The URL can be used to link to this page

Home My WebLink About2009 03_Adoption of Red Flag Rules_2009.05.19OWASSO CITY COUNCIL OWASSO PUBLIC WORKS AUTHORITY OWASSO PUBLIC GOLF AUTHORITY RESOLUTION NO.2009-03 WHEREAS, The City of Owasso and the Owasso Public Works and Public Golf Authorities, Tulsa County, Oklahoma organized under Title 60, Oklahoma Statutes 2001, Sections 176-180.4, as amended, for the purpose of furthering the public functions of the City of Owasso, Oklahoma; and, WHEREAS, The Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, "Red Flag Rule" requires certain financial institutions and creditors with "covered accounts" to prepare, adopt, and implement an identity theft program to identify, detect, respond to and mitigate patterns, practices or specific activities which could indicate theft; and, WHEREAS, the City of Owasso, Owasso Public Works and Owasso Public Golf Authorities maintain certain continuing accounts with customers and for other purposes which involve multiple payments or transactions, and such accounts are "covered accounts" within the meaning of the Red Flag Rule; and, WHEREAS, to comply with the Red Flags Rule, City Staff has prepared an identity theft prevention program in the form attached hereto as Exhibit "A" and incorporated herein by this reference (the "ITTP" or the "Program") and have recommended that the Program now be approved by the City of Owasso and the Owasso Public Works and Public Golf Authorities Trustees for implementation. NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF OWAS50 AND TRUSTEES OF THE OWASSO PUBLIC WORKS AUTHORITY AND OWASSO PUBLIC GOLF AUTHORITY; THAT, Section 1. (a) The Program is hereby approved and adopted effective the date set forth below. (b) City of Owasso, Owasso Public Works Authority, and Owasso Public Golf Authority Staff are hereby authorized and directed to implement the program in accordance with its terms. ADOPTED AND APPROVED THIS 19th DAY Qh ~ AY 2009 ATTEST: Sherry Bishd~, City (SEAL) APPROVED AS TO ,/ ' , /^ ~ ~te~ie Cat~xt ella yor / airman C ~:a~~`~ ~ u~ OFFICIAL O s~~~ ~~~-AHOMP ~~ J ie Lombardi, City Attorney .~ •• O.' S •s~c _ y . EAL ..~ -_ ~d~ _~- .. : o :30~ :~; ~ 1 r~. y ~ i,~~' `~A ;OMp, ``tee `,~111111~~~~~~ ~~~~ ~alic G ~~,~ ~~ Q .....M %• ~~ ~yOt.~pfft% .9 ~~Z O~ Gr„ :. o ~ Sea1 ~ o - ~ y ~ i ~i •: t~Ohot~.~` ~~~~ MEMORANDUM TO: THE HONORABLE MAYOR AND COUNCIL CITY OF OWASO THE HONORABLE CHAIR AND TRUSTEES OWASSO PUBLIC WORKS AUTHORITY THE HONORABLE CHAIR AND TRUSTEES OWASSO PUBLIC GOLF AUTHORITY FROM: ANGELA HESS FINANCE DIRECTOR SUBJECT: RESOLUTION N0.2009-03 RED FLAG RULES IDENTITY THEFT PREVENTION DATE: May 15, 2009 BACKGROUND: Pursuant to federal law, the Federal Trade Commission adopted Identity Theft Rules requiring the creation of certain policies relating to the use of consumer reports, address discrepancy and the detection, prevention and mitigation of identity theft. The Federal Trade Commission regulations adopted as 16 CFR § 681.2 require creditors, as defined by 15 U.S.C. § 681(a)(5) to adopt red flag policies to prevent and mitigate identity theft with respect to covered accounts. 15 U.S.C. § 1681a(r)(5) cites 15 U.S.C. § 1691a, which defines a creditor as a person that extends, renews or continues credit, and defines "credit" in part as the right to purchase property or services and defer payment therefore. The Federal Trade Commission regulations include utility companies in the definition of creditor. The City of Owasso and the Owasso Public Works and Public Golf Authorities are creditors with respect to 16 CFR § 681.2 by virtue of providing utility services or by otherwise accepting payment for municipal services in arrears. The Federal Trade Commission regulations define "covered account" in part as an account that a creditor provides for personal, family or household purposes that is designed to allow multiple payments or transactions and specifies that a utility account is a covered account. The Federal Trade Commission regulations require each creditor to adopt an Identity Theft Prevention Program which will use red flags to detect, prevent and mitigate identity theft related to information used in covered accounts. OPWA residential customer accounts for water, sewer, and sanitation services for which payment is made after the product is consumed or the service has otherwise been provided are covered accounts by virtue of being for household purposes and allowing for multiple payments or transactions. The Federal Trade Commission regulations adopted as 16 CFR 681.2, require users of consumer credit reports to develop policies and procedures relating to address discrepancies between information provided by the consumer and information provided by a consumer credit company. The City of Owasso, OPWA and OPGA currently do not use consumer credit reports to establish various customer accounts, but may at some time in the future begin using consumer credit reports. Accordingly, the City of Owasso, OPWA, and OPGA have enacted an Identity Theft Prevention Program in compliance with federal law. ADDITIONAL INFORMATION: The Rules require that each entity: • Identify patterns, practices and specific forms of activity that indicate the possible existence of identity theft. • Perform a risk assessment of all internal operations where identity theft is possible. • Develop a written Identity Theft Prevention Program. The plan must be customized to be appropriate to the size and complexity of the nature and scope of activities performed by the municipality. • Update the program periodically to reflect changes in risks. The program is considered a living document and must be reviewed and modified to reflect changes in risk and experience with the workings of the program. Program administration requires: • Governing Body to approve the written ITPP. • Governing Body to designate a senior manager