Agenda Item # 8
Public Utility District
ACTION
To: Board of Directors
From: Mary Chapman
Date: October 01, 2008
Subject: Consideration of a Resolution Adopting a Policy on Identity Theft Prevention

1. WHY THIS MATTER IS BEFORE THE BOARD
The District is required to adopt an Identity Theft Prevention Policy. Only the Board of Directors can adopt that policy.

2. HISTORY
Earlier this year the Fair and Accurate Credit Transaction Act (FACT Act) was adopted requiring utilities to have adopted an Identity Theft Prevention Policy by October 1, 2008 and implement the Policy by November 1, 2008. This policy must meet the standards outlined by Federal Agencies including the Federal Trade Commission. The purpose of the act is to detect, prevent and mitigate identity theft activity which has become a significant worldwide problem. To date, we are not aware of any identity theft incidences that have occurred in our utility.

3. NEW INFORMATION
The FACT Act requirements are referred to as "Red Flag Rules". A Red Flag is defined as "A pattern, practice, or specific activity that indicates the possible existence of identity theft." Identity Theft is defined as "The illegal use of someone else's personal information (as a social security number) in order to obtain money or credit." There are numerous steps the FACT Act requires the District to take to further strengthen our procedures to protect both our customers' data and employee data. The first step is for the District to adopt an Identity Theft Prevention Policy. Exhibit 1 (attached) is a copy of the proposed policy. The proposed policy addresses the following requirements.
• Identify relevant Red Flags for applicable accounts
• Detect Red Flags for new and existing accounts
• Respond appropriately to detected Red Flags
• Ensure the program is updated to reflect changes in risk

In addition to adopting an Identity Theft Prevention Policy, the District needs to establish a Privacy Committee of employees from different areas of the organization to participate in developing the Identity Theft program and procedures and to administer the program. The administration includes periodically reviewing the program, making recommendations for changes, arranging for annual employee training and providing the Board with an annual report. Exhibit 2 (attached) is a list of those employees who have been selected to participate on the committee because of their involvement in accessing confidential customer and/or employee data. We would like the Board to formally create the committee and appoint the listed employees to serve for one year on the committee.

Finally, the District needs to appoint a Privacy Officer. The Privacy Officer will be responsible for coordinating audit studies and reviewing patterns of incidents. The Privacy Officer will also coordinate the activities of the Privacy Committee including completion of the annual report to the Board of Directors.

4. FISCAL IMPACT
While the total cost is unknown at this time, the majority of the cost will come from internal staff time serving on the Privacy Committee and performing assigned tasks while the program is being developed. Additional costs will be incurred in performing credit checks to determine if customers have fraud alerts on their credit accounts. The cost of running credit checks on new customers was included in the 2009 budget. It is yet to be determined if it will be necessary to run credit checks for fraud alerts on existing customers.

5.
RECOMMENDATION
That the Board of Directors take the following action:
1) Adopt the attached resolution adopting the Identity Theft Prevention Policy.
2) Establish the Privacy Committee, appointing the Administrative Services Manager, the Customer Services Manager, the Human Resources Administrator, the Credit and Collections Supervisor, the Work Order Accounting Supervisor and the Contracts Administration Clerk as members of the Committee to serve a one year term.
3) To appoint the Customer Services Manager to act as the Privacy Officer.

Mary Chapman, Administrative Services Manager
Michael D. Holley, General Manager

Public Utility District
Resolution No. 2008 - XX
ADOPTING AN IDENTITY THEFT PREVENTION POLICY

