therefore, must implement a written
identity theft prevention program in compliance with the Red Flags Rule; and
WHEREAS, the City of Santa Monica's Housing and Economic Development
Department in administering loan programs under which loans are provided to
customers and maintaining accounts for the repayment of such loans, is considered a
creditor that offers and maintains covered accounts and therefore, must implement a
written identity theft prevention program in compliance with the Red Flags Rule; and
WHEREAS, based on the requirements of the Red Flags Rule, City staff has
drafted an Identity Theft Prevention Program to be implemented by the foregoing City
departments and divisions; and
WHEREAS, based on the foregoing, the City Council finds that it is mandatory for
the City to adopt and implement an Identity Theft Prevention Program;
NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF SANTA MONICA
DOES RESOLVE AS FOLLOWS:
SECTION 1. Adoption of Identity Theft Prevention Program. The City Council
hereby approves and adopts, and requires that the City departments that offer or
maintain covered accounts and defer payment for goods and services on those covered
accounts comply with the Identity Theft Prevention Program set forth in Exhibit A,
attached hereto and incorporated by reference.
SECTION 2. Effective Date. The Identity Theft Prevention Program shall
become effective as of the date of adoption of this Resolution.
SECTION 3. The City Clerk shall certify to the adoption of this Resolution, and
thenceforth and thereafter the same shall be in full force and effect.
APPROVED AS TO FORM:
MARSHA JONES MOUTRIE
City Attorney
EXHIBIT A
City of Santa Monica Identity Theft Prevention Program
1. PURPOSE
The purpose of this Identity Theft Prevention Program ("Program") is to comply
with 16 C.F.R. § 681.2 by identifying patterns, practices and specific activities that
indicate the possible existence of identity theft; and taking steps to detect, prevent and
mitigate the occurrence of identity theft. This Program is intended to supplement and
strengthen the City's existing internal operating procedures with respect to maintaining
the confidentiality of customer information, verifying customer identities and securing
the City's software systems used to manage covered accounts.
2. DEFINITIONS
For purposes of the Program, the following words and phrases shall have the
following meanings:
(a) "Covered account" includes:
(i) A new or existing account that the City offers or maintains to
individuals and entities primarily for personal, family or household
purposes, or that involves or is designed to permit multiple
payments or transactions; and
(ii) Any other new or existing account that the City offers or maintains
to individuals and entities primarily for personal, family or business
purposes, for which there is a reasonably foreseeable risk to
customers or to the safety and soundness of the City from identity
theft, including operational, compliance, reputation or litigation
risks.
(b) "Creditor" includes the City or any other entity that regularly extends,
renews or continues credit; or arranges for the extension, renewal or
continuation of credit; and includes the assignee of an original creditor
who is involved in the decision to extend, renew or continue credit.
(c) "Customer" includes an individual person or an entity that opens a new or
has an existing covered account with the City.
(d) "Identifying information" includes any name or number used alone or in
conjunction with other information to identify an individual person or entity.
(e) "Identity theft" means a fraud attempted or committed using the identifying
information of another person or entity without permission.
(f) "Red flag" includes any pattern, practice, or specific activity that indicates
the possible existence of identity theft.
(g) "Service provider" includes a person or entity that provides a service
directly to the creditor.
3. THE PROGRAM
Those City departments, including but not limited to the Finance Department, the
Water Resources Division of the Public Works Department, the Community Recreation
Division of the Community and Cultural Services Department, and the Housing and
Economic Development Department, and those City employees responsible for
opening, maintaining or restoring of covered accounts; verifying or maintaining any
identifying information in connection with covered accounts; accepting or processing
payments on covered accounts; or who are otherwise involved in transactions occurring
on or have access to covered accounts, shall implement this Program as set forth
below.
This Program is applicable but not limited to the following covered accounts:
(a) Utility (water, sewer, refuse) accounts;
(b) Customer accounts for Santa Monica City College and community
organizations and individuals for the use of City recreational facilities; and
(c) TORCA, MERL, and Rental Rehabilitation Loan Program accounts.
(i) Notwithstanding the above, the Housing and Economic
Development Department has conducted a risk assessment
regarding the risk of identity theft with respect to covered accounts
for other housing and redevelopment loan programs under which
loans are made to corporate entities. Considering the complexity of
the loan process and that all information regarding such loans are
of public record, it has been determined that there is minimal or no
risk of identity theft such that the Program would not be practicable
in application to those covered accounts.
4. RED FLAGS
Employees shall check for the following red flags to the extent applicable:
(a) Suspicious documents
(i) Documents provided for identification appear altered, forged,
invalid, or otherwise inauthentic;
(ii) The photograph or physical description on the identification is not
consistent with the appearance of the applicant or customer
presenting the identification;
(iii) Other information on the document is not consistent with the
information provided by the applicant or customer;
(iv) Other information on the document is not consistent with the
information that is already on file for the customer; and
(v) The application appears altered, forged, or destroyed and
reassembled.
(b) Suspicious identifying information
(i) Identifying information presented by the applicant or customer is
inconsistent when compared to the same information from external
sources, such as:
(A) The address provided does not match any address listed in
a consumer credit report or other documentation;
(B) The Social Security Number provided has not been issued or
is listed on the Social Security Administration's Death Master
File;
(C) Inconsistent birth dates; or
(D) Inconsistent driver's license numbers.
(ii) Identifying information presented by the applicant or customer is
inconsistent with other information provided by the applicant or
customer, such as:
(A) The Social Security Number provided does not correlate to
the range and date of birth.
(iii) Identifying information presented by the applicant or customer is
associated with or commonly known to be associated with
fraudulent activity, such as:
(A) The address provided is fictitious, a mail drop, or a prison;
(B) The telephone number provided is invalid, or is associated
with a pager or answer service; or
(C) The business license number provided is fictitious or invalid.
(iv) Identifying information presented by an applicant or customer is the
same or similar to that of other applicants or customers, such as:
(A) The Social Security Number provided is the same as that of
other applicants or customers;
(B) The address or telephone number provided is the same or
similar to that provided by other applicants or customers; or
(C) The business license number provided is the same as that of
another applicant or customer.
(v) The applicant fails to provide all identifying information required on
the application when reminded to do so (with the exception being
that by law, Social Security Numbers must not be required); and
(vi) Identifying information presented by a customer is inconsistent with
identifying information on file for that customer.
(c) Unusual or suspicious activities
(i) A change of address for an account is shortly followed by a request
for a change to the account holder's name or the addition of
authorized users on the account;
(ii) The account is used in a manner that is not consistent with
established patterns of activity on the account, such as:
(A) Late payments or nonpayment when there is no history of
late or missed payments;
(B) A customer makes the first payment on a new account but
fails to make any subsequent payments; or
(C) A material change in pattern of usage;
(iii) Mail sent to the customer is repeatedly returned as undeliverable
while customer's account remains active in usage;
(iv) Notice that the customer is not receiving mail sent by the City;
(v) Notice that a customer's account has unauthorized activity;
(vi) A breach in security of the computer system used to maintain
customer account information, including the Online Account
Management system for utility services;
(vii) A breach in security of the filing systems used to maintain paper
documentation of customer account information;
(viii) Notice of unauthorized access to or use of customer account
information; and
(ix) Notice that an account has been opened for a person engaged in
identity theft.
(d) Notices from customers, victims of identity theft, law enforcement
authorities or other persons regarding possible identity theft.
5. DETECTION OF RED FLAGS
Employees shall take the following steps to the extent applicable to detect
whether a red flag or a combination of red flags indicating possible identity theft exists:
(a) Opening new covered accounts
(i) Obtain identifying information to the extent necessary and
practicable to verify the identity of the applicant;
(ii) Obtain copies of applicable documents to verify the identifying
information presented by the applicant, such as a valid driver's
license or a City-issued business license;
(iii) Review identifying information and documents for red flags; and
(iv) If the applicant submits an application other than in-person, contact
the applicant to verify identifying information.
(b) Maintaining existing covered accounts
(i) Verify to the extent reasonable and practicable the identity of each
customer requesting account information;
(ii) Require the customer to verify identifying information on file for that
customer's covered account for any transactions;
(iii) Monitor and track activities on covered accounts to detect any red
flags; and
(iv) Verify the validity of any requests to change the address, billing
information, account holder's name, or authorized users on the
account by contacting the customer and by comparing identifying
information provided in such requests to identifying information on
file for the customer.
6. PREVENT AND MITIGATE IDENTITY THEFT: RESPONSES TO RED FLAGS
In the event that an employee detects a red flag or combination of red flags on a
covered account, the employee shall use his or her discretion to determine whether
such red flag(s) pose a risk of identity theft, and take one or more of the responses
below, commensurate with the risk of identity theft presented. The response(s) taken
shall be reported to the appropriate Director or Manager (i.e., the Finance Director,
Water Resources Manager, Community Recreation Manager, or Housing Manager.)
In the event that the Director or Manager determines in his or her discretion that
additional or different responses are warranted, the employee shall undertake such
additional or different responses. All responses or no response and the results or
resolution thereof shall be included in the annual report required under Section 8(b)
below.
(a) Monitor the customer's account for evidence of identity theft;
(b) Contact the customer;
(c) Change the customer's account number, password, security codes or
other security devices that permit either employee or customer access to
the account;
(i) Change the customer's PIN number for the Online Account
Management system for utility services; or
(ii) Change the customer's e-mail address that is linked to the Online
Account Management system for utility services.
