HomeMy WebLinkAboutExhibitCity of Miami
Identity Theft Prevention Program
Effective beginning , 2009
I. PROGRAM ADOPTION
The City of Miami ("City") developed this Identity Theft Prevention Program
("Program") pursuant to the Federal Trade Commission's Red Flag Rule ("Rule"),
which implements Section 114 of the Fair and Accurate Credit Transactions Act
of 2003. 16 C. F. R. § 681.2. This Program was developed and approved by the
City Commission pursuant to Resolution . After consideration of the
size and complexity of the City's operations and account systems, and the nature
and scope of the City's activities, the City Commission determined that this
Program was appropriate for the City and therefore adopted this Program on
12009.
II. PROGRAM PURPOSE AND DEFINITIONS
A. Fulfilling requirements of the Red Flags Rule
Under the Red Flag Rule, every financial institution and creditor is required to
establish an "Identity Theft Prevention Program" tailored to the size, complexity
and nature of its operation. Each program must contain reasonable policies and
procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and
incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and
mitigate Identity Theft; and
4. Ensure the Program is updated periodically, to reflect changes in risks to
customers or to the safety and soundness of the creditor from Identity Theft.
B. Red Flags Rule definitions used in this Program
The Red Flag Rule defines "Identity Theft" as "fraud committed using the
identifying information of another person" and a "Red Flag" as "a pattern,
practice, or specific activity that indicates the possible existence of Identity Theft."
According to the Rule, a municipality is a creditor subject to the Rule
requirements. The Rule defines creditors "to include finance companies,
automobile dealers, mortgage brokers, utility companies, and
gad:Document 178749.doc 1 of 6
telecommunications companies. Where non-profit and government entities defer
payment for goods or services, they, too, are to be considered creditors."
All the City's accounts that are individual city service accounts held by customers
of the city whether residential, commercial or industrial are covered by the Rule.
Under the Rule, a "covered account" is:
1. Any account the City offers or maintains primarily for personal, family or
household purposes, that involves multiple payments or transactions; and
2. Any other account the City offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the City from
Identity Theft.
"Identifying information" is defined under the Rule as "any name or number that
may be used, alone or in conjunction with any other information, to identify a
specific person," including: name, address, telephone number, social security
number, date of birth, government -issued driver's license or identification
number, alien registration number, government passport number, employer or
taxpayer identification number, unique electronic identification number,
computer's Internet Protocol address, or routing code.
III. IDENTIFICATION OF RED FLAGS.
In order to identify relevant Red Flags, the City considers the types of accounts
that it offers and maintains, the methods it provides to open its accounts, the
methods it provides to access its accounts, and its previous experiences with
Identity Theft. The City identifies the following Red Flags and will train
appropriate staff to recognize these Red Flags as they are encountered in the
ordinary course of City business:
A. Suspicious Documents
Red Flags
1. identification document or card that appears to be forged, altered or
inauthentic;
2. Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document;
3. Other information on identification document is not consistent with information
provided by the person opening a new covered account, by the customer
presenting the identification, or with existing customer information on file with the
creditor (such as a signature card or recent check); and
gad:Document 178749.doc 2 of 6
4. Application for service that appears to have been altered or forged.
B. Suspicious Personal Identifying Information
Red Flags
1. Identifying information presented that is inconsistent with other information the
customer provides, for instance, where there is a lack of correlation between the
social security number range and the date of birth;
2. Identifying information presented that is inconsistent with external sources of
information, for instance, an address does not match a consumer report or a
social security number is listed in the Social Security Administration's Death
Master File;
3. Identifying information presented is associated with common types of
fraudulent activity, such as use of a fictitious billing address or phone number;
4. Identifying information presented that is consistent with known fraudulent
activity, such as presentation of an invalid phone number or fictitious billing
address used in previous fraudulent activity;
5. Social security number presented that is the same as one given by another
customer;
6. An address or phone number presented that is the same as that of another
person;
7. A person fails to provide complete personal identifying information on an
application when reminded to do so'; and
8. A person's identifying information is not consistent with the information that is
on file for the customer.
C. Suspicious Account Activity or Unusual Use of Account
Red Flags
1. Change of address for an account followed by a request to change the
account holder's name;
2. Payments stop on an otherwise consistently up-to-date account;
Pursuant to Section 119.071(5)(a), Florida Statutes, an agency may not collect an individual's social security
number unless that agency has stated in writing the purpose for its collection and unless it; 1) is specifically
authorized to do so by law; or 2) it is imperative for the performance of that agency's duties and
responsibilities as prescribed by law.
gad:Document 178749.doc 3 of 6
3. Account used in a way that is not consistent with prior use (example: very high
activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to the City that a customer is not receiving mail sent by the City;
6. Notice to the City that an account has unauthorized activity;
7. Breach in the City's computer system security; and
8. Unauthorized access to or use of customer account information.
D. Alerts from Others
Red Flag
1. Notice to the City from a customer, identity theft victim, law enforcement or
other person that it has opened or is maintaining a fraudulent account for a
person engaged in Identity Theft.
IV. PREVENTING AND MITIGATING IDENTITY THEFT
In the event City personnel detect any identified Red Flags, such personnel must
contact the Finance Director of the City. The Finance Director will then decide
which of the following steps should be taken:
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to
accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify law enforcement; or
8. Determine that no response is warranted under the particular circumstances.
gad.Documerd 178749.doc 4 of 6
V. PROGRAM UPDATES
The [ ] shall serve as Program Administrator. The Program
Administrator will periodically review and update this Program to reflect changes
in risks to customers and the soundness of the City from Identity Theft. In doing
so, the Program Administrator will consider the City's experiences with Identity
Theft situations, changes in Identity Theft methods, changes in Identity Theft
detection and prevention methods, and changes in the City's business
arrangements with other entities. After considering these factors, the Program
Administrator will determine whether changes to the Program, including the
listing of Red Flags, are warranted. If warranted, the Program Administrator will
update the Program or present the City Commission with his/ her recommended
changes and the City Commission will make a determination of whether to
accept, modify or reject those changes to the Program.
VII. PROGRAM ADMINISTRATION.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with
the Program Administrator. The Program Administrator will be responsible for the
Program's administration, for ensuring appropriate training of City staff, for
reviewing any staff reports regarding the detection of Red Flags and the steps for
preventing and mitigating Identity Theft, for determining which steps of
prevention and mitigation should be taken in particular circumstances, and for
considering periodic changes to the Program.
B. Staff Training and Reports
City staff responsible for implementing the Program shall be trained either by or
under the direction of the Program Administrator in the detection of Red Flags
and the responsive steps to be taken when a Red Flag is detected. Staff should
prepare a report at least annually for the Program Administrator, including an
evaluation of the effectiveness of the Program with respect to opening accounts,
existing covered accounts, service provider arrangements, significant incidents
involving identity theft and responses, and recommendations for changes to the
Program.
C. Service Provider Arrangements
In the event the City engages a service provider to perform an activity in
connection with one or more accounts, the City will take the following steps to
ensure the service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of
Identity Theft.
1. Require, by contract, that service providers have such policies and procedures
in place; and
gad:Document 178749.doc 5 of 6
2. Require, by contract, that service providers review the City's Program and
report any Red Flags to the Program Administrator.
gad:Document 178749.doc 6 of 6