CITY OF SAN BERNARDINO - REQUEST FOR COUNCIL ACTION

Dept: Finance
From: Barbara Pachon, Finance Director
Date: 3/31/09
Subject: Resolution Adopting the City of San Bernardino's Red Flag Rules, Policies, and Procedures for the Identity Theft Prevention Program
Council Date: 4/20/09

Synopsis of Previous Council Action: None

Recommended motions: Adopt Resolution.

Signature

Contact person: Barbara Pachon, Director of Finance
Phone: 5242
Supporting data attached: Staff Report, Attachment
Ward: All

FUNDING REQUIREMENTS:
Amount: None
Source:
Finance:

Council Notes:
Agenda Item No.

CITY OF SAN BERNARDINO - REQUEST FOR COUNCIL ACTION

STAFF REPORT

SUBJECT: Resolution adopting the City of San Bernardino's Red Flag Rules, Policies, and Procedures for the Identity Theft Prevention Program.

BACKGROUND:

On November 9, 2007, the Federal Trade Commission ("FTC"), the federal bank regulatory agencies, and the National Credit Union Administration published the final "Identity Theft Red Flags" regulations and guidelines. This rule, promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), requires financial institutions and creditors to develop and implement written "identity theft prevention programs." The programs must provide for the identification, detection, and response to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft.

Although the final rule became effective on January 1, 2008, full compliance with the rule was originally to start on November 1, 2008. The FTC then pushed back the actual enforcement of the regulations to begin on May 1, 2009 in order to give entities more time to adopt and implement their policies.

Under FACTA, "creditor" is defined the same way as in the Equal Credit Opportunity Act ("ECOA"), and the City of San Bernardino meets the criteria.
A "creditor" is any entity that regularly extends, renews, or continues credit or arranges for the extension, renewal, or continuation of credit. The ECOA definition of "credit" includes a right granted to defer payment for any purchase. Thus, any entity that provides a product or service for which the consumer pays after delivery is a creditor. Since some City Departments such as Refuse provide services that are later billed to the consumer, the City of San Bernardino must adopt Red Flag Rules, Policies, and Procedures for an Identity Theft Prevention Program.

Attachment A provides the Red Flag Rules, Policies, and Procedures for the City of San Bernardino that meet the new regulations and guidelines. The proposed procedures provide some basic, common sense red flags for City employees to watch for, to help them become aware of possible identity theft situations. Once the procedures are formally adopted by the Mayor and Council, each City Department will provide the necessary employees in their Department with a copy of the guidelines and training to make sure they are being followed and implemented for their operations. On an annual basis, these Red Flag Rules, Policies, and Procedures will be brought back to be reviewed and re-adopted by the Mayor and Council per the regulations.

Staff time will be required from existing Department staff involved in activities that fall under these regulations to make sure implementation of these Red Flag Rules, Policies, and Procedures is accomplished. It is estimated that the additional Department staff time required will be minimal since most of the requirements in the policy are already being done. The City's IT Department has already verified that they will be able to set employees' computer screens to lock after a set period of non-activity, which is one of the requirements of the new policy.

FINANCIAL IMPACT:

There is no additional financial impact to the City's budget for adopting the Red Flag Rules, Policies, and Procedures.
RECOMMENDATION:

Adopt Resolution.

RESOLUTION NO.

RESOLUTION OF THE MAYOR AND COMMON COUNCIL OF THE CITY OF SAN BERNARDINO ADOPTING RED FLAG RULES, POLICIES, AND PROCEDURES FOR AN IDENTITY THEFT PREVENTION PROGRAM IN ACCORDANCE WITH THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (FACTA)

WHEREAS, The Fair and Accurate Credit Transactions Act of 2003 ("FACTA") was passed by Congress on December 4, 2003; and,

WHEREAS, On November 9, 2007 the Federal Trade Commission (FTC), federal bank regulatory agencies, and the National Credit Union Administration published the final "Identity Theft Red Flags" regulations and guidelines requiring financial institutions and other creditors to develop and implement written "identity theft prevention" policies and procedures; and

WHEREAS, full compliance with the Federal Trade Commission's requirements is required by May 1, 2009;

NOW, THEREFORE, BE IT RESOLVED BY THE MAYOR AND COMMON COUNCIL OF THE CITY OF SAN BERNARDINO AS FOLLOWS:

SECTION 1. That certain document entitled "City of San Bernardino Red Flag Rules, Policies, and Procedures" as attached hereto and incorporated herein as Attachment A is hereby approved and adopted as the City of San Bernardino's official policies and procedures regarding identity theft prevention.

I HEREBY CERTIFY that the foregoing Resolution was duly adopted by the Mayor and Common Council of the City of San Bernardino at a meeting thereof, held on the ______ day of ____________, 2009 by the following vote, to wit:

Council Members:    AYES    NAYS    ABSTAIN    ABSENT
ESTRADA
BAXTER
BRINKER
SHORETT
KELLEY
JOHNSON
MCCAMMACK

Rachel G. Clark, City Clerk

The foregoing resolution is hereby approved this ______ day of ____________, 2009.

