R-1028 - 10/28/2008 - GENERAL LEGISLATION FEDERAL - Resolutions Supporting Documents•o
v�
07E
0UNT
AGENDA ITEM
Regular Board of Trustees Meeting
of
October 28, 2008
SUBJECT: Idendity Theft Prevention ( "Red Flag ") Policy
FROM: Darrell Langlois
BUDGET SOURCE/BUDGET IMPACT: N/A
ITEM 10.B -2)
es o °i� it
RECOMMENDED MOTION: I move that the Village Board adopt Resolution 2008 -GL-
FED- FIN -R -1028, A Resolution Adopting and Implementing an Identity Theft Prevention
Policy.
Background/History:
The Village of Oak Brook is required by law to adopt an Identity Theft Prevention ( "Red Flag ")
Policy by November 1, 2008. Attached is a memorandum from Mark Sterk that provides
background information on this subject as well as the proposed resolution. Once approved by
the Village Board, the appropriate Village staff will be trained on this new policy. As a practical
matter, we take very little personal information from water utility customers so this new policy
should not have a big impact on our operations.
Recommendation:
I recommend approval of Resolution 2008 -GL- FED -FIN -R -1028, A Resolution Adopting and
Implementing an Identity Theft Prevention Policy.
Last saved by Default J \WORD \redflagboardcover doc
Last printed 10/22/2008 2 15 PM
We kon
ANEYS AT LAW
k f Ltd.
TO: David Niemeyer
Darrell Langlois
FROM: Mark H. Sterk
Matthew Welch
DATE: October 21, 2008
RE: Federal Identity Theft Prevention Regulations
3318 WEST 95TH STREET
EVERGREEN PARK, IL 60805
(708) 424 -5678
FAX (708) 425 -1898
%,nmodelsonstak.com
The purpose of this memorandum is to provide a brief overview of the Identity Theft
Prevention Regulations, 16 C.F.R. Part 661, ( "Regulations ") promulgated by the Federal Trade
Commission. Covered municipalities are required to implement the Regulations by November
1, 2008. Attached is an Identity Theft Policy implementing the Regulations. Please review the
following for general guidance in the implementation of the Regulations.
I. Purpose
The Regulations require creditors to develop and implement a written Identity Theft
Prevention Policy ( "Policy ") to detect, prevent, and mitigate identity theft in connection with the
opening of certain accounts or certain existing accounts. The mandatory compliance date for
the Regulations is November 1, 2008. Each creditor must incorporate into its Policy relevant
indicators of a possible risk of identity theft ( "Red Flags "). The Policy must contain reasonable
policies and procedures to:
• Identify relevant Red Flags for covered accounts and incorporate those Red
Flags into the Policy;
• Detect Red Flags that have been incorporated into the Policy;
• Respond appropriately to any Red Flags that are detected to prevent and
mitigate Identity Theft; and
• Ensure the Policy is updated periodically, to reflect changes in risks to customers
or to the safety and soundness of the financial institution or creditor from identity
theft.
There is no private right of action against a municipality for failure to enact a Policy by
November 1, 2008. However, the Federal Trade Commission is authorized to commence action
in a federal district court in the event of a knowing violation of the Regulations. Finally, civil
penalties for violations are capped at $2,500.00 per offense.
II.
Why Are Certain Municipalities Considered Creditors?
The Regulations apply to "financial institutions" and "creditors" that have "covered
accounts ". Therefore, a municipality will be subject to the Regulations if it is a "creditor" with
"covered accounts ".
0 cjQMp day
coe;w--,,
ATTORNEYS AT LAW
Ltd.
Federal statute defines the term "creditor" as any person who regularly extends, renews,
or continues credit, or any person who regularly arranges for the extension, renewal, or
continuation of credit. "Person" means a natural person, a corporation, government or
governmental subdivision or agency, trust, estate, partnership, cooperative, or association.
"Credit" is defined as any right granted to defer payment of debt. Accordingly, where
governmental entities defer payment for goods or services, they are considered creditors.'
A "covered account" is an account used mostly for personal, family, or household
purposes, and that involves multiple payments or transactions, or any other account a creditor
offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety
and soundness of the Village from Identity Theft.
Therefore, municipalities that, for example, provide water, sanitary sewer, and/or waste
services and bill for those services are creditors subject to the regulations.
III. The Attached identity Theft Policy
Although the federal regulations do not require the Policy to be adopted in the form of an
ordinance, the Policy must be formally adopted by the governing body by November 1, 2008.
As such, the Attached Identity Theft Policy ( "Attached Policy ") is presented as a resolution in
order to provide the Village with more flexibility in the implementation and enforcement of the
Regulations.
Section two lays out the intent of the policy, which is to implement the four goals
identified above, in order to prevent identity theft and bring the municipality in compliance with
federal law. Section three identifies key definitions necessary to understand the extent of the
policy. Thereafter, Sections four through nine identify specific procedures to implement the four
goals of the Regulations.
IV. Summary
It is possible that provisions in the Attached Policy will not be applicable to the
operations of the municipality, or that additional measures may be required. Accordingly, we
recommend that the Attached Policy be reviewed by the responsible personnel to ensure it
meets the needs of the municipality's internal operations.
Please call either of us if you have any questions.
S:Wanetl0ak BraaklCortmemo to niemeyer re identity theft.doc
�
FTC Business Alert, June 2008, http./hvww.ftc gov /bcp cdu/ Rubs /business/alerts /alt05O.shtm
Page 2 of 2
® at'= 445
RESOLUTION 2008 -GL- FED - FIN -R -1028
A RESOLUTION ADOPTING AND IMPLEMENTING
AN IDENTITY THEFT PREVENTION POLICY
WITHIN THE VILLAGE OF OAK BROOK,
COOK AND DUPAGE COUNTIES, ILLINOIS
WHEREAS, pursuant to the Fair and Accurate Credit Transactions Act of 2003, the Federal
Trade Commission adopted Identity Theft Rules requiring the creation of certain policies relating to the
prevention and mitigation of identity theft (the "FTC Regulations "), and
WHEREAS, the FTC Regulations require creditors to adopt red flag policies to identify, detect,
prevent and mitigate such identity theft with respect to information used in covered accounts, and
WHEREAS, the Village of Oak Brook (the "Village ") is a creditor, with respect to the FTC
Regulations, by virtue of providing utility services and by providing services to citizens and accepting
multiple payments for such services in arrears, and
WHEREAS, pursuant to the FTC Regulations, such an arrangement between the Village and its
citizens constitutes a covered account, and
WHEREAS, the President and the Board of Trustees, after due consideration, find and determine
that it is in the best interests of the health, safety and welfare of its residents to approve and adopt red
flag policies to identify, detect, prevent and mitigate identity theft with respect to information used in
covered accounts
NOW, THEREFORE, BE IT RESOLVED by the President and the Board of Trustees of the
Village of Oak Brook, Cook and DuPage Counties, Illinois, as follows
Section 1 Incorporation That the recitals set forth above are incorporated herein and made a
part hereof
Section 2 Identity Theft Prevention Policy The Village adopts this Identity Theft Prevention
Policy, identified herein, in order to prevent and mitigate identity theft by identifying and detecting identity
theft red flags and by responding to such red flags in a manner that will prevent such identity theft
Section 3 Definitions For the purposes of this policy, the following words and phrases shall
have the following meanings when used herein
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 2 of 6
a "Covered Account" means i) an account the Village offers or maintains primarily for personal,
family or household purposes that involves multiple payments or transactions, and ii) any
other account the Village offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the Village from Identity Theft
b Identity Theft" means fraud committed using Identifying Information of another person
c "Identifying Information" means any name or number that may be used alone or in
conjunction with any other information, to identify a specific person, including but not limited
to name, address, telephone number, social security number, date of birth, government
issued driver's license, employer or taxpayer identification number, credit card account
information, debit card information, and bank account information
d "Policy" means the Identity Theft Prevention Policy, identified herein
e "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence
of identity theft
f "Village" means the Village of Oak Brook
Section 4 Identification of Red Flags In order to identify relevant Red Flags, the Village
considers the types of covered accounts that it offers and maintains, the methods it provides to open such
covered accounts, the methods it provides to access such covered accounts, and its previous
experiences with Identity Theft The Village identifies the following Red Flags, in each of the listed
categories
a Notifications and Warnings From Credit Report Agencies
1 Report of fraud accompanying a credit report,
2 Notice or report from a credit agency of a credit freeze on a customer or applicant,
3 Notice or report from a credit agency of an active duty alert for an applicant, and
4 Indication from a credit report of activity that is inconsistent with a customer's usual
pattern or activity
b Suspicious Documents
1 Identification document or card that appears to be forged, altered or inauthentic,
2 Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document,
3 Other document with information that is not consistent with existing customer
information (such as if a person's signature on a check appears forged), and
4 Application for service that appears to have been altered or forged
c Suspicious Personal Identifying Information
2
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 3 of 6
1 Identifying Information presented that is Inconsistent with other information the
customer provides (example Inconsistent birth dates),
2 Identifying Information presented that Is Inconsistent with other sources of
Information (for Instance, an address not matching an address on a credit report),
3 Identifying information presented that is the same as information shown on other
applications that were found to be fraudulent,
4 Identifying information presented that is consistent with fraudulent activity (such as an
invalid phone number or fictitious billing address),
5 Social security number presented that is the same as one given by another customer,
6 An address or phone number presented that is the same as that of another person,
7 A person falls to provide complete personal identifying Information on an application
when reminded to do so (however, by law social security numbers must not be
required), and
8 A person's Identifying information is not consistent with the information that is on file
for the customer
d Suspicious Account Activity or Unusual Use of Covered Accounts
1 Change of address for a covered account followed by a request to change the
covered account holder's name,
2 Payments stop on an otherwise consistently up -to -date covered account,
3 Covered account used in a way that is not consistent with prior use (example very
high activity),
4 Mail sent to the covered account holder is repeatedly returned as undeliverable,
5 Notice to the Village that a customer is not receiving mail sent by the City,
6 Notice to the Village that a covered account has unauthorized activity,
7 Breach in the Village's computer system security, and
8 Unauthorized access to or use of identifying information
e Alerts from Others
1 Notice to the Village from a customer, Identity theft victim, law enforcement or other
person that it has opened or is maintaining a fraudulent covered account for a person
engaged in Identity Theft
Section 5 Detecting Red Flags
a New Covered Accounts. In order to detect any of the Red Flags identified In Section 4
associated with the opening of a new covered account, Village personnel will take the
following steps to obtain and verify the identity of the person opening the account
3
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 4 of 6
1 Require certain identifying information such as name, date of birth, residential or
business address, principal place of business for an entity, driver's license or other
identification,
2 Verify the customer's identity (for instance, review a driver's license or other
identification card),
3 Review documentation showing the existence of a business entity, and
4 Independently contact the customer
b Existing Covered Accounts. In order to detect any of the Red Flags identified in Section 4
for an existing covered account, Village personnel will take the following steps to monitor
transactions with an account
1 Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email),
2 Verify the validity of requests to change billing addresses, and
3 Verify changes in banking information given for billing & payment purposes
Section 6 Preventing and Mitigating Identity Theft In the event Village personnel detect any
identified Red Flags, such personnel shall take one or more of the following steps, depending on the
degree of risk posed by the Red Flag
1 Continue to monitor a covered account for evidence of Identity Theft,
2 Contact the customer,
3 Change any passwords or other security devices that permit access to covered
accounts,
4 Not open a new covered account,
5 Close an existing covered account,
6 Reopen a covered account with a new number,
7 Notify the Finance Director for determination of the appropriate step(s) to take,
8 Notify law enforcement, or
9 Determine that no response is warranted under the particular circumstances
Section 7 Protecting Customer Identifying Information In order to further prevent the likelihood
of Identity Theft occurring with respect to Village covered accounts, the Village will take the following
steps with respect to its internal operating procedures to protect customer identifying information
1 Ensure that its website is secure or provide clear notice that the website is not
secure,
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 5 of 6
2 Ensure complete and secure destruction of paper documents and computer files
containing customer information,
3 Ensure that office computers are password protected and that computer screens lock
after a set period of time,
4 Ensure storage rooms, cabinets, drawers, and other storage space containing
identifying information will be locked when not in use,
5 Keep offices clear of papers containing customer information,
6 Request only the last 4 digits of social security numbers (if any),
7 Ensure computer virus protection is up to date, and
8 Require and keep only the kinds of customer information that are necessary for utility
purposes
Section 8 Program Updates The Finance Director will periodically review and update this Policy
to reflect changes in risks to customers and the soundness of the Village from Identity Theft In doing so,
the Finance Director will consider the Village's experiences with Identity Theft situations, changes in
Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the
Village's business arrangements with other entities After considering these factors, the Finance Director
will determine whether changes to the Policy, including the listing of Red Flags, are warranted if
warranted, the Finance Director will present his or her recommended changes to the President and Board
of Trustees, which will make a determination of whether to accept, modify or reject those changes to the
Policy
Section 9 Policy Administration. Responsibility for developing, implementing and updating this
Policy lies with the Finance Director, subject to approval by the President and Board of Trustees The
Finance Director will be responsible for the Policy administration, for ensuring appropriate training of
Village staff on the Policy, for reviewing any staff reports regarding the detection of Red Flags and the
steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation
should be taken in particular circumstances and considering periodic changes to the Policy
a Staff Training and Reports. Village personnel responsible for implementing the Policy shall
be trained either by or under the direction of the Finance Director in the detection of Red
Flags, and the responsive steps to be taken when a Red Flag is detected
b Service Provider Arrangements In the event the Village engages a service provider to
perform an activity in connection with one or more accounts, the Village will take the following
R
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 6 of 6
steps to ensure the service provider performs Its activity in accordance with the Policy set
forth herein
1 Require, by contract, that service providers have such policies and procedures in
place, and
2 Require, by contract, that service providers review the Village's Policy and report any
Red Flags to the Finance Director
SECTION 10 If any section, paragraph, clause or provision of this resolution shall be held
invalid, the invalidity thereof shall not affect any of the other provisions of this resolution
conflict
SECTION 11 All resolutions in conflict herewith are hereby repealed to the extent of such
SECTION 12 This resolution shall be in full force and effect from and after its passage,
approval and publication as provided by law
APPROVED THIS 28th day of October, 2008
PASSED THIS 28th day of October, 2008
Ayes
Nays
Absent
John W Craig
Village President
ATTEST
Charlotte K Pruss
Village Clerk
rol