to oversee the implementation, and administration of the program. • Staff to receive formal training on the implementation of the program. Reporting Requirements: • On or around May 1, a mid-year review of the Program's operations must be completed. • Conduct an Incident Review of all Red Flag events that occurred during the last 6 months to include actions taken to limit customer exposure and any preventive measures put in place. • Write an Annual Report to the Governing Body to report findings and actions taken during the year. FTC Enforcement: • Compliance checks should be anticipated within the next 24 months by the FTC or Office of the Attorney General. • In the event of a knowing violation that constitutes a pattern or practice of violations, the FTC may commence a civil penalty of up to $3500 per violation with provisions made for increased penalties based on inflation. REQUESTED ACTION: On October 21, 2008, the City Council appointed the City Manager as the Senior Administrator of the Identity Theft Prevention Program. The city staff has since developed a written program in accordance with the federal law. This request is for Council and Trustee approval of the Resolution formally adopting the City of Owasso Identity Theft Prevention Program and directing city staff to implement the program in accordance with its terms. An item has been placed on the City Council, OPWA, and OPGA agendas requesting action on such Resolution. RECOMMENDATION: Staff recommends Trustee approval of Resolution No. 2009-03, formally adopting the Identity Theft Prevention Program. ATTACHMENTS: 1) Resolution No. 2009-03 s~ QTh-MCAYW,t out Limits. COFIP001: City of Owasso Identity Theft Prevention Program Purpose of Program Definitions 1 Findings... Process of Establishing a Covered Account 4 Access to Covered Account Information ......................................5 6 Credit Card Payments. . . Sources and Types of Red Flags... 6 Prevention and Mitigation of Identity Theft... 7 Program Administration . . Updating the Program 11 Outside Service Providers..... 12 ......._12 Treatment of Address Discrepancies ....................................................................................12 Furnishing Consumer's Address to Consumer Reporting Agency., - 13 Methods of Confirming Consumer Addresses 13 Identity Theft Prevention Program / Signatures 14 Document Control Page 15 Purpose of Program Pursuant to federal law the Federal Trade Commission adopted Identity Theft Rules requiring the creation of certain policies relating to the use of consumer reports, address discrepancy and the detection, prevention and mitigation of identity theft. The Federal Trade Commission regulations adopted as 16 CFR § 681.2 require creditors, as defined by 15 U.S.C. § 681(a)(5) to adopt red flag policies to prevent and mitigate identity theft with respect to covered accounts. 15 U.S.G. § 1681a(r)(5) cites 15 U.S.C. § 1691a, which defines a creditor as a person that extends, renews or continues credit, and defines "credit" in part as the right to purchase property or services and defer payment therefore. The Federal Trade Commission regulations include utility companies in the definition of creditor. The City of Owasso is a creditor with respect to 16 CFR § 681.2 by virtue of providing utility services or by otherwise accepting payment for municipal services in arrears. The Federal Trade Commission regulations define "covered account" in part as an account that a creditor provides for personal, family or household purposes that is designed to allow multiple payments or transactions and specifies that a utility account is a covered account. The Federal Trade Commission regulations require each creditor to adopt an Identity Theft Prevention Program (ITPP) which will use red flags to detect, prevent and mitigate identity theft related to information used in covered accounts. The Page 1 of 15 s~ TWit out limits. City of Owasso provides water, sewer, and sanitation services for which payment is made after the product is consumed or the service has otherwise been provided which by virtue of being utility accounts are covered accounts. The City of Owasso residential customer accounts for water, sewer, sanitation services, and ambulance services for which payment is made after the product is consumed or the service has otherwise been provided are covered accounts by virtue of being for household purposes and allowing for multiple payments or transactions. The Federal Trade Commission regulations adopted as 16 CFR § 681.2, require users of consumer credit reports to develop policies and procedures relating to address discrepancies between information provided by the consumer and information provided by a consumer credit company. The City of Owasso does not now use consumer credit reports to establish various customer accounts, but may at some time in the future begin using consumer credit reports. Accordingly, The City of Owasso has enacted this Identity Theft Prevention Program in compliance with federal law. The purpose of this Program is to comply with 16 CFR § 681.2 in order to detect, prevent and mitigate identity theft by identifying and detecting identity theft red flags and by responding to such red flags in a manner that will prevent identity theft. Definitions For purposes of this Program, the following definitions shall apply 1. 'City' means the City of Owasso, Oklahoma. 2. 'Covered Account' means (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; (ii) Any other account that the financial institution or creditor offers or maintains or which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. 3. 'Credit' means the right granted by the creditor to a debtor to defer payment of debt to incur debts and defer its payment or to purchase property or services and defer payment therefore. 4. 