VILLAGE OF PLAINFIELD
RESOLUTION NO. 1585
A RESOLUTION ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM
FOR THE VILLAGE OF PLAINFIELD, ILLINOIS
WHEREAS, The Fair and Accurate Credit Transactions Act of 2003, an amendment to
the Fair Credit Reporting Act, required rules regarding identity theft protection to be
promulgated; and
WHEREAS, Those rules become effective May 1, 2009, and require municipal utilities
and other departments to implement an identity theft program and policy; and
WHEREAS, The Village desires to implement a written identity theft prevention
program in compliance with the rules and to protect the Village's customers from identity theft;
and
WHEREAS, The Village of Plainfield that the following policy is in the best interest of
the municipality, its residents and customers.
NOW, THEREFORE, BE IT RESOLVED by the Village Board of Trustees of the Village of
Plainfield, Illinois, that the Identity Theft Prevention Program is hereby adopted.
ADOPTED this 20th day of April, 2009 by a roll call vote as follows:
AYES: Vaupel, Dement, Fay, Lamb, Manning, Racich
NAYS: None
ABSENT: None
Village Clerk
Attest:
Village Clerk
(Seal)
Approved: April 20, 2009
VILLAGE OF PLAINFIELD
IDENTITY THEFT PREVENTION PROGRAM
This Identity Theft Prevention Program is hereby adopted by the Village of Plainfield
pursuant to and in compliance with the Identity Theft Rules of the Federal Trade
Commission (FTC), Part 681 of Title 16 of the Code of Federal Regulations (16 CFR Part
681).
Purpose
The Village of Plainfield developed this Identity Theft Prevention Program ("Program")
pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of
the Fair and Accurate Credit Transactions Act of 2003. The purpose of this Program is to protect
customers of the Village of Plainfield's utility services from identity theft. The Program is
intended to establish reasonable policies and procedures to facilitate the detection, prevention
and mitigation of identity theft in connection with the opening of new Covered Accounts and
activity on existing Covered Accounts. The Program is intended to assist Village Staff in
identifying a potential identity theft situation, and does not ensure prevention of all instances of
identity theft.
Scope
This Program applies to the creation, modification and access to Identifying Information of a
customer of one or more of the utilities operated by the Village of Plainfield (water, waste water,
and refuse) by any and all personnel of the Village, including management personnel. According
to the Rule, the Village is a creditor potentially subject to the Rule requirements if it defers
payment for goods and/or services rendered by the Village. This Program does not replace or
repeal any previously existing policies or programs addressing some or all of the activities that
are the subject of this Program, but rather it is intended to supplement any such existing policies
and programs.
Definitions
When used in this Program, the following terms have the meanings set forth opposite their name,
unless the context clearly requires that the term be given a different meaning:
Identity Theft: The term "identity theft" means a fraud committed or attempted using the
identifying information of another person without authority. (16 CFR §681.2(b)(8) and 16 CFR
§603.2(a)).
Red Flag: The term "red flag" means a pattern, practice, or specific activity that indicates the
possible existence of Identity Theft (16 CFR 681.2(b)(9)).
Covered Account: The term "covered account" means an account the Village offers or
maintains, primarily for personal, family or household purposes, that involves multiple payments
or transactions. (16 CFR 681.2(b)(3)(i)). A utility account is a "covered account." The term
"covered account" also includes other accounts offered or maintained by the Village for which
there is a reasonably foreseeable risk to the Village or its customers from identity theft. (16 CFR
681.2(b)(3)(ii)).
4/14/2009
Identifying Information: The term "identifying information" means any name or number that
may be used, alone or in conjunction with any other information, to identify a specific person,
including any name, social security number, date of birth, official State or government issued
driver's license or identification number, alien registration number, government passport number,
employer or taxpayer identification number. Additional examples of "identifying information"
are set forth in 16 CFR §603.2(a).
Certain terms used but not otherwise defined herein shall have the meanings given to them in the
FTC's Identity Theft Rules (16 CFR Part 681) or the Fair Credit Reporting Act of 1970 (15
U.S.C. § 1681 et seq.), as amended by the Fair and Accurate Credit Transactions Act of 2003 into
law on December 4, 2003. (Public Law 108-159).
Administration of the Program
The initial adoption and approval of the Identity Theft Prevention Program shall be by
Resolution of the Village Board. Thereafter, changes to the Program of a day-to-day operational
character and decisions relating to the interpretation and implementation of the Program may be
made by the Director of Management Services (Program Administrator). Major changes or
shifts of policy positions under the Program shall only be made by the Village Board.
Development, implementation, administration and oversight of the Program will be the
responsibility of the Program Administrator. Other Program personnel may be designated by the
Program Administrator as needed. The Program Administrator will report at least annually to the
Village Administrator regarding compliance with this Program.
Issues to be addressed in the annual Identity Theft Prevention Report include:
1. The effectiveness of the policies and procedures in addressing the risk of Identity Theft in
connection with the opening of new Covered Accounts and activity with respect to
existing Covered Accounts.
