Red Flag Policy and Identity Theft Prevention Program

Similar documents
( Utility Name ) Identity Theft Prevention Program

[Utility Name] Identity Theft Prevention Program

City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Identity Theft Prevention Program. Effective beginning August 1, 2009

Prevention of Identity Theft in Student Financial Transactions AP 5800

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Ouachita Baptist University. Identity Theft Policy and Program

Red Flags Program. Purpose

Red Flags/Identity Theft Prevention Policy: Purpose

Policy 24 Identity Theft Prevention Program IDENTITY THEFT PREVENTION PROGRAM OF WEBB CREEK UTILITY DISTRICT

Identity Theft Prevention Policy

IDENTITY THEFT PREVENTION PROGRAM

IDENTITY THEFT PREVENTION Policy Statement

Identity Theft Policies and Procedures

University of North Texas System Administration Identity Theft Prevention Program

RED FLAGS IDENTITY THEFT PREVENTION PROGRAM

The Southern Baptist Theological Seminary IDENTITY THEFT RED FLAGS AND RESPONSE INSTRUCTIONS IDENTITY THEFT AND PREVENTION PROGRAM As of June 2010

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Regulation P & GLBA Training

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

ID Theft Information Form - Instructions

Virginia Commonwealth University School of Medicine Information Security Standard

Shaw Privacy Policy. 1- Our commitment to you

Employee Security Awareness Training Program

Consolidated Privacy Notice

Table of Contents. PCI Information Security Policy

Summary Comparison of Current Data Security and Breach Notification Bills

Credit Card Data Compromise: Incident Response Plan

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

Judiciary Judicial Information Systems

Best Practices Guide to Electronic Banking

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Beam Technologies Inc. Privacy Policy

Subject: University Information Technology Resource Security Policy: OUTDATED

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Security Standards for Electric Market Participants

Data Compromise Notice Procedure Summary and Guide

The University of British Columbia Board of Governors

Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)

Information Technology General Control Review

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

Putting It All Together:

Information Security Incident Response Plan

Privacy Policy I. COOKEVILLE COMMUNICATIONS PRIVACY POLICY II. GENERAL PRIVACY GUIDELINES

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Donor Credit Card Security Policy

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

A full list of SaltWire Network Inc. publications is available by visiting saltwire.com.

Subject: Kier Group plc Data Protection Policy

Government-issued identification numbers (e.g., tax identification numbers)

Annual Report on the Status of the Information Security Program

What is a Breach? 8/28/2017

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

Pasco Police Department Policy Manual. CRIME ANALYSIS AND INTELLIGENCE Chapter No. 40. Effective Date: 04/01/2018. Reference:

Information Technology Standards

ANRC II. Eligibility requirements Authority Requirements for accreditation Review of application...

Information Security Incident Response Plan

University Policies and Procedures ELECTRONIC MAIL POLICY

Information Security Incident Response and Reporting

ASSESSMENT LAYERED SECURITY

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Breach Notification Assessment Tool

Data Backup and Contingency Planning Procedure

Virginia Commonwealth University School of Medicine Information Security Standard

Acceptable Use Policy

Conjure Network LLC Privacy Policy

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Privacy Policy. Information about us. What personal data do we collect and how do we use it?

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Privacy Breach Policy

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

NDIS Quality and Safeguards Commission. Incident Management System Guidance

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Incident Response Guidelines

Privacy Policy Effective May 25 th 2018

Red ALERT Apparent Breach of an Unidentified Pharmacy Related Database

Electronic Signature Policy

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Policy & Procedure Privacy Policy

Access to University Data Policy

POMONA EUROPE ADVISORS LIMITED

Identity Theft Victim s Complaint and Affidavit

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Department of Public Safety and Correctional Services Information Technology and Communications Division

COLORADO DEPARTMENT OF LABOR AND EMPLOYMENT Arapahoe Street Denver, CO

Acceptable Use Policy

Cellular Site Simulator Usage and Privacy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

SECURITY & PRIVACY DOCUMENTATION

UTAH VALLEY UNIVERSITY Policies and Procedures

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Transcription:

Unified Government of Wyandotte County and Kansas City, Kansas Adopted: 5/11/2011 Red Flag Policy and Identity Theft Prevention Program Authority: The Mayor and the Board of Commissioners are responsible for legislation, policy formulation, and overall direction setting of the government. This includes the approval of financial policies which establish and direct the operations of Unified Government (UG). The County Administrator is responsible for carrying out the policy directives of the UG Board of Commissioners and managing the day-to-day operations of the executive departments. I. Purpose: The Unified Government of Wyandotte County/Kansas City, Kansas (the "UG") developed this Identity Theft Prevention Program to comply with the Federal Trade Commission's Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transaction Act of 2003. See 16 C. F. R. 681.1; 15 U.S.C. 1681c(h). This program is designed to detect, prevent, and mitigate identity theft in connection with the opening and maintenance of the following UG accounts: Any account that the UG offers or maintains primarily for personal, family, or household purposes and that involves multiple payments or transactions; and Any other account that the UG offers or maintains for which there is a reasonably foreseeable risk to customers or to the UG s safety and soundness from identity theft. For the purposes of this program, "identity theft" is defined as fraud committed or attempted using the identifying information of another person without authority. This program was developed with oversight and approval of the chief financial officer. After considering the size and complexity of the UG s operations and account systems and the nature and scope of the UG s activities, the Board of Commissioners determined that this program is appropriate for the UG and approved it on 05/11/2011. II. Identification of Red Flags: A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. To identify relevant red flags, the UG considered the types of accounts that it offers and maintains, the methods that it provides to open accounts, the methods that it provides to access accounts and its previous experiences with identity theft. The UG has identified in the listed categories the following red flags: Category A: Alerts, notifications, or warnings from a consumer reporting agency or service provider A fraud or active duty alert is included with a consumer report. 1

A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. A consumer reporting agency provides a notice of address discrepancy. A consumer report indicates a pattern of activity that is inconsistent with a person s history or usual pattern of activity, such as a recent and significant increase in the volume of inquiries; an unusual number of recently established credit relationships; a material change in the use of credit; or an account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. Category B: Suspicious documents Documents provided for identification appear to have been altered or forged. The photograph or physical description on the identification is not information on the identification and is not consistent with other information provided by the person presenting the identification. Other information on the identification is not consistent with readily accessible information on file, such as a previous signature or recent check. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled. Category C: Suspicious personal identifying information Red Flags: Personal identifying information provