MARANA RESOLUTION NO. 2009-115
RELATING TO UTILITIES; APPROVING AND ADOPTING THE TOWN OF MARANA UTILITIES
DEPARTMENT IDENTITY THEFT PREVENTION PROGRAM; AND DECLARING AN
EMERGENCY
WHEREAS the Federal Trade Commission (FTC) has enacted rules pursuant to the Fair and
Accurate Credit Transactions Act of 2003 that requires any entity that regularly permits deferred
payments for goods or services to develop and implement a written identity theft prevention
program; and
WHEREAS the FTC rules, known as the Red Flag Rules, apply to the Town of Marana
Utilities Department; and
WHEREAS the Town Council finds that adoption of the Town of Marana Utilities
Department Identity Theft Prevention Program as set forth in this resolution is in the best interests
of the Town and its residents.
NOW, THEREFORE, BE IT RESOLVED BY THE MAYOR AND COUNCIL OF THE
TOWN OF MARANA, ARIZONA, AS FOLLOWS:
SECTION 1. The Town of Marana Utilities Department Identity Theft Prevention Program,
attached to and incorporated by this reference in this resolution as Exhibit A, is hereby approved.
SECTION 2. The Town's Manager and staff are hereby directed and authorized to undertake
all other and further tasks required or beneficial to carry out the terms, obligations, and
objectives of the aforementioned Town of Marana Utilities Department Identity Theft Prevention
Program.
SECTION 3. Since it is necessary for the preservation of the peace, health and safety of the
Town of Marana that this resolution become immediately effective, an emergency is hereby declared
to exist, and this resolution shall be effective immediately upon its passage and adoption.
PASSED AND ADOPTED by the Mayor and Council of the Town of Marana, Arizona, this
21st day of July, 2009.
ATTEST:
Jocelyn C. Bronson, Town Clerk
Mayor Ed Honea
APPROVED AS TO FORM:
Town of Marana Utilities Department
Identity Theft Prevention Program
PURPOSE
The purpose of the Town of Marana Utilities Department Identity Theft Prevention Program is to
protect the Utilities Department, its customers and Town of Marana residents from identity theft.
The Program accomplishes this purpose by:
1. Identifying relevant Red Flags that may indicate the existence of identity theft
2. Establishing policies and procedures for the detection of Red Flags
3. Establishing policies and procedures for responding to any detected or suspected
Red Flags
4. Establishing policies and procedures for administering, reviewing and updating
the Program
DEFINITIONS
Identity theft means a fraud committed or attempted using the identifying information of
another person without authority.
Red Flag means a pattern, practice or specific activity that indicates the possible existence of
identity theft.
IDENTIFYING RELEVANT RED FLAGS
The Town of Marana Utilities Department conducted an internal risk assessment and considered
the following factors:
1. The types of covered accounts it offers or maintains
2. The methods it provides to open its covered accounts
3. The methods it provides to access its covered accounts
4. Its previous experiences with identity theft
EXHIBIT A
As a result of the internal risk assessment, the Town of Marana Utilities Department has
identified the following relevant Red Flags for its covered accounts:
• Identification documents appear to be altered or forged
• Photo and physical description do not match appearance of applicant
• Other information is inconsistent with information provided by applicant
• Social Security number, address, or telephone number is the same as that of other
customer at utility
• Customer fails to provide all information requested
• Personal information provided is inconsistent with information on file for a
customer
• Applicant cannot provide information requested beyond what could commonly be
found in a purse or wallet
• Identity theft is reported or discovered
This list of Red Flags is not intended to be all-inclusive and other suspicious activity may be
investigated as necessary.
DETECTION OF RED FLAGS
The Town of Marana Utilities Department has established policies and procedures for the
detection of Red Flags including, but not limited to, the following:
• Employees are trained to carefully examine identification that is presented in person
at the Utilities Department in order to detect any discrepancies
• Employees are trained to obtain all required personal information before opening an
account
• Known instances of identity theft are logged in a central location so that employees
can check new applicants against the log before opening an account
RESPONSE TO SUSPECTED OR DETECTED RED FLAGS
The Town of Marana Utilities Department has established policies and procedures for
responding to Red Flags and other suspected fraud including, but not limited to, the following:
• Ask applicant for additional documentation
• Notify the senior management official for the Utilities Department
• Notify internal manager
• Notify Utilities Department Technology Coordinator
• Notify law enforcement
• Do not open the account
• Close the account
• Do not attempt to collect against the account but notify authorities
In addition to responding to specific incidents of suspected identity theft, the Town of Marana
Utilities Department has established these additional security procedures to prevent and mitigate
identity theft:
1. Paper documents, files, and electronic media containing secure information shall be
stored in locking capable file cabinets. File cabinets shall be stored in a locked room.
2. Employees shall not leave sensitive papers out on their desks when they are away
from their workstations.
3. Employees shall lock file room doors when leaving their work areas.
4. Any sensitive information shipped shall be shipped using a shipping service that
allows tracking of the delivery of this information.
5. Visitors who must enter areas where sensitive files are kept must be escorted by an
employee of the Utilities Department.
6. No visitor will be given any entry codes or allowed unescorted access to the office.
7. Anti-virus and anti-spyware programs shall be run on individual computers and on
servers daily.
8. Computer passwords shall be required.
9. The computer network shall have a firewall where the network connects to the
Internet.
10. Any wireless network in use shall be secured.
11. Central log files of security-related information shall be maintained to monitor
activity on the network.
12. Incoming traffic shall be monitored for signs of a data breach.
13. Outgoing traffic shall be monitored for signs of a data breach.
14. Reference and/or background checks shall be completed before hiring employees who
will have access to sensitive data.
15. New employees shall sign an agreement to follow the Utilities Department's
confidentiality and security standards for handling sensitive data.
16. Access to customer's personal identity information shall be limited to employees with
a "need to know."
17. Procedures exist for making sure that workers who leave the company or transfer to
another part of the company no longer have access to sensitive information.
18. Employees are required to notify the general manager immediately if there is a
potential security breach, such as a lost or stolen laptop.
19. Employees who violate security policy are subjected to discipline, up to and including
dismissal.
20. Service providers shall notify the Utilities Department of any security incidents they
experience, even if the incidents may not have led to an actual compromise of
data/identity.
21. Paper records shall be shredded before being placed into the trash.
ADMINISTRATION OF THE IDENTITY THEFT PREVENTION PROGRAM
The Town of Marana Utilities Department Identity Theft Prevention Program shall be
administered by the Utility Operations Manager.
The Utility Operations Manager shall assign appropriate staff to prepare a report on an annual
basis regarding the operation of the Program. The report shall be submitted to the Utility
Operations Manager. The report shall address material matters related to the Program, including
the effectiveness of the policies and procedures, a summary of any identity theft incidents, the
response to any identity theft incidents, and recommendations for substantial changes to the
program, if any. Recommendations for updating the Program shall be based on the experiences
of the Department with identity theft, change in methods of identity theft, changes in methods to
detect, prevent and mitigate identity theft and changes in the types of accounts that the
Department offers or maintains.
Employees who handle sensitive data related to the Department's covered accounts shall be
trained on the contents and procedures of this Identity Theft Prevention Program upon its
adoption and shall receive an annual update.