2. Service provider arrangements.
3. Significant incidents involving Identity Theft and management's response.
4. Recommendations for material changes to the Program, if needed for improvement.
Identity Theft Prevention Elements
Identification of Relevant Red Flags
The Village of Plainfield has considered the guidelines and the illustrative examples of possible
Red Flags from the FTC's Identity Theft Rules. The Village has also reviewed the types of
accounts offered and maintained, the methods it provides to open its accounts, the methods it
provides to access its accounts, and its previous experiences with Identity Theft, if any. The
Village hereby determines that the following are the relevant Red Flags for purposes of this
Program given the relative size of the Village of Plainfield and the limited nature and scope of
the services that the Village provides to its citizens:
A. Alerts, notifications, or other warnings received from consumer reporting agencies
or service providers.
1. A Consumer Reporting Agency alerts the Village of a credit freeze, address disparity,
or that an account has been noted to have abusive or fraudulent activity.
B. The presentation of suspicious documents.
2. Documents provided for identification appear to have been altered or forged or
inauthentic.
3. The photograph or physical description on the identification is not consistent with the
appearance of the applicant or customer presenting the identification.
4. Other information on the identification is not consistent with information provided by
the person opening a new covered account or customer presenting the identification.
5. Other information on the identification is not consistent with readily accessible
information that is on file with the Village, such as a signature card or a recent check.
6. An application appears to have been altered or forged, or gives the appearance of
having been destroyed and reassembled.
C. The presentation of suspicious personal identifying information, such as a suspicious
address change.
7. Personal identifying information provided that is inconsistent with other sources of
information. For example, an address not matching an address on a credit report.
8. Personal identifying information provided by the customer is not consistent with
other personal identifying information provided by the customer. For example,
inconsistent birth dates.
9. Personal identifying information provided is the same as information shown on other
applications that were known to be fraudulent.
10. Personal identifying information provided is consistent with fraudulent activity, such
as an invalid phone number or fictitious billing address.
11. Identifying information presented that is the same as one given by another customer.
12. The person opening the covered account or the customer fails to provide all required
personal identifying information on an application or in response to notification that
the application is incomplete.
13. Personal identifying information provided is not consistent with personal identifying
information that is on file with the Village.
14. If the Village of Plainfield uses challenge questions, the person opening the covered
account or the customer cannot provide authenticating information beyond that which
generally would be available from a wallet or consumer report.
D. The unusual use of, or other suspicious activity related to, a Covered Account.
15. Shortly following the notice of a change of address for a covered account, the Village
receives a request for the addition of authorized users on the account.
16. A new utility account is used in a manner commonly associated with known patterns
of fraud. For example: the customer fails to make the first payment or makes
an initial payment but no subsequent payments.
17. A covered account with a stable history shows irregularities.
18. A covered account that has been inactive for a reasonably lengthy period of time is
used (taking into consideration the type of account, the expected pattern of usage and
other relevant factors).
19. Mail sent to the customer is returned repeatedly as undeliverable although usage of
utility products or services continues in connection with the customer's covered
account.
20. The Village is notified that the customer is not receiving paper account statements.
21. The Village is notified of unauthorized usage of utility products or services in
connection with a customer's covered account.
E. Notice of Possible Identity Theft.
22. The Village is notified by a customer, a victim of identity theft, a law enforcement
authority, or any other person that it has opened a fraudulent account for a person
engaged in identity theft.
Detection of Red Flags
The employees of the Village of Plainfield that interact directly with customers on a day-to-day
basis shall have the initial responsibility for monitoring the information and documentation
provided by the customer and any third-party service provider in connection with the opening of
new accounts and the modification of or access to existing accounts and the detection of any Red
Flags that might arise. Management shall see to it that all employees who might be called upon
to assist a customer with the opening of a new account or with modifying or otherwise accessing
an existing account are properly trained such that they have a working familiarity with the
relevant Red Flags identified in this Program so as to be able to recognize any Red Flags that
might surface in connection with the transaction.
An Employee who is not sufficiently trained to recognize the Red Flags identified in this
Program shall not open a new account for any customer, modify any existing account or
otherwise provide any customer with access to information in an existing account without the
direct supervision and specific approval of a management employee. Management employees
shall be properly trained such that they can recognize the relevant Red Flags identified in this
Program and exercise sound judgment in connection with the response to any unresolved Red
Flags that may present themselves in connection with the opening of a new account or with
modifying or accessing of an existing account. Management employees shall be responsible for
making the final decision on any such unresolved Red Flags.
The Program Administrator shall establish from time to time a written policy setting forth the
manner in which a prospective new customer may apply for service, the information and
documentation to be provided by the prospective customer in connection with an application for
a new utility service account, the steps to be taken by the employee assisting the customer with
the application in verifying the customer's identity and the manner in which the information and
documentation provided by the customer and any third-party service provider shall be
maintained. Such policy shall be generally consistent with the spirit of the Customer
Identification Program rules (31 CFR 103.121) implementing Section 326(a) of the USA
PATRIOT Act but need not be as detailed. The Program Administrator shall establish from time
to time a written policy setting forth the manner in which customers with existing accounts shall
establish their identity before being allowed to make modifications to or otherwise gain access to
existing accounts.
