sr-071409-1e~~
c;tYor City Council Report
Santa Monica
City Council Meeting: July 14, 2009
Agenda Item: ~ °~
To: Mayor and City Council
From: Marsha Jones Moutrie, City Attorney
Subject: Identity Theft Prevention Program
Recommended Action
Adopt a resolution establishing an identity theft prevention program to comply with the
Fair and Accurate Credit Transactions Act of 2003 (FACT Act).
Executive Summary
The FACT Act directed federal agencies to issue joint regulations and guidelines
regarding the detection, prevention and mitigation of identity theft. In compliance with
the FACT Act, the Federal Trade Commission (FTC) issued the "Red Flags Rule", which
requires certain financial institutions and creditors, including local public agencies, to
design and implement- an identity theft prevention program by August 1, 2009. The
attached resolution and identity theft prevention program would establish an identity
theft prevention program for the City in compliance with these federal regulations.
Background
The "Red Flags Rule" implements Section 114 of the FACT Act, and applies to financial
institutions and creditors that offer new or maintain existing covered accounts. Covered
accounts include (1) accounts that are mostly used for personal, family or household
purposes, and that involve or are designed to permit multiple payments or transactions,
and (2) accounts that are used for personal, family, household or business purposes for
which there is a reasonably foreseeable risk of identity theft.
Local public agencies are considered creditors under the "Red Flags Rule" if the
agencies defer payment for goods and services on covered accounts. Accordingly, all
local public agencies that provide goods or services within the applicable definitions of
1
the "Red Flags Rule" must design and implement a written identity theft prevention
program tailored to their respective operations. In application, the "Red Flags Rule"
most commonly applies to local public agencies. with covered accounts for utility
services, loans, and the use of or services related to public facilities.
Discussion
The purpose of the "Red Flags Rule" is to identify "red flags", i.e., patterns, practices,
and specific activities that indicate the possible existence of identity theft. The identity
theft prevention program must include reasonable policies and procedures to: (1)
identify. red flags and incorporate them into the program; (2) detect red flags that are
part of the program; (3) respond to red flags in order to prevent and mitigate identity
theft; and (4) ensure periodic updates to the program to reflect changes in the risks of
identity theft.
The categories of "red flags" identified by the FTC include (1) alerts, notifications or
warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious
personal identifying information; (4) the unusual use of, or suspicious activity related to,
a covered account; and (5) notices from customers, victims of identity theft, law
enforcement authorities or other persons regarding possible identity theft.
The identity theft prevention program must be initially approved by City Council.
Employees at senior management level are responsible for the oversight of
development, implementation and administration of the program. Oversight includes
reviewing periodic reports prepared by City staff regarding the effectiveness of and
compliance with the program, as well as approving material changes to the program as
necessary to address changing risks in identity theft. Appropriate City staff must be
trained to effectively implement the identity theft prevention program.
The "Red Flags Rule" applies to the following City departments:
2
1) The Public Works Department and the Finance Department, which provide
water, sewer. and refuse services to customers and defer payment for such utility
services, and is therefore considered a creditor that offers and maintains covered
accounts;
2) The Community Recreation Division of Community and Cultural Services
Department, which offers the use of its recreational facilities to customers and defers
payment for such services, and is therefore considered a creditor that offers and
maintains covered accounts; and
3) The Housing and Economic Development Department, which administers
certain loan programs under which loans are provided to customers and maintains
accounts for the repayment of such loans over an extended period of time, and is
therefore considered a creditor that offers and maintains covered accounts.
Based on the provisions of the "Red Flags Rule", the foregoing City departments and
divisions are required to implement an identity theft prevention program. Failure to do so
will subject the City to federal and state civil actions and monetary penalties.
In addition to the "Red Flags Rule", the FTC issued the "Rule for Notices of Address
Discrepancy", which require users of consumer credit reports to adopt policies and
procedures relating to the receipt of a notice of address discrepancy from a consumer
reporting agency. From discussions with City staff, the City does not utilize consumer
credit reports in its operations, and therefore, the City is not presently required to
implement policies and procedures in compliance with this rule.
//
//
//
3
Financial Impacts & Budget Actions
There are no anticipated financial impacts from the adoption of an identity theft
prevention program. No budget actions are necessary.
Prepared by: Meishya Yang, Deputy City Attorney
Approved: Forwarded to Council:
< ~/
Mar ha Jo~~jj~~ Moutri P. nt Ewell
Cit ttorn~a'j City Manager
4
Reference Resolution No.
10417 (CCS).