HomeMy Public PortalAbout2008-036 c: -;;DO
ORDINANCE NO. 36 -2008
AN ORDINANCE TO AMEND THE CODE OF ORDINANCES FOR
THE CITY OF TYBEE ISLAND TO PROVIDE A NEW ARTICLE
, IDENTITY THEFT PREVENTION PROGRAM; TO
COMPLY WITH FEDERAL REGULATIONS RELATING TO ADDRESS
DESCREPANCIES; TO COMPLY WITH FEDERAL REGULATIONS
RELATING TO RED FLAGS AND IDENTITY THEFT; TO PROVIDE
FOR CODIFICATION; TO PROVIDE FOR SEVERABILITY; TO
PROVIDE FOR AN ADOPTION DATE; TO PROVIDE AN EFFECTIVE
DATE; AND FOR OTHER PURPOSES ALLOWED BY LAW
WHEREAS pursuant to federal law the Federal Trade Commission adopted Identity Theft Rules
requiring the creation of certain policies relating to the use of consumer reports, address
discrepancy and the detection, prevention and mitigation of identity theft;
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR § 681.2 require
creditors, as defined by 15 U.S.C. § 1681a(r)(5) to adopt red flag policies to prevent and mitigate
identity theft with respect to covered accounts;
WHEREAS 15 U.S.C. § 1681a(r)(5) cites 15 U.S.C. § 1691a, which defines a creditor as a
person that extends, renews or continues credit, and defines `credit' in part as the right to
purchase property or services and defer payment therefore;
WHEREAS the Federal Trade Commission regulations include utility companies in the
definition of creditor;
WHEREAS the City of Tybee Island is a creditor with respect to 16 CFR § 681.2 by virtue of
providing utility services or by otherwise accepting payment for municipal services in arrears;
WHEREAS the Federal Trade Commission regulations define `covered account' in part as an
account that a creditor provides for personal, family or household purposes that is designed to
allow multiple payments or transactions and specifies that a utility account is a covered account;
WHEREAS the Federal Trade Commission regulations require each creditor to adopt an Identity
Theft Prevention Program which will use red flags to detect, prevent and mitigate identity theft
related to information used in covered accounts;
WHEREAS the City provides water, sewer, and waste management services for which payment
is made after the product is consumed or the service has otherwise been provided which by virtue
of being utility accounts are covered accounts;
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR 681.1, require users
of consumer credit reports to develop policies and procedures relating to address discrepancies
between information provided by a consumer and information provided by a consumer credit
company;
1
WHEREAS the City of Tybee Island uses consumer credit reports to establish various customer
accounts; and
WHEREAS the duly elected governing authority of the City of Tybee Island is the Mayor and
council thereof;
Now therefore be it ordained that the City of Tybee Island adopts the following Identity Theft
Prevention Program:
SECTION I
The Code of the City of Tybee Island is hereby amended by adding an Article to be numbered
, which said Article reads as follows:
"Article
Identity Theft Prevention Program
Section -1. Short Title.
This article shall be known as the Identity Theft Prevention Program.
Section -2. Purpose.
The purpose of this Article is to comply with 16 CFR § 681.2 in order to detect, prevent and
mitigate identity theft by identifying and detecting identity theft red flags and by responding to
such red flags in a manner that will prevent identity theft.
Section -3. Definitions.
For purposes of this Article, the following definitions apply:
(a) `City' means the City of Tybee Island.
(b) `Covered account' means (1) An account that a financial institution or creditor offers or
maintains, primarily for personal, family, or household purposes, that involves or is
designed to permit multiple payments or transactions, such as a credit card account,
mortgage loan, automobile loan, margin account, cell phone account, utility account,
checking account, or savings account; and (if) Any other account that the financial
institution or creditor offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the financial institution or creditor from
identity theft, including financial, operational, compliance, reputation, or litigation risks.
(c) `Credit' means the right granted by a creditor to a debtor to defer payment of debt or to
incur debts and defer its payment or to purchase property or services and defer payment
therefore.
2
(d) `Creditor' means any person who regularly extends, renews, or continues credit; any
person who regularly arranges for the extension, renewal, or continuation of credit; or
any assignee of an original creditor who participates in the decision to extend, renew, or
continue credit and includes utility companies and telecommunications companies.
(e) `Customer' means a person that has a covered account with a creditor.
(f) `Identity theft' means a fraud committed or attempted using identifying information of
another person without authority.
(g) Person' means a natural person, a corporation, government or governmental subdivision
or agency, trust, estate, partnership, cooperative, or association.
(h) `Personal Identifying Information' means a person's credit card account information,
debit card information bank account information and drivers' license information and for
a natural person includes their social security number, mother's birth name, and date of
birth.
(i) `Red flag' means a pattern, practice, or specific activity that indicates the possible
existence of identity theft.
(j) `Service provider' means a person that provides a service directly to the city.
Section -4. Findings.
(1) The city is a creditor pursuant to 16 CFR § 681.2 due to its provision or maintenance of
covered accounts for which payment is made in arrears.
(2) Covered accounts offered to customers for the provision of city services include water,
sewer, and waste management.
(3) The city's previous experience with identity theft related to covered accounts is as
follows: None known.
(4) The processes of opening a new covered account, restoring an existing covered account,
making payments on such accounts, have been identified as potential processes in which
identity theft could occur.
(5) The city limits access to personal identifying information to those employees responsible
for or otherwise involved in opening or restoring covered accounts or accepting payment
for use of covered accounts. Information provided to such employees is entered directly
into the city's computer system and is not otherwise recorded.
(6) The city determines that there is a moderate risk of identity theft occurring in the
following ways, if any:
a. Use by an applicant of another person's personal identifying information to
establish a new covered account;
b. Use of a previous customer's personal identifying information by another person
in an effort to have service restored in the previous customer's name;
c. Use of another person's credit card, bank account, or other method of payment by
a customer to pay such customer's covered account or accounts; and
d. Use by a customer desiring to restore such customer's covered account of another
person's credit card, bank account, or other method of payment.
3
Section -5. Process of Establishing a Covered Account.
(1) As a precondition to opening a covered account in the city, each applicant shall provide
the city with personal identifying information of the customer consisting of a valid
government issued identification card containing a photograph of the customer, or for
commercial accounts or non - natural persons, a photograph of the customer's agent
opening the account. Such applicant shall also provide any information necessary for the
department providing the service for which the covered account is created to access the
applicant's consumer credit report. Such information shall be entered directly into the
city's computer system and shall not otherwise be recorded.
(2) Each account shall be assigned an account number and personal identification number
(PIN) which shall be unique to that account. The city may utilize computer software to
randomly generate assigned PINs and to encrypt account numbers and PINs.
Section -6. Access to Covered Account Information.
(1) Access to customer accounts shall be password protected and shall be limited to
authorized city personnel.
(2) Such password(s) shall be changed by the director of the department providing the
service or the finance department, as appropriate, or his/her designee on a regular basis,
shall be at Least 8 characters in length and shall contain letters, numbers and symbols.
(3) Any unauthorized access to or other breach of customer accounts is to be reported
immediately to the City Manager and the password changed immediately.
(4) Personal identifying information included in customer accounts is considered confidential
and any request or demand for such information shall be immediately forwarded to the
City Manager and the City Attorney.
Section -7. Credit Card Payments.
(1) In the event that credit card payments that are made over the Internet are processed
through a third party service provider, such third party service provider shall certify that
it has an adequate identity theft prevention program in place that is applicable to such
payments.
(2) All credit card payments made over the telephone or the city's website shall be entered
directly into the customer's account information in the computer data base.
(3) Account statements and receipts for covered accounts shall include only the last four
digits of the credit or debit card or the bank account used for payment of the covered
account.
Section -8. Sources and Types of Red Flags.
All employees responsible for or involved in the process of opening a covered account, restoring
a covered account or accepting payment for a covered account shall check for red flags as
indicators of possible identity theft and such red flags may include:
4
(1) Alerts from consumer reporting agencies, fraud detection agencies or service providers.