Response to Detected Red Flags
If the responsible employees of the Village of Plainfield as set forth in the previous section are
unable, after making a good faith effort, to form a reasonable belief that they know the true
identity of a customer attempting to open a new account or modify or otherwise access an
existing account based on the information and documentation provided by the customer and any
third-party service provider, the Village shall not open the new account or modify or otherwise
provide access to the existing account as the case may be. Opening new accounts or the
modification or access to existing accounts will be on a non-discriminatory basis based on the
Village's policies.
The Program Administrator shall establish from time to time a written policy setting forth the
steps to be taken in the event of an unresolved Red Flag situation. Consideration should be given
to aggravating factors that may heighten the risk of Identity Theft, such as a data security
incident that results in unauthorized access to a customer's account, or a notice that a customer
has provided account information to a fraudulent individual or website. Appropriate responses to
prevent or mitigate Identity Theft when a Red Flag is detected include:
1. Monitoring a Covered Account for evidence of Identity Theft.
2. Contacting the customer.
3. Changing any passwords, security codes, or other security devices that permit access to a
Covered Account.
4. Reopening a Covered Account with a new account number.
5. Not opening a new Covered Account.
6. Closing an existing Covered Account.
7. Notifying the Program Administrator for determination of the appropriate step(s) to take.
8. Notifying law enforcement.
9. Determining that no response is warranted under the particular circumstances.
Program Management and Accountability
Initial Risk Assessment -- Covered Accounts
Utility accounts for personal, family and household purposes are specifically included within the
definition of "covered account" in the FTC's Identity Theft Rules. Therefore, the Village of
Plainfield determines that with respect to its residential utility accounts it offers and/or maintains
covered accounts. The Village also performed an initial risk assessment to determine whether
the utility offers or maintains any other accounts for which there are reasonably foreseeable risks
to customers or the utility from identity theft. In making this determination the Village
considered (1) the methods it uses to open its accounts, (2) the methods it uses to access its
accounts, and (3) its previous experience with identity theft, if any, and it concluded that it does
not offer or maintain any such other covered accounts.
Program Updates -- Risk Assessment
The Program, including relevant Red Flags, is to be updated as often as necessary but at least
annually to reflect changes in risks to customers from Identity Theft. Factors to consider in the
Program update include:
1. An assessment of the risk factors identified above.
2. Any identified Red Flag weaknesses in associated account systems or procedures.
3. Changes in methods of Identity Theft.
4. Changes in methods to detect, prevent, and mitigate Identity Theft.
5. Changes in business arrangements, including mergers, acquisitions, alliances, joint
ventures, and service provider arrangements.
Training and Oversight
All staff and third-party service providers performing any activity in connection with one or
more Covered Accounts are to be provided appropriate training and receive effective oversight to
ensure that the activity is conducted in accordance with policies and procedures designed to
detect, prevent, and mitigate the risk of Identity Theft.
Other Legal Requirements
Awareness of the following related legal requirements should be maintained:
• 31 U.S.C. 5318(g) - Reporting of Suspicious Activities
• 15 U.S.C. 1681c-1(h) - Identity Theft Prevention; Fraud Alerts and Active Duty Alerts
- Limitations on Use of Information for Credit Extensions
• 15 U.S.C. 1681s-2 - Responsibilities of Furnishers of Information to Consumer
Reporting Agencies
• 15 U.S.C. 1681m - Requirements on Use of Consumer Reports
Village of Plainfield
Red Flag Table
A. Alerts, Notifications or Warnings from Consumer Reporting Agency
1. A Consumer Reporting Agency alerts the Village of a credit freeze, address disparity, or that an
account has been noted to have abusive or fraudulent activity.
B. Suspicious Documents
2. Documents provided for ID appear to be altered, forged or inauthentic.
3. The photo or physical description is not consistent with the appearance of the applicant.
4. Information given to open the account is not consistent with the ID of the applicant.
5. Other information is not consistent with information on file with the Village.
6. Application appears to have been altered or forged.
C. Suspicious Personal I.D. Information
7. Personal ID is inconsistent with other sources of information.
8. Personal ID provided is not consistent with other personal ID information provided by customer.
9. Personal ID information provided is the same as information shown on other fraudulent
applications.
10. Personal ID is consistent with fraudulent activity, such as fictitious address, or phone
number is invalid.
11. ID information is the same as another customer.
12. The customer fails to provide all needed personal ID upon request.
13. Personal ID is inconsistent with utility records.
14. Challenge questions cannot be answered.
D. Unusual Use or Suspicious Activity related to the Covered Account
15. Addition of authorized users request shortly following an address change request.
16. Payments are made in a manner associated with fraud. For example, a deposit or initial
payment is made and no payments are made thereafter.
17. A covered account with a stable history shows irregularities.
18. A covered account that has been inactive for a long period of time is used.
19. Mail sent to customer is repeatedly returned.
20. Customer notifies utility that they are not receiving their bill.
21. The utility is notified of unauthorized charges or transactions in connection with a
customer's account.
E. Notice of Theft
13. Utility is notified by law enforcement officials or others, that it has opened a fraudulent
account for a person engaged in identity theft.