Resolution No. 2009-17
COUNCIL MEMBER ABBOTT INTRODUCED THE FOLLOWING RESOLUTION:
WHEREAS, the City of Blair, Nebraska is a utility provider and also makes housing and economic
development loans; and
WHEREAS, Public Law 108-159 went into effect on December 4, 2003 and amends the Fair Credit
Reporting Act; and
WHEREAS, such amendment, known as the FACT Act, requires creditors, including utility companies
and lenders, to comply with the Act; and
WHEREAS, City is, as defined under 15 U.S.C. § 1681a(r)(5), a creditor that maintains and offers
accounts for which there is a reasonably foreseeable risk of identity theft; and
WHEREAS, compliance with the Act requires a creditor to create and implement a written Identity
Theft Prevention Program.
NOW, THEREFORE, BE IT RESOLVED by the Mayor and City Council of the City of Blair,
Nebraska, that the City hereby adopts the "City of Blair Identity Theft Prevention Program," which is attached
to this Resolution.
BE IT FURTHER RESOLVED, that said Program is appropriate to the size and complexity and
the scope of City's activities; and that the Program is reasonably calculated to identify and detect relevant Red
Flags indicating a potential risk of identity theft, and includes appropriate responses to such Red Flags that will
help mitigate and prevent identity theft.
BE IT FURTHER RESOLVED, that the City Treasurer will review the Program from time to time in
order to recommend changes to the Program to reflect changes in risks to City's customers.
PASSED AND APPROVED this 26 day of MAY, 2009.
COUNCIL MEMBER FANOELE MOVED THAT THE RESOLUTION BE ADOPTED AS
READ, WHICH SAID MOTION WAS SECONDED BY COUNCIL MEMBER KEPHART.
UPON ROLL CALL, COUNCIL MEMBERS KEPHART, FANOELE, CHRISTIANSEN,
WOLFF, ABBOTT AND JENSEN VOTING "AYE", AND COUNCIL MEMBERS NONE
VOTING "NAY", THE MAYOR DECLARED THE FOREGOING RESOLUTION PASSED
AND ADOPTED THIS 26 DAY OF MAY, 2009.
ATTEST:
BRENDA R. WHEELER, CITY CLERK
(SEAL)
CITY OF BLAIR, NEBRASKA
B
JA
E. REA ,MAYOR
STATE OF NEBRASKA )
WASHINGTON COUNTY )
:ss:
BRENDA R. WHEELER, hereby certifies that she is the duly appointed, qualified and
acting City Clerk of the City of Blair, Nebraska, and that the above and foregoing Resolution was
passed and adopted at a regular meeting of the Mayor and City Council of said City held on the
26th day of May, 2009.
BRENDA R. WHEELER, CITY CLERK
Identity Theft Prevention Program
Implemented as of May 26, 2009
I. INTRODUCTION
The City of Blair developed this Identity Theft Prevention Program ("Program") pursuant
to the Federal Trade Commission's ("FTC") Red Flag Rule, which implements Section 114 of
the Fair and Accurate Credit Transaction Act of 2003. 16 C.F.R. § 681.2. This Program is
designed to detect, prevent and mitigate Identity Theft in connection with the opening and
maintenance of certain utility accounts. For purposes of this Program, "Identity Theft" is
considered to be "fraud committed using the identifying information of another person." The
accounts addressed by the Program (the "Accounts") are defined as:
1. An account the Utility offers or maintains primarily for personal, family or
household purposes, that involves multiple payments or transactions; and
2. Any other account the Utility offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the Utility from
Identity Theft.
This Program was developed with oversight and approval of the Board of Directors of the
Utility. After consideration of the size and complexity of the Utility's operations and Account
systems, and the nature and scope of the Utility's activities, the City Council determined that this
Program was appropriate for the City of Blair and therefore approved this Program on May 26,
2009.
The Utility is a retail provider of water & sewer services. The City of Blair directly bills
the customer and directly manages customer accounts and is the entity responsible for billing the
customer, responding to customer requests regarding customer accounts, and monitoring
accounts for changes or activity that may be indicative of identity theft or the threat thereof.
The City of Blair retains customer data, including name, address, telephone number,
usage and rate history, and Bank Account Number on its mainframe computer; select
permanent personnel, and no temporary seasonal personnel, have access to such data. Thus, the City of
Blair has determined, as required by 16 C.F.R. § 681.2(c), that it maintains covered accounts
for which there is a reasonably foreseeable risk to customers from identity theft.
Therefore, pursuant to 16 C.F.R. § 681.2(d), the City of Blair has developed this
Identity Theft Prevention Program, incorporating the required elements of the Program as set out
in 16 C.F.R. § 681.2(d)(2).
II. IDENTIFICATION OF RED FLAGS.
A "Red Flag" is a pattern, practice, or specific activity that indicates the possible
existence of Identity Theft. In order to identify relevant Red Flags, the Utility considered the
types of Accounts that it offers and maintains, the methods it provides to open its Accounts, the
methods it provides to access its Accounts, and its previous experiences with Identity Theft. The
Utility identifies the following Red Flags, in each of the listed categories:
A. Notifications and Warnings from Consumer Reporting Agencies.
Not applicable to the City of Blair.
B. Suspicious Documents.
1) Receiving documentation with information that is not consistent with existing
customer information (such as if a person's signature on an Agency
Agreement appears forged).