'Creditor means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes utility companies and telecommunications companies. Page 2 of 15 QT-h-ocity Wi nut Limits. 5. 'Customer' means a person that has a covered account with a creditor. 6. 'Customer Service Representative' (CSR) means an individual working for the City whose principal responsibilities include attending to customers and their needs. 7. 'Finance Director' means the Director of the Finance Department or the designated City staff member that has received the delegation of authority to act on behalf of the Director of the Finance Department on those activities associated with this Identity Theft Prevention Program. 8. 'Identifying Information' means any name or number that may be used alone or in , conjunction with any other information, to identify a specific person, including any, a. Name, social security number, date of birth, official state or government issued driver's license, alien registration number over t , g nmen passport number, employer or taxpayer identification number; b. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; c. Unique electronic identification number, address or routing code; or d. Telecommunication identifying information or access devi ce. 9. 'Identity theft' means a fraud committed or attempted using identifying information of another person without authority. 10. 'Notice of address discrepancy' means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. § 1681(c)(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer. 11. 'Oversight Committee' means the Committee appointed by the City to oversee operation and compliance of the City ITPP in accordance with the requirements of the Fair and Accurate Credit Transaction Act. 12. 'Person' means a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association. 13. 'Personal Identifying Information' means a person's credit card account information, debit card account information, bank account information, and drivers' license information and for a natural person includes their social security number, mother's birth name, and date of birth. 14. 'Red flag' means a pattern, practice, or specific activity that indicates the possible existence of identity theft. Page 3 of 15 The City Wit out Limits. 15. 'Service provider' means a person that provides a service directly to the City. Findings The City is a creditor pursuant to 16 CFR § 681.2 due to its provision or maintenance of covered accounts for which payment is made in arrears. 2. Covered accounts offered to customers for the provision of the City services include residential water, sewer and sanitation, and ambulance service accounts. 3. The City has no known prior experience with identity theft related to covered accounts. 4. The processes of opening a new covered account, restoring an existing covered account, making payments on such accounts, and transferring such accounts have been identified as potential processes in which identity theft could occur. 5. The City limits access to personal identifying information to those employees in the Finance Department (with limited inquiry only access to the Police Department and Public Works) who are responsible for or otherwise involved in opening or restoring covered accounts or accepting payment for use of a covered account. All written applications associated with the covered accounts are maintained in a locked file cabinet. Information provided in the written application is entered directly into the City's SunGard software application. The SunGard application is a secured application where only those employees with the approved security access have authorization to access this type of information. 6. The City has determined that there is a low risk, if any, of identity theft occurring in the following ways: a. Use by an applicant of another person's personal identifying information to establish a new covered account; b. Use of a previous customer's personal identifying information by another person in an effort to have service restored in the previous customer's name; c. Use of another person's credit card, bank account, or other method of payment by a customer to pay such customer's covered account or accounts; d. Use by a customer desiring to restore such customer's covered account of another person's credit card, bank account, or other method of payment; and e. Use by a third party of a customer's personal identifying information obtained by overhearing conversations between the City and the customer during the customer's application for service process. 15 OTh-CiY Wi ouf Limits. Process of Establishing a Covered Account As a precondition to opening a covered account in the City, each applicant shall provide the City with personal identifying information of the customer which shall be in the form of a valid state or federal government issued identification card, such as a state issued driver's license, a state issued identification card, a U.S. government issued passport or visa, or a U.S. military identification card, all of which must contain a photograph of the customer. For customers who are not natural persons such as a trust, the customer's agent opening the account must provide a valid state or federal government issued identification card and proof of authority to act on behalf of the trust. 2. If an applicant's name has been changed through marriage, divorce, legal name change, or otherwise, verification of the name change must be provided before an applicant will be allowed to establish a new account or transfer an existing account in a name different from that appearing on the required state or federal government issued identification card. 3. Customer's establishing service for a rental property are required to provide a signed lease and must further provide landlord contact information for use in validating the lease. A copy of the lease agreement is maintained with the customer's original contract and is scanned and attached to the customer's account information in SunGard. 