HomeMy Public PortalAbout2009-3 - IDENTITY THEFT RED FLAG POLICYORDINANCE 2009--3
AN ORDINANCE CREATING A RED FLAG POLICY TO IDENTIFY AND PREVENT
IDENTITY THEFT
WHEREAS, The Federal Trade commission adopted Identity Theft Rules requiring the
creation of certain policies relating to the use of consumer reports, address discrepancy
and the detection, prevention and mitigation of identity theft;
WHEREAS, the Federal Trade Commission regulations, adopted as 16 CFR 681.2
require creditors, as defined by 15 U.S.C. 168 1 (a)(r)(5) to adopt red flag policies to
prevent and mitigate identity theft with respect to covered accounts;
WHEREAS, the Federal Trade Commission regulations include utility companies in the
definition of creditor; and
WHEREAS the City of Greencastle is a creditor with respect to 16 CFR 681.2 by virtue
of providing utility services or by otherwise accepting payment for municipal services in
arrears.
NOW THEREFORE, BE IT ORDAINED BY THE COMMON COUNCIL OF
GREENCASTLE that it hereby adopts the attached Identity Theft Prevention Program.
Be if further ordained that the Common Council grants the authority to amend the
attached policy, if necessary, to the Greencastle Board of Public Works and Safety upon
passage of a resolution by the Board.
This Ordinance shall have full force and effect upon passage of the Greencastle Common
Council and its approval by the Mayor.
PASS W AND AD TED by the Common Council of the City of Greencastle, Indiana
this day of L j f j � , 2009.
V Lug S
Adaf Cohen Jins S. Bingham
onn i,ame
r.
Identity Theft Prevention Program
For
City of Greencastle
May 2008
A. Purpose. This Plan is intended to identify red flags that will alert our employees
when new or existing accounts are opened using false information, protect against
the establishment of false accounts, establish methods to ensure existing accounts
were not opened using false information, and define measures to respond to such
events.
B. Risk Assessment. Greencastle Utilities has conducted an internal risk assessment
to evaluate how at risk the current procedures are at allowing customers to create a
fraudulent account and evaluate if current (existing accounts) are being
manipulated. This risk assessment evaluated how new accounts were opened and
the methods used to access the account information.
C. Detection (Red Flags). Greencastle Utilities adopts the following red flags to
detect potential fraud. These are not intended to be all- inclusive and other
suspicious activity may be investigated as necessary:
1. Identification documents appear to be altered;
2. Photo and physical description do not match appearance of applicant;
3. Other information is inconsistent with information provided by
applicant;
4. Other information provided by applicant is inconsistent with
information on file;
5. Application appears altered or destroyed and reassembled;
6. Personal information provided by applicant does not match other
sources of information (e.g. credit reports, SS# not issued or listed as
deceased);
7. Lack of correlation between the SS# range and date of birth;
8. Information provided is associated with known fraudulent activity (e.g.
address or phone number provided is same as that of a fraudulent
application);
9. Information conunonly associated with fraudulent activity is provided
by applicant (e.g. address that is a mail drop or prison, non - working
phone number or associated with answering service /pager)
10. SS #, address, or telephone # is the same as that of other customer at
utility;
11. Customer fails to provide all information requested;
12. Personal infonmation provided is inconsistent with information on file
for a customer;
13. Applicant cannot provide information requested beyond what could
commonly be found in a purse or wallet;
14. Identity theft is reported or discovered.
D. Response. Any employee that may suspect fraud or detect a red flag will
implement the following response as applicable:
1. Ask applicant for additional documentation.
2. Monitor account;
3. Notify Greencastle Police Department of any attempted or actual
identity theft;
4. Do not open the account;
5. Close the account; or
6. Do not attempt to collect against the account, but notify authorities.
All detections or suspicious red flags shall be reported to your supervisor
E. Personal Information Security Procedures. Greencastle Utilities shall follow the
following security procedures:
1. All new accounts must be opened in person at Greencastle City Hall,
unless authorized by the Clerk- Treasurer or his/her designee, and only
upon the applicant's provision of sufficient proof of identity.
2. Paper documents, files and electronic media containing secure
information will be stored in locked file cabinets.
3. Employees will not leave sensitive papers out on their desks when they
are away from their work stations. Employees will store files when
leaving their work areas.
4. Employees will log off their computers when leaving their work areas.
5. Visitors who must enter areas where sensitive files are kept must be
escorted by an employee of the City at all times.
6. No visitor shall be given any entry codes or allowed unescorted access
to the office.
7. Access to sensitive information will be controlled using passwords.
Employees will choose passwords with a mix of letters, numbers and
characters. User names and passwords will be different. Passwords
will be changed at least quarterly.
S. Passwords will not be shared or posted near workstations.
9. Anti -virus and anti - spyware programs will be run on individual
computers and on servers regularly.
10. When installing new software, vendor- supplied default passwords will
be changed.
11. The computer network will have a firewall where the network
connects to the Internet.
12. References will be checked and background checks will be done
before hiring employees who will have access to sensitive date.
13. Access to a customer's personal identifying information will be
limited to employees on it need to know basis.
14. Procedures will be developed to ensure that workers who leave the
employment of the city of Greencastle or transfer to another
department no longer have access to sensitive information.
15. Employees will be trained on a regular basis.
16. Employees will be alert to attempts at phone phishing.
17. Paper records will be shredded before being placed into the trash.
18. Any data storage media will be disposed of by shredding or
incineration.
Approved and signed by me this day of 2009, at
o'clock .m.
Sue Murray, Mayor
ATTEST:
Teresa Glenn, Clerk- Treasurer