HomeMy WebLinkAbout2009-086
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
RESOLUTION NO. 2009-86
RESOLUTION OF THE MAYOR AND COMMON COUNCIL OF THE CITY
OF SAN BERNARDINO ADOPTING RED FLAG RULES, POLICIES, AND
PROCEDURES FOR AN IDENTITY THEFT PREVENTION PROGRAM IN
ACCORDANCE WITH THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT
OF 2003 (FACTA)
WHEREAS, The Fair and Accurate Credit Transactions Act of 2003 "FACTA" was
passed by Congress on December 4, 2003; and,
WHEREAS, On November 9, 2007 the Federal Trade Commission (FTC), federal bank
regulatory agencies, and the National Credit Union Administration published the final "Identity
Theft Red Flags" regulations and guidelines requiring financial institutions and other creditors
to develop and implement written "identity theft prevention" policies and procedures; and
WHEREAS, full compliance with the Federal Trade Commission's requirements is
required by May 1,2009
NOW, THEREFORE, BE IT RESOLVED BY THE MAYOR AND COMMON
COUNCIL OF THE CITY OF SAN BERNARDINO AS FOLLOWS:
SECTION l. That certain document entitled "City of San Bernardino Red Flag Rules,
Policies, and Procedures" as attached hereto and incorporated herein as Attachment A is hereby
approved and adopted as the City of San Bernardino's official policies and procedures
regarding identity theft prevention,
III
III
III
III
III
III
2009-86
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
RESOLUTION OF THE MAYOR AND COMMON COUNCIL OF THE CITY
OF SAN BERNARDINO ADOPTING RED FLAG RULES, POLICIES, AND
PROCEDURES FOR AN IDENTITY THEFT PREVENTION PROGRAM IN
ACCORDANCE WITH THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT
OF 2003 (FACTA)
I HEREBY CERTIFY that the foregoing Resolution was duly adopted by the Mayor
and Common Council of the City of San Bernardino at aj oint regularmeeting thereof, held
on the 20th day of April
, 2009 by the following vote, to wit:
Council Members: AYES
ESTRADA X
-
BAXTER x
BRINKER X
SHORETT x
X
KELLEY
JOHNSON X
-
MCCAMMACK
NAYS
ABSTAIN ABSENT
X
Q~h,~
Radi'el G, Clark, City Clerk
The foregoing resolution is hereby approved this c513-,.( day Gf April
2009.
~o~r
City of San Bernardino
25 Approved as to Form:
26
27
28
ey
2009-86
Attachment A
CITY OF SAN BERNARDINO
RED FLAG RULES,
POLICIES AND PROCEDURES
In Section 114 of the Fair and Accurate Credit Transaction Act of2003 (FACT Act, 16 C,F,R. !l
681.2), the Federal Trade Commission (FTC) has adopted regulations known as "Red Flag Rules,"
These rules require "creditors" holding consumer or other "covered accounts" (which are defined to
mean any account where customer payment information is collected in order to bill for services
rendered) to develop and implement an Identity Theft Prevention Program (Program) that complies
with those regulations,
The FTC considers a govemment entity to be a creditor with covered accounts when it defers
payments for goods and services by its customers, or permits installment payments on fines or costs,
Upon review of the FACT regulations, it has been determined that the City meets the criteria as a
creditor and must comply with the FACT Act by adopting a Program that encompasses all payments
the entity receives, not just those that are deferred payments,
Therefore, in order to comply with the requirements of the FACT Act, the City will adopt the
following Program and direct all applicable City staffto implement it.
Program Goals
The City's Program shall endeavor to achieve the following goals:
. To identify relevant patterns, practices and specific activities ("Red Flags")
that signal possible identity theft relating to information maintained in the
City's customers' accounts;
. To detect Red Flags after the Program has been implemented;
. To respond promptly and appropriately to Red Flags that have been detected,
and to prevent or mitigate identity theft relating to City customer account
information;
. To ensure the Program IS updated periodically to reflect any necessary
changes; and
.
To provide for administration of the Program,
Responsibilitv
Role ofthe Mavor and Common Council:
The Mayor and Common Council will approve and adopt the Identity Theft Prevention Program
and will review reports submitted and consider and approve appropriate changes to the Program,
2009-86
Attachment A
Role of the Director of each Department:
The Director of each department, or hislher designee, shall ensure updated versions of the Program
are included in applicable stafftraining for both existing and new staff members, In addition, the
Director of each department, or hislher designee, will be responsible for oversight of Program
implementation and ensure day-to-day oversight for the security of customer credit information in
conformance with the FACT Act.
Procedures
Identification of Red Flags:
Red Flags are defined as patterns, practices or specific activities that indicate the possible existence
of identity theft, While each department will identify their own specific Red Flags, some examples
of Red Flags are:
. Alerts, notifications, or warnings from a consumer reporting agency such as
notification by credit reporting agency of a credit freeze or inclusion of a
fraud or active duty alert with a consumer report;
. Suspicious documents provided for identification, such as those that appear
altered or forged;
. Suspicious personal identification information, such as a suspicious address,
or a failure to provide all required personaLidentifying information;
. Unusual or suspicious activity relating to a covered account such as
notification of unauthorized charges to a customer's account; and
. Notices from consumers, victims of identity theft, law enforcement, or other
businesses regarding possible identity theft in connection with covered
accounts.
Detection of Red Flags:
Red Flags may be detected at the time an account is first opened or in an existing account.
In order to detect Red Flags when accounts are first opened, City staff should obtain and verify the
identity of the person or business opening the account. To do this, identifying information should
be requested and verified by reviewing a driver's license or other identification. For businesses,
documentation showing the existence of the business entity should be reviewed, If any Red Flags
are detected at the opening of an account, the account should not be established,
For existing accounts, customer identification should be verified when customers request
information, changes in billing addresses, or changes in banking information for billing and
payments purposes,
Attachment A
2009-86
Preventing and Mitigating Identitv Theft
Any time customer identifYing information is retained by a department, the information may be
subject to theft, In order to prevent and mitigate identity theft, City staff should take appropriate
precautions when handling sensitive information,
If a Social Security number (SSN) or Tax Identification number (TIN) is provided as identification
and recorded, the SSN or TIN should be masked, except for the last four digits.
When servicing customers in person, precautions should be taken whenever a customer is giving out
personal or business identification, Customer information should be written down and not stated
aloud for bystanders to hear or record.
Departments accepting payments in person or over the phone via credit card or ATM card should
produce receipts that only contain the last four digits of the card number, In addition, the
expiration date should not be included on the receipt. Any customer information should be
disposed of in a manner that will prevent or mitigate the possibility of identity theft. Any payment
receipts which are not immediately processed and sent to the Cashier's office should be placed in a
secured location for future processing,
Computer virus protection should be kept up to date and the City's website should be secure,
Computers should be password protected and screens should lock after a set period of time
Response to detected Red Flags:
. In the event that City staff detect any potential Red Flags, they..should report it to their supervisor,
Depending on the degree of risk, the supervisor may do one of the following:
. Continue to monitor the account for evidence of identity theft;
. Contact the customer;
. Change any passwords or other security devices that permit access to accounts;
. Close an existing account;
. Reopen an account with a new number;
. NotifY the Department Director for determination of the appropriate step(s) to take;
. NotifY law enforcement; or
. Determine that no response is warranted under the circumstances,
Program update
Material changes in the Program shall be based on the City's experience with identity theft, changes
in methods of identity theft, changes in the types of accounts offered, changes in business
arrangements, or changes in methods to detect, prevent and mitigate identity theft. These will be
reviewed, and the Program will be updated annually,