Patrick J. Morris, Mayor
City of San Bernardino

Approved as to Form:

Attachment A

CITY OF SAN BERNARDINO RED FLAG RULES, POLICIES AND PROCEDURES

In Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act, 16 C.F.R. § 681.2), the Federal Trade Commission (FTC) has adopted regulations known as "Red Flag Rules." These rules require "creditors" holding consumer or other "covered accounts" (which are defined to mean any account where customer payment information is collected in order to bill for services rendered) to develop and implement an Identity Theft Prevention Program (Program) that complies with those regulations.

The FTC considers a government entity to be a creditor with covered accounts when it defers payments for goods and services by its customers, or permits installment payments on fines or costs. Upon review of the FACT regulations, it has been determined that the City meets the criteria as a creditor and must comply with the FACT Act by adopting a Program that encompasses all payments the entity receives, not just those that are deferred payments.
Therefore, in order to comply with the requirements of the FACT Act, the City will adopt the following Program and direct all applicable City staff to implement it.

Program Goals

The City's Program shall endeavor to achieve the following goals:

• To identify relevant patterns, practices and specific activities ("Red Flags") that signal possible identity theft relating to information maintained in the City's customers' accounts;
• To detect Red Flags after the Program has been implemented;
• To respond promptly and appropriately to Red Flags that have been detected, and to prevent or mitigate identity theft relating to City customer account information;
• To ensure the Program is updated periodically to reflect any necessary changes; and
• To provide for administration of the Program.

Responsibility

Role of the Mayor and Common Council:

The Mayor and Common Council will approve and adopt the Identity Theft Prevention Program and will review reports submitted and consider and approve appropriate changes to the Program.

Role of the Director of each Department:

The Director of each department, or his/her designee, shall ensure updated versions of the Program are included in applicable staff training for both existing and new staff members. In addition, the Director of each department, or his/her designee, will be responsible for oversight of Program implementation and ensure day-to-day oversight for the security of customer credit information in conformance with the FACT Act.

Procedures

Identification of Red Flags:

Red Flags are defined as patterns, practices or specific activities that indicate the possible existence of identity theft. While each department will identify their own specific Red Flags, some examples of Red Flags are:

• Alerts, notifications, or warnings from a consumer reporting agency, such as notification by a credit reporting agency of a credit freeze or inclusion of a fraud or active duty alert with a consumer report;
• Suspicious documents provided for identification, such as those that appear altered or forged;
• Suspicious personal identification information, such as a suspicious address, or a failure to provide all required personal identifying information;
• Unusual or suspicious activity relating to a covered account, such as notification of unauthorized charges to a customer's account; and
• Notices from consumers, victims of identity theft, law enforcement, or other businesses regarding possible identity theft in connection with covered accounts.

Detection of Red Flags:

Red Flags may be detected at the time an account is first opened or in an existing account. In order to detect Red Flags when accounts are first opened, City staff should obtain and verify the identity of the person or business opening the account. To do this, identifying information should be requested and verified by reviewing a driver's license or other identification. For businesses, documentation showing the existence of the business entity should be reviewed. If any Red Flags are detected at the opening of an account, the account should not be established.

For existing accounts, customer identification should be verified when customers request information, changes in billing addresses, or changes in banking information for billing and payments purposes.

Preventing and Mitigating Identity Theft

Any time customer identifying information is retained by a department, the information may be subject to theft. In order to prevent and mitigate identity theft, City staff should take appropriate precautions when handling sensitive information. If a Social Security number (SSN) or Tax Identification number (TIN) is provided as identification and recorded, the SSN or TIN should be masked, except for the last four digits.

When servicing customers in person, precautions should be taken whenever a customer is giving out personal or business identification.
Customer information should be written down and not stated aloud for bystanders to hear or record.

Departments accepting payments in person or over the phone via credit card or ATM card should produce receipts that only contain the last four digits of the card number. In addition, the expiration date should not be included on the receipt.

Any customer information should be disposed of in a manner that will prevent or mitigate the possibility of identity theft. Any payment receipts which are not immediately processed and sent to the Cashier's office should be placed in a secured location for future processing.

Computer virus protection should be kept up to date and the City's website should be secure. Computers should be password protected and screens should lock after a set period of time.

Response to detected Red Flags:

In the event that City staff detect any potential Red Flags, they should report them to their supervisor. Depending on the degree of risk, the supervisor may do one of the following:

• Continue to monitor the account for evidence of identity theft;
• Contact the customer;
• Change any passwords or other security devices that permit access to accounts;
• Close an existing account;
• Reopen an account with a new number;
• Notify the Department Director for determination of the appropriate step(s) to take;
• Notify law enforcement; or
• Determine that no response is warranted under the circumstances.

Program update

Material changes in the Program shall be based on the City's experience with identity theft, changes in methods of identity theft, changes in the types of accounts offered, changes in business arrangements, or changes in methods to detect, prevent and mitigate identity theft. These will be reviewed, and the Program will be updated annually.