4. All parties listed on the lease and included on the customer contract are required to provide a photo ID. 5. The City does not now use consumer credit reports. Should the City begin using consumer credit reports, each applicant shall also be required to provide any information necessary for the City to access the applicant's consumer credit report. 6. An applicant's personal identifying information shall be entered directly into the City's SunGard software application and all written applications shall be placed in a locked filing cabinet. 7. The City employees responsible for opening new accounts shall take reasonable precautions to insure that third parties are not attempting to view personal identifying information on a written application as it is being completed by the applicant. 8. The City does allow customers to pay billing statements online. Each account shall be assigned an account number. The City may utilize computer software to randomly generate assigned PIN's. Page 5 of 15 s~ The City - Li m if s. Access to Covered Account Information 1. Access to the City's SunGard software application containing customer accounts shall be password protected and shall be limited to authorized City personnel. a. All passwords will expire 45 days after they are created or changed. b. Notifications will be sent to change system password 15 days before it expires, and continue until the password expires. If your password expires, the system will disable your account. c. All passwords must be at least 8 digits in length. d. All passwords must contain at least 1 number, e. All passwords must contain at least 1 upper case letter. f. All passwords must contain at least 1' lower case letter. g. All passwords must contain at least 1 "special character" (*&A %$#@!) Z City employees are responsible for the proper use and protection of their passwords and must adhere to the following guidelines: a. Passwords must not be disclosed to other City employees or individuals. b. City employees must not allow other City employees or individuals to use their password. c. Passwords must not be written down, posted, or exposed in an unprotected manner such as on a notepad or posted on the workstation. 3. Any unauthorized access to or other breach of customer accounts is to be reported immediately to the Finance Director and the City employee's security access to the City's SunGard software application shall be changed immediately. 4. Personal identifying information included in customer accounts is considered confidential and any request or demand for such information shall be immediately forwarded to the City Manager and the City Attorney. Credit Card Payments In the event that credit card payments that are made over the Internet are processed through a third party service provider such third party service provider shall certify that it has an adequate identity theft prevention program in place that is applicable to such payments. Page 6 of 15 nTity wii auf Limits. 2. All credit card payments made over the telephone or the City's website shall be entered directly into the customer's account information in the SunGard application system database. The 3 digit security code from the back of the customer's credit card is required before accepting for processing. 3. Account statements and receipts for a covered account shall include only the last four digits of the credit or debit card or the bank account used for payment of the covered account. Sources and Types of Red Flags All employees responsible for or involved in the process of opening a covered account, restoring a covered account or accepting payment for a covered account shall check for red flags as indicators of possible identity theft and such red flags may include: 1. Alerts from consumer reporting agencies, fraud detection agencies or service providers (if a consumer credit report is used). Examples of alerts include but are not limited to: a. A fraud or active duty alert that is included with a consumer report; b. A notice of credit freeze in response to a request for a consumer report; c. A notice of address discrepancy provided by a consumer reporting agency; d. Indications of a pattern of activity in a consumer report that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: i. A recent and significant increase in the volume of inquires; ii. An unusual number of recently established credit relationships; iii. A material change in the use of credit, especially with respect to recently established credit relationships; or iv. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. 2. Suspicious documents. Examples of suspicious documents include: a. Documents provided for identification that appears to be altered or forged; Page 7 of The Gify ! wf Li mils. b. Identification on which the photograph or physical description is inconsistent with the appearance of the applicant or customer; c. Identification on which the information is inconsistent with the information provided by the applicant or customer; d. Identification on which the information is inconsistent with readily accessible information that is on file with the City; e. An application that appears to have been altered or forged, or appears to have been destroyed and reassembled. 3. Suspicious personal identification, such as a suspicious address change. Examples of suspicious identifying information include: a. Personal identifying information that is inconsistent with external information sources used by the City. For example: L The address does not match any address in the consumer report (if used by the City); or ii. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File (if used by the City). b. Personal identifying information or a phone number or address, is associated with known fraudulent application or activities as indicated by internal or third party sources used by the City. c. Other information provided, such as fictitious mailing address, mail drop addresses, jail addresses, invalid phone numbers, pager numbers or answering services, is associated with fraudulent activity. d. The social security number provided is the same as the submitted by other applicants or customers. e. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of applicants or customers. f. The applicant or customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete. 8Of15 0.01A City wi oot Limits. g. Personal identifying information is not consistent with personal identifying information that is on file with the financial institution or creditor. h. The applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. f 4. Unusual use of or suspicious activity relating to a covered account. Examples of suspicious activity include: a. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: L Nonpayment when there is no history of late or missed payments; ii. A material change in the water usage, b. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's account. c. The City is notified that the customer is not receiving paper account statements. d. The City is notified by a customer, law enforcement or another person that it has opened a fraudulent account for a person engaged in identity theft. 5. Notice from customers, law enforcement, victims or other reliable sources regarding possible identity theft or phishing relating to covered accounts. Prevention and Mitigation of identity Theft I 1. In the event that any City employee responsible for or involved in restoring an existing covered account or accepting payment for a covered account becomes _ aware of red flags indicating possible identity theft with respect to existing covered accounts, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her i discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the Finance Director. If, the employee in his or her discretion deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the Finance Director, who may in his or her discretion determine that no further action is necessary. If the Finance Director in his or her discretion determines that further action is necessary, the City shall perform one or more of the following responses, as determined to be appropriate by the Finance Director: Page 9 Tout Limits. a. Contact the customer; b. Make the following changes to the account if, after contacting the customer, it is apparent that someone other than the customer has accessed the customer's covered account: Change any account numbers, passwords, security codes, or other security devices that permit access to an account; or ii. Close the account; G. Cease attempts to collect additional charges from the customer and decline to sell the customer's account to a debt collector in the event that the customer's account has been accessed without authorization and such access has caused additional charges to accrue; d. Notify a debt collector within two (2) business days of the discovery of likely or probable identity theft relating to a customer account that has been sold to such debt collector in the event that a customer account that has been sold to such debt collector prior to the discovery of the likelihood or probability of identity theft relating to such account; e. Notify law enforcement, in the event that someone other than the customer has accessed the customer's account causing additional charges to accrue or accessing personal identifying information; or f. Take other appropriate action to prevent or mitigate identity theft. 2. In the event that any City employee responsible for or involved in opening a new covered account becomes aware of red flags indicating possible identity theft with respect an application for a new account, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to the Finance Director. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to the Finance Director, who may in his or her discretion determine that no further action is necessary. If the Finance Director in his or her discretion determines that further action is necessary, the City shall perform one or more of the following responses, as determined to be appropriate by the Finance Director: a. Request additional identifying information from the applicant; b. Deny the application for the new account; c. Notify law enforcement of possible identity theft; or Page 10 of 15 The City Wit oui Limits. d. Take other appropriate action to prevent or mitigate identity theft. Program Administration 1. In accordance with specified guidelines, the City Council has authorized the City Manager to act as the Senior Administrator of the Identity Theft Prevention Program. 2. The City Manager, Assistant City Managers and the Finance Director will be the Oversight Committee and will ensure the Program's regulatory compliance. The Oversight Committee is responsible for, but not limited to, a. The development and implementation of the Program; b. Approval of the written Program; c. Service provider arrangements (See Section - Outside Service Providers); d. Ensuring compliance with all Program requirements as stated in this policy; e. The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; f. Reviewing recommendations for material changes to the Program; and, g. Conducting a periodic review of all incidents involving one or more red flag events every six months (on or about May 1 and November 1 of each year). h. At least annually, review staff reports regarding compliance with this program and Red Flag events that occurred during the reporting period. 3. The Finance Director is responsible for reviewing reports prepared by staff regarding compliance with red flag requirements and with recommending material changes to the program, as necessary in the opinion of the Oversight Committee, to address changing identity theft risks and to identify new or discontinued types of covered account. 4. The Finance Director is responsible for providing training to all employees responsible for or involved in opening a new covered account restoring an existing covered account or accepting payment for a covered account with respect to the implementation and requirements of the Identity Theft Prevention Program. As a safeguard, all City employees who have access to this type of data will receive an overview of this program to ensure they understand the duties and responsibilities to prevent identity theft. The Finance Director shall exercise his or her discretion in determining the amount, substance, and schedule of training necessary. 11 of 15 OT City wi opt Limits. Updating the Program The Oversight Committee shall annually review and as deemed necessary update the Identity Theft Prevention Program along with any relevant red flags in order to reflect changes in risks to customers or to the safety and soundness of the City and its covered accounts from identity theft. In doing so, the Oversight Committee shall consider the following factors and exercise its discretion in amending the program: 1. The City's experiences with identity theft; 2. Updates in methods of identity theft; 3. Updates in customary methods used to detect, prevent, and mitigate identity theft; 4. Updates in the types of accounts that the City offers or maintains; and 5. Updates in service provider arrangements. Outside Service Providers In the event the City engages a service provider to perform an activity in connection with one or more covered accounts the Finance Director shall exercise his or her discretion in reviewing such arrangements in order to ensure, to the best of his or her ability, that the service provider's activities are conducted in accordance with policies and procedures, agreed upon by contract that are designed to detect any red flags that may arise in the performance of the service provider's activities and take appropriate steps to prevent or mitigate identity theft." The Finance Department will require all service providers to supply compliance documents and/or certification documents in order to be on file with this Program. Treatment of Address Discrepancies At the present time the City is not using consumer credit reports. If in the future the City begins to use consumer credit reports, the City will comply with federal regulations regarding treatment of address discrepancies. In the event that the City receives a notice of address discrepancy, the City employee responsible for verifying consumer addresses for the purpose of providing the municipal service or account sought by the consumer shall perform one or more of the following activities, as determined to be appropriate by such employee: a. Compare the information in the consumer report with: rage 11 of 15 The Cify W, ovY Limits. i. Information the City obtains and uses to verify a consumer's identity in accordance with the requirements for the Customer Information Program rules implementing 31 U.S.C. § 5318(1); ii. Information the City maintains in its own records, such as applications for service, change of address notices, other customer account records d or tax records; or iii. Information the City obtains from third-party sources that are deemed reliable by the relevant City employee; or b. Verify the information in the consumer report with the consumer. Furnishing Consumer's Address to Consumer Reporting Agency 1. In the event that the City reasonably confirms that an address provided by a consumer to the City is accurate, the City is required to provide such address to the consumer reporting agency from which the City received a notice of address discrepancy with respect to such consumer. This information is required to be provided to the consumer reporting agency when: a. The City is able to form a reasonable belief that the consumer report relates to the consumer about whom the City requested the report; b. The City establishes a continuing relation with the consumer; and c. The City regularly and in the ordinary course of business provides information to the consumer reporting agency from which it received the notice of address discrepancy. 2. Such information shall be provided to the consumer reporting agency as part of the information regularly provided by the City to such agency for the reporting period in which the City establishes a relationship with the consumer. s Methods of Confirming Consumer Addresses The City employee charged with confirming consumer addresses may, in his or her discretion, confirm the accuracy of an address through one or more of the following methods: 1. Verifying the address with the consumer; 2. Reviewing City's records to verify the consumer's address; 3. Verifying the address through third party sources; or Page 13 of s~ nTity Wit ool Limits. 4. Using other reasonable processes. I have reviewed the information contained in this Identity Theft Prevention Program and approve the implementation of the program: Rodney J. Ray City Manager/ ITTP Sr. Administrator Timothy Rooney Asst. City Manager 4 1AA33JIC09 Sherry Bishop Asst. City Manager Angela Hess Finance Director End of document - COFIPO01 - 10 1 Owasso Identity Theft Prevention Program Page 14 CT?-MC Y Wit out Limits. Document Control Page k CORP001- City of Owasso Identity Theft Prevention Program Document version: 1.0 3 Document status: Current Release . Owning process: Finance Revision history of this document: Version Number Revision Date Change Description Changed by Name 0.5 2/17/2009 Initial Draft Version David Haverkamp 0.6 3/6/2009 Updates made from review with Sherry Bishop and Angela Hess David Haverkamp 0.7 4/3/2009 Updates made from a second review with Angela Hess David Haverkamp 1.0 4/23/2009 Current Release with Approval. See PDF Version with signatures David Haverkamp EA EE - I Page 15 of 15