R-1028 - 10/28/2008 - GOVERNMENT LEGISLATION FEDERAL - ResolutionsRESOLUTION 2008 -GL- FED - FIN -R -1028
A RESOLUTION ADOPTING AND IMPLEMENTING
AN IDENTITY THEFT PREVENTION POLICY
WITHIN THE VILLAGE OF OAK BROOK,
COOK AND DUPAGE COUNTIES, ILLINOIS
WHEREAS, pursuant to the Fair and Accurate Credit Transactions Act of 2003, the Federal
Trade Commission adopted Identity Theft Rules requiring the creation of certain policies relating to the
prevention and mitigation of identity theft (the "FTC Regulations "); and
WHEREAS, the FTC Regulations require creditors to adopt red flag policies to identify, detect,
prevent and mitigate such identity theft with respect to information used in covered accounts; and
WHEREAS, the Village of Oak Brook (the "Village ") is a creditor, with respect to the FTC
Regulations, by virtue of providing utility services and by providing services to citizens and accepting
multiple payments for such services in arrears; and
WHEREAS, pursuant to the FTC Regulations, such an arrangement between the Village and its
citizens constitutes a covered account; and
WHEREAS, the President and the Board of Trustees, after due consideration, find and determine
that it is in the best interests of the health, safety and welfare of its residents to approve and adopt red
flag policies to identify, detect, prevent and mitigate identity theft with respect to information used in
covered accounts.
NOW, THEREFORE, BE IT RESOLVED by the President and the Board of Trustees of the
Village of Oak Brook, Cook and DuPage Counties, Illinois, as follows:
Section 1. Incorporation. That the recitals set forth above are incorporated herein and made a
part hereof.
Section 2. Identity Theft Prevention Policy. The Village adopts this Identity Theft Prevention
Policy, identified herein, in order to prevent and mitigate identity theft by identifying and detecting identity
theft red flags and by responding to such red flags in a manner that will prevent such identity theft.
Section 3. Definitions. For the purposes of this policy, the following words and phrases shall
have the following meanings when used herein:
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 2 of 6
a. "Covered Account" means i) an account the Village offers or maintains primarily for personal,
family or household purposes that involves multiple payments or transactions; and ii) any
other account the Village offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the Village from Identity Theft.
b. Identity Theft" means fraud committed using Identifying Information of another person.
c. "Identifying Information" means any name or number that may be used alone or in
conjunction with any other information, to identify a specific person, including but not limited
to: name, address, telephone number, social security number, date of birth, government
issued driver's license, employer or taxpayer identification number, credit card account
information, debit card information, and bank account information.
d. "Policy" means the Identity Theft Prevention Policy, identified herein.
e. "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence
of identity theft.
f. "Village" means the Village of Oak Brook.
Section 4. Identification of Red Flags. In order to identify relevant Red Flags, the Village
considers the types of covered accounts that it offers and maintains, the methods it provides to open such
covered accounts, the methods it provides to access such covered accounts, and its previous
experiences with Identity Theft. The Village identifies the following Red Flags, in each of the listed
categories:
a. Notifications and Warnings From Credit Report Agencies.
1. Report of fraud accompanying a credit report;
2. Notice or report from a credit agency of a credit freeze on a customer or applicant;
3. Notice or report from a credit agency of an active duty alert for an applicant; and
4. Indication from a credit report of activity that is inconsistent with a customer's usual
pattern or activity.
b. Suspicious Documents.
1. Identification document or card that appears to be forged, altered or inauthentic;
2. Identification document or card on which a person's photograph or physical
description is not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing customer
information (such as if a person's signature on a check appears forged); and
4. Application for service that appears to have been altered or forged.
c. Suspicious Personal Identifying Information.
2
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 3 of 6
1. Identifying information presented that is inconsistent with other information the
customer provides (example: inconsistent birth dates);
2. Identifying information presented that is inconsistent with other sources of
information (for instance, an address not matching an address on a credit report);
3. Identifying information presented that is the same as information shown on other
applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent activity (such as an
invalid phone number or fictitious billing address);
5. Social security number presented that is the same as one given by another customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete personal identifying information on an application
when reminded to do so (however, by law social security numbers must not be
required); and
8. A person's identifying information is not consistent with the information that is on file
for the customer.
d. Suspicious Account Activity or Unusual Use of Covered Accounts.
1. Change of address for a covered account followed by a request to change the
covered account holder's name;
2. Payments stop on an otherwise consistently up -to -date covered account;
3. Covered account used in a way that is not consistent with prior use (example: very
high activity);
4. Mail sent to the covered account holder is repeatedly returned as undeliverable;
5. Notice to the Village that a customer is not receiving mail sent by the City;
6. Notice to the Village that a covered account has unauthorized activity;
7. Breach in the Village's computer system security; and
8. Unauthorized access to or use of identifying information.
e. Alerts from Others.