C. Suspicious Personal Identifying Information.
1) Customer provides identifying information inconsistent with (a) information
provided by photo ID or other external sources of information, (b) information
on file, or (c) other information the customer provides;
2) Customer's identifying information is the same as shown on other documents
found to be fraudulent;
3) Customer's identifying information is consistent with fraudulent activity (such
as an invalid phone number or fictitious billing address); and
4) Customer's address or phone number is the same as that of another person.
D. Unusual Use Of or Suspicious Activity Related to an Account.
1) Customer calls wishing to alter account information;
2) Mail sent to the account holder is repeatedly returned as undeliverable;
3) Utility receives notice that an account has unauthorized activity;
4) Temporary employee refuses to sign confidentiality agreement, which is
required of all temporary employees;
5) Member of personnel breaches applicable policy regarding confidentiality of
customer information;
6) Suspicious or unusual personnel action is displayed during log-in time to the
mainframe;
7) Unauthorized access to or use of customer account information;
8) Temporary employee shares his or her password to access Cubic Feet; and
9) Utility's computer system is breached such that a customer's personal
information has become accessible.
E. Notice regarding possible identity theft.
The utility receives notice from a customer, an identity theft victim, law enforcement
or any other person that it has opened or is maintaining a fraudulent Account for a
person engaged in Identity Theft.
III. DETECTION OF RED FLAGS.
In order to detect any of the Red Flags identified above for an existing account, Utility
personnel will take the following steps to monitor transactions with an account:
1) Verifying the identification of customers if they request information
The Utility is not responsible for the opening of new accounts. Accordingly, the Utility
does not attempt in this document to establish policies or procedures for detection of Red Flags
in connection with the opening of covered accounts.
IV. PREVENTING AND MITIGATING IDENTITY THEFT.
In the event Utility personnel detect any identified Red Flags, such personnel shall take
one or more of the following steps, depending on the degree of risk posed by the Red Flag:
1) Utility personnel refers customer to Assistant Administrator, in the event a
customer calls wishing to alter account information that is questionable;
2) Utility alerts Assistant Administrator and refers customer to him/her, in the
event a customer provides identifying information that is inconsistent with (a)
information on file, (b) information provided by others, or (c) other
information customer provides;
3) Utility alerts Assistant Administrator, in the event Utility receives notice that
an account has unauthorized activity;
4) Employee or member of personnel is not hired or is not retained, in the event
the person refuses to sign a required confidentiality agreement or breaches an
applicable policy regarding confidentiality of customer information;
5) IT personnel monitor employee's computer usage more closely; action up to
and including termination taken if necessary. May apply in the event of
suspicious or unauthorized use of customer information by member of
personnel;
6) In the event of personnel sharing computer system password(s), personnel
reminded that City of Blair policy is to keep computer system passwords
confidential; change any passwords or other security devices that permit
access to accounts;
7) Notify the customer and change passwords, in the event that Utility's
computer system has been compromised such that a customer's personal
information has become accessible to unauthorized personnel;
8) The City of Blair plans to take steps with certain data it maintains that
contains customer information (i.e. destroying computer files);
9) Determining that no response is warranted under the particular circumstances;
or
10) Notifying the Program Administrator (as defined below) for determination of
the appropriate step(s) to take.
In order to further prevent the likelihood of identity theft occurring with respect to Utility
accounts, the Utility will take the following steps with respect to its internal operating
procedures:
1) Provide a secure website or clear notice that website is not secure;
2) Ensure complete and secure destruction of paper documents and computer
files containing customer information; and
3) Ensure that office computers are password protected and that computer
screens lock after a set period of time.
V. UPDATING THE PROGRAM AND THE RED FLAGS
This program will be periodically reviewed and updated to reflect changes in risks to
customers and the soundness of the Utility from Identity Theft. At least once per year, the
Program Administrator will consider the Utility's experiences with Identity Theft, changes in
Identity Theft methods, changes in methods to detect, prevent and mitigate Identity Theft,
changes in the Utility's operations or in the types of accounts the Utility offers or maintains, and
changes in the Utility's business arrangements with other entities. After considering these
factors, the Program Administrator will determine whether changes to the Program, including the
listing of Red Flags, are warranted. If warranted, the Program Administrator will ensure the
warranted changes are adopted in the Program. Significant changes will be reported to the
Utility's Board of Directors.
VI. PROGRAM ADMINISTRATION
A. Oversight.
The Utility's Program will be overseen by a Program Administrator. The Program
Administrator shall be: City Treasurer.
The Program Administrator will be responsible for the Program's administration, for
ensuring appropriate training of Utility staff on the Program, for reviewing any staff reports
regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft,
determining which steps of prevention and mitigation should be taken in particular
circumstances, reviewing and, if necessary, approving changes to the Program.
B. Staff Training and Reports.
Utility staff responsible for implementing the Program shall be trained either by or under
the direction of the Program Administrator in the detection of Red Flags and in the responsive
steps to be taken when a Red Flag is detected. Such staff shall report to the Program
Administrator at least annually on compliance with provisions of the Fair and Accurate Credit
Transaction Act of 2003 requiring the detection, prevention and mitigation of Identity Theft.
The report described above should address material matters related to the Program and
evaluate issues such as: The effectiveness of the policies and procedures of the Utility in
addressing the risk of Identity Theft with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and management's response; and
recommendations for material changes to the Program.
C. Service Provider Arrangements.
In the event the Utility engages a service provider to perform an activity in connection
with one or more accounts, the Utility will take the following steps to ensure the service provider
performs its activity in accordance with reasonable policies and procedures designed to detect,
prevent, and mitigate the risk of Identity Theft.
1) Requesting that service providers review the Utility's Program and report any
Red Flags to the Program Administrator.