Identity Theft Prevention Program 2007
TO: The Honorable Mayor and City Council Members
FROM: Michael C. Van Milligen, City Manager
SUBJECT: Identity Theft Prevention Program
DATE: October 13, 2008
Finance Director Ken TeKippe recommends City Council approval of the City of
Dubuque's Identity Theft Prevention Program. The Federal Trade Commission's Red
Flag Rules require the City to implement an Identity Theft Prevention Program by
November 1, 2008.
I concur with the recommendation and respectfully request Mayor and City Council
approval.
Michael C. Van Milligen
MCVM/jh
Attachment
cc: Barry Lindahl, City Attorney
Cindy Steinhauser, Assistant City Manager
Ken TeKippe, Finance Director
Memorandum
TO: Michael C. Van Milligen, City Manager
FROM: Ken TeKippe, Finance Director
SUBJECT: Identity Theft Prevention Program
DATE: October 9, 2008
The City of Dubuque is required to implement an Identity Theft Prevention Program
pursuant to the Federal Trade Commission's ("FTC") Red Flag Rule, which implements
Section 114 of the Fair and Accurate Credit Transaction Act of 2003. 16 C.F.R. § 681.2.
The program is required to be implemented by November 1, 2008. Assistant
City Attorney, Crenna Brumwell, developed our program working with Finance and
Utility Billing staff. Information was received at a program hosted by the Iowa
Association of Municipal Utilities (IAMU) in Waverly, Iowa on September 22, 2008
attended by Finance and Information Services staff. In addition, reference information
was gathered from LexisNexis, Bankrate, and the Minnesota Municipal Utilities
Association.
Municipal utilities are among the entities covered by the Federal Trade Commission's
(FTC) "Red Flags Rules," which is part of the Fair and Accurate Credit Transactions Act
of 2003 (FACTA). Under these rules, municipal utilities must have written identity theft
protection plans for covered accounts, including utility accounts, in place by November
1, 2008. The program objectives are to detect, prevent, and mitigate identity theft. A
program established by a utility must be approved by the utility's Board or City Council
and receive senior management oversight, implementation and administration.
The internal committee established to periodically review our Identity Theft Prevention
Program includes:
Crenna Brumwell, Assistant City Attorney
Rose Hoerner, Utility Billing Coordinator
Jean Nachtman, Assistant Finance Director
Joe Pregler, Lead Application/Network Analyst
Ken TeKippe, Finance Director
Rick Till, Financial Analyst
If you have any questions on this program, please feel free to contact me. The action
requested is to submit to City Council for their approval at the October 20, 2008
meeting.
KT/jg
Enclosure
City of Dubuque Utilities
Identity Theft Prevention Program
Implemented as of October 21, 2008
City of Dubuque Dubuque Utilities Identity Theft Prevention Program
I. INTRODUCTION
The City of Dubuque Utilities (the "Utility") developed this Identity Theft
Prevention Program ("Program") pursuant to the Federal Trade Commission's
("FTC") Red Flag Rule, which implements Section 114 of the Fair and Accurate
Credit Transaction Act of 2003. 16 C.F.R. § 681.2. This Program is designed to
detect, prevent, and mitigate Identity Theft in connection with the opening and
maintenance of certain utility accounts. For purposes of this Program, "Identity
Theft" is considered to be "fraud committed using the identifying information of
another person." The accounts addressed by the Program, (the "Accounts"), are
defined as:
1. An account the Utility offers or maintains primarily for personal,
family, or household purposes, that involves multiple payments or
transactions; and
2. Any other account the Utility offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness
of the Utility from Identity Theft.
This Program was developed with oversight and approval of the City Council.
After consideration of the size and complexity of the Utility's operations and
Account systems, and the nature and scope of the Utility's activities, the City
Council determined that this Program was appropriate for the City of Dubuque
Utilities, and therefore approved this Program on October 20, 2008.
