CITY OF ELK CITY IDENTITY THEFT PREVENTION POLICY
PURPOSE
Identity theft, the fraudulent use of an individual’s personal identifying information, is a high-level risk to consumers and therefore to our city and our customers. This policy reaffirms and formalizes the actions and processes our city will take with respect to identity theft.
This policy includes the final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act.
The rules implementing section 114 require each creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or existing covered accounts.
In addition, the agencies issued joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.
The agencies also issued guidelines to assist creditors in the formulation and maintenance of a Program that satisfies the requirements of these rules.
OBJECTIVES
The guidance and standards set forth in this policy are intended to take specific steps to:
– Comply with the Interagency Final Rule Regarding Sections 114 and 3 I 5 of the Fair and Accurate Credit Transactions Act of 2003″.
– Minimize the threat of identity theft through disclosure or compromise of customer information held by the city.
– Respond to known or suspected identity theft involving our city or its customers.
– Provide assistance to city customers who may have been victims of identity theft.
– Establish processes or procedures for the training of city personnel.
– Establish processes or procedures for the education of city customers
DEFINITIONS
For the purposes of this policy, the following definitions apply:
Creditor means
– Any person or firm who regularly extends, renews, or continues credit
– Any person or firm who regularly arranges for the extension, renewal or continuation of credit, or
– Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
Account means a continuing relationship established by a person with the city to obtain a product or service for personal, family, household or business purposes. Account includes:
– An extension of credit, such as the utility billing (water, electricity, sewer, garbage and internet) involving a deferred payment, and
– A deposit account.
Covered Account means:
– An account that our city offers or maintains primarily for personal, family or household purposes that involve or are designed to permit multiple payments or transactions such as utility billing (water. electricity, sewer, garbage and internet) or the purchase of property.
– Any other account that our city offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the city from identity theft, including financial, operational, compliance, reputation or litigation risks.
– This definition may include accounts established for business purposes and covers any relationship the account holder has with the city, including deposit relationships, utility relationships, and include fiduciary, agency, custodial, and other advisory relationships.
Customer means a person that has a covered account with the city. This includes not only consumers but also other types of persons for which our city believes there is a reasonably foreseeable risk to its customers or to the city’s safety and soundness from identity theft.
Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
Identity Theft means a fraud committed or attempted using the identifying information of another person without authority.
Identifying Information means “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including any:
– Name, social security number, date of birth, official state or governmental issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
– Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
– Unique electronic identification number, address, or routing code; or
– Telecommunication identifying information or access device.
Notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to the law that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Service Provider means a person that provides a service directly to the city.
ELEMENTS OF THE IDENTITY THEFT PREVENTION PROGRAM
– Identify relevant red flags and incorporate them into the Program
– Detect red flags that are part of the Program
– Respond appropriately to any red flags that are detected
– Ensure the Program is updated periodically to address changing risks.
GUIDELINES OF THE IDENTITY THEFT PREVENTION PROGRAM
– Incorporate all existing anti-fraud policies and procedures into the Program.
– Program to be approved by the Elk City Commission , Elk City Public Works Authority, Elk City Industrial Authority and Elk City Airport Authority
– Ensure oversight of the Program by the City Manager, City Treasurer and City Clerk
– Train appropriate staff
– Oversee any service provider arrangements made
ADMINISTRATION OF THE IDENTITY THEFT PREVENTION PROGRAM
– The city’s Identity Theft Prevention Program will be administered by the City Clerk.
– The Program will be monitored at least annually.
– Service provider’s activities will be conducted in accordance with the city’s Program.
REPORTING REQUIREMENTS
– The City Manager will make a report to the Elk City Commission, the Elk City Public Works Authority, the Elk City Industrial Authority and the Elk City Airport Authority at least on an annual basis.
– Significant incidents involving identity theft will be reported as they happen.
– The Program will be reviewed and critiqued to determine the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the city’s covered accounts.
– All service providers’ activities will be conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
IDENTIFICATION OF COVERED ACCOUNTS INCLUDING A RISK ASSESSMENT
The city performed an initial risk assessment of the likelihood that we offer covered accounts taking into consideration:
– The types of covered accounts that we offer
– The methods we use to open accounts
– The methods we use to provide access to our accounts
– Previous experiences with identity theft
To assist us in this process, we used the illustrative examples of Red Flags that are contained in the FACT Act.
PERIODIC UPDATES OF THE IDENTITY THEFT PREVENTION PROGRAM
The city will review its existing, Identity Theft Prevention Program at least annually and make such revision and amendments, as it deems appropriate to reflect changes in risks to customers and to the safety and soundness of the city from identity theft.
