R-2818-4-09RESOLUTION NO. 2818-4-09(R)
' A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF ALLEN, COLLIN
COUNTY, TEXAS, ESTABLISHING AN IDENTITY THEFT PREVENTION,
DETECTION AND MITIGATION PROGRAM; AND PROVIDING AN EFFECTIVE
DATE.
WHEREAS, the Federal Trade commission (FTC) and other regulatory agencies have documented the
prevalence and dangers of identity theft; and,
WHEREAS, in response to this growing problem, Congress, in the Fair and Accurate Credit Transactions
Act of 2008 ("FACT Act'), directed the FTC and certain bank regulatory agencies to promulgate regulations
addressing identity theft; and,
WHEREAS, pursuant to the FACT Act, the FTC and bank regulatory agencies have enacted regulations,
commonly known as the "Red Flag Rules" ("Rules"), requiring that creditors who maintain covered accounts
implement a program to detect, prevent and mitigate identity theft; and,
WHEREAS, pursuant to FTC interpretations, the City of Allen is subject to the Rules.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF ALLEN,
COLLIN COUNTY, TEXAS, THAT:
SECTION 1. The City of Allen hereby adopts the attached Policy/Procedure for Identity Theft Prevention,
Detection and Mitigation Program as required by the Rules.
' SECTION 2. The City of Allen hereby authorizes the City Manager to appoint a senior level manager as
the official responsible for oversight, ongoing development, implementation and administration of the
program.
SECTION 3. This Resolution shall be in force and effect from and after its passage on the date shown
below.
DULY PASSED AND APPROVED BY THE CITY COUNCIL OF THE CITY OF ALLEN, COLLIN
COUNTY, TEXAS, ON THIS THE 28TH DAY OF APRIL, 2009.
ATTEST:
Shelley B. George,`CAY SECRETARY
1
APPROVED:
Q.
Step en errell, MAYOR
' CITY OF ALLEN
IDENTITY THEFT PREVENTION, DETECTION AND MITIGATION PROGRAM
Purpose and Overview
Identity thieves use people's personal identification information to open new accounts and misuse existing
accounts, creating havoc for consumers and businesses. In response to the growing prevalence and dangers of
identity theft, Congress, in the Fav and Accurate Credit Transactions Act of 2008 directed the Federal Trade
Commission (FTC) and certain bank regulatory agencies to enact regulations addressing identity theft,
commonly known as the "Red Flag Rules". Under the regulation only financial institutions and creditors that
offer or maintain "covered accounts" must develop and implement a written program, approved by the
governing body, by May 1, 2009.
A "covered account' is defined as:
(I) an account primarily used for personal, family, or household purposes, that involves or is
designed to permit multiple payments or transactions, and
(2) any other account for which there is a reasonably foreseeable risk to customers or the safety
and soundness of thefinancial institution or creditor from identity theft.
The FTC guidelines state that government entities that defer payment for goods and services are creditors. As
' such City staff has determined that utility billing accounts and ambulance billing services meet the criteria of
"covered account". The Identity Theft program addresses the needs of both areas and sets forth the steps City
staff will take in implementing a program for detecting, preventing and mitigating identity theft. The program
outlines the following steps:
• risk assessment conducted at the inception of the program and annually thereafter,
• identification of the warning signs that may alert personnel to the possible existence of identity theft
in the course of day to day operations,
• procedures employees will follow in attempting to detect those red flags,
• procedures employees will follow in responding appropriately to Red Flags that are detected, in order
to prevent and mitigate identify theft,
• procedures employees will take in responding to a claim by an individual that he/she has been a
victim of identity theft,
• administration of the program and
• annual updating of the program.
Risk Assessment
On an annual basis the City shall determine whether it maintains "Covered Accounts" that carry a reasonably
foreseeable risk of identity theft, including financial, operational, compliance, reputation or litigation risks.
The risk assessment will take into consideration:
1. The types of covered accounts the City offers or maintains,
' 2. The methods employees are provided to:
• Open new accounts;
Resolution No. 2818-4-09(R), Page 2
• Access existing account;
• Modify existing accounts; and/or
• Close existing accounts.
3. The methods the City provides customers to access its accounts:
• Open a new account;
• Access an existing account;
• Modify an existing account; and/or
• Close an existing account.
4. Previous experiences with identity theft.
Identification and Detection of Red Flaes
A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
The following items have been identified as Red Flag warnings that should alert personnel to the possibility
of identity theft. (See Exhibit A for illustrative examples in connection with covered accounts.)
1. Alerts, notifications, or other warnings received from consumer reporting agencies or service
providers, such as fraud detection services.,
2. The presentation of suspicious documents,
3. The presentation of suspicious personal identifying information, such as suspicious address
change,
4. The unusual use of, or other suspicious activity related to a covered account, and
5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons
regarding possible Identity Theft in connection with covered accounts held by the City of Allen.
NOTE: The process of confirming a patient's identity should never delay the delivery of urgent or emergency
medical care. When a patient's condition permits collection of demographic information and documentation,
medical transport crews shall request, in addition to an insurance card, a driver's license or other form of
government issued photographic personal identification. If the patient lacks such photographic identification,
medical transport personnel shall request other forms of identification, such as a credit card; and/or ask a
family member or other person at the scene who knows the patient to verify the patient's identity.
Prevention and Mitieation of Identity The
If it appears that Identity Theft has occurred, the following steps should be considered and taken, as
appropriate:
1. Except in cases where there appears to be obvious complicity by the individual whose identity was
used, promptly notify the victim of Identity Theft, by certified mail. Notification may also be
provided by telephone, to be followed by a mailed letter.
2. Place an Identity Theft Alert on all reports and accounts that may have inaccurate information as a
' result of the Identity Theft.
3. Discontinue billing on the account and/or close the account.
Resolution No. 28184-09(R), Page 3
4. Reopen the account with appropriate modifications, including anew account number.
' 5. Change any passwords, security codes, or other security devices that permit access to a covered
account.
6. If the account has been referred to collection agencies or attorneys, instruct the collection agency or
attorneys to cease collection activity.
7. Notify law enforcement and cooperate in any investigation by law enforcement.
8. If an adverse report has been made to a consumer credit reporting agency regarding a person whose
identity has been stolen, notify the agency that the account was not the responsibility of the
individual.
9. If the circumstances indicate that there is no action that would prevent or mitigate the Identity Theft,
no action need be taken.
Additional steps for ambulance services are:
10. Place an Identity Theft Alert on all patient care reports and financial accounts that may have
inaccurate information as a result of the Identity Theft.
11. If a claim has been submitted to an insurance carrier or government program ("Payor") in the name of
the patient whose identity has been stolen, notify the Payor, withdraw the claim and refund any
charges previously collected from the Payor and/or the patient.
t 12. Request that law enforcement notify any health facility to which the patient using the false identity
has been transported regarding the Identity Theft.
13. Correct the medical record of any patient of Provider whose identity was stolen, with the assistance of
the patient as needed.
Proeram Administration
A designated employee at the level of senior management shall be designated by the City Manager as the
Program Compliance Officer and shall be responsible for the oversight, development, and implementation of
the Identity Theft Program, Each City department responsible for "covered accounts" will assign a
management level staff member to assist the Program Compliance Officer.
An annual report will be provided to the City Manager by July 1 on the effectiveness of the policies and
procedures, significant incidents involving Identity Theft, service provider arrangements and management's
recommendations for changes to the Program.
The program will be reviewed, revised and updated on an annual basis based on factors such as:
• The City's experiences with Identity Theft over the period since the last revision;
• Changes in methods of Identity Theft or methods to detect, prevent and mitigate Identity Theft;
• Changes in the types of accounts the City offers or maintains;
• Changes in City technology and operations, including any new electronic health record or
' financiaWilling software programs
• Changes in business arrangements including mergers, acquisitions, alliances, joint ventures, and
service provider arrangements.
Resolution No. 2818-4-09(R), Page 4
To effectively implement and maintain the program, all management personnel, all billing office personnel
and all medical transport personnel will be provided training on an annual basis. Initial training will occur no
' later than May 1, 2009 for all current personnel. Newly hired personnel shall be trained in the
implementation of the program as part of their standard compliance and HIPAA training. "Refresher"
training will be included in the annual compliance and HIPAA training given to employees and may be given
to specific employees from time to time on an "as needed" basis. Employees will also be trained on proper
record destruction procedures per the City's records retention policy.
1
1
The City shall exercise appropriate and effective oversight of all arrangements involving a Service Provider
whose duties include opening, monitoring or processing customer accounts or performing other activities
which place them in a position to prevent, detect or mitigate Identity Theft. Each Service Provider shall be
required to execute an amendment or addendum to its service agreement or business associate agreement
which requires it to:
• Implement a written Identity Theft Program that meets the requirements of the "Red Flag Rule";
• Provide a copy of such program to the City no later than May 1, 2009;
• Provide copies of all material changes to such program on an annual basis; and
• Either report to the City all Red Flags which it encounters or take appropriate steps to prevent or
mitigate identity Theft itself.
Resolution No. 2818-4-09(R), Page 5
Exhibit A
Illustrative Red Flae Examples
In addition to incorporating Red Flags from the sources recommended in the Identity Theft Prevention,
Detection and Mitigation Program, the following illustrated examples may be considered Red Flags, whether
singly or in combination, in connection with covered accounts.
Alerts. Notifications or Warnines from a Consumer Reporting Aeencv
I. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a
consumer report.
3. A consumer reporting agency provides a notice of address discrepancy.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern
of activity of an applicant or customer, such as:
a. a recent and significant increase in the volume of inquiries;
b. an unusual number of recently established credit relationships;
c. a material change in the use of credit, especially with respect to recently established credit
relationships; or
d. an account that was closed for cause or indentified for abuse of account privileges by a financial
institution or creditor.
' Suspicious Documents
1. Documents provided for identification appear to have been altered or forged.
2. The photograph or physical description is not consistent with the appearance of the applicant or
customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person
opening a new covered account or customer presenting identification.
4. Other information on the identification is not consistent with readily accessible inforrnation that is on
file, such as a signature card or recent check.
S. An application appears to have been altered or forged, or gives the appearance of having been
destroyed and reassembled.
Suspicious Personal Identifying Information
1. Personal identifying information provided is inconsistent when compared against external
information sources used by the City of Allen. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security
' Administration's Death Master File.
Resoluth m No. 2818-4-09(R), Page 6
2. Personal identifying information provided by the customer is not consistent with the other personal
identifying information provided by the customer. For example, there is a lack of correlation between
' the SSN range and date of birth.
3. Personal identifying information provided is associated with known fraudulent activity as indicated
by internal or third -party sources used by the City. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent
application.
4. Personal indentifying information provided is of a type commonly associated with fraudulent
application. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
5. The SSN provided is the same as that submitted by other persons opening an account or other
customers.
6. The address or telephone number provided is the same as or similar to the account number or
telephone number submitted by an unusually large number of other persons opening accounts or other
customers.
7. The person opening the covered account or the customer fails to provide all required personal
identifying information on an application or in response to notification the application is incomplete.
8. Personal indentifying information provided is not consistent with personal indentifying information
that is on file with the City of Allen.
9. When using challenge questions, the person opening the covered account or the customer cannot
provide authenticating information beyond that which generally would be available from a wallet or
consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
1. Shortly following the notice of change of address for a covered account, the City receives a request
for new, additional, or replacement of goods or services, or for the addition of authorized users on the
account
2. A new account is used in a manner commonly associated with known patterns of fraud patterns, such
as failing to make the first payment or only makes an initial payment but no subsequent payment.
3. A covered account is used in a manner that is not consistent with established patterns of activity on
the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of services;
I4. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into
consideration the type of account, the expected pattern of usage and other relevant factors).
Resolution No. 2818-4-09(R), Page 7
S. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be
conducted in connection with the customer's covered account.
' 6. The City is notified that the customer is not receiving paper account statements.
7. The City is notified of unauthorized charges or transactions in connection with a customer's covered
account.
Notice from Customers. Victims of Identity Theft, Law Enforcement Authorities. or Other Persons
Reeardine Possible Identity Theft in Connection With Covered Accounts Held by the City of Allen
The City is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person
that it has opened a fraudulent account for a person engaged in identity theft.
Resolution No. 2818.4-09(R), Page 8