HomeMy WebLinkAbout08-336
/1 . I..' iA/LJ.//1
lf4<J'f TV . r' PI.:.:/
1=;. J/ltll~
ufd. h'td
RESOLUTION NO. 08-336
A RESOLUTION ESTABLISHING AN IDENTITY THEFT
PREVENTION PROGRAM FOR THE ST. LUCIE COUNTY UTILITIES
DEPARTMENT AND PROVIDING AN EFFECTIVE DATE
WHEREAS, the Bbard of County Commissioners of St. Lucie County, Florida, (the "Board"), has
made the following determinations:
1. The Fair and Accurate Credit Transactions (FACT) Act of 2003 requires financial
institution and creditors, including governmental utilities which provide services for credit accounts,
to develop and implement written identity theft prevention programs on or before November 1,2008.
2. It is necessary to adopt an identity theft prevention program for the st. Lucie County
Utilities Department in order to protect the identity of its customers in accordance with the Fair and
Accurate Credit Transactions (FACT) Act of 2003
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of St. Lucie
County, Florida, asfollows:
1. The Board hereby adopts the St. Lucie County Utilities Department Identity Theft
Protection Program attached hereto and incorporated herein as Exhibit. "A."
2. This resolution shall take effect on November 1, 2008.
After motion and second, the vote on this Resolution was as follows:
Chairman Joseph E. Smith
Vice Chair Paula A. Lewis
Commissioner Doug Coward
Commissioner Charles Grande
CommisSioner Chris Craft
AYE
AYE
AYE
AYE
AYE
PASSED AND DULY ADOPTED this 28th day of October, 2008.
BOARD OF COUNTY COMMISSIONERS
ST. LUCI COUNTY, FLORIDA
BY:
st. Lucie County Utility Billing
Identity Theft Prevention Program
Purpose
The mtent of this program is to fulfill the requirements of the Federal Trade Commission's Red Flags
Rule in compliance with Part 681 of Title 16 of the Code of Federal Regulations implementing Sections
114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
Under the Red Flag Rule, every financial institution and creditor is required to establish an "Identity
Theft Prevention Program" tailored to its size, complexity and the nature of its operation. Each program
must cohtain reasonable policies and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and incorporate
those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate
Identity Theft; and
4. Ensure the Program is updated periodically, to reflect changes in risks to customers
or to the safety ahd soundness of the creditor from Identity Theft.
The program shall, as appropriate, incorporate existing policies and procedures that control reasonably
foreseeable risks.
Definitions
The Red Flags Rule defines "Identity Theft" as "fraud .committed using the identifying information of
another person" and a "Red Flag" as a pattern, practice, or specific activity that indicates the possible
existence of Identity Theft.
According to the Rule, a municipal utility is a creditor subject to the Rule requirements. The Rule defines
creditors "to include finance companies, automobile dealers, mortgage brokers, utility companies, and
telecommunications companies. Where non-profit and government entities defer payment of goods or
services, they, too, are to be considered creditors."
All the Utility's accounts that are individual utility service accounts held by customers of the utility
whether residential, commercial or multi-family are covered by the Rule.
A red flag means a pattern, practice or specific activity that indicates the possible existence of identity
theft.
"Identifying information" is defined under the Rule as "any name or number that may be used, alone
or in conjunction with any other information, to identify a person, "including: name, address, telephone
number, social security number, date of birth, government issued driver's license or identification
number, alien registration number, government passport number, employer or taxpayer identification
number, unique electronic identification number, computer's Internet Protocol address, or routing code.
Administration of Program
1. St. Lucie County Utilities shall be responsible for the development, implementation,
oversight and continued administration of the Program.
2. St. Lucie County Utilities shall train staff, as necessary, to effectively implement the
Program.
3. St. Lucie County Utilities shall exercise appropriate and effective oversight of service
provider arrangements.
L IDENTIFYING RED FLAGS
St. Lucie County Utilities does track Social Security numbers and Driver's License numbers with the
opening of Utility Accounts. Therefore, red flag opportunities' are minimal. The following are
considered red flags that require a response
A. Opening an Account
1. The presentation of suspicious documents;
1. Identification document or card that appears to be forged, altered
or inauthentic;
2. Identificationdocumentor card on which a person's photograph
or physical description is not consistent with the person
presenting the document;
3. Other document with information that is not consistent with
existing customer information (such as a person's signature on
a check appears forged); and
4. Application for service that appears to have been altered or
forged.