STAFF TRAINING
Our staff will be trained to recognize and properly react to unauthorized or fraudulent attempts to obtain customer information. Employees will also be trained to protect customer information through appropriate measures, such as taking additional steps to verify that a caller is a bonafide customer.
Employees will also be trained to implement the city’s written policies and procedures governing the disclosure of customer information, and will be informed and reminded on a periodic basis not to deviate from them. Moreover, employees must also know to whom and how they should report suspicious activity.
OVERSIGHT OF SERVICE PROVIDERS
The City will adopt and implement an information security program that establishes adequate administrative, technical and physical safeguards to protect customer information against misuse, alteration, destruction, or unauthorized disclosure. The City will perform due diligence on service providers and will require that all contracts with service providers, who have access to customer non-public personal information in the course of providing services to our city, have a clause that requires the provider to maintain an information security program designed to achieve these objectives.
PREVENTION AND DETERRENCE OF IDENTITY THEFT
Our city will employ a variety of methods to safeguard customer information and reduce the risk of loss from identity theft, including:
– Verification of personal information to establish the identity of individuals applying for new or addition services.
– Consumer reports can be an important source for preventing fraud. When processing an application for a new account, the city may rely on a consumer report from a consumer reporting agency. Our city will not process an application when there is an existing fraud alert without contacting the individual in accordance with instructions that usually accompany a fraud alert (i.e., a victim’s statement), or otherwise employing additional steps to verify the individual’s identity. Consumer reports may also be a source for detecting fraud. Signs of possible fraudulent activity that may appear on consumer reports may include late payments on a consumer’s accounts in the absence of a previous history of late payments, numerous credit inquiries in a short period of time, higher-than-usual monthly credit balances, and a recent change of address in conjunction with other signs. The city will institute procedures to share a fraud alert across our various lines of business.
– When an applicant fails to provide all requested information on an application, our city will not process the incomplete application without further explanation.
– Inasmuch as a change of address request on an existing account may be a sign of fraudulent activity, our city will verify the customer information before executing an address change.
– Our city will implement appropriate controls and procedures to limit access to customer records. We will also ensure that our service providers adopt similar controls.
– Because insiders could be identity thieves, our city will consider conducting background checks for its employees, in accordance with applicable law.
– Our city will also monitor its service providers to confirm that they have implemented appropriate measures to limit access to customer records.
– Appropriate protective measure will also be taken for disclosing information through other communication channels (e.g., e-mail or wireless devices) which our city may use. It is our policy that in most cases e-mail is not an appropriate channel to communicate certain types of account information unless it is secure e-mail.
– Our city will implement appropriate controls and procedures to limit access to customer records which are to be destroyed by shredding. We will also ensure that our service providers adopt similar controls.
RESPONSE TO SUSPECTED IDENTITY THEFT SCHEMES
In order to properly respond to instances of suspected identity theft, we will:
– Incorporate notification of known email-related frauds into the response program to alert customers of fraudulent requests for information and to caution them against responding.
– Notify Internet service providers, domain name issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that are being used to facilitate phishing or other fraudulent e-mail practices.
– Increase suspicious activity monitoring and employ addition identity verification controls.
– If fraud is detected in connection with customer accounts, we will report the fraud and offer our customers assistance consistent with regulatory guidance on this subject.
– In the event that our city is a victim of an email-related scam, we will promptly notify law enforcement by filing a Suspicious Activity Report (SAR).
RESPONSE PROGRAM FOR KNOVN IDENTITY THEFT
The city will take all necessary steps to prevent unauthorized access to or use of sensitive customer information. Sensitive customer information includes the customer’s name, address or telephone number in conjunction with the customer’ s Social Security number, driver’s license number, account number, and their credit or debit card number. It also includes any combination of customer information that would allow someone to log on or access a customer’s account, such as the user name and personal identification number (PIN) or password.
In the event that sensitive customer information is accessed or used, the city will:
– Assess the nature ad the scope of the incident and identify what customer information systems and types of customer information have been misused or accessed;
– Notify our law enforcement and file a SAR as the city becomes aware of the incident;
– Promptly notify the appropriate law enforcement authorities when a reportable violation is ongoing;
– Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information;
– Notify customers of the incident.
INCIDENT INVOLVING A SERVICE PROVIDER
The City will notify our customers and when an incident of unauthorized access to sensitive customer information involves our customer information systems maintained by a service provider. The city may, however, elect to authorize or contract with the service provider to notify our customers on our behalf.
CUSTOMER NOTICE OF UNAUTHORIZED ACCESS TO CUSTOMER INFORMATION
The City will notify customers when we become aware of an incident of unauthorized access to customer information and at the conclusion of our investigation if the city determines that misuse of information has occurred or the city believes it is reasonably possible that misuse will occur.
