Identity Theft Prevention Program UpdateTHE CITY OF
Dui
Masterpiece on the Mississippi
TO: The Honorable Mayor and City Council Members
FROM: Michael C. Van Milligen, City Manager
SUBJECT: Identity Theft Prevention Program
DATE: August 26, 2014
Dubuque
band
AI -America City
r
2007 • 2012 • 2013
The City of Dubuque implemented an Identity Theft Prevention Program on
November 1, 2008, related to City utilities. The program objectives are to detect,
prevent and mitigate identity theft.
Finance Director Ken TeKippe is recommending City Council approval of an update to
the City's Identity Theft Prevention Program to include areas of City operation in
addition to utilities.
I concur with the recommendation and respectfully request Mayor and City Council
approval.
bat44 .,
Mic ael C. Van Milligen
MCVM:jh
Attachment
cc: Barry Lindahl, City Attorney
Cindy Steinhauser, Assistant City Manager
Teri Goodmann, Assistant City Manager
Ken TeKippe, Finance Director
THE CITY OF
Dui
Masterpiece on the Mississippi
TO: Michael C. Van Milligen, City Manager
FROM: Ken TeKippe, Finance Director
SUBJECT: Identity Theft Prevention Program
DATE: August 15, 2014
Dubuque
bitetri
All -America City
1 r
2007 • 2012 • 2013
The City of Dubuque is required to have an Identity Theft Prevention Program pursuant
to the Federal Trade Commission's ("FTC") Red Flag Rule, which implements Section
114 of the Fair and Accurate Credit Transaction Act of 2003. 16 C. F. R. § 681.2. The
program was implemented November 1, 2008. Assistant City Attorney, Crenna
Brumwell, initially developed our program working with Finance and Utility Billing staff.
Municipal utilities are among the entities covered by the Federal Trade Commission's
(FTC) "Red Flags Rules," which is part of the Fair and Accurate Credit Transactions Act
(FACTA) of 2003. Our program has been expanded to include areas in addition to
utilities. The program objectives are to detect, prevent, and mitigate identity theft. A
program established by utilities or City must be approved by the Utility's Board or City
Council and receive senior management oversight, implementation and administration.
Initial approval was at the October 20, 2008 City Council meeting.
An internal committee has been established to periodically review our Identity Theft
Prevention Program. The committee meets semi-annually. The program has been
updated to include areas of City operation in addition to utilities.
If you have any questions on this program, please feel free to contact me. The action
requested is to submit to City Council for their approval at the August 18, 2014 meeting.
KT/em I
Enclosure
cc: Crenna Brumwell, Assistant City Attorney
City of Dubuque
Identity Theft Prevention Program
Implemented as of October 21, 2008
Amended on
City of Dubuque Identity Theft Prevention Program
I. INTRODUCTION
The City of Dubuque Identity Theft Committee (the "City") developed this Identity
Theft Prevention Program ("Program") pursuant to the Federal Trade
Commission's ("FTC") Red Flag Rule, which implements Section 114 of the Fair
and Accurate Credit Transaction Act of 2003. 16 C. F. R. § 681.2. This Program
is designed to detect, prevent, and mitigate Identity Theft in connection with the
opening and maintenance of certain City accounts. For purposes of this Program,
"Identity Theft" is considered to be "fraud committed using the identifying
information of another person." The accounts addressed by the Program, (the
"Accounts"), are defined as:
1. An account the City offers or maintains primarily for personal,
family, or household purposes, that involves multiple payments or
transactions; and
2. Any other account the City offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness
of the City from Identity Theft.
This Program was developed with oversight and approval of the City Council.
After consideration of the size and complexity of the Utility's operations and
Account systems, and the nature and scope of the Utility's activities, the City
Council determined that this Program was appropriate for the City of Dubuque
Utilities, and therefore approved this Program on October 20, 2008.
II. PROGRAM PURPOSE AND DEFINITIONS
A. Fulfilling Requirements of the Red Flags Rule
Under the Red Flag Rule, every financial institution and creditor is required to
establish an "Identity Theft Prevention Program" tailored to its size, complexity,
and the nature of its operation. Each program must contain reasonable policies
and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts
and incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to
prevent and mitigate Identity Theft; and
Page 2 of 8
City of Dubuque Identity Theft Prevention Program
4. Ensure the Program is updated periodically, to reflect changes in
risks to customers or to the safety and soundness of the creditor from
Identity Theft.
