R-10417
City Council Meeting 07-14-2009
Santa Monica, California

RESOLUTION NUMBER 10417 (CCS)
(City Council Series)

A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SANTA MONICA ESTABLISHING AN IDENTITY THEFT PREVENTION PROGRAM

WHEREAS, pursuant to Section 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2003 (15 U.S.C. §§ 1681 et seq.), the Federal Trade Commission (FTC) and other federal agencies are required to issue regulations and guidelines regarding the detection, prevention and mitigation of identity theft; and

WHEREAS, in accordance with the FACT Act, the FTC adopted the Red Flags Rule (16 C.F.R. pt. 681), which requires financial institutions and creditors that offer or maintain covered accounts to develop and implement a written identity theft prevention program; and

WHEREAS, local government entities that defer payment for goods or services are considered creditors under the Red Flags Rule; and

WHEREAS, a covered account is defined as an account used primarily for personal, family or household purposes and that involves or is designed to permit multiple payments or transactions, or an account used for personal, family or business purposes for which there is a reasonably foreseeable risk of identity theft; and

WHEREAS, the City of Santa Monica's Public Works Department, in conjunction with the Finance Department, provides water, sewer and refuse services to customers and defers payment for such utility services, and is therefore considered a creditor that offers and maintains covered accounts, and accordingly, must implement a written identity theft prevention program in compliance with the Red Flags Rule; and

WHEREAS, the Community Recreation Division of the City of Santa Monica's Community and Cultural Services Department in offering the use of its recreational facilities to customers and deferring payment for such services, is considered a creditor that offers and maintains covered accounts and therefore, must implement a written identity theft prevention program in compliance with the Red Flags Rule; and

WHEREAS, the City of Santa Monica's Housing and Economic Development Department in administering loan programs under which loans are provided to customers and maintaining accounts for the repayment of such loans, is considered a creditor that offers and maintains covered accounts and therefore, must implement a written identity theft prevention program in compliance with the Red Flags Rule; and

WHEREAS, based on the requirements of the Red Flags Rule, City staff has drafted an Identity Theft Prevention Program to be implemented by the foregoing City departments and divisions; and

WHEREAS, based on the foregoing, the City Council finds that it is mandatory for the City to adopt and implement an Identity Theft Prevention Program;

NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF SANTA MONICA DOES RESOLVE AS FOLLOWS:

SECTION 1. Adoption of Identity Theft Prevention Program. The City Council hereby approves and adopts, and requires that the City departments that offer or maintain covered accounts and defer payment for goods and services on those covered accounts comply with the Identity Theft Prevention Program set forth in Exhibit A, attached hereto and incorporated by reference.

SECTION 2. Effective Date. The Identity Theft Prevention Program shall become effective as of the date of adoption of this Resolution.

SECTION 3. The City Clerk shall certify to the adoption of this Resolution, and thenceforth and thereafter the same shall be in full force and effect.

APPROVED AS TO FORM:
MARSHA JONES MOUTRIE, City Attorney

EXHIBIT A

City of Santa Monica Identity Theft Prevention Program

1. PURPOSE

The purpose of this Identity Theft Prevention Program ("Program") is to comply with 16 C.F.R. § 681.2 by identifying patterns, practices and specific activities that indicate the possible existence of identity theft; and taking steps to detect, prevent and mitigate the occurrence of identity theft.
This Program is intended to supplement and strengthen the City's existing internal operating procedures with respect to maintaining the confidentiality of customer information, verifying customer identities and securing the City's software systems used to manage covered accounts.

2. DEFINITIONS

For purposes of the Program, the following words and phrases shall have the following meanings:

(a) "Covered account" includes:
(i) A new or existing account that the City offers or maintains to individuals and entities primarily for personal, family or household purposes, or that involves or is designed to permit multiple payments or transactions; and
(ii) Any other new or existing account that the City offers or maintains to individuals and entities primarily for personal, family or business purposes, for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the City from identity theft, including operational, compliance, reputation or litigation risks.
(b) "Creditor" includes the City or any other entity that regularly extends, renews or continues credit; or arranges for the extension, renewal or continuation of credit; and includes the assignee of an original creditor who is involved in the decision to extend, renew or continue credit.
(c) "Customer" includes an individual person or an entity that opens a new or has an existing covered account with the City.
(d) "Identifying information" includes any name or number used alone or in conjunction with other information to identify an individual person or entity.
(e) "Identity theft" means a fraud attempted or committed using the identifying information of another person or entity without permission.
(f) "Red flag" includes any pattern, practice, or specific activity that indicates the possible existence of identity theft.
(g) "Service provider" includes a person or entity that provides a service directly to the creditor.

3. THE PROGRAM

Those City departments, including but not limited to the Finance Department, the Water Resources Division of the Public Works Department, the Community Recreation Division of the Community and Cultural Services Department, and the Housing and Economic Development Department, and those City employees responsible for opening, maintaining or restoring of covered accounts; verifying or maintaining any identifying information in connection with covered accounts; accepting or processing payments on covered accounts; or who are otherwise involved in transactions occurring on or have access to covered accounts, shall implement this Program as set forth below.

This Program is applicable but not limited to the following covered accounts:

(a) Utility (water, sewer, refuse) accounts;
(b) Customer accounts for Santa Monica City College and community organizations and individuals for the use of City recreational facilities; and
(c) TORCA, MERL, and Rental Rehabilitation Loan Program accounts.
(i) Notwithstanding the above, the Housing and Economic Development Department has conducted a risk assessment regarding the risk of identity theft with respect to covered accounts for other housing and redevelopment loan programs under which loans are made to corporate entities. Considering the complexity of the loan process and that all information regarding such loans are of public record, it has been determined that there is minimal or no risk of identity theft such that the Program would not be practicable in application to those covered accounts.

4. RED FLAGS

Employees shall check for the following red flags to the extent applicable:

(a) Suspicious documents
(i) Documents provided for identification appear altered, forged, invalid, or otherwise inauthentic;
(ii) The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification;
(iii) Other information on the document is not consistent with the information provided by the applicant or customer;
(iv) Other information on the document is not consistent with the information that is already on file for the customer; and
(v) The application appears altered, forged, or destroyed and reassembled.

(b) Suspicious identifying information
(i) Identifying information presented by the applicant or customer is inconsistent when compared to the same information from external sources, such as:
(A) The address provided does not match any address listed in a consumer credit report or other documentation;
(B) The Social Security Number provided has not been issued or is listed on the Social Security Administration's Death Master File;
(C) Inconsistent birth dates; or
(D) Inconsistent driver's license numbers.
(ii) Identifying information presented by the applicant or customer is inconsistent with other information provided by the applicant or customer, such as:
(A) The Social Security Number provided does not correlate to the range and date of birth.
(iii) Identifying information presented by the applicant or customer is associated with or commonly known to be associated with fraudulent activity, such as:
(A) The address provided is fictitious, a mail drop, or a prison;
(B) The telephone number provided is invalid, or is associated with a pager or answer service; or
(C) The business license number provided is fictitious or invalid.
(iv) Identifying information presented by an applicant or customer is the same or similar to that of other applicants or customers, such as:
(A) The Social Security Number provided is the same as that of other applicants or customers;
(B) The address or telephone number provided is the same or similar to that provided by other applicants or customers; or
(C) The business license number provided is the same as that of another applicant or customer.
(v) The applicant fails to provide all identifying information required on the application when reminded to do so (with the exception being that by law, Social Security Numbers must not be required); and
(vi) Identifying information presented by a customer is inconsistent with identifying information on file for that customer.

(c) Unusual or suspicious activities
(i) A change of address for an account is shortly followed by a request for a change to the account holder's name or the addition of authorized users on the account;
(ii) The account is used in a manner that is not consistent with established patterns of activity on the account, such as:
(A) Late payments or nonpayment when there is no history of late or missed payments;
(B) A customer makes the first payment on a new account but fails to make any subsequent payments; or
(C) A material change in pattern of usage;
(iii) Mail sent to the customer is repeatedly returned as undeliverable while customer's account remains active in usage;
(iv) Notice that the customer is not receiving mail sent by the City;
(v) Notice that a customer's account has unauthorized activity;
(vi) A breach in security of the computer system used to maintain customer account information, including the Online Account Management system for utility services;
(vii) A breach in security of the filing systems used to maintain paper documentation of customer account information;
(viii) Notice of unauthorized access to or use of customer account information; and
(ix) Notice that an account has been opened for a person engaged in identity theft.

(d) Notices from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft.

5. DETECTION OF RED FLAGS

Employees shall take the following steps to the extent applicable to detect whether a red flag or a combination of red flags indicating possible identity theft exists:

(a) Opening new covered accounts
(i) Obtain identifying information to the extent necessary and practicable to verify the identity of the applicant;
(ii) Obtain copies of applicable documents to verify the identifying information presented by the applicant, such as a valid driver's license or a City-issued business license;
(iii) Review identifying information and documents for red flags; and
(iv) If the applicant submits an application other than in-person, contact the applicant to verify identifying information.
(b) Maintaining existing covered accounts
(i) Verify to the extent reasonable and practicable the identity of each customer requesting account information;
(ii) Require the customer to verify identifying information on file for that customer's covered account for any transactions;
(iii) Monitor and track activities on covered accounts to detect any red flags; and
(iv) Verify the validity of any requests to change the address, billing information, account holder's name, or authorized users on the account by contacting the customer and by comparing identifying information provided in such requests to identifying information on file for the customer.