II. PROGRAM PURPOSE AND DEFINITIONS
A. Fulfilling Requirements of the Red Flags Rule
Under the Red Flag Rule, every financial institution and creditor is required to
establish an "Identity Theft Prevention Program" tailored to its size, complexity,
and the nature of its operation. Each program must contain reasonable policies
and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts
and incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to
prevent and mitigate Identity Theft; and
4. Ensure the Program is updated periodically, to reflect changes in
risks to customers or to the safety and soundness of the creditor from
Identity Theft.
B. Red Flags Rule Definitions Used in This Program
"Covered Account" is defined as:
1. Any account the Utility offers or maintains primarily for personal,
family, or household purposes, that involves multiple payments or
transactions; and
2. Any other account the Utility offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness
of the Utility from Identity Theft.
All the Utility's accounts that are individual utility service accounts held by
customers of the Utility whether residential, commercial, or industrial are
covered by the Rule.
"Creditors" are defined as finance companies, automobile dealers, mortgage
brokers, utility companies, and telecommunications companies. Where non-profit
and government entities defer payment for goods or services, they, too, are to be
considered creditors.
"Identity Theft" is defined as fraud committed using the identifying information of
another person.
"Identifying information" is defined as any name or number that may be used,
alone or in conjunction with any other information, to identify a specific person,
including name, address, telephone number, social security number, date of
birth, government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's Internet
Protocol address, or routing code.
"Municipal Utility" is defined as a creditor subject to the Rule requirements.
"Red Flag" is defined as a pattern, practice, or specific activity that indicates the
possible existence of Identity Theft.
III. IDENTIFICATION OF RED FLAGS
A "Red Flag" is a pattern, practice, or specific activity that indicates the possible
existence of Identity Theft.
In order to identify relevant Red Flags, the Utility considered the types of
Accounts that it offers and maintains, the methods it provides to open its
Accounts, the methods it provides to access its Accounts, and its previous
experiences with Identity Theft. The Utility identifies the following Red Flags, in
each of the listed categories:
A. Suspicious Documents
1. Identification document or card that appears to be forged, altered,
or inauthentic;
2. Identification document or card on which a person's photograph or
physical description is not consistent with the person presenting the
documentation;
3. Other documentation with information that is not consistent with
existing customer information (such as if a person's signature on a check
appears forged); and
4. Application for service that appears to have been altered, forged, or
inauthentic.
B. Suspicious Personal Identifying Information
1. Identifying information presented that is inconsistent with other
information the customer provides (such as inconsistent birth dates);
2. Identifying information presented that is the same as information
shown on another application(s) found to be fraudulent;
3. Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address);
4. Social Security number (SSN) presented that is the same as
another customer's SSN;
5. An address or phone number is the same as that of another
person;
6. A person fails to provide complete personal identifying information
on an application when reminded to do so (however, by law, SSNs must
not be required); and
7. A person's identifying information is not consistent with the
information that is on file for the customer.
C. Unusual Use Of or Suspicious Activity Related to an Account
1. Change of address for an Account followed by a request to change
the Account holder's name;
2. Mail sent to the Account holder is repeatedly returned as
undeliverable;
3. Notice is received by the Utility that a customer is not receiving
statements or mail sent by the Utility;
4. Notice is received by the Utility that an Account has unauthorized
activity;
5. Breach of Utility's computer system security; and
6. Unauthorized access to or use of customer account information.
Based on discussions with utility representatives, other Red Flags in this
category may include breaches in a utility's computer system,
unauthorized access to or use of customer account information, and a
utility's plans to take steps with certain data it maintains that contains
customer information (such as destroying computer files).
D. Notice Regarding Possible Identity Theft
1. Utility receives notice from a customer that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
2. Utility receives notice from an identity theft victim that it has opened
or is maintaining a fraudulent Account for a person engaged in Identity
Theft.