The customer notice will be given in a clear and conspicuous manner and will be delivered in a manner designated to ensure that a customer can reasonably be expected to receive it. Acceptable methods that the city will use include telephone and mail. E-mail notices are acceptable for those customers who have valid e-mail addresses and who have agreed to receive communications with the city electronically.
The notice will contain the following items:
– Description of the incident;
– Type of information subject to unauthorized access;
– Measures taken by the city to protect customer s from further unauthorized access;
– Contact information for the nationwide consumer reporting agencies;
– Telephone number customers can call for information and assistance; and
– A reminder to customer to remain vigilant over the next twelve to twenty four months and to report any suspected identity theft incidents to the city.
EDUCATION OF CUSTOMERS
Educating consumers about preventing identity theft and identifying potential pretext calls may help reduce their vulnerability to these fraudulent practices. We will make available to our customers, brochures in our lobbies or on our Web site, describing preventative measures consumers can take to avoid becoming victims of these types of fraud.
ASSISTANCE FOR VICTIMS
In the event that one of our customers becomes a victim of identity theft, we will take the following steps, as appropriate, to assist them
– Have trained personnel respond to customer calls regarding identity theft or pretext
calling.
– Determine if it is necessary to close the account immediately after a customer reports unauthorized use of that account. Where a customer has multiple accounts with us, we will assess whether any other account has bee the subject of potential fraud.
– Help educate the customer about appropriate steps to take if they have been victimized.
INDEPENDENT TESTING
Periodic unannounced independent testing will be conducted to ensure that city personnel are aware of and abiding by this policy. This testing will include in its activities testing to determine if any city customers have been the victims of ID theft and, if so, where the city took the proper steps thereafter. In addition, this testing will focus on additional modifications that should be made to the city’s identity theft prevention program.
REVIEW OF POLICY
The Elk City Commission, Elk City Public Works Authority, Elk City Industrial Authority, and the Elk City Airport Authority shall review this policy at least annually, making such revisions and amendments, as is deemed appropriate.
ALERTS, NOTIFICATIONS, OR OTHER WARNINGS RECEIVED
The City Will:
– Verify identity of the customer.
– Authenticate customer’s information.
– Monitor transactions on the customer’s accounts.
– Verify validity of address changes or changes in personal information.
Requirement to Form a Reasonable Belief
Whenever our city receives an alert, notification, or other warning of address discrepancy from a consumer reporting agency that has a substantial difference between the address the city submitted to the consumer reporting agency and the address(s) in the agency’s file for the consumer, the city will take steps to form a reasonable belief that the consumer report relates to the consumer about whom the city requested the report.
In order to develop a reasonable belief that the consumer report relates to the consumer about whom we requested a report, we will compare the information in the consumer report provided by the consumer reporting agency with information that the city;
– Obtained and used to verify the consumer’s identity;
– Maintains in our records, such as applications, change of address notifications, other customer account records; (or)
– Obtained from a third-party source(s);
– In addition, the city will verify the information in the consumer report provided by the consumer reporting agency with the customer.
Requirement to Furnish a Consumer’s Address to a Consumer Reporting Agency
The city will furnish an address for the consumer that the city has reasonably confirmed is
accurate to the consumer reporting agency from whom the city received the notice of address
discrepancy whenever the city can form a reasonable belief that the consumer report relates to the
consumer about whom the city requested the report.
The city will furnish this information if the city establishes a continuing relationship with the consumer and if the city regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
Examples of confirmation methods that may be used by the city are:
– Verification of the address with the consumer about whom it has requested the report, or
– Review of its records to verify the address of the consumer, or
– Verification of the address through third-party sources; or
– Use of other reasonable means.
Timing
The city will furnish the consumer’s address that the city has confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which the city established a relationship with the consumer.
DUTIES REGARDING CHANGES OF ADDRESS
The city will assess the validity of a change of address if it receives notification of a change of address for a consumer’s account.
Form of Notice
Any written or electronic notice that the city provides under this paragraph will be clear and conspicuous and provided separately from its regular correspondence with the consumer.
SUSPICIOUS DOCUMENTS
– Documents provided for identification which appear to be altered
– Personal information provided that is inconsistent with external information sources
– Unusual use of the account in a manner that is not consistent with historical patterns of activity
– Notice from customer of unauthorized charges or use
APPROPRIATE RESPONSES TO RED FLAGS
– Monitor accounts
– Contact customer
– Change passwords or sign ons
– Refuse to open an account
– Don’t collect on an account
– Notify law enforcement as deemed appropriate
– No response