6. PREVENT AND MITIGATE IDENTITY THEFT: RESPONSES TO RED FLAGS

In the event that an employee detects a red flag or combination of red flags on a covered account, the employee shall use his or her discretion to determine whether such red flag(s) pose a risk of identity theft, and take one or more of the responses below, commensurate with the risk of identity theft presented. The response(s) taken shall be reported to the appropriate Director or Manager (i.e., the Finance Director, Water Resources Manager, Community Recreation Manager, or Housing Manager). In the event that the Director or Manager determines in his or her discretion that additional or different responses are warranted, the employee shall undertake such additional or different responses. All responses or no response and the results or resolution thereof shall be included in the annual report required under Section 8(b) below.
(a) Monitor the customer's account for evidence of identity theft;
(b) Contact the customer;
(c) Change the customer's account number, password, security codes or other security devices that permit either employee or customer access to the account;
(i) Change the customer's PIN number for the Online Account Management system for utility services; or
(ii) Change the customer's e-mail address that is linked to the Online Account Management system for utility services.
(d) Deactivate or close the customer's account;
(e) Cease attempts to collect payment on a covered account and decline to sell a covered account to a debt collector in the event of unauthorized access to the account that has caused additional charges to accrue;
(f) Notify law enforcement;
(g) Determine that no response is warranted under the circumstances presented; or
(h) Take any other appropriate action to prevent or mitigate identity theft.

To further prevent identity theft, employees shall take the following steps with respect to internal operating procedures:

(a) Ensure that office computers are password-protected and that computers lock after a set period of time;
(b) Keep papers containing customers' account and identifying information confidential and in a secure and locked place, out of public view;
(c) Ensure that computer virus protection is up to date;
(d) Ensure complete and secure destruction, as appropriate, of paper documents and computer files containing customers' account and identifying information; and
(e) Restrict access to customers' account and identifying information to authorized personnel and on a "need to know" basis.

7. UPDATING THE PROGRAM

The Director or Manager of those City departments with covered accounts, including but not limited to the Finance Director, Water Resources Manager, Community Recreation Manager, and Housing Manager, shall, upon receipt of the annual report described in Section 8(b) below, conduct an annual review and submit to the City Attorney recommended updates to the Program as necessary to reflect changes in risks to customers and to the safety and soundness of the City from identity theft. The Program shall be updated based on a consideration of the following factors:

(a) The City's experiences with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods used to detect, prevent and mitigate identity theft;
(d) Changes in the types of covered accounts offered or maintained; and
(e) Changes in the organization or process of City operations, or the implementation of new systems, new service provider agreements or the use of consumer credit reports.

8. ADMINISTRATION OF THE PROGRAM

The Director or Manager shall be responsible for the overall implementation and administration of the Program, as provided below:

(a) Oversight. The Director or Manager will provide ongoing oversight to ensure that the Program is being followed and is effective, including taking the following measures:
(i) Assign specific duties regarding the Program's development, implementation and administration to staff;
(ii) Review reports prepared by staff regarding compliance with the Red Flags Rule and the Program; and
(iii) Approve changes and updates to the Program, in conjunction with the City Attorney, as necessary to address incidents involving identity theft and changes in the risks of identity theft.

(b) Annual reports. A designated employee at senior management level will submit an annual report to the Director or Manager.
The report will address material matters and evaluate any issues related to the Program, including but not limited to the following:
(i) The effectiveness of the Program in detecting, preventing and mitigating identity theft;
(ii) Documentation of any significant incidents involving identity theft and the steps taken in response;
(iii) Items for consideration in updating the Program; and
(iv) Recommendations for any material changes to the Program.
The annual report shall be completed for the annual review and update of the Program as set forth in Section 7 above.

(c) Training. The Director or Manager is responsible for providing training on the Program to all employees whose job responsibilities are related to covered accounts. The Director or Manager shall in his or her discretion determine the level and substance of training necessary for the effective implementation of the Program.

9. THIRD PARTY SERVICE PROVIDERS

Where the City engages a third party service provider to perform activities in connection with covered accounts, the Director or Manager shall review such arrangements to ensure either that (1) the service provider's activities are conducted in accordance with the Program, or that (2) the service provider has policies and procedures in place substantially similar to the Program to detect, prevent and mitigate identity theft that may arise out of the performance of the service provider's activities with respect to the covered accounts.

10. NOTICE OF ADDRESS DISCREPANCIES

The City currently does not utilize consumer credit reports from consumer reporting agencies. Accordingly, the City has determined that compliance with the FTC's Rule for Notices of Address Discrepancy under 16 C.F.R. § 681.1, implementing Section 315 of the FACT Act, is not presently required.
In the event that the City decides to use consumer credit reports, the City department(s) utilizing such reports, in conjunction with the City Attorney, shall develop policies and procedures relating to the receipt of a notice of address discrepancy from a consumer reporting agency. The notice of address discrepancy policies and procedures are subject to City Council approval, and shall thereupon be incorporated into the Program.

Adopted and approved this 14th day of July, 2009.

Ken Genser, Mayor

I, Maria Stewart, City Clerk of the City of Santa Monica, do hereby certify that the foregoing Resolution No. 10417 (CCS) was duly adopted at a meeting of the Santa Monica City Council held on the 14th day of July, 2009, by the following vote:

Ayes: Council members: Bloom, Davis, Holbrook, Mayor Genser, Mayor Pro Tem O'Connor
Noes: Council members: None
Abstain: Council members: None
Absent: Council members: McKeown, Shriver

ATTEST:
Maria Stewart, City Clerk