Examples of alerts include but are not limited to:
a. A fraud or active duty alert that is included with a consumer report;
b. A notice of credit freeze in response to a request for a consumer report;
c. A notice of address discrepancy provided by a consumer reporting agency;
d. Indications of a pattern of activity in a consumer report that is inconsistent with the
history and usual pattern of activity of an applicant or customer, such as:
i. A recent and significant increase in the volume of inquiries;
ii. An unusual number of recently established credit relationships;
iii. A material change in the use of credit, especially with respect to recently
established credit relationships; or
iv. An account that was closed for cause or identified for abuse of account
privileges by a financial institution or creditor.
(2) Suspicious documents. Examples of suspicious documents include:
a. Documents provided for identification that appear to be altered or forged;
b. Identification on which the photograph or physical description is inconsistent with the
appearance of the applicant or customer;
c. Identification on which the information is inconsistent with information provided by
the applicant or customer;
d. Identification on which the information is inconsistent with readily accessible
information that is on file with the financial institution or creditor, such as a signature
card or a recent check; or
e. An application that appears to have been altered or forged, or appears to have been
destroyed and reassembled.
(3) Suspicious personal identification, such as suspicious address change. Examples of
suspicious identifying information include:
a. Personal identifying information that is inconsistent with external information sources
used by the financial institution or creditor. For example:
i. The address does not match any address in the consumer report; or
ii. The Social Security Number (SSN) has not been issued, or is listed on the
Social Security Administration's Death Master File.
b. Personal identifying information provided by the customer is not consistent with
other personal identifying information provided by the customer, such as a lack of
correlation between the SSN range and date of birth.
c. Personal identifying information or a phone number or address, is associated with
known fraudulent applications or activities as indicated by internal or third -party
sources used by the financial institution or creditor.
d. Other information provided, such as fictitious mailing address, mail drop addresses,
jail addresses, invalid phone numbers, pager numbers or answering services, is
associated with fraudulent activity.
e. The SSN provided is the same as that submitted by other applicants or customers.
f. The address or telephone number provided is the same as or similar to the account
number or telephone number submitted by an unusually large number of applicants or
customers.
5
g. The applicant or customer fails to provide all required personal identifying
information on an application or in response to notification that the application is
incomplete.
h. Personal identifying information is not consistent with personal identifying
information that is on file with the financial institution or creditor.
i. The applicant or customer cannot provide authenticating information beyond that
which generally would be available from a wallet or consumer report.
(4) Unusual use of or suspicious activity relating to a covered account. Examples of suspicious
activity include:
a. Shortly following the notice of a change of address for an account, city receives a
request for the addition of authorized users on the account.
b. A new revolving credit account is used in a manner commonly associated with known
patterns of fraud patterns. For example:
i. The customer fails to make the first payment or makes an initial payment but
no subsequent payments.
c. An account is used in a manner that is not consistent with established patterns of
activity on the account. There is, for example:
i. Nonpayment when there is no history of late or missed payments;
ii. A material change in purchasing or spending patterns;
d. An account that has been inactive for a long period of time is used (taking into
consideration the type of account, the expected pattern of usage and other relevant
factors).
e. Mail sent to the customer is returned repeatedly as undeliverable although
transactions continue to be conducted in connection with the customer's account.
f. The city is notified that the customer is not receiving paper account statements.
g. The city is notified of unauthorized charges or transactions in connection with a
customer's account.
h. The city is notified by a customer, law enforcement or another person that it has
opened a fraudulent account for a person engaged in identity theft.
(5) Notice from customers, law enforcement, victims or other reliable sources regarding possible
identity theft or phishing relating to covered accounts.
Section -9. Prevention and Mitigation of Identity Theft.