WHEREAS, under revisions to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), each utility is required to adopt an Identity Theft Prevention Policy by October 1, 2008 and implement such policy by November 1, 2008; and
WHEREAS, the Board of Directors of the Truckee Donner Public Utility District wishes to comply with the Fair and Accurate Credit Transaction Act as it relates to protecting customer and employee privacy; and
WHEREAS, the attached Identity Theft Prevention Policy addresses the requirements of the standards outlined by Federal Agencies including the Federal Trade Commission (Exhibit 1); and
WHEREAS, one of the requirements is the formation of a Privacy Committee to assist in the development and administration of the program and procedures and the appointment of members to the committee (Exhibit 2), and
WHEREAS, the District is also required to appoint a Privacy Officer to coordinate audit studies and review patterns of identity theft incidents.
NOW THEREFORE, BE IT RESOLVED, that the Board of Directors does hereby adopt the Identity Theft Prevention Policy; and
BE IT FURTHER RESOLVED that the Board of Directors establishes a Privacy Committee and appoints the Administrative Services Manager, the Customer Services Manager, the Human Resources Administrator, the Credit and Collections Supervisor, the Work Order Accounting Supervisor and the Contracts Administration Clerk to serve a one year term for the purpose of developing and administering the program and procedures required by the Identity Theft Prevention Policy; and
BE IT FURTHER RESOLVED that the Board of Directors also appoints the Customer Services Manager to serve as the Privacy Officer with the responsibility of coordinating identity theft audit studies and reviewing patterns of identity theft incidents; and
BE IT FURTHER RESOLVED that the Privacy Committee and the Privacy Officer are required to present an annual report to the Board of Directors regarding the administration of the Identity Theft Prevention Policy.
Res 2008-XX

PASSED AND ADOPTED by the Board of Directors of the Truckee Donner Public Utility District in a meeting duly called and held within said District on the 1st day of October 2008 by the following roll call vote:
AYES:
ABSTAIN:
NOES:
ABSENT:
TRUCKEE DONNER PUBLIC UTILITY DISTRICT
By Tim F. Taylor, President
ATTEST: Michael D. Holley, Clerk of the Board

EXHIBIT 1
TRUCKEE DONNER PUBLIC UTILITY DISTRICT IDENTITY THEFT PREVENTION POLICY

I. POLICY OBJECTIVE
It shall be the policy of the Truckee Donner Public Utility District (District) to take all reasonable steps to identify, detect and prevent the theft of its customer's personal information—commonly known as Identity Theft. In order to carry out that policy, the District hereby adopts the following policy for identifying and detecting Red Flags that should raise concerns for the District that a customer's information is potentially being misused or stolen.

II.
DEFINITIONS
Red Flag—a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
Identity Theft—a fraud committed or attempted using the identifying information of another person without authority.
Identifying information—any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, Social Security Number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number or address.
District—For the purposes of this policy, Truckee Donner Public Utility District is referred to as the District.
IT—Information Technology

III. POLICY RATIONALE
Under federal law and regulations, the District is required to adopt an Identity Theft Prevention policy no later than October 1, 2008. The policy must be implemented no later than the compliance deadline of November 1, 2008. This is required under the Federal Trade Commission (FTC) Red Flag prevention rules of the FACT Act. (Federal Register 16 CFR 681)

IV. IDENTIFICATION OF ACCOUNTS SUBJECT TO RED FLAG POLICY
The District maintains accounts for its customers that allow customers to pay for service after it has been rendered. Bills are sent and payments are due on a monthly basis. These accounts are covered by this Red Flag policy.

TDPUD ID THEFT POLICY—Draft 1

V. IDENTIFICATION OF POTENTIAL RED FLAGS
A. Risk Factors. In identifying potential Red Flags associated with the accounts that the District maintains, the District's Board of Directors and management have considered the following Identity Theft risk factors:
1. Types of Covered Accounts. The District provides electric and water utility services in Truckee, California. The District serves approximately 13,125 customers.
The District's turnover in customers is high in that we are located in a recreation area and have significant seasonal rentals. Payments from customers for services rendered are due nineteen (19) days after the bill is issued. The District does not provide credit to its customers beyond this monthly account for utility service. Such service is rendered at a fixed physical location known to the District.
2. Methods for Opening Accounts. The District requires that prospective customers who wish to receive utility service submit a service application with the following information: (1) name and date of birth of applicant and other household members on the accounts; (2) address location where service shall be provided; (3) contact and billing information; and (4) Social Security Number. The applicant must also present to the CSR a valid Government issued photo identification as proof of identity.
3. Methods of Accessing Accounts. The District allows members to access information related to their accounts using the following methods, or plans to allow such access in the near future:
(a) in person at the District's office with a picture identification;
(b) over the telephone after providing the District's Customer Service Representative (CSR) with certain identifying information, such as the caller's date of birth and/or the address and telephone number of the service location and the last four (4) digits of the customer's Social Security Number; or
(c) over the Internet using a secure password.
4. Previous Experience with Identity Theft. The District is not aware of any breach of or unauthorized access to its systems that are used to store customer's personal identifying information.
Given the limited amount and types of services and credit provided to its customers, coupled with the District's policies for securing customer's personal information, the District believes the risk of its customers being the subject of Identity Theft through the information collected by the District to be low.