B. Red Flags Rule Definitions Used in This Program
"Covered Account" is defined as:
1. Any account the City offers or maintains primarily for personal,
family, or household purposes, that involves multiple payments or
transactions; and
2. Any other account the City offers or maintains for which there is a
reasonably foreseeable risk to customers or to the safety and soundness
of the City from Identity Theft.
All the Utility's accounts that are individual City service accounts held by
customers of the City whether residential, commercial, or industrial are
covered by the Rule.
"Creditors" are defined as finance companies, automobile dealers, mortgage
brokers, City companies, and telecommunications companies. Where non-profit
and government entities defer payment for goods or services, they, too, are to be
considered creditors.
"Identity Theft" is defined as fraud committed using the identifying information of
another person.
"Identifying information" is defined as any name or number that may be used,
alone or in conjunction with any other information, to identify a specific person,
including name, address, telephone number, social security number, date of
birth, government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number, unique electronic identification number, computer's Internet
Protocol address, or routing code.
"Municipal Utility" is defined as a creditor subject to the Rule requirements.
"Red Flag" is defined as a pattern, practice, or specific activity that indicates the
possible existence of Identity Theft.
III. IDENTIFICATION OF RED FLAGS
A "Red Flag" is a pattern, practice, or specific activity that indicates the possible
existence of Identity Theft.
In order to identify relevant Red Flags, the City considered the types of Accounts
that it offers and maintains, the methods it provides to open its Accounts, the
Page 3 of 8
City of Dubuque Identity Theft Prevention Program
methods it provides to access its Accounts, and its previous experiences with
Identity Theft. The City identifies the following Red Flags, in each of the listed
categories:
A. Suspicious Documents
1. Identification document or card that appears to be forged, altered,
or inauthentic;
2. Identification document or card on which a person's photograph or
physical description is not consistent with the person presenting the
documentation;
3. Other documentation with information that is not consistent with
existing customer information (such as if a person's signature on a check
appears forged); and
4. Application for service that appears to have been altered, forged, or
inauthentic.
B. Suspicious Personal Identifying Information
1. Identifying information presented that is inconsistent with other
information the customer provides (such as inconsistent birth dates);
2. Identifying information presented that is the same as information
shown on another application(s) found to be fraudulent;
3. Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address);
4. The Social security number (SSN) presented that is the same as
another customer's SSN;
5. An address or phone number is the same as that of another
person;
6. A person fails to provide complete personal identifying information
on an application when reminded to do so (however, by law, SSNs must
not be required); and
7. A person's identifying information is not consistent with the
information that is on file for the customer.
C. Unusual Use Of or Suspicious Activity Related to an Account
Page 4 of 8
City of Dubuque Identity Theft Prevention Program
1. Change of address for an Account followed by a request to change
the Account holder's name;
2. Mail sent to the Account holder is repeatedly returned as
undeliverable;
3. Notice is received by the City that a customer is not receiving
statements or mad sent by the Utility;
4. Notice is received by the City that an Account has unauthorized
activity;
5. Breach of Utility's computer system security; and
6. Unauthorized access to or use of customer account information.
Based on discussions with City representatives, other Red Flags in this
category may include breaches in a utility's computer system,
unauthorized access to or use of customer account information; and a
utility's plans to take steps with certain data it maintains that contains
customer information (such as destroying computer files).
D. Notice Regarding Possible Identity Theft
1. City receives notice from a customer that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
2. City receives notice from an identity theft victim that it has opened
or is maintaining a fraudulent Account for a person engaged in Identity
Theft.
3. City receives notice from law enforcement that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
4. City receives notice from any other person that it has opened or is
maintaining a fraudulent Account for a person engaged in Identity Theft.
