RESOLUTION NO. R-09-05-28-12C1 (5/28/2009)

WHEREAS, pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003 ("the Act"), the City Council desires to adopt a written identity theft prevention program to mandate identity theft controls within the City of Round Rock, and

WHEREAS, the City Council has reviewed the attached identity theft prevention program and has determined same to be in compliance with the Act, Now Therefore

BE IT RESOLVED BY THE COUNCIL OF THE CITY OF ROUND ROCK, TEXAS,

That the Identity Theft Prevention Program, attached hereto as Exhibit "A" and incorporated herein, is hereby approved and adopted.

The City Council hereby finds and declares that written notice of the date, hour, place and subject of the meeting at which this Resolution was adopted was posted and that such meeting was open to the public as required by law at all times during which this Resolution and the subject matter hereof were discussed, considered and formally acted upon, all as required by the Open Meetings Act, Chapter 551, Texas Government Code, as amended.

RESOLVED this 28th day of May, 2009.

ALAN MCGRAW, Mayor, City of Round Rock, Texas
ATTEST: SARA L. WHITE, City Secretary

City of Round Rock Identity Theft Prevention Program

Management Statement

The City of Round Rock developed and adopted this Identity Theft Prevention Program, with all the listed components, pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.
Implementing the program's requirements and components mandates identity theft controls within the City of Round Rock, enhancing overall security practices and reducing the likelihood that unauthorized individuals gain access to customers' sensitive information.

James R. Nuse, P.E., City Manager
Hassan Farhat, Risk Manager / Program Administrator
October 2008

EXHIBIT "A"

CITY OF ROUND ROCK IDENTITY THEFT PREVENTION PROGRAM - RED FLAGS

TABLE OF CONTENTS
• Title Page
• Table of Contents
• Statutory Requirement
• Adoption and Implementation
• Rule Objective
• Expected Desirable Results
• Identity Theft Program Administration and Oversight
• Employee Training and Updates
• Covered Utility Accounts
• What is Identity Theft?
• What is Identifying Information?
• What is a "Red Flag"?
• Identifying and Detecting "Red Flags"
• City Employee and Supervisor's Responsibility
• City of Round Rock Policy Statement on Security
• Related City Policies
• Customer's Information and Records Protection
• Incident (Red Flag) Reporting and Fraud Investigation
• Program Review and Revision
• Program Recordkeeping System
• Compliance and Practices
• Disciplinary Action
• Appendixes
  • Department/Division Security Guidelines
  • Department/Division Red Flags
  • ID Theft Red Flag Worksheet
• City Employee Personal Identity Theft Awareness

Statutory Requirement: Federal Trade Commission (FTC) - Identity Theft "Red Flags"

The Federal Trade Commission and other regulatory agencies have published rules and guidelines regulating fraudulent attempts to use private and personal information without authority.
The regulations implement Section 114 (Red Flag Guidelines) and Section 315 (Reconciling Address Discrepancies) of the Fair and Accurate Credit Transactions Act (FACTA).

Adoption and Implementation:

The final rulemaking was released jointly by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The final rules became effective on January 1, 2008; covered financial institutions and creditors were required to comply by November 1, 2008. The rules apply to utilities as "creditors" and call for financial institutions and creditors to adopt a written Identity Theft Prevention Program ("Red Flags") by November 1, 2008.

Rule Objective:

The objective of the Identity Theft "Red Flags" Rule is to establish, implement, and document a prevention program that achieves a common minimum security level protecting customer account information. This is accomplished through continuous information/data and gap analysis, risk assessment, policies and procedures, and implementation of the Identity Theft Program.

Expected Desirable Results:
• Identity theft controls prevent information exposure, help identify attempted criminal activity, and reduce its probability of success;
• The damage to the City's and the Department's reputation, image, and level of trust from a successful fraud is significant in comparison with the direct cost of correcting that fraudulent activity;
• Local management gains assurance that proper safeguards are in place and that the statutory requirements are met;
• "The big picture": continuous prevention and control efforts reduce identity theft elsewhere and can support other organizations and government agencies in their fight against false identification crimes.
Identity Theft Program Administration and Oversight:

The City's Risk Manager serves as the Identity Theft Prevention Program Administrator. An Identity Theft Program Privacy Committee will be established, with management-level members appointed from the Finance Department, the Utility Billing Office, and other affected City Departments that handle customer account information. Because of the sensitive nature of the Program, Committee members are entrusted to ensure privacy and confidentiality at all times.

Employee Training and Updates:

Affected City employees will receive initial formal training as an introduction to the Identity Theft Prevention Program's elements and mandated requirements. Shortly afterwards, specific training will be scheduled to provide further instruction and clarification on detecting "Red Flags", including the prompt reporting and recording mechanisms. Employees will be given the necessary instructions on any updates to the rules and/or to the implementation of the program. Supervisors are advised to review the related Human Resources Policies and Procedures with all employees.

Covered Utility Accounts:

Under the Rule, all individual utility service accounts held by customers of the utility, whether residential or commercial, are covered accounts. Identity theft fraud involving utility accounts and/or other City customer accounts consists of obtaining the benefit of a service using someone else's Identifying Information.

What is Identity Theft?

Under the Fair and Accurate Credit Transactions Act (FACTA), identity theft is defined as a fraud committed using the identifying information of another person. Note that identity theft is a fraud, not a theft.
Two types of identity theft fraud:

1 - Relating to new customer accounts:
o Establishing utility service or another City service using another person's name or identifying information;
o The suspected individual defaulted on past accounts and is unable to receive service under his or her real name;
o The suspected individual intends to establish fraudulent proof of residency in order to commit a fraudulent act elsewhere.

2 - Relating to existing customer accounts:
o Continuing utility service under another customer's name after moving out;
o The suspected individual attempts to avoid paying for service;
o The suspected individual defaulted on past accounts and avoids using his or her real name.

What is Identifying Information?

Identifying information is defined under the Rule as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person", including: name, address, telephone number, social security number, date of birth, government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, electronic identification number, internet address, or routing code.

What is a "Red Flag"?

A "Red Flag" is a pattern, practice, or specific activity that indicates the possible existence of identity theft. The examples given by the regulatory agencies include personal identifying information that is inconsistent when compared against other information sources used by the creditor or financial institution (address, social security number, etc.).

Identifying and Detecting "Red Flags":

In addition to Utility Billing services, the City of Round Rock provides other services to citizens and manages a variety of customer accounts.
To identify the Red Flags associated with the services it provides, Utility Billing and each other City service must review the types of accounts it maintains, the process and mechanism by which an account is opened, the means and methods used to access account information, and the City's history with fraud and identity theft.

The following Red Flags are identified by category:

• Warnings from Credit Reporting Agencies:
✓ Reports of fraudulent activity;
✓ A credit agency alert on a customer;
✓ A credit freeze pending investigation;
✓ An unusual pattern of customer activity reported by the credit agency.

• Suspicious Documents and Provided Information:
✓ Presented documents appear to be forged or altered;
✓ The photograph on the ID does not match the customer's physical description;
✓ The customer's application for service appears to be altered or forged;
✓ Presented documents or information are not consistent with existing customer information.

• Suspicious Personal Identifying Information:
✓ Presented customer Identifying Information is inconsistent with other documented information provided;
✓ Presented customer Identifying Information is inconsistent with information from other sources, such as government records or a credit report;
✓ Presented customer Identifying Information matches a known pattern of fraudulent activity (for example, an invalid phone number or physical address);
✓ The provided social security number matches that of another customer;
✓ The application for service is left incomplete in an apparent attempt to avoid providing Identifying Information;
✓ Other suspicious document inconsistencies detected while the request for service is being processed.
• Suspicious Account Activity or Unusual Use of Account:
✓ Mail returned as undeliverable;
✓ Notice of unauthorized activity;
✓ Unusually high or unusually low activity detected on the account;
✓ Notice from the customer that he or she is not receiving mail sent by Utility Billing;
✓ Unauthorized access to account information detected;
✓ A breach of the Utility Billing computer security system;
✓ An unusual request by the customer to change the name on the account.

• Alerts from other parties:
✓ Notice from a Utility Billing customer;
✓ Notice from law enforcement;
✓ Notice from another person;
✓ A report that an individual has knowingly and willingly opened, and is maintaining, a fraudulent account on behalf of a customer engaged in identity theft.

City Employee and Supervisor's Responsibility:

For new and existing customer accounts:
• Verify the validity of every request for changes;
• Obtain and verify all required customer information;
• Verify the financial institution account information;
• Verify the customer's identity;
• Carefully review all provided documentation;
• Contact the customer for clarification;
• Always report and monitor unusual activities or transactions;
• Do not underestimate any unusual activity;
• When in doubt, check it out.
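As an added illustration, and not part of the City's program or any code the City uses, the following Python screens a new service application against existing accounts for several of the red flags listed above: an incomplete application, a structurally invalid social security number or phone number, a social security number already on another customer's account under a different name, and an application address that disagrees with the address on the presented ID. The `Account` and `Application` records, the `screen_application` function and the sample data are all constructed for this example; the SSN and phone checks encode only the structural rules published by the Social Security Administration and the North American Numbering Plan, not whether a particular number has actually been issued.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Everything below is constructed for this example; none of it is real customer data.


@dataclass(frozen=True)
class Account:
    acct: str
    name: str
    ssn: str
    address: str
    phone: str


@dataclass(frozen=True)
class Application:
    name: str
    ssn: str
    address: str     # address written on the service application
    id_address: str  # address printed on the presented photo ID
    phone: str


SPII = "Suspicious Personal Identifying Information"
DOCS = "Suspicious Documents"


def digits(s: str) -> str:
    """Keep only the digits of a number entered with dashes, spaces or parentheses."""
    return re.sub(r"\D", "", s or "")


def norm(s: str) -> str:
    """Case- and punctuation-insensitive form for comparing names and addresses."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", (s or "").lower()).split())


def ssn_structurally_valid(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    d = digits(ssn)
    if len(d) != 9:
        return False
    area, group, serial = int(d[:3]), int(d[3:5]), int(d[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def phone_structurally_valid(phone: str) -> bool:
    """NANP number: ten digits; area code and exchange cannot begin with 0 or 1."""
    d = digits(phone)
    return len(d) == 10 and d[0] not in "01" and d[3] not in "01"


def screen_application(app: Application, existing: List[Account]) -> List[Tuple[str, str]]:
    """Return (worksheet category, explanation) for each red flag found, in check order."""
    flags: List[Tuple[str, str]] = []

    # Incomplete application: a field left blank to avoid supplying identifying information.
    required = {"name": app.name, "ssn": app.ssn, "address": app.address, "phone": app.phone}
    missing = [k for k, v in required.items() if not (v or "").strip()]
    if missing:
        flags.append((SPII, "incomplete application, missing: " + ", ".join(missing)))

    # Identifying information that cannot be genuine (invalid SSN or phone number).
    if app.ssn.strip() and not ssn_structurally_valid(app.ssn):
        flags.append((SPII, "social security number is not a structurally valid SSN"))
    if app.phone.strip() and not phone_structurally_valid(app.phone):
        flags.append((SPII, "phone number is not a valid North American number"))

    # The SSN is already on file for a different customer.
    ssn = digits(app.ssn)
    for acct in existing:
        if ssn and digits(acct.ssn) == ssn and norm(acct.name) != norm(app.name):
            flags.append((SPII, f"SSN already on account {acct.acct} held under a different name"))

    # The application is inconsistent with the presented document.
    if app.address.strip() and app.id_address.strip() and norm(app.address) != norm(app.id_address):
        flags.append((DOCS, "address on application differs from address on presented ID"))

    return flags


def worksheet_lines(app: Application, flags: List[Tuple[str, str]]) -> List[str]:
    """Render the result in the layout of the Red Flag Worksheet's detection section."""
    lines = [f"Customer Name: {app.name}", "The following RED FLAGS were detected:"]
    lines += [f"[x] {cat}. Explain: {why}" for cat, why in flags] or ["(none)"]
    return lines


# Constructed sample data.
EXISTING = [
    Account("UB-1001", "Jane Q. Public", "219-09-9999", "100 Main St, Round Rock TX", "512-555-0100"),
    Account("UB-1002", "Sam Sample", "219-09-9998", "200 Oak Ave, Round Rock TX", "512-555-0101"),
]
# Uses Jane's SSN under another name, and the ID address disagrees with the application.
APP_SUSPECT = Application("John Doe", "219-09-9999", "300 Pecan Dr, Round Rock TX",
                          "55 Elm Rd, Austin TX", "512-555-0123")
# Consistent application: same address on the form and the ID, SSN not on file.
APP_CLEAN = Application("Maria Lopez", "219-09-9997", "400 Cedar Ln, Round Rock TX",
                        "400 Cedar Ln., Round Rock, TX", "512-555-0199")

if __name__ == "__main__":
    for app in (APP_SUSPECT, APP_CLEAN):
        print("\n".join(worksheet_lines(app, screen_application(app, EXISTING))), "\n")
```

Each flag carries the worksheet category it belongs under, so the output maps directly onto the check boxes of the Red Flag Worksheet in the appendix; the screen is deliberately conservative, treating a blank field as a flag rather than silently skipping the check that would have used it.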
City of Round Rock Policy Statement on Security:

"The City makes all efforts to maintain secure operations to safeguard employees, customers, resources, and assets through ongoing risk assessment, loss prevention strategies, and site security of all facilities while respecting civil rights and fundamental freedoms."

Related City Policies:

Human Resources Policies and Procedures Manual
Section 1:04 - Maintaining Applicant Files
Section 1:11 - Personal Records and Privacy
Section 5:02 - Privacy Expectations
Section 5:03 - Ethical Standards
Section 5:14 - Whistle Blower Policy
Section 6:01 - Communication
Section 6:02 - Request for Public Information
Section 6:03 - Internal and External Electronic Communications
Section 7:07 - Reporting Accidents, Incidents, and Unusual Events
Department/Division Physical Security Plan and Guidelines
Department/Division Policies and Practices

Customer's Information and Records Protection:

For Employees and Supervisors: To protect customer Identifying Information and to reduce the likelihood of identity theft against your customers' accounts (Utility Billing and others), the involved City employees must take the following critical steps:
• Ensure that all employees are trained on the Identity Theft Prevention Program (Red Flags) and on the related City Policies and Procedures;
• Ensure that all employees follow the physical security access procedures and that workstations and websites are properly secured at all times (locked computer screens, passwords, etc.);
• Ensure that all offices are kept clear of paper carrying sensitive and identifying information. Secure documents properly, or completely destroy paper documents and computer records containing customer information once they are no longer needed;
• Keep at your worksite only the customer information and records that are required and necessary for the business transaction.
Incident (Red Flag) Reporting and Fraud Investigation:

If an employee suspects or detects any unusual activity involving potential fraud, the employee must report it immediately to the direct supervisor or the Division supervisor on the provided worksheet. The supervisor informs the Program Administrator immediately for further inquiry and prompt intervention as appropriate. An initial written record (worksheet) of the activity must be completed by the reporting employee and his or her supervisor.

The following measures are recommended to prevent and mitigate the situation, depending on the level of risk involved and the available information:
• Review and continue to monitor the customer account information;
• Consult with your supervisor and the Program Administrator before contacting the affected customer;
• The Program Administrator will contact the Round Rock Police Department once adequate information has been established for a prompt response;
• Do not open a new customer account; close the existing account; or reopen the account with a new account number;
• Record the event and continue to monitor if necessary.

Program Review and Revision:

The Rule requires that the Identity Theft Prevention Program be reviewed and evaluated periodically to reflect changes in risks to customers, or to the safety and soundness of the financial institution or creditor, from identity theft. The City of Round Rock will review the program three months after implementation and then once every six months to ensure effectiveness, accuracy, and consistency. The Identity Theft Prevention Program Administrator and the Privacy Committee members provide guidance and conduct the formal review and update of the program. A review and revision report will be generated and submitted to the City's management staff.
Program Recordkeeping System:
• Rules updates
• Identity Theft Prevention Program
• Employee training records
• Program review and revision periodic reports
• Incident "Red Flag" reports
• Internal investigation reports and case-associated records
• Police reports
• Other related records

Affected Departments and Divisions will appoint a designee or office manager (a name and job title are required) to ensure that all related program records are kept at a centralized location and maintained appropriately. The Identity Theft Prevention Program Administrator will audit all identified recordkeeping locations to ensure compliance.

Compliance and Practices:

Creditors or financial organizations that do not comply with the requirements risk fines and/or civil litigation. Creditors are subject to future audits and investigations for various reasons. Once an investigation has been conducted and non-compliance has been established, fines and civil litigation usually follow from a number of regulatory agencies and organizations:

Federal Trade Commission (FTC) - Authorized to bring enforcement actions in federal court for violations of the rule. In some cases, the FTC may seek penalties of up to $2,500 for each independent violation.

State Enforcement - The states are also authorized to bring actions on behalf of their residents and may recover up to $1,000 for each violation. A state may also recover its attorney's fees if it prevails.

Civil Liability - Individual consumers may be entitled to recover actual damages sustained from a violation. These could be very large, and consumers may be able to bring a class action suit seeking potentially massive damages. In addition, successful plaintiffs may recover reasonable attorney's fees.
Disciplinary Action:

All City employees are required to adhere to the City's Human Resources Policies and Procedures and to adopted policies and practices. City employees who violate City policies, documented practices, or applicable statutory rules and regulations are subject to disciplinary action, up to and including termination of employment.

Appendixes:
• Department/Division Security Guidelines
• Department/Division Red Flags
• ID Theft Red Flag Worksheet

City Employee Personal Identity Theft Awareness:

Consistent with the City's policies and procedures on managing records, on protecting sensitive employee information, and on privacy and confidentiality practices, it is critical that all Departments and Divisions handling employee personal information adhere to the noted policies. Supervisors and employees are advised to keep a secure and protected recordkeeping system (electronic or paper), to properly discard any unnecessary employee personal information, and to consult with the Human Resources Department on any matter pertaining to employee personal information before it is released. The City provides periodic formal and informal identity theft prevention training to all employees to help protect their personal information. Please consult with the Human Resources Department for other available resources, support activities, and documents for employee assistance.

Human Resources Security Guidelines

Verbal Communication
• Be aware of your surroundings when discussing personnel issues.
• Conversations of a confidential nature should not take place in the general reception area.
• A closed-door policy should be followed when employees are speaking with HR staff about personal or confidential matters.
• Persons meeting with HR staff for scheduled or unscheduled appointments should be asked to wait in the general reception area until announced to the person they are meeting. There should be very few exceptions to this rule.

Electronics
• Human Resources employees are required to lock their computer screens when they will be away from the office for extended periods.
• Do not leave the copy area while making copies of a confidential document, and check the copy area to make sure no documents are left behind.
• The above applies to faxes as well. Be sure to send a cover sheet on all faxes.
• When using speaker phones, be conscious of the nature of the call to ensure the confidentiality of your conversation.

Confidential Correspondence
• Documents should be handed to Steven or Delores rather than left in HR staff offices by other City employees.
• Personnel Action Forms, applications, drug test results, and criminal background checks should be kept in a secure location.
• Filing cabinets with employee records should be kept closed during the day and locked at the end of each day.
• When sharing confidential documents with other HR staff, place the documents in a folder or envelope labeled CONFIDENTIAL.
• Confidential documents that contain information such as Social Security numbers, home or cell phone numbers, and mailing addresses should be shredded in the industrial shredder housed in the HR conference room. Under no circumstances should they be placed in the recycle bins in the copier room.

Security
• All keys to locked file cabinets will be kept in a central location for easy access by all Human Resources personnel.
• All locking filing cabinets should have working locks, with spare keys placed in the central key lock box.
• All doors should be locked at the end of each business day.

Enforcement
Violation of this policy may result in disciplinary action.

I acknowledge that I have read the Human Resources Security Guidelines and that they have been explained to me in detail.
Signature: ________  Date: ________

Finance Department Security Guidelines

Verbal Communication
• Be aware of your surroundings when discussing personnel or customer issues.
• Conversations of a confidential nature should not take place in any general reception area.
• A closed-door policy should be followed when employees are speaking with Finance staff about personal or confidential matters.
• Persons meeting with Finance staff for scheduled or unscheduled appointments should be asked to wait in the general reception area until announced to the person they are meeting. There should be very few exceptions to this rule.

Electronics
• Finance employees are required to lock their computer screens when they will be away from the office for extended periods.
• Do not leave the copy area while making copies of a confidential document without checking the copy area to make sure no documents are left behind.
• The above applies to faxes as well. Be sure to send a cover sheet on all faxes. All fax machines should be checked and cleared at the end of each day.
• When using both land line and mobile communication devices, be conscious of the nature of the call and your surroundings to ensure the confidentiality of your conversation.
• No banking transactions will be carried out on any wireless communication device at any time.

Confidential Correspondence
• Confidential documents should be handed to the intended employee rather than left in Finance staff offices by other City employees.
• Financial and purchasing records, as well as personnel action forms, applications, drug test results, criminal background checks, and all other sensitive information, should be kept in a secure location.
• Filing cabinets with financial records and any sensitive employee or customer information should be kept closed during the day, and all paperwork with sensitive information should be filed and locked at the end of each day.
• When sharing confidential documents with other Finance staff, place the documents in a folder or envelope labeled CONFIDENTIAL.
• Confidential and discarded documents that contain information such as Social Security numbers, home or cell phone numbers, and mailing addresses should be shredded the same day. Under no circumstances should they be placed in the recycle bins in your office or in the copier room.

Security
• Keys to locked file cabinets are the responsibility of the person responsible for that filing cabinet.
• All locking filing cabinets should have working locks, with spare keys placed in a secure location.
• All office doors should be locked at the end of each business day.

Enforcement
Violation of the Finance Department's adopted Security Guidelines, or of any other City of Round Rock Human Resources Policies and Procedures, may result in disciplinary action up to and including termination of employment.

I acknowledge that I have read the Finance Department Security Guidelines and that they have been explained to me in detail.

Signature: ________  Date: ________

IDENTITY THEFT PROTECTION GUIDELINES - Round Rock Public Library

1. Public conversations.
a. Confidential conversations will not be held in public areas. Confidential information includes, but is not limited to, personal information such as telephone number, address, social security number, personal PINs, etc.
b. PINs should not be stated aloud to a member of the public when registering them. The PIN should be written down, or a general statement such as "It is initially set to the last four digits of your phone number" may be used.
c. Texas driver's license numbers should not be stated aloud. They should be written down with no other identifier on the slip. When renewing library cards, do not read out to the patron "is your address still such-and-such?"
Take as much as you can from the driver's license without reading anything aloud; then, when you need information that is not on the driver's license, such as the phone number, ask the patron to tell you his or her own phone number rather than reading it off the screen. The onus is on the patron if he or she chooses to say it aloud; offer the option of writing it down for you.

2. Printed documents with private information.
a. Forms that customers fill out to get a library card will be returned to the customer after the data has been entered.
b. Receipts given to customers that carry identifying information, including addresses, will be shredded once they have served their purpose. Under no condition will any receipt be held for more than one year; all receipts will be shredded. Although addresses may appear in phone books, some individuals have unlisted numbers to protect their privacy.

3. Internal written correspondence with personal information such as social security numbers, EINs (for businesses), pro-card account numbers, PAs, criminal background checks, etc.
a. In general, there should be no reason for the library or its supervisors to ask for social security numbers, dates of birth (including the year), or driver's license numbers. Birth day and month may be requested for internal library use, usually to recognize birthdays. If you are uncomfortable with such a request, ask the Library Director or the library's Safety Officer to clarify or verify it. HR may, however, make such requests. If such information must be kept within the library, it will be secured in cabinets that are locked daily and handled according to the City's retention schedules.
b. All documents that carry social security numbers, driver's license numbers, EINs, and similar identifying information will be shredded once the appropriate City agency has received the information.
Under no condition will such information be placed in the trash unshredded.
c. EINs may appear on our vendors' documentation. Once Finance has the number, which is needed on a new vendor form, the document should be shredded; we do not need it further.
d. Confidential information that must be shared with others will be placed in envelopes marked "confidential". Documents in those envelopes will stay in the closed envelopes when not in use. All confidential documents will be filed in locked cabinets at the end of daily business.

4. Computer security
a. Computer screens will lock after 10 minutes of inactivity. This includes screens on the public service desks.
b. Patron records will be closed as soon as data has been adjusted. Under no condition will a patron record be left open.
c. Library staff will follow IT directions on user IDs and passwords. No IDs or passwords will be shared with anyone other than a direct supervisor or library IT representative.

5. Other
a. One person is accountable for the safe administration of each locked file cabinet. This includes managing the location of the key and ensuring that the locking mechanism is functioning.
b. Spare keys are located in the key closet, along with a complete description of the location of the cabinet and the responsible staff member for each key.
c. The key cabinet is locked after use. The key stick is left in a locked file cabinet in the check-in area.
d. The doors of all offices facing the public area will be locked. Staff members will need their keys to enter the space.
e. The doors of all other offices will be locked when staff members leave their individual offices at the end of each business day.
f. When there is a sole staff member in the administration area, the door to the public area will be locked.
Enforcement
Violation of the Library's Security Guidelines, as posted in the Library Policy and Procedure (LIPPS) manual, or of any other related City of Round Rock Human Resources Policies and Procedures or the City's records retention policies, may result in disciplinary action up to and including termination of employment.

I acknowledge that I have read the Library's Security Guidelines and that they have been explained to me in detail.

Signature: ________  Date: ________  Print name above: ________

CITY OF ROUND ROCK ID Theft Prevention Program - Red Flag Worksheet

Date: ________
Customer Name: ________
Customer Name (2): ________
Current Address: ________  City: ________  State: ____  Zip: ______
Acct #: ________

The following RED FLAGS were detected:
❑ Alerts, Notifications or Warnings from a Consumer Reporting Agency. Explain: ________
❑ Suspicious Documents. Explain: ________
❑ Suspicious Personal Identifying Information. Explain: ________
❑ Unusual Use of, or Suspicious Activity Related to, the Covered Account. Explain: ________
❑ Notice From Customers or Others Regarding Customer Accounts. Explain: ________
❑ Other Red Flags. Explain: ________

Level 1
❑ Monitoring the account for evidence of identity theft. Date: ____ Initial: ____
❑ Contacted the customer. Date: ____ Initial: ____
❑ Determined that no response is warranted. Date: ____ Initial: ____
❑ (Required) Contacted ID Theft Program Coordinator. Date: ____ Initial: ____
Form completed by: ________
If directed by the ID Theft Program Administrator, proceed to Level 2 (pg 2).

Level 2 RECOMMENDED ACTIONS:
❑ Changed passwords or other security codes/devices. Date: ____ Initial: ____
❑ Reopened account with a new account number. Date: ____ Initial: ____
❑ Did not open the account. Date: ____ Initial: ____
❑ Closed the existing account. Date: ____ Initial: ____
❑ Did not attempt to collect on or sell the account. Date: ____ Initial: ____
❑ Provided Identity Theft Brochure/Information. Date: ____ Initial: ____
❑ (Required) Contacted ID Theft Program Coordinator.
Date: ____ Initial: ____

For ID Theft Program Administrator Use Only
Law Enforcement Notified: ❑ Yes ❑ No  Date: ____ Initial: ____
Contact Info: ________
Case Number: ________
Comments: ________

DATE: May 21, 2009
SUBJECT: City Council Meeting - May 28, 2009
ITEM: 12C1. Consider a resolution adopting and implementing the City's Identity Theft Prevention Program (Red Flags) as required by the Federal Trade Commission Rule.
Department: Human Resources
Staff Person: Hassan Farhat, Risk Manager
Justification: The implementation of the Identity Theft Prevention Program will mandate identity theft controls within the City of Round Rock, therefore enhancing overall security practices and reducing the likelihood of unauthorized individuals gaining access to customer sensitive information.
Funding:
Cost: No funds allocation is required
Source of funds: N/A
Outside Resources: N/A
Background Information: N/A
Public Comment: N/A