B. Sources of Red Flags. In identifying potential Red Flags associated with the accounts that the District maintains, the District's Board of Directors and management have considered the following sources of Red Flags for Identity Theft:
1. Past Incidents of Identity Theft. The District is not aware of any security breach of or unauthorized access to its systems that are used to store customer's personal identifying information collected by the utility. In the event of incidents of Identity Theft in the future, such incidents shall be used to identify additional Red Flags and added to this policy.
2. Identified Changes in Identity Theft Risk. As provided in Section VIII below, the District will at least annually review this policy, the utility's operations and the utility's experience with Identity Theft for changes in Identity Theft risk.
3. Applicable Supervisory Guidance. In addition to considering the guidelines initially published with the FTC's Red Flag regulations, as a part of its annual review, the District will review additional regulatory guidance from the FTC and other consumer protection authorities.

C. Categories of Red Flags. In identifying potential Red Flags associated with the accounts the District maintains, the District's Board of Directors and management have considered the following categories of Red Flags for Identity Theft.
1. Alerts, Notifications and Warnings. Alerts, notifications or other warnings received from consumer reporting agencies or service providers, such as fraud detection services, can be Red Flags for Identity Theft.
Such alerts, notifications and warnings include:
(a) A fraud or active duty alert is included in a consumer report.
(b) A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
(c) A consumer reporting agency provides a notice of address discrepancy.
(d) A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as:
(1) A recent and significant increase in the volume of inquiries;
(2) An unusual number of recently established credit relationships;
(3) A material change in the use of credit, especially with respect to recently established credit relationships; or
(4) An account that was closed for cause or identified for abuse of account privileges.
In the event a consumer report indicates an information discrepancy, it shall be the policy of the District to report any such information to management for further review and verification of the potential customer's information, including verifying identification in person at the utility's office.
2. Suspicious Documents. The presentation of suspicious documents can be a Red Flag for Identity Theft. Suspicious documents include:
(a) Documents provided for identification that appear to have been altered or forged.
(b) The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
(c) Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.
(d) Other information on the identification is not consistent with readily accessible information that is on file with the District, such as a service application.
(e) An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Customer Service Representatives and other personnel of the District shall report to management when it appears that account documents have been altered or forged when compared to other documents in a customer's file. It shall also be brought to management's attention immediately if any customer presents an invalid identification, or identification that appears forged for the purpose of obtaining access to account information.
3. Suspicious Personal Identifying Information. The presentation of suspicious personal identifying information, such as a suspicious address change, can be a Red Flag for Identity Theft. Presentation of suspicious information occurs when:
(a) Personal identifying information provided is inconsistent when compared against external information sources used by the District. For example:
(1) The address does not match the address in the consumer report; or
(2) The Social Security Number has not been issued, or is listed on the Social Security Administration's Death Master File.
(b) Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the Social Security Number range and date of birth.
(c) Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the District. For example:
(1) The address on an application is fictitious, a mail drop or a prison; or
(2) The phone number is invalid, or is associated with a pager or answering service.
(d) The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
(e) Personal identifying information provided is not consistent with personal identifying information that is on file with the District.
(f) If the District uses challenge questions, the person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
The District shall provide customers access to their account information in person at the utility's office only after verifying the customer's identity through photo identification. Access to customer account information via telephone, fax or e-mail shall require the customer to verify his or her identity using information that would only be known to the customer as reflected in the customer's account. Customer Service Representatives shall be trained to make note in a customer's file when there is a lack of correlation between information provided by the member and information contained in a file for the purposes of gaining access to account information. The District is not to provide account information without first clearing any discrepancies in the information provided.
4. Suspicious Activity. The unusual use of, or other suspicious activity related to a customer account is also a Red Flag for potential Identity Theft. Suspicious activities include:
(a) Shortly following the notice of change of address for a customer account, the District receives a request for the addition of authorized users on the account.
(b) Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member's account.
(c) The District is notified that the customer is not receiving paper account statements.
(d) The District is notified of unauthorized charges or transactions in connection with the customer's account.
Customer Service Representatives (CSRs) shall be trained to note unusual use of accounts or suspicious activities related to accounts.
It shall further be the policy of the District to never provide Social Security Numbers or other identifying information to customers, either verbally or in writing, even where a customer is asking for their own information. CSRs shall immediately notify management who will conduct further reasonable inquiry, when a customer requests such information. It shall be the policy of the District to train its CSRs to look for unusual activity when reviewing customer accounts for service. CSRs shall also notify management when there is an unusually high number of inquiries on an account, coupled with a lack of correlation in the information provided by the customer.
5. Notices. Notice from customers, victims of Identity Theft, law enforcement authorities or other persons regarding possible Identity Theft in connection with customer accounts can also be a Red Flag for Identity Theft. Upon notice from a customer, law enforcement authority or other persons that one of its customers may be a victim of Identity Theft, the District shall contact the customer directly in order to determine what steps may be necessary to protect any customer information in the possession of the District. Such steps may include, but are not limited to, setting up a new account for the customer with additional identifying information that may be identified only by the customer, in order to protect the integrity of the customer's account.