IV. DETECTION OF RED FLAGS
A. New Accounts
In order to detect any of the Red Flags identified above with the opening of a new
Account, City staff will take the following steps to obtain and verify the identity of
the person opening the Account:
Page 5 of 8
City of Dubuque Identity Theft Prevention Program
1. Require certain identifying information such as name, date of birth,
residential or business address, principal place of business for an entity,
SSN, or government issued identification;
2. Verify the customer's identity, such as by copying and reviewing a
driver's license or other identification card;
3. Review documentation showing the existence of a business entity
(IRS form W-9); and
4. Independently contacting the customer.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing Account,
City staff will take the following steps to monitor transactions with an Account:
1. Verify the identification of customers if they request information (in
person, via telephone);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment
purposes.
V. PREVENTING AND MITIGATING IDENTITY THEFT
In the event City staff detects any identified Red Flags, such personnel will take
one or more of the following steps, depending on the degree of risk posed by the
Red Flag:
Prevent and Mitigate
1. Flag the account to watch for suspicious activity;
2. Contact the customer;
3. Change any passwords or other security devices that permit access
to Accounts;
4. Reopen an account with a new number;
5. Refuse to open a new account;
6. Close an existing account;
7. Notify law enforcement;
Page 6 of 8
City of Dubuque Identity Theft Prevention Program
8. Determine that no response is warranted under the particular
circumstances.
Protect Customer Identifying Information
In order to further prevent the likelihood of identity theft occurring with respect to
City accounts, the City will take the following steps with respect to its internal
operating procedures to protect customer identifying information:
1. Ensure that its website is secure or provide a clear notice that
website is not secure;
2. Ensure complete and secure destruction of paper documents and
computer files containing customer information in compliance with
document retention and destruction plan;
3. Ensure that office computers are password protected and that
computer screens lock when unattended; and
4. Ensure that office computers are shut down at night;
5. Ensure that physical files are protected in locked cabinets and/or
offices.
VI. PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in
risks to customers and the soundness of the City from Identity Theft. At least
annually the Identity Theft Committee will consider the Utility's experiences with
Identity Theft situations, changes in Identity Theft methods, changes in Identity
Theft detection and prevention methods, changes in types of Accounts the City
maintains, and changes in the Utility's business arrangements with other entities.
After considering these factors, the Identity Theft Committee will determine
whether changes to the Program, including the listing of Red Flags, are
warranted. If warranted, the Identity Theft Committee will present the City Council
with its recommended changes and the City Council will make a determination of
whether to accept, modify, or reject those changes to the Program.
VII. PROGRAM ADMINISTRATION
A. Oversight
An Identity Theft Committee will be responsible for developing, implementing,
and updating this program. The Committee is headed by the Director of Finance.
Two or more individuals appointed by the Director of Finance shall comprise the
remainder of the committee membership. The Director of Finance will be
Page 7 of 8
City of Dubuque Identity Theft Prevention Program
responsible for the Program's administration, for ensuring appropriate training of
City staff on the Program, for reviewing any staff reports regarding the detection
of Red Flags and the steps for preventing and mitigating Identity Theft,
determining which steps of prevention and mitigation should be taken in
particular circumstances, reviewing and, if necessary, approving changes to the
Program.
B. Staff Training and Reports
City staff responsible for implementing the Program will be trained either by or
under the direction of the Director of Finance in the detection of Red Flags, and
the responsive steps to be taken when a Red Flag is detected. All new
employees will receive the policies and procedures for preventing Identity Theft.
Incidents of suspicious activity of Identity Theft will be reported to the Director of
Finance.
C. Service Provider Arrangements
In the event the City engages a service provider to perform an activity in
connection with one or more Accounts, the City will take the following steps to
ensure the service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of
Identity Theft:
1. Require, by contract, that service providers have such policies and
procedures in place;
2. Require, by contract, that service providers review the Utility's
Program and report any Red Flags to the Director of Finance.
D. Specific Program Elements and Confidentiality
For the effectiveness of Identify Theft Prevention Programs, the Red Flag Rule
envisions a degree of confidentiality regarding the Utility's specific practices
relating to Identity Theft detection, prevention and mitigation. Therefore, under
this Program, knowledge of such specific practices is limited to the Identity Theft
Committee and those employees who need to know them for purposes of
preventing Identity Theft. Because this Program is to be adopted by a public
body and thus publicly available, it would be counterproductive to list these
specific practices here. Therefore, only the Program's general red flag detection,
implementation, and prevention practices are listed in this document.
Page 8 of 8