The URL can be used to link to this page

sr-071409-1e~~ c;tYor City Council Report Santa Monica City Council Meeting: July 14, 2009 Agenda Item: ~ °~ To: Mayor and City Council From: Marsha Jones Moutrie, City Attorney Subject: Identity Theft Prevention Program Recommended Action Adopt a resolution establishing an identity theft prevention program to comply with the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Executive Summary The FACT Act directed federal agencies to issue joint regulations and guidelines regarding the detection, prevention and mitigation of identity theft. In compliance with the FACT Act, the Federal Trade Commission (FTC) issued the "Red Flags Rule", which requires certain financial institutions and creditors, including local public agencies, to design and implement- an identity theft prevention program by August 1, 2009. The attached resolution and identity theft prevention program would establish an identity theft prevention program for the City in compliance with these federal regulations. Background The "Red Flags Rule" implements Section 114 of the FACT Act, and applies to financial institutions and creditors that offer new or maintain existing covered accounts. Covered accounts include (1) accounts that are mostly used for personal, family or household purposes, and that involve or are designed to permit multiple payments or transactions, and (2) accounts that are used for personal, family, household or business purposes for which there is a reasonably foreseeable risk of identity theft. Local public agencies are considered creditors under the "Red Flags Rule" if the agencies defer payment for goods and services on covered accounts. Accordingly, all local public agencies that provide goods or services within the applicable definitions of 1 the "Red Flags Rule" must design and implement a written identity theft prevention program tailored to their respective operations. In application, the "Red Flags Rule" most commonly applies to local public agencies. with covered accounts for utility services, loans, and the use of or services related to public facilities. Discussion The purpose of the "Red Flags Rule" is to identify "red flags", i.e., patterns, practices, and specific activities that indicate the possible existence of identity theft. The identity theft prevention program must include reasonable policies and procedures to: (1) identify. red flags and incorporate them into the program; (2) detect red flags that are part of the program; (3) respond to red flags in order to prevent and mitigate identity theft; and (4) ensure periodic updates to the program to reflect changes in the risks of identity theft. The categories of "red flags" identified by the FTC include (1) alerts, notifications or warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious personal identifying information; (4) the unusual use of, or suspicious activity related to, a covered account; and (5) notices from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft. The identity theft prevention program must be initially approved by City Council. Employees at senior management level are responsible for the oversight of development, implementation and administration of the program. Oversight includes reviewing periodic reports prepared by City staff regarding the effectiveness of and compliance with the program, as well as approving material changes to the program as necessary to address changing risks in identity theft. Appropriate City staff must be trained to effectively implement the identity theft prevention program. The "Red Flags Rule" applies to the following City departments: 2 1) The Public Works Department and the Finance Department, which provide water, sewer. and refuse services to customers and defer payment for such utility services, and is therefore considered a creditor that offers and maintains covered accounts; 2) The Community Recreation Division of Community and Cultural Services Department, which offers the use of its recreational facilities to customers and defers payment for such services, and is therefore considered a creditor that offers and maintains covered accounts; and 3) The Housing and Economic Development Department, which administers certain loan programs under which loans are provided to customers and maintains accounts for the repayment of such loans over an extended period of time, and is therefore considered a creditor that offers and maintains covered accounts. Based on the provisions of the "Red Flags Rule", the foregoing City departments and divisions are required to implement an identity theft prevention program. Failure to do so will subject the City to federal and state civil actions and monetary penalties. In addition to the "Red Flags Rule", the FTC issued the "Rule for Notices of Address Discrepancy", which require users of consumer credit reports to adopt policies and procedures relating to the receipt of a notice of address discrepancy from a consumer reporting agency. From discussions with City staff, the City does not utilize consumer credit reports in its operations, and therefore, the City is not presently required to implement policies and procedures in compliance with this rule. // // // 3 Financial Impacts & Budget Actions There are no anticipated financial impacts from the adoption of an identity theft prevention program. No budget actions are necessary. Prepared by: Meishya Yang, Deputy City Attorney Approved: Forwarded to Council: < ~/ Mar ha Jo~~jj~~ Moutri P. nt Ewell Cit ttorn~a'j City Manager 4 Reference Resolution No. 10417 (CCS).