Agenda Item # 9
Public Utility District
CONSENT
To: Board of Directors
From: Rosana Matlock
Date: November 03, 2010
Subject: Consideration of the Annual Identification Theft Prevention Policy
1. WHY THIS MATTER IS BEFORE THE BOARD
On October 1, 2008, the Board passed a Resolution to adopt an Identity Theft
Prevention Policy. This policy (Attachment 1) requires an annual review.
2. HISTORY
The Fair and Accurate Credit Transactions Act (FACT Act) requires that utilities follow an
Identity Theft Prevention Policy. The purpose of the FACT Act is to detect, prevent
and mitigate identity theft. The FACT Act requirements are referred to as "Red Flag
Rules" which are defined as "A pattern, practice or specific activity that indicates the
possible existence of identity theft." Identity theft is defined as "The illegal use of
someone else's personal information (such as a social security number) in order to
obtain money or credit."
The Identification Theft Prevention Policy requires that all new customers provide valid
photo ID if they are applying in person or that their identification be validated through
their social security number when applying via mail, phone or e-mail. The District
uses Online Utility Exchange to validate identity using social security numbers.
The FACT Act requires formation of a Privacy Committee, and distribution of an
annual report to the General Manager and Board of Directors.
The Board adopted the Identity Theft Prevention Policy and appointed a Privacy
Committee on October 1, 2008.
The policy was implemented on November 1, 2008.
3. NEW INFORMATION
Between October 1, 2009 and September 30, 2010, staff has validated 1,022
identifications. Six hundred fifty-eight were validated through OnLine Utility Exchange
and 364 were validated at the counter via photo ID.
Staff has encountered no red flags that would indicate the probability of identity theft.
The only red flags encountered were "no record" and "match to other name". "No
record" means that the individual 1) has not established sufficient credit to be listed in
the database or 2) the customer service representative mis-keyed the social security
number. "Match to other name" means that the individual 1) gave a shortened version
of their legal name (e.g., Bob instead of Robert) or 2) the name also matches to a
maiden name. In each instance, the customers were required to provide photo ID or
the social security number was re-keyed.
4. FISCAL IMPACT
The 2010 - 2011 budgets include funding for processing validation checks through
OnLine Utility Exchange.
5. RECOMMENDATION
Accept this report.
Mary Ch a, Administrative Services Manager
Michael D. Holley, General Manager
TRUCKEE DONNER PUBLIC UTILITY DISTRICT
IDENTITY THEFT PREVENTION POLICY
I. POLICY OBJECTIVE
Pursuant to federal law, the Truckee Donner Public Utility District ("District")
shall adopt and implement reasonable policies and procedures to identify, detect, prevent
and mitigate the theft of its customers' personal account information—commonly known
as "Identity Theft". The District hereby adopts the following policy for identifying
detectors known as "Red Flags" that will alert the District to potential misuse or theft of
customer account information.
II. DEFINITIONS
Identity Theft—a fraud committed or attempted using the identifying information
of another person without authority.
Red Flag—a pattern, practice or specific activity that indicates the possible
existence of Identity Theft.
Identifying information—any name or number that may be used, alone or in
conjunction with any other information, to identify a specific person, including name,
Social Security Number, date of birth, official State or government issued driver's license
or identification number, alien registration number, government passport number,
employer or taxpayer identification number or address.
Covered Account—customer service accounts that the District offers or maintains
for which there is a reasonably foreseeable risk to customers or to the safety and
soundness of the District from identity theft, including financial, operational, compliance,
reputation, or litigation risks.
Management—General Manager, Administrative Services Manager, Human
Resources Administrator, Finance and Accounting Manager and/or Customer Services
Manager and other positions as decided and approved by the Board from time to time.
Service Provider—a person that provides a service directly to the District,
such as fraud detection services.
IT—Information Technology
III. POLICY RATIONALE
Under federal law and regulations, the District is required to adopt an Identity
Theft Red Flag Prevention policy no later than October 1, 2008. The policy must be
implemented no later than the compliance deadline of November 1, 2008. This is
TDPUD ID THEFT POLICY 1
required under the Federal Trade Commission ("FTC") Red Flag prevention rules of the
Fair and Accurate Credit Transactions Act ("FACT Act") (Federal Register 16 CFR 681).
IV. IDENTIFICATION OF ACCOUNTS SUBJECT TO RED FLAG POLICY
The District maintains individual customer accounts that allow customers to pay
for utility services rendered. Customer bills are sent and payments are due on a monthly
basis. These customer accounts are Covered Accounts subject to this Red Flag policy.
V. IDENTIFICATION OF RELEVANT RED FLAGS
A. Risk Factors. In identifying relevant Red Flags associated with the
District's Covered Accounts, the District's Board of Directors has
considered the following Identity Theft risk factors:
1. Types of Covered Accounts. The District provides electric and
water utility services in Truckee, California. The District serves approximately 13,125
customers. Customer turnover is high because the District is located in a tourist,
recreational area with a substantial amount of seasonal homes and property rentals.
Payments for services rendered are due nineteen (19) days after the customer bill is
issued. The District does not provide credit to its customers beyond this monthly account
for utility services. District services are provided to the customer's fixed, physical
location.
2. Methods for Opening Accounts. The District requires service
applicants to present valid government-issued photo identification as proof of identity to
the Customer Service Representative ("CSR"), and submit a completed application with
the following information: (1) name and date of birth of applicant and other household
members on the accounts; (2) physical address where service shall be provided; (3)
applicant's contact information and billing address; and (4) applicant's Social Security
Number.
3. Methods for Accessing Accounts. The District currently allows, or plans to
allow in the near future, customers to access their own account information in the
following ways:
(a) in person at the District's office with valid government-
issued photo identification;
(b) over the telephone, fax, or email after verifying his/her
identity using personal information that would only be known to the customer as
reflected in his/her account, such as the customer's date of birth and/or the address and
telephone number of the service location and the last four (4) digits of the customer's
Social Security Number; or
(c) over the Internet using a secure password previously
created by the customer.
4. Previous Experience with Identity Theft. The District is not aware
of any breach or unauthorized access to its systems that are used to store its customers'
Covered Account information. Given the limited types of services and credit provided to
its customers, coupled with the District's existing policies for securing Covered Account
information, the District believes there is a low risk of Identity Theft to its customer
account information.
B. Sources of Red Flags. In identifying relevant Red Flags for its Covered
Accounts, the District's Board of Directors considered the following sources:
1. Past Incidents of Identity Theft. The District is not aware of any
security breach or unauthorized access to its systems that are used to store Covered
Account information. Any future Identity Theft incidents shall be used to identify
additional relevant Red Flags for this policy.
2. Identified Changes in Identity Theft Risk. As provided in Section
VIII below, the District shall, at least annually, review: this Identity Theft Prevention
Policy; the District's operations; Covered Account procedures; and any District
experiences with Identity Theft to update known Identity Theft risks.
3. Applicable Supervisory Guidance. As a part of the District's
periodic review, it shall also review the FTC published Red Flag guidelines, and any
additional regulatory guidance from the FTC and other relevant consumer protection
authorities.
C. Categories of Red Flags. In identifying relevant Red Flags, the District's
Board of Directors considered the following categories:
1. Alerts, Notifications and Other Warnings. Alerts, notifications or
other warnings received from consumer reporting agencies or Service Providers are Red
Flags. A consumer report that indicates an information discrepancy with the applicant's
provided information shall be reported to Management for further review and
verification, including verifying the applicant's identification at the District's office
before the account can be opened. Such alerts, notifications and other warnings include:
(a) A fraud or active duty alert in a consumer report;
(b) A consumer reporting agency notice of credit freeze
received in response to a consumer report request;
(c) A consumer reporting agency provides a notice of address
discrepancy;
(d) A consumer report indicates a pattern of activity
inconsistent with the applicant or customer's historical and usual pattern of activity, such
as:
(1) A recent and significant increase in the volume of
inquiries;
(2) An unusual number of recently established credit
relationships;
(3) A material change in the use of credit, especially
with respect to recently established credit relationships; or
(4) An account that was closed for cause or identified
for abuse of account privileges.
2. Suspicious Documents. An applicant or customer presenting
suspicious documents is a relevant Red Flag. CSRs and other District personnel shall
report to Management if account documents appear to be altered or forged when
compared to other documents in the customer's account file. It shall also be immediately
reported to Management if any applicant or customer presents invalid identification, or
identification that reasonably appears altered or forged. Suspicious documents include:
(a) Documents provided for identification that reasonably
appear altered or forged;
(b) The photograph or physical description on the
identification is inconsistent with the applicant or customer's appearance;
(c) Other information on the identification is inconsistent with
information provided by the applicant or customer;
(d) Other information on the identification is inconsistent with
information readily accessible to the District, such as a service application; or
(e) The service application reasonably appears altered or
forged, or gives the appearance of having been destroyed and reassembled.
3. Suspicious Personal Identifying Information. The presentation of
suspicious personal identifying information, such as a suspicious address change, is a
relevant Red Flag. Customers shall have access to their account information at the
District's office only after verifying their identity with valid government-issued photo
identification. Customers can access their account information via telephone, fax or e-
mail only after verifying his/her identity with certain personal information known only to
the customer as reflected in his/her account. CSRs shall be properly trained to recognize,
document, and notify Management of inconsistencies between information provided by
the customer to obtain his/her account and the District's account access information for
that customer. The District shall not provide any account information until it first
resolves any such information discrepancies. Suspicious personal identifying information
includes:
(a) The presented personal identifying information is
inconsistent with the District's Service Provider information. For example:
(1) The address does not match the address in the
consumer report; or
(2) The Social Security Number has not been issued, or
is listed on the Social Security Administration's Death Master File.
(b) The presented personal identifying information is
inconsistent with other personal identifying information that the customer previously
provided. For example, the Social Security Number range does not correlate to the date
of birth.
(c) The type of personal identifying information presented is
commonly associated with fraudulent activity as indicated internally or by Service
Providers. For example:
(1) The address on an application is fictitious, a mail
drop or a prison; or
(2) The phone number is invalid, or associated with a
pager or answering service.
(d) The applicant or customer fails to complete the service
application or to provide the information requested in an incomplete application notice.
(e) The presented personal identifying information is
inconsistent with personal identifying information previously provided to the District.
(f) If the District uses challenge questions, the applicant or
customer fails to provide appropriate authenticating information beyond basic
information generally available from a wallet or consumer report.
4. Suspicious Activity. Unusual use, or other irregular Covered
Account activity is a relevant Red Flag. CSRs shall be trained to recognize, document,
and notify Management of any suspicious activity during periodic reviews of Covered
Accounts. The District shall not provide Social Security Numbers or other identifying
personal information to customers, verbally or in writing, even if the customer is
requesting his/her own information. CSRs shall promptly notify Management of such
activity and additional, reasonable inquiries will be made. CSRs shall also notify
Management if a Covered Account receives an unusually high number of inquiries and
the customer provided inconsistent information. Suspicious activities include:
(a) A customer request to include additional authorized users
on his/her account shortly after notifying the District of a change of address;
(b) District correspondence mailed to the customer is
repeatedly returned as undeliverable, but there is account activity;
(c) The District is notified that the customer is not receiving
paper account statements; or
(d) The customer notifies the District of unauthorized charges,
transactions, or other account activity.
5. Notices. Notification from customers, victims of Identity Theft,
law enforcement authorities or other persons regarding Identity Theft risks to a Covered
Account is a relevant Red Flag. Upon receiving such notice, the District shall directly
contact the appropriate customer to determine what reasonable actions are necessary to
protect the customer's account information. Such actions may include creating a new
account with additional, secure identifying information that only the customer can
provide. The District shall also determine what reasonable actions are necessary to
mitigate any unauthorized release of customer account information.
VI. DETECTING RED FLAGS
A. New Covered Accounts. The District shall first obtain valid identifying
information to verify the applicant's identity. Specifically, the District shall obtain the
applicant's name, date of birth, the physical address for service and billing address (if
different), the applicant's contact information, and Social Security Number (customer's
discretion). The District shall not provide Social Security Numbers or other identifying
information to customers, either verbally or in writing, even when a customer is
requesting their own information.
B. Existing Covered Accounts. The District shall verify customer
identification before providing account access, monitor Covered Account activity, and
verify change of address requests.
VII. PREVENTING AND MITIGATING IDENTITY THEFT
A. Pursuant to this policy, if the District determines that Identity Theft has
occurred, then Management shall immediately take reasonable actions it deems necessary
to mitigate the Identity Theft. These actions may include without limitation:
1. Monitoring a Covered Account for evidence of Identity Theft;
2. Contacting the customer;
3. Changing any passwords, security codes or other security devices
that permit access to an account;
4. Reopening an account with a new account number and secure
identifying customer information;
5. Notifying law enforcement; or
6. Determining that no response is warranted under the
circumstances.
B. The District has business relationships with third party contractors for its
Customer Information System ("CIS"), customer payment acceptance, debt collections,
and applicant credit checks and validations. Under these business relationships, the third
party contractors have access to Covered Account information. To ensure that the third
party contractors' performance is consistent with the District's Identity Theft Prevention
Policy, the District's General Manager shall: (a) amend the third party contracts to
incorporate this Policy, if necessary; or (b) determine that the third party contractor has
implemented reasonable alternative safeguards that provide the same or greater level of
protection for Covered Account information.
VIII. UPDATING AND ADMINISTERING THE POLICY
A. Updating. The District shall continue to monitor changes in Identity
Theft methods and re-evaluate this Policy accordingly. Specifically, the District shall
conduct periodic reviews at least annually to discover any instances of Identity Theft and
to determine if new methods of Identity Theft necessitate policy revisions to adequately
detect, prevent and mitigate Identity Theft.
B. Administration of the Policy shall be as follows:
1. The Board of Directors has adopted this Policy and has ultimate
oversight, but the General Manager shall be primarily responsible for implementing the
Policy. The Board of Directors expressly authorizes the General Manager to delegate
oversight and compliance responsibilities to the Identity Theft Prevention Committee.
The General Manager shall also be responsible for reviewing staff and Management
Identity Theft Prevention Policy compliance reports.
2. The Identity Theft Prevention Committee shall meet at least
annually to review and give the Board of Directors its recommendation on any proposed
changes to the Policy. Any material changes to the Policy that necessitate action prior to
the Committee meeting described above, may instead be reviewed by the General
Manager who may then make a recommendation to the Board of Directors.
3. Oversight of service provider arrangements. Whenever the District
engages a service provider to perform an activity in connection with one or more Covered
Accounts, it will take reasonable steps to ensure that the activity of the service provider is
conducted in accordance with the policies and procedures herein designed to detect,
prevent, and mitigate the risk of identity theft. For example, the District may require the
service provider by contract to have policies and procedures to detect relevant Red Flags
that may arise in the performance of the service provider's activities, and either report the
Red Flags to the General Manager, Management or the Identity Theft Prevention
Committee as appropriate, or the service provider may be required by contract to take
appropriate steps to prevent or mitigate identity theft.
4. Reports
(a) The Identity Theft Prevention Committee, as delegated
by the General Manager, shall prepare a report, at least annually, for the General
Manager's review that assesses the implementation and progress of this Policy. The
General Manager may, at his/her discretion, present any Policy related issues to the
Board of Directors.
(b) The Identity Theft Prevention Committee's report should
address material matters related to the Program and evaluate issues such as: the
effectiveness of the policies and procedures of the District in addressing the risk of
identity theft in connection with the opening of Covered Accounts and with respect to
existing Covered Accounts; service provider arrangements; significant incidents
involving identity theft and the District's response; and recommendations for material
changes to the Policy.
(c) The Identity Theft Prevention Committee shall keep records of
its meetings detailing the dates and topics discussed. The General Manager shall also
maintain or cause to be maintained a file with copies of the five (5) most recent annual
reports prepared under the Policy.
Policy#: Resolution 2008-31
Adopted On: October 1, 2008
Amended On: