The URL can be used to link to this page

Home My WebLink AboutR-2818-4-09RESOLUTION NO. 2818-4-09(R) ' A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF ALLEN, COLLIN COUNTY, TEXAS, ESTABLISHING AN IDENTITY THEFT PREVENTION, DETECTION AND MITIGATION PROGRAM; AND PROVIDING AN EFFECTIVE DATE. WHEREAS, the Federal Trade commission (FTC) and other regulatory agencies have documented the prevalence and dangers of identity theft; and, WHEREAS, in response to this growing problem, Congress, in the Fair and Accurate Credit Transactions Act of 2008 ("FACT Act'), directed the FTC and certain bank regulatory agencies to promulgate regulations addressing identity theft; and, WHEREAS, pursuant to the FACT Act, the FTC and bank regulatory agencies have enacted regulations, commonly known as the "Red Flag Rules" ("Rules"), requiring that creditors who maintain covered accounts implement a program to detect, prevent and mitigate identity theft; and, WHEREAS, pursuant to FTC interpretations, the City of Allen is subject to the Rules. NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF ALLEN, COLLIN COUNTY, TEXAS, THAT: SECTION 1. The City of Allen hereby adopts the attached Policy/Procedure for Identity Theft Prevention, Detection and Mitigation Program as required by the Rules. ' SECTION 2. The City of Allen hereby authorizes the City Manager to appoint a senior level manager as the official responsible for oversight, ongoing development, implementation and administration of the program. SECTION 3. This Resolution shall be in force and effect from and after its passage on the date shown below. DULY PASSED AND APPROVED BY THE CITY COUNCIL OF THE CITY OF ALLEN, COLLIN COUNTY, TEXAS, ON THIS THE 28TH DAY OF APRIL, 2009. ATTEST: Shelley B. George,`CAY SECRETARY 1 APPROVED: Q. Step en errell, MAYOR ' CITY OF ALLEN IDENTITY THEFT PREVENTION, DETECTION AND MITIGATION PROGRAM Purpose and Overview Identity thieves use people's personal identification information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses. In response to the growing prevalence and dangers of identity theft, Congress, in the Fav and Accurate Credit Transactions Act of 2008 directed the Federal Trade Commission (FTC) and certain bank regulatory agencies to enact regulations addressing identity theft, commonly known as the "Red Flag Rules". Under the regulation only financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written program, approved by the governing body, by May 1, 2009. A "covered account' is defined as: (I) an account primarily used for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of thefinancial institution or creditor from identity theft. The FTC guidelines state that government entities that defer payment for goods and services are creditors. As ' such City staff has determined that utility billing accounts and ambulance billing services meet the criteria of "covered account". The Identity Theft program addresses the needs of both areas and sets forth the steps City staff will take in implementing a program for detecting, preventing and mitigating identity theft. The program outlines the following steps: • risk assessment conducted at the inception of the program and annually thereafter, • identification of the warning signs that may alert personnel to the possible existence of identity theft in the course of day to day operations, • procedures employees will follow in attempting to detect those red flags, • procedures employees will follow in responding appropriately to Red Flags that are detected, in order to prevent and mitigate identify theft, • procedures employees will take in responding to a claim by an individual that he/she has been a victim of identity theft, • administration of the program and • annual updating of the program. Risk Assessment On an annual basis the City shall determine whether it maintains "Covered Accounts" that carry a reasonably foreseeable risk of identity theft, including financial, operational, compliance, reputation or litigation risks. The risk assessment will take into consideration: 1. The types of covered accounts the City offers or maintains, ' 2. The methods employees are provided to: • Open new accounts; Resolution No. 2818-4-09(R), Page 2 • Access existing account; • Modify existing accounts; and/or • Close existing accounts. 3. The methods the City provides customers to access its accounts: • Open a new account; • Access an existing account; • Modify an existing account; and/or • Close an existing account. 4. Previous experiences with identity theft. Identification and Detection of Red Flaes A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of Identity Theft. The following items have been identified as Red Flag warnings that should alert personnel to the possibility of identity theft. (See Exhibit A for illustrative examples in connection with covered accounts.) 1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services., 2. The presentation of suspicious documents, 3. The presentation of suspicious personal identifying information, such as suspicious address change, 4. The unusual use of, or other suspicious activity related to a covered account, and 5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with covered accounts held by the City of Allen. NOTE: The process of confirming a patient's identity should never delay the delivery of urgent or emergency medical care. When a patient's condition permits collection of demographic information and documentation, medical transport crews shall request, in addition to an insurance card, a driver's license or other form of government issued photographic personal identification. If the patient lacks such photographic identification, medical transport personnel shall request other forms of identification, such as a credit card; and/or ask a family member or other person at the scene who knows the patient to verify the patient's identity. Prevention and Mitieation of Identity The If it appears that Identity Theft has occurred, the following steps should be considered and taken, as appropriate: 1. Except in cases where there appears to be obvious complicity by the individual whose identity was used, promptly notify the victim of Identity Theft, by certified mail. Notification may also be provided by telephone, to be followed by a mailed letter. 2. Place an Identity Theft Alert on all reports and accounts that may have inaccurate information as a ' result of the Identity Theft. 3. Discontinue billing on the account and/or close the account. Resolution No. 28184-09(R), Page 3 4. Reopen the account with appropriate modifications, including anew account number. ' 5. Change any passwords, security codes, or other security devices that permit access to a covered account. 6. If the account has been referred to collection agencies or attorneys, instruct the collection agency or attorneys to cease collection activity. 7. Notify law enforcement and cooperate in any investigation by law enforcement. 8. If an adverse report has been made to a consumer credit reporting agency regarding a person whose identity has been stolen, notify the agency that the account was not the responsibility of the individual. 9. If the circumstances indicate that there is no action that would prevent or mitigate the Identity Theft, no action need be taken. Additional steps for ambulance services are: 10. Place an Identity Theft Alert on all patient care reports and financial accounts that may have inaccurate information as a result of the Identity Theft. 