3. Utility receives notice from law enforcement that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
4. Utility receives notice from any other person that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
IV. DETECTION OF RED FLAGS
A. New Accounts
In order to detect any of the Red Flags identified above with the opening of a new
Account, Utility personnel will take the following steps to obtain and verify the
identity of the person opening the Account:
1. Require certain identifying information such as name, date of birth,
residential or business address, principal place of business for an entity,
SSN, or government issued identification;
2. Verify the customer's identity, such as by copying and reviewing a
driver's license or other identification card;
3. Review documentation showing the existence of a business entity
(IRS form W-9); and
4. Independently contact the customer.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing Account,
Utility personnel will take the following steps to monitor transactions with an
Account:
1. Verify the identification of customers if they request information (in
person, via telephone);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment
purposes.
V. PREVENTING AND MITIGATING IDENTITY THEFT
In the event Utility personnel detect any identified Red Flags, such personnel
shall take one or more of the following steps, depending on the degree of risk
posed by the Red Flag:
Prevent and Mitigate
1. Flag the account to watch for suspicious activity;
2. Contact the customer;
3. Change any passwords or other security devices that permit access
to Accounts;
4. Reopen an account with a new number;
5. Do not open a new account;
6. Close an existing account;
7. Notify law enforcement;
8. Determine that no response is warranted under the particular
circumstances.
Protect Customer Identifying Information
In order to further prevent the likelihood of identity theft occurring with respect to
Utility accounts, the Utility will take the following steps with respect to its internal
operating procedures to protect customer identifying information:
1. Ensure that its website is secure or provide a clear notice that
website is not secure;
2. Ensure complete and secure destruction of paper documents and
computer files containing customer information in compliance with
document retention and destruction plan;
3. Ensure that office computers are password protected and that
computer screens lock when unattended; and
4. Ensure that office computers are shut down at night.
VI. PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in
risks to customers and the soundness of the Utility from Identity Theft. At least
annually the Identity Theft Committee will consider the Utility's experiences with
Identity Theft situations, changes in Identity Theft methods, changes in Identity
Theft detection and prevention methods, changes in types of Accounts the Utility
maintains, and changes in the Utility's business arrangements with other entities.
After considering these factors, the Identity Theft Committee will determine
whether changes to the Program, including the listing of Red Flags, are
warranted. If warranted, the Identity Theft Committee will present the City Council
with its recommended changes and the City Council will make a determination of
whether to accept, modify, or reject those changes to the Program.
VII. PROGRAM ADMINISTRATION
A. Oversight
An Identity Theft Committee will be responsible for developing, implementing,
and updating this program. The Committee is headed by the Director of Finance.
Two or more individuals appointed by the Director of Finance shall comprise the
remainder of the committee membership. The Director of Finance will be
responsible for the Program's administration, for ensuring appropriate training of
Utility staff on the Program, for reviewing any staff reports regarding the detection
of Red Flags and the steps for preventing and mitigating Identity Theft,
determining which steps of prevention and mitigation should be taken in
particular circumstances, reviewing and, if necessary, approving changes to the
Program.
B. Staff Training and Reports
Utility staff responsible for implementing the Program shall be trained either by or
under the direction of the Director of Finance in the detection of Red Flags, and
the responsive steps to be taken when a Red Flag is detected. All new
employees will receive the policies and procedures for preventing Identity Theft.
Incidents of suspicious activity of Identity Theft shall be reported to the Director of
Finance.
C. Service Provider Arrangements
In the event the Utility engages a service provider to perform an activity in
connection with one or more Accounts, the Utility will take the following steps to
ensure the service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of
Identity Theft:
1. Require, by contract, that service providers have such policies and
procedures in place;
2. Require, by contract, that service providers review the Utility's
Program and report any Red Flags to the Director of Finance.
D. Specific Program Elements and Confidentiality
For the effectiveness of Identity Theft Prevention Programs, the Red Flag Rule
envisions a degree of confidentiality regarding the Utility's specific practices
relating to Identity Theft detection, prevention and mitigation. Therefore, under
this Program, knowledge of such specific practices is limited to the Identity Theft
Committee and those employees who need to know them for purposes of
preventing Identity Theft. Because this Program is to be adopted by a public
body and thus publicly available, it would be counterproductive to list these
specific practices here. Therefore, only the Program's general red flag detection,
implementation, and prevention practices are listed in this document.