1. Notice to the Village from a customer, identity theft victim, law enforcement or other
person that it has opened or is maintaining a fraudulent covered account for a person
engaged in Identity Theft.
Section 5. Detecting Red Flags.
a. New Covered Accounts. In order to detect any of the Red Flags identified in Section 4
associated with the opening of a new covered account, Village personnel will take the
following steps to obtain and verify the identity of the person opening the account:
3
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 4 of 6
1. Require certain identifying information such as name, date of birth, residential or
business address, principal place of business for an entity, driver's license or other
identification;
2. Verify the customer's identity (for instance, review a driver's license or other
identification card);
3. Review documentation showing the existence of a business entity; and
4. Independently contact the customer.
b. Existing Covered Accounts. In order to detect any of the Red Flags identified in Section 4
for an existing covered account, Village personnel will take the following steps to monitor
transactions with an account:
1. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing & payment purposes.
Section 6. Preventing and Mitigating Identity Theft. In the event Village personnel detect any
identified Red Flags, such personnel shall take one or more of the following steps, depending on the
degree of risk posed by the Red Flag:
1. Continue to monitor a covered account for evidence of Identity Theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to covered
accounts;
4. Not open a new covered account;
5. Close an existing covered account;
6. Reopen a covered account with a new number;
7. Notify the Finance Director for determination of the appropriate step(s) to take;
8. Notify law enforcement; or
9. Determine that no response is warranted under the particular circumstances.
Section 7. Protecting Customer Identifying Information. In order to further prevent the likelihood
of Identity Theft occurring with respect to Village covered accounts, the Village will take the following
steps with respect to its internal operating procedures to protect customer identifying information:
1. Ensure that its website is secure or provide clear notice that the website is not
secure;
11
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 5 of 6
2. Ensure complete and secure destruction of paper documents and computer files
containing customer information;
3. Ensure that office computers are password protected and that computer screens lock
after a set period of time;
4. Ensure storage rooms, cabinets, drawers, and other storage space containing
identifying information will be locked when not in use;
5. Keep offices clear of papers containing customer information;
6. Request only the last 4 digits of social security numbers (if any);
7. Ensure computer virus protection is up to date; and
8. Require and keep only the kinds of customer information that are necessary for utility
purposes.
Section 8. Program Updates. The Finance Director will periodically review and update this Policy
to reflect changes in risks to customers and the soundness of the Village from Identity Theft. In doing so,
the Finance Director will consider the Village's experiences with Identity Theft situations, changes in
Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the
Village's business arrangements with other entities. After considering these factors, the Finance Director
will determine whether changes to the Policy, including the listing of Red Flags, are warranted. If
warranted, the Finance Director will present his or her recommended changes to the President and Board
of Trustees, which will make a determination of whether to accept, modify or reject those changes to the
Policy.
Section 9. Policy Administration. Responsibility for developing, implementing and updating this
Policy lies with the Finance Director, subject to approval by the President and Board of Trustees. The
Finance Director will be responsible for the Policy administration, for ensuring appropriate training of
Village staff on the Policy, for reviewing any staff reports regarding the detection of Red Flags and the
steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation
should be taken in particular circumstances and considering periodic changes to the Policy.
a. Staff Training and Reports. Village personnel responsible for implementing the Policy shall
be trained either by or under the direction of the Finance Director in the detection of Red
Flags, and the responsive steps to be taken when a Red Flag is detected.
b. Service Provider Arrangements. In the event the Village engages a service provider to
perform an activity in connection with one or more accounts, the Village will take the following
5
RESOLUTION 2008 -GL- FED - FIN -R -1028
Resolution Adopting & Implementing
Identity Theft Prevention Policy
Page 6 of 6
steps to ensure the service provider performs its activity in accordance with the Policy set
forth herein:
1. Require, by contract, that service providers have such policies and procedures in
place; and
2. Require, by contract, that service providers review the Village's Policy and report any
Red Flags to the Finance Director.
SECTION 10: If any section, paragraph, clause or provision of this resolution shall be held
invalid, the invalidity thereof shall not affect any of the other provisions of this resolution.
conflict.
SECTION 11: All resolutions in conflict herewith are hereby repealed to the extent of such
SECTION 12: This resolution shall be in full force and effect from and after its passage,
approval and publication as provided by law.
APPROVED THIS 28th day of October, 2008.
16 W. Craig
age President
PASSED THIS 28th day of October, 2008
Ayes: Trustees Carson, Kennedy, Manofsky, Sanford and Wolin
Nays: None
Absent: Trustee Saived
��� 4''~ `r'� '• °'.•rte'` „' r`; %j
Cf •A* Se.0 �`' .� r7
\� EiT`�ir,'
ATTEST:
Charlotte K. Pruss
Village Clerk
6