(1) In the event that any city employee responsible for or involved in restoring an existing
covered account or accepting payment for a covered account becomes aware of red flags
indicating possible identity theft with respect to existing covered accounts, such
employee shall use his or her discretion to determine whether such red flag or
combination of red flags suggests a threat of identity theft. If, in his or her discretion,
such employee determines that identity theft or attempted identity theft is likely or
probable, such employee shall immediately report such red flags to his/her superior. If,
in his or her discretion, such employee deems that identity theft is unlikely or that reliable
information is available to reconcile red flags, the employee shall convey this information
to his/her superior, who may in his or her discretion determine that no further action is
necessary. If the superior in his or her discretion determines that further action is
6
necessary, a city employee shall perform one or more of the following responses, as
determined to be appropriate by him/her:
a. Contact the customer;
b. Make the following changes to the account if, after contacting the customer, it is
apparent that someone other than the customer has accessed the customer's
covered account:
i. change any account numbers, passwords, security codes or other security
devices that permit access to an account; or
ii. close the account;
c. Cease attempts to collect additional charges from the customer and decline to sell
the customer's account to a debt collector in the event that the customer's account
has been accessed without authorization and such access has caused additional
charges to accrue;
d. Notify a debt collector within 24 hours of the discovery of likely or probable
identity theft relating to a customer account that has been sold to such debt
collector in the event that a customer's account has been sold to a debt collector
prior to the discovery of the likelihood or probability of identity theft relating to
such account;
e. Notify law enforcement, in the event that someone other than the customer has
accessed the customer's account causing additional charges to accrue or accessing
personal identifying information; or
f. Take other appropriate action to prevent or mitigate identity theft.
(2) In the event that any city employee responsible for or involved in opening a new covered
account becomes aware of red flags indicating possible identity theft with respect an
application for a new account, such employee shall use his or her discretion to determine
whether such red flag or combination of red flags suggests a threat of identity theft. If, in
his or her discretion, such employee determines that identity theft or attempted identity
theft is likely or probable, such employee shall immediately report such red flags to
his/her superior. If, in his or her discretion, such employee deems that identity theft is
unlikely or that reliable information is available to reconcile red flags, the employee shall
convey this information to his/her superior, who may in his or her discretion determine
that no further action is necessary. If the superior determines that further action is
necessary, a city employee shall perform one or more of the following responses, as
determined to be appropriate by the superior:
a. Request additional identifying information from the applicant;
b. Deny the application for the new account;
c. Notify law enforcement of possible identity theft; or
d. Take other appropriate action to prevent or mitigate identity theft.
Section -10. Updating the Program.
The city council shall annually review and, as deemed necessary by the council, update the
Identity Theft Prevention Program along with any relevant red flags in order to reflect changes in
risks to customers or to the safety and soundness of the city and its covered accounts from
7
identity theft. In so doing, the city council shall consider the following factors and exercise its
discretion in amending the program:
(1) The city's experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate identity theft;
(4) Updates in the types of accounts that the city offers or maintains; and
(5) Updates in service provider arrangements.
Section -11. Program Administration.
The City Manager is responsible for oversight of the program and for program
implementation. The City Manager is responsible for reviewing reports prepared by staff
regarding compliance with red flag requirements and with recommending material changes
to the program, as necessary in the opinion of the City Manager, to address changing identity
theft risks and to identify new or discontinued types of covered accounts. Any recommended
material changes to the program shall be submitted to the city council for consideration by
the council.
(1) The Head Finance Officer will report to the City Manager at least annually, on
compliance with the red flag requirements. The report will address material matters
related to the program and evaluate issues such as:
a. The effectiveness of the policies and procedures of city in addressing the risk of
identity theft in connection with the opening of covered accounts and with respect
to existing covered accounts;
b. Service provider arrangements;
c. Significant incidents involving identity theft and management's response; and
d. Recommendations for material changes to the Program.
(2) The City Manager is responsible for providing training to all employees responsible for
or involved in opening a new covered account, restoring an existing covered account or
accepting payment for a covered account with respect to the implementation and
requirements of the Identity Theft Prevention Program. The City Manager shall exercise
his or her discretion in determining the amount and substance of training necessary.
Section -12. Outside Service Providers.
In the event that the city engages a service provider to perform an activity in connection with one
or more covered accounts the City Manager shall exercise his or her discretion in reviewing such
arrangements in order to ensure, to the best of his or her ability, that the service provider's
activities are conducted in accordance with policies and procedures, agreed upon by contract,
that are designed to detect any red flags that may arise in the performance of the service
provider's activities and take appropriate steps to prevent or mitigate identity theft."
8
SECTION II
The Code of the City of Tybee Island is hereby amended by adding an Article to be numbered
, which said Article reads as follows:
"Article
Treatment of Address Discrepancies.
Section -1. Short Title.
Treatment of Address Discrepancies.
Section -2. Purpose.
Pursuant to 16 CFR § 681.1, the purpose of this Article is to establish a process by which the city
will be able to form a reasonable belief that a consumer report relates to the consumer about
whom it has requested a consumer credit report when the city has received a notice of address
discrepancy.
Section -3. Definitions.
For purposes of this article, the following definitions apply:
(1) `Notice of address discrepancy' means a notice sent to a user by a consumer reporting
agency pursuant to 15 U.S.C. § 1681(c)(h)(1), that informs the user of a substantial
difference between the address for the consumer that the user provided to request the
consumer report and the address(es) in the agency's file for the consumer.
(2) `City' means City of Tybee Island.
Section -4. Policy.
In the event that the city receives a notice of address discrepancy, the city employee responsible
for verifying consumer addresses for the purpose of providing the municipal service or account
sought by the consumer shall perform one or more of the following activities, as determined to
be appropriate by such employee:
(1) Compare the information in the consumer report with:
a. Information the city obtains and uses to verify a consumer's identity in
accordance with the requirements of the Customer Information Program rules
implementing 31 U.S.C. § 5318(1);
b. Information the city maintains in its own records, such as applications for service,
change of address notices, other customer account records or tax records; or
c. Information the city obtains from third -party sources that are deemed reliable by
the relevant city employee; or
(2) Verify the information in the consumer report with the consumer.
9
Section -5. Furnishing Consumer's Address to Consumer Reporting Agency.
(1) In the event that the city reasonably confirms that an address provided by a consumer to
the city is accurate, the city is required to provide such address to the consumer reporting
agency from which the city received a notice of address discrepancy with respect to such
consumer. This information is required to be provided to the consumer reporting agency
when:
a. The city is able to form a reasonable belief that the consumer report relates to the
consumer about whom the city requested the report;
b. The city establishes a continuing relation with the consumer; and
c. The city regularly and in the ordinary course of business provides information to
the consumer reporting agency from which it received the notice of address
discrepancy.
(2) Such information shall be provided to the consumer reporting agency as part of the
information regularly provided by the city to such agency for the reporting period in
which the city establishes a relationship with the customer.
Section -6. Methods of Confirming Consumer Addresses.
The city employee charged with confirming consumer addresses may, in his or her discretion,
confirm the accuracy of an address through one or more of the following methods:
(1) Verifying the address with the consumer;
(2) Reviewing the city's records to verify the consumer's address;
(3) Verifying the address through third party sources; or
(4) Using other reasonable processes.
Section 3
The preamble to this ordinance is hereby incorporated into this ordinance as if set out fully
herein.
Section 4
All ordinances and parts of ordinances in conflict herewith are hereby expressly repealed.
SECTION III
It is the intention of the governing body, and it is hereby ordained, that the provisions of this
ordinance shall become and be made a part of the Code of Ordinances, City of Tybee Island,
Georgia, and the sections of this ordinance may be renumbered if necessary to accomplish such
intention.
This Ordinance shall become effective on the of , 2008
10
ADOPTED THIS DAY OF (0 2008.
AF1 EST:
). AL( A 0414
CLERK OF COUNCIL ��--11
FIRST READING: /
SECOND READING: /a/ f 5 j of
ENACTED: /0/931
G:ITYBEEIORDINANCES12008\FACT Act - Identity Theft 10.01.08
11