11. If a claim has been submitted to an insurance carrier or government program ("Payor") in the name of the patient whose identity has been stolen, notify the Payor, withdraw the claim and refund any charges previously collected from the Payor and/or the patient. t 12. Request that law enforcement notify any health facility to which the patient using the false identity has been transported regarding the Identity Theft. 13. Correct the medical record of any patient of Provider whose identity was stolen, with the assistance of the patient as needed. Proeram Administration A designated employee at the level of senior management shall be designated by the City Manager as the Program Compliance Officer and shall be responsible for the oversight, development, and implementation of the Identity Theft Program, Each City department responsible for "covered accounts" will assign a management level staff member to assist the Program Compliance Officer. An annual report will be provided to the City Manager by July 1 on the effectiveness of the policies and procedures, significant incidents involving Identity Theft, service provider arrangements and management's recommendations for changes to the Program. The program will be reviewed, revised and updated on an annual basis based on factors such as: • The City's experiences with Identity Theft over the period since the last revision; • Changes in methods of Identity Theft or methods to detect, prevent and mitigate Identity Theft; • Changes in the types of accounts the City offers or maintains; • Changes in City technology and operations, including any new electronic health record or ' financiaWilling software programs • Changes in business arrangements including mergers, acquisitions, alliances, joint ventures, and service provider arrangements. Resolution No. 2818-4-09(R), Page 4 To effectively implement and maintain the program, all management personnel, all billing office personnel and all medical transport personnel will be provided training on an annual basis. Initial training will occur no ' later than May 1, 2009 for all current personnel. Newly hired personnel shall be trained in the implementation of the program as part of their standard compliance and HIPAA training. "Refresher" training will be included in the annual compliance and HIPAA training given to employees and may be given to specific employees from time to time on an "as needed" basis. Employees will also be trained on proper record destruction procedures per the City's records retention policy. 1 1 The City shall exercise appropriate and effective oversight of all arrangements involving a Service Provider whose duties include opening, monitoring or processing customer accounts or performing other activities which place them in a position to prevent, detect or mitigate Identity Theft. Each Service Provider shall be required to execute an amendment or addendum to its service agreement or business associate agreement which requires it to: • Implement a written Identity Theft Program that meets the requirements of the "Red Flag Rule"; • Provide a copy of such program to the City no later than May 1, 2009; • Provide copies of all material changes to such program on an annual basis; and • Either report to the City all Red Flags which it encounters or take appropriate steps to prevent or mitigate identity Theft itself. Resolution No. 2818-4-09(R), Page 5 Exhibit A Illustrative Red Flae Examples In addition to incorporating Red Flags from the sources recommended in the Identity Theft Prevention, Detection and Mitigation Program, the following illustrated examples may be considered Red Flags, whether singly or in combination, in connection with covered accounts. Alerts. Notifications or Warnines from a Consumer Reporting Aeencv I. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy. 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. a recent and significant increase in the volume of inquiries; b. an unusual number of recently established credit relationships; c. a material change in the use of credit, especially with respect to recently established credit relationships; or d. an account that was closed for cause or indentified for abuse of account privileges by a financial institution or creditor. ' Suspicious Documents 1. Documents provided for identification appear to have been altered or forged. 2. The photograph or physical description is not consistent with the appearance of the applicant or customer presenting the identification. 3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting identification. 4. Other information on the identification is not consistent with readily accessible inforrnation that is on file, such as a signature card or recent check. S. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled. Suspicious Personal Identifying Information 1. Personal identifying information provided is inconsistent when compared against external information sources used by the City of Allen. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security ' Administration's Death Master File. Resoluth m No. 2818-4-09(R), Page 6 2. Personal identifying information provided by the customer is not consistent with the other personal identifying information provided by the customer. For example, there is a lack of correlation between ' the SSN range and date of birth. 3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third -party sources used by the City. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application. 4. Personal indentifying information provided is of a type commonly associated with fraudulent application. For example: a. The address on an application is fictitious, a mail drop, or a prison; or b. The phone number is invalid, or is associated with a pager or answering service. 5. The SSN provided is the same as that submitted by other persons opening an account or other customers. 6. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers. 7. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification the application is incomplete. 8. Personal indentifying information provided is not consistent with personal indentifying information that is on file with the City of Allen. 9. When using challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. Unusual Use of, or Suspicious Activity Related to, the Covered Account 1. Shortly following the notice of change of address for a covered account, the City receives a request for new, additional, or replacement of goods or services, or for the addition of authorized users on the account 2. A new account is used in a manner commonly associated with known patterns of fraud patterns, such as failing to make the first payment or only makes an initial payment but no subsequent payment. 3. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of services; I4. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). Resolution No. 2818-4-09(R), Page 7 S. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account. ' 6. The City is notified that the customer is not receiving paper account statements. 7. The City is notified of unauthorized charges or transactions in connection with a customer's covered account. Notice from Customers. Victims of Identity Theft, Law Enforcement Authorities. or Other Persons Reeardine Possible Identity Theft in Connection With Covered Accounts Held by the City of Allen The City is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. Resolution No. 2818.4-09(R), Page 8