2. Identifying information presented that is inconsistent with other information the
customer provides (example: inconsistent birth dates);
3. Identifying information presented thatisthe same as information shown on other
applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent activity (such
as a n invalid phone number or fictitiotls address);
5. An address or phone number presented that is the same as that of another
person;
6. A person's identifying information is not consistent with the information that is
on file for the customer.
B. Suspicious Account Activity or Unusual Use of Account
1. Change of address for an account followed by a request to change the accotlnt
holder's name;
2. Account used in a way that is not consistent with prior use (example: very high
activity);
3. Mail sent to the account holder is repeatedly returned as undeliverable;
4. Notice to the Utility that a customer is not receiving mail sent by the Utility;
5. Notice to the Utility that an account has unauthorized activity;
6. Breach in the Utility's computer system security; and
7. Unauthorized access to or use of customer account information.
C. Alerts from Others
1. Notice to the Utility from a customer, identity theft victim, law enforcement or
other person that it has opened or is maintaining a fraudulent account for a
person engaged in Identity Theft.
11.. DETECTING RED FLAGS.
Detection of a red flag shall require an appropriate form that, at a minimum, notes the account, the red
flag, the response taken and the employee's signature and date.
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new
accotlnt, Utility personnel will take the following steps to.obtain and verify the identity of the person
opening the account:
1. Require some iderttifying information such as na.me, date of birth, residential or business
address, principal place of business for an entity;
2. Verify the customer's identity (for instance, review a driver's license or other
identification card);
3. Review documentation showing the existence of a business entity (such as a
Residentialj Commercial Lease);
4, Independently contact the customer.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, Utility personnel will
take the following steps to monitor transactions with an account:
1. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information for billing and payment purposes.
IlL RESPONSE TO REI> FLAGS.
Appropriate responses to any red flags shall be taken within 24 hours of red flag detection.
The response shall be commensurate with the degree of risk posed. Appropriate responses may include:
1. Monitor a covered account for evidence of identity theft;
2. Contact the customer;
3. Change any passwords, security codes or other security devices that permit access to a
covered account;
4. Reopen a covered account with a new account number
5. Not open a neW covered account;
6. Close an existing covered account;
7. Notify Supervisor
8. Notify law enforcement; or
9. Determine no response is warranted under the particular circumstances.
IV. UPDATING THE PROGRAM.
The Program shall be updated periodically to reflect changes in risks to customers or to the safety and
soundness of the organization from identity theft based on factors such as:
1. The experiences of the organization with identity theft;
2. Changes in. methods of identity theft;
3. Changes in methods to detect, prevent and mitigate identity theft;
4. Changes in the types of accounts that the organization offers or maintains;
5. Changes in the business arrangements of the organization,\ including mergers,
acquisitions, alliances, joint ventures and service provider arrangements.
V. OVERSIGHT OF THE PROGRAM.
Oversight of the Program shall be by the Utility Deparbnent and include:
1. Assignment fo specific responsibility for implementation of the Program;
2. Review of annual reports prepared by staff regarding compliance. The report shall
address material matters related to the Program and evaluate issues such as:
a. The effectiveness of the policies and procedures in addressing the risk
of identity theft in connection with the opening of covered accounts and
with respect to existing covered accounts
b. Significant incidents involving identity theft and management's response
c. Recommendations for material changes to the Program
3. Oversight of any contractors. In the. event the Utility engages a service provider to
perform an activity in connection with one or mor accounts, the Utility will require that
se,rvice providers have a satisfactory red flag policy and shall review it annually.
4. Approval of material changes to the Program as necessary to address changing risks of
identity theft.
VI. PROTECTING CUSTOMER INFORMATION.
In order to further prevent the likelihood of identity theft occurring with respect to Utility accounts, the
Utility willtake the following steps with respect to its internal operating procedures to protectcustomer
identifying information: .
1. Ensure that its website is secure or provide clear notice that the website is not secure;
2. Ensure complete artd secure desrruction of paper documents and computer files
containing customer information;
3. Ensure that office computers are password protected and that computer screens lock
after a set period of time;
4. Keep offices clear of papers containing customer information;
5. Ensure computer virus protection is up to date; and
6. Require and keep only the kinds of customer information that are necessary for utility
purposes.