(d) Deactivate or close the customer's account;
(e) Cease attempts to collect payment on a covered account and decline to
sell a covered account to a debt collector in the event of unauthorized
access to the account that has caused additional charges to accrue;
(f) Notify law enforcement;
(g) Determine that no response is warranted under the circumstances
presented; or
(h) Take any other appropriate action to prevent or mitigate identity theft.
To further prevent identity theft, employees shall take the following steps with
respect to internal operating procedures:
(a) Ensure that office computers are password-protected and that computers
lock after a set period of time;
(b) Keep papers containing customers' account and identifying information
confidential and in a secure and locked place, out of public view;
(c) Ensure that computer virus protection is up to date;
(d) Ensure complete and secure destruction, as appropriate, of paper
documents and computer files containing customers' account and
identifying information; and
(e) Restrict access to customers' account and identifying information to
authorized personnel and on a "need to know" basis.
7. UPDATING THE PROGRAM
The Director or Manager of those City departments with covered accounts,
including but not limited to the Finance Director, Water Resources Manager, Community
Recreation Manager, and Housing Manager, shall, upon receipt of the annual report
described in Section 8(b) below, conduct an annual review and submit to the City
Attorney recommended updates to the Program as necessary to reflect changes in risks
to customers and to the safety and soundness of the City from identity theft. The
Program shall be updated based on a consideration of the following factors:
(a) The City's experiences with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods used to detect, prevent and mitigate identity theft;
(d) Changes in the types of covered accounts offered or maintained; and
(e) Changes in the organization or process of City operations, or the
implementation of new systems, new service provider agreements or the
use of consumer credit reports.
8. ADMINISTRATION OF THE PROGRAM
The Director or Manager shall be responsible for the overall implementation and
administration of the Program, as provided below:
(a) Oversight. The Director or Manager will provide ongoing oversight to
ensure that the Program is being followed and is effective, including taking
the following measures:
(i) Assign specific duties regarding the Program's development,
implementation and administration to staff;
(ii) Review reports prepared by staff regarding compliance with the
Red Flags Rule and the Program; and
(iii) Approve changes and updates to the Program, in conjunction with
the City Attorney, as necessary to address incidents involving
identity theft and changes in the risks of identity theft.
(b) Annual reports. A designated employee at senior management level will
submit an annual report to the Director or Manager. The report will
address material matters and evaluate any issues related to the Program,
including but not limited to the following:
(i) The effectiveness of the Program in detecting, preventing and
mitigating identity theft;
(ii) Documentation of any significant incidents involving identity theft
and the steps taken in response;
(iii) Items for consideration in updating the Program; and
(iv) Recommendations for any material changes to the Program.
The annual report shall be completed for the annual review and update of
the Program as set forth in Section 7 above.
(c) Training. The Director or Manager is responsible for providing training on
the Program to all employees whose job responsibilities are related to
covered accounts. The Director or Manager shall in his or her discretion
determine the level and substance of training necessary for the effective
implementation of the Program.
9. THIRD PARTY SERVICE PROVIDERS
Where the City engages a third party service provider to perform activities in
connection with covered accounts, the Director or Manager shall review such
arrangements to ensure either that (1) the service provider's activities are conducted in
accordance with the Program, or that (2) the service provider has policies and
procedures in place substantially similar to the Program to detect, prevent and mitigate
identity theft that may arise out of the performance of the service provider's activities
with respect to the covered accounts.
10. NOTICE OF ADDRESS DISCREPANCIES
The City currently does not utilize consumer credit reports from consumer
reporting agencies. Accordingly, the City has determined that compliance with the
FTC's Rule for Notices of Address Discrepancy under 16 C.F.R. § 681.1, implementing
Section 315 of the FACT Act, is not presently required. In the event that the City
decides to use consumer credit reports, the City department(s) utilizing such reports, in
conjunction with the City Attorney, shall develop policies and procedures relating to the
receipt of a notice of address discrepancy from a consumer reporting agency. The
notice of address discrepancy policies and procedures are subject to City Council
approval, and shall thereupon be incorporated into the Program.
Adopted and approved this 14th day of July, 2009.
Ken Genser, Mayor
I, Maria Stewart, City Clerk of the City of Santa Monica, do hereby certify that the
foregoing Resolution No. 10417 (CCS) was duly adopted at a meeting of the Santa
Monica City Council held on the 14th day of July, 2009, by the following vote:
Ayes: Council members: Bloom, Davis, Holbrook
Mayor Genser, Mayor Pro Tem O'Connor
Noes: Council members: None
Abstain: Council members: None
Absent: Council members: McKeown, Shriver
ATTEST:
Maria Stewart, City Clerk