VI. DETECTING RED FLAGS
A. It shall be the policy of the District to obtain identifying information about, and verify the identity of, a person opening an account. The District will obtain the customer's name, date of birth, address for service location and Social Security Number (if the customer chooses to provide it) to open a new account.
It shall be the policy of the District to never provide Social Security Numbers or other identifying information to customers, either verbally or in writing, even where a customer is asking for their own information.
B. It shall be the policy of the District to authenticate customers, monitor transactions and verify the validity of change of address requests, in the case of existing accounts.

VII. PREVENTING AND MITIGATING IDENTITY THEFT
A. If the District discovers that any of its customers have become a victim of Identity Theft through personal information used by the utility in opening or maintaining a customer's account, management shall take appropriate steps that it deems necessary to mitigate the impacts of such Identity Theft. These steps may include, but are not limited to:
1. Monitoring an account for evidence of Identity Theft;
2. Contacting the customer;
3. Changing any passwords, security codes or other security devices that permit access to an account;
4. Reopening an account with a new account number;
5. Notifying the customer;
6. Notifying law enforcement; or
7. Determining that no response is warranted under the particular circumstances.
B. The District has a business relationship with third party contractors for its Customer Information System (CIS), taking customer payments, collections, credit checks and validations. Under these business relationships, the third party contractor has access to customer information covered under this policy. The General Manager shall ensure that the third party contractors' work for the District is consistent with this policy by (a) amending the contracts to incorporate these requirements, if necessary; or (b) by determining that the third party contractor has reasonable alternative safeguards that provide the same or greater level of protection for customer information as provided by the utility.

VIII. UPDATING AND ADMINISTERING THE POLICY
A.
The District shall consider updates at least annually to determine whether it has experienced any Identity Theft of its customers' accounts, whether changes in the methods of Identity Theft require updating to this Policy, or whether changes are necessary to detect, prevent and mitigate Identity Theft. District's management will continue to monitor changes in methods of Identity Theft, and re-evaluate this Policy in light of those changes.
B. Administration of the Policy shall be as follows:
1. The Board of Directors has adopted this Policy and will have ultimate oversight of this Policy, but the Policy shall be managed by the General Manager of the District. The General Manager shall have authority to delegate oversight and compliance to other individuals assigned as the Identity Theft Prevention Committee. The General Manager shall be responsible for reviewing staff and management reports regarding compliance with the District's Policy.
2. Potential changes to the Policy shall be reviewed at least annually at a meeting of the Identity Theft Prevention Committee. Material changes to the Policy that may be needed prior to the meeting described herein shall be brought to the General Manager's attention, and reviewed by the committee and the Board of Directors if deemed necessary by the General Manager.
3. Reports
(a) The Identity Theft Prevention Committee, by delegation from the General Manager, shall prepare a report, at least annually, regarding the implementation and progress of the District's Policy for review by the General Manager. The General Manager may, at his or her discretion, bring any issues related to the Policy to the attention of the Board of Directors for review.
(b) The above described report prepared by the Identity Theft Prevention Committee shall include discussion of: the progress of implementing and the effectiveness of the Policy; ongoing risk level of Identity Theft of customer information; potential changes to the Policy and other operation practices of the District to further the goal of protecting customer's personal information; and, identification and discussion of instances of Identity Theft of the District's customers.
(c) The Identity Theft Prevention Committee shall keep records of its meetings regarding this Policy showing the dates and topics discussed. The General Manager shall also cause to be maintained a file with copies of the five (5) most recent annual reports prepared under the Policy.

Policy#:
Adopted On:
Amended On:

EXHIBIT 2
TRUCKEE DONNER PUD PRIVACY COMMITTEE
Truckee Donner Public Utility District has developed an Identity Theft Program designed to detect, prevent and mitigate theft in connection with the opening or maintaining of any covered account. The program is consistent with the utility's mission to provide excellent customer service while protecting the integrity of customer information.

PRIVACY COMMITTEE
On September 16, 2008, the Privacy Committee was formed under the leadership of Rosana Matlock. Representation from key areas included:

Name/Title | Department | Responsibilities/Areas of Expertise
Rosana Matlock, Customer Services Mgr (Privacy Officer) | Customer Services | Will coordinate activities of the committee/development and evaluation of program. Reports to Sr Mgmt/BOD
Mark Schlesinger, Cust Svc, Credit & Collections Supervisor | Customer Services | Customer Service/Collections. Day to day processes in opening new accounts and monitoring activity on existing accounts.
Tami McCollum, Work Order Accounting Supervisor | Accounting | New services/construction
Sara Owens, Contracts Administration Clerk | Water | Document preparation/Developer and Contractor relations
Mary Chapman, Administrative Services Manager | Administrative Services | Billing, collections, accounting. Resource for establishing proactive identity theft program. Senior Mgr
Nancy Waters, Human Resources Administrator | Human Resources | Personnel information. Identity theft training.

Agenda Item # 8
Truckee Donner Public Utility District
Board of Directors: Joseph R. Aguera, J. Ronald Hemig, Patricia S. Sutton, Tim Taylor, William L. Thomason
General Manager: Michael D. Holley

MEMORANDUM
To: Board of Directors
From: Mary Chapman, Administrative Services Manager
Subject: Revised Identity Theft Prevention Policy
Date: September 29, 2008

Attached is a revised copy of the draft Identity Theft Prevention Policy. Last week I sent a copy of the draft policy to Steve Gross to review. Jill Vacchini reviewed the regulations and guidelines for the FACT Act and added some additional language for items that were recommended. She also added two definitions for terms that were used throughout the document and made several changes to improve readability. This draft should replace the one that was included in the Board packet. It will be the one that we ask the Board to approve.

Cc: Michael Holley, General Manager
Rosana Matlock, Customer Services Manager

P. O. Box 309 — Truckee, CA 96160 — Phone 530-587-3896 — Fax 530-587-5056 - www.tdpud.org

EXHIBIT 1
TRUCKEE DONNER PUBLIC UTILITY DISTRICT IDENTITY THEFT PREVENTION POLICY

I. POLICY OBJECTIVE
Pursuant to federal law, the Truckee Donner Public Utility District ("District") shall adopt and implement reasonable policies and procedures to identify, detect, prevent and mitigate the theft of its customer's personal account information—commonly known as "Identity Theft".
The District hereby adopts the following policy for identifying detectors known as "Red Flags" that will alert the District to potential misuse or theft of customer account information.

II. DEFINITIONS
Identity Theft—a fraud committed or attempted using the identifying information of another person without authority.
Red Flag—a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
Identifying information—any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, Social Security Number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number or address.
Covered Account—customer service accounts that the District offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the District from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Management—General Manager, Administrative Services Manager, Human Resources Administrator, Finance and Accounting Manager and/or Customer Services Manager and other positions as decided and approved by the Board from time to time.
Service Providers—means a person that provides a service directly to the District, such as fraud detection services.
IT—Information Technology

III. POLICY RATIONALE
Under federal law and regulations, the District is required to adopt an Identity Theft Red Flag Prevention policy no later than October 1, 2008. The policy must be implemented no later than the compliance deadline of November 1, 2008. This is required under the Federal Trade Commission ("FTC") Red Flag prevention rules of the Fair and Accurate Credit Transactions Act ("FACT Act") (Federal Register 16 CFR 681).

TDPUD ID THEFT POLICY—Draft 2 9/29/2008

IV.
IDENTIFICATION OF ACCOUNTS SUBJECT TO RED FLAG POLICY
The District maintains individual customer accounts that allow customers to pay for utility services rendered. Customer bills are sent and payments are due on a monthly basis. These customer accounts are Covered Accounts subject to this Red Flag policy.

V. IDENTIFICATION OF RELEVANT RED FLAGS
A. Risk Factors. In identifying relevant Red Flags associated with the District's Covered Accounts, the District's Board of Directors has considered the following Identity Theft risk factors:
1. Types of Covered Accounts. The District provides electric and water utility services in Truckee, California. The District serves approximately 13,125 customers. Customer turnover is high because the District is located in a tourist, recreational area with a substantial amount of seasonal homes and property rentals. Payments for services rendered are due nineteen (19) days after the customer bill is issued. The District does not provide credit to its customers beyond this monthly account for utility services. District services are provided to the customer's fixed, physical location.
2. Methods for Opening Accounts. The District requires service applicants to present valid government-issued photo identification as proof of identity to the Customer Service Representative ("CSR") and submit a completed application with the following information: (1) name and date of birth of applicant and other household members on the accounts; (2) physical address where service shall be provided; (3) applicant's contact information and billing address; and (4) applicant's Social Security Number.
3. Methods for Accessing Accounts.
The District currently allows customers to access their own account information, or plans to in the near future, in the following ways:
(a) in person at the District's office with valid government-issued photo identification;
(b) over the telephone, fax, or email after verifying his/her identity using personal information that would only be known to the customer as reflected in his/her account, such as the customer's date of birth and/or the address and telephone number of the service location and the last four (4) digits of the customer's Social Security Number; or
(c) over the Internet using a secure password previously created by the customer.
4. Previous Experience with Identity Theft. The District is not aware of any breach or unauthorized access to its systems that are used to store its customer's Covered Account information. Given the limited types of services and credit provided to its customers, coupled with the District's existing policies for securing Covered Account information, the District believes there is a low risk of Identity Theft to its customer account information.

B. Sources of Red Flags. In identifying relevant Red Flags for its Covered Accounts, the District's Board of Directors considered the following sources:
1. Past Incidents of Identity Theft. The District is not aware of any security breach or unauthorized access to its systems that are used to store Covered Account information. Any future Identity Theft incidents shall be used to identify additional relevant Red Flags for this policy.
2. Identified Changes in Identity Theft Risk. As provided in Section VIII below, the District shall, at least annually, review: this Identity Theft Prevention Policy; the District's operations; Covered Account procedures; and any District experiences with Identity Theft to update known Identity Theft risks.
3. Applicable Supervisory Guidance.
As a part of the District's periodic review, it shall also review the FTC published Red Flag guidelines, and any additional regulatory guidance from the FTC and other relevant consumer protection authorities.

C. Categories of Red Flags. In identifying relevant Red Flags, the District's Board of Directors considered the following categories:

1. Alerts, Notifications and Other Warnings. Alerts, notifications or other warnings received from consumer reporting agencies or Service Providers are Red Flags. A consumer report that indicates an information discrepancy with the applicant's provided information shall be reported to Management for further review and verification, including verifying the applicant's identification at the District's office before the account can be opened. Such alerts, notifications and other warnings include:
(a) A fraud or active duty alert in a consumer report;
(b) A consumer reporting agency notice of credit freeze received in response to a consumer report request;
(c) A consumer reporting agency provides a notice of address discrepancy;
(d) A consumer report indicates a pattern of activity inconsistent with the applicant or customer's historical and usual pattern of activity, such as:
(1) A recent and significant increase in the volume of inquiries;
(2) An unusual number of recently established credit relationships;
(3) A material change in the use of credit, especially with respect to recently established credit relationships; or
(4) An account that was closed for cause or identified for abuse of account privileges.

2. Suspicious Documents. An applicant or customer presenting suspicious documents is a relevant Red Flag. CSRs and other District personnel shall report to Management if account documents appear to be altered or forged when compared to other documents in the customer's account file.
It shall also be immediately reported to Management if any applicant or customer presents invalid identification, or identification that reasonably appears altered or forged. Suspicious documents include:
(a) Documents provided for identification that reasonably appear altered or forged;
(b) The photograph or physical description on the identification is inconsistent with the applicant or customer's appearance;
(c) Other information on the identification is inconsistent with information provided by the applicant or customer;
(d) Other information on the identification is inconsistent with information readily accessible to the District, such as a service application; or
(e) The service application reasonably appears altered or forged, or gives the appearance of having been destroyed and reassembled.

3. Suspicious Personal Identifying Information. The presentation of suspicious personal identifying information, such as a suspicious address change, is a relevant Red Flag. Customers shall have access to their account information at the District's office only after verifying their identity with valid government-issued photo identification. Customers can access their account information via telephone, fax or e-mail only after verifying their identity with certain personal information known only to the customer as reflected in his/her account. CSRs shall be properly trained to recognize, document, and notify Management of inconsistencies between information provided by the customer to obtain his/her account and the District's account access information for that customer. The District shall not provide any account information until it first resolves any such information discrepancies. Suspicious personal identifying information includes:
(a) The presented personal identifying information is inconsistent with the District's Service Provider information.
For example:
(1) The address does not match the address in the consumer report; or
(2) The Social Security Number has not been issued, or is listed on the Social Security Administration's Death Master File.
(b) The presented personal identifying information is inconsistent with other personal identifying information that the customer previously provided. For example, the Social Security Number range does not correlate to the date of birth.
(c) The type of personal identifying information presented is commonly associated with fraudulent activity as indicated internally or by Service Providers. For example:
(1) The address on an application is fictitious, a mail drop or a prison; or
(2) The phone number is invalid, or associated with a pager or answering service.
(d) The applicant or customer fails to complete the service application or to provide the information requested in an incomplete application notice.
(e) The presented personal identifying information is inconsistent with personal identifying information previously provided to the District.
(f) If the District uses challenge questions, the applicant or customer fails to provide appropriate authenticating information beyond basic information generally available from a wallet or consumer report.

4. Suspicious Activity. Unusual use, or other irregular Covered Account activity is a relevant Red Flag. CSRs shall be trained to recognize, document, and notify Management of any suspicious activity during periodic reviews of Covered Accounts. The District shall not provide Social Security Numbers or other identifying personal information to customers, verbally or in writing, even if the customer is requesting his/her own information. CSRs shall promptly notify Management of such activity and additional, reasonable inquiries will be made.
CSRs shall also notify Management if a Covered Account receives an unusually high number of inquiries and the customer provided inconsistent information. Suspicious activities include:
(a) A customer request to include additional authorized users on his/her account shortly after notifying the District of a change of address;
(b) District correspondence mailed to the customer is repeatedly returned as undeliverable, but there is account activity;
(c) The District is notified that the customer is not receiving paper account statements; or
(d) The customer notifies the District of unauthorized charges, transactions, or other account activity.

5. Notices. Notification from customers, victims of Identity Theft, law enforcement authorities or other persons regarding Identity Theft risks to a Covered Account is a relevant Red Flag. Upon receiving such notice, the District shall directly contact the appropriate customer to determine what reasonable actions are necessary to protect the customer's account information. Such actions may include creating a new account with additional, secure identifying information that only the customer can provide. The District shall also determine what reasonable actions are necessary to mitigate any unauthorized release of customer account information.

VI. DETECTING RED FLAGS

A. New Covered Accounts. The District shall first obtain valid identifying information to verify the applicant's identity. Specifically, the District shall obtain the applicant's name, date of birth, the physical address for service and billing address (if different), the applicant's contact information, and Social Security Number (customer's discretion). The District shall not provide Social Security Numbers or other identifying information to customers, either verbally or in writing, even when a customer is requesting their own information.

B. Existing Covered Accounts.
The District shall verify customer identification before providing account access, monitor Covered Account activity, and verify change of address requests.

VII. PREVENTING AND MITIGATING IDENTITY THEFT

A. Pursuant to this policy, if the District determines that Identity Theft has occurred, then Management shall immediately take reasonable actions it deems necessary to mitigate the Identity Theft. These actions may include without limitation:
1. Monitoring a Covered Account for evidence of Identity Theft;
2. Contacting the customer;
3. Changing any passwords, security codes or other security devices that permit access to an account;
4. Reopening an account with a new account number and secure identifying customer information;
5. Notifying law enforcement; or
6. Determining that no response is warranted under the circumstances.

B. The District has business relationships with third party contractors for its Customer Information System ("CIS"), customer payment acceptance, debt collections, and applicant credit checks and validations. Under these business relationships, the third party contractors have access to Covered Account information. To ensure that the third party contractors' performance is consistent with the District's Identity Theft Prevention Policy, the District's General Manager shall: (a) amend the third party contracts to incorporate this Policy, if necessary; or (b) determine that the third party contractor has implemented reasonable alternative safeguards that provide the same or greater level of protection for Covered Account information.

VIII. UPDATING AND ADMINISTERING THE POLICY

A. Updating. The District shall continue to monitor changes in Identity Theft methods and re-evaluate this Policy accordingly.
Specifically, the District shall conduct periodic reviews at least annually to discover any instances of Identity Theft and to determine if new methods of Identity Theft necessitate policy revisions to adequately detect, prevent and mitigate Identity Theft.

B. Administration of the Policy shall be as follows:

1. The Board of Directors has adopted this Policy and has ultimate oversight, but the General Manager shall be primarily responsible for implementing the Policy. The Board of Directors expressly authorizes the General Manager to delegate oversight and compliance responsibilities to the Identity Theft Prevention Committee. The General Manager shall also be responsible for reviewing staff and Management Identity Theft Prevention Policy compliance reports.

2. The Identity Theft Prevention Committee shall meet at least annually to review and give the Board of Directors its recommendation on any proposed changes to the Policy. Any material changes to the Policy that necessitate action prior to the Committee meeting described above may instead be reviewed by the General Manager, who may then make a recommendation to the Board of Directors.

3. Oversight of service provider arrangements. Whenever the District engages a service provider to perform an activity in connection with one or more Covered Accounts, it will take reasonable steps to ensure that the activity of the service provider is conducted in accordance with the policies and procedures herein designed to detect, prevent, and mitigate the risk of identity theft.
For example, the District may require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the General Manager, Management or the Identity Theft Prevention Committee as appropriate, or the service provider may be required by contract to take appropriate steps to prevent or mitigate identity theft.

4. Reports
(a) The Identity Theft Prevention Committee, as delegated by the General Manager, shall prepare a report, at least annually, for the General Manager's review that assesses the implementation and progress of this Policy. The General Manager may, at his/her discretion, present any Policy-related issues to the Board of Directors.
(b) The Identity Theft Prevention Committee's report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the District in addressing the risk of identity theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts; service provider arrangements; significant incidents involving identity theft and the District's response; and recommendations for material changes to the Policy.
(c) The Identity Theft Prevention Committee shall keep records of its meetings detailing the dates and topics discussed. The General Manager shall also maintain or cause to be maintained a file with copies of the five (5) most recent annual reports prepared under the Policy.

Policy #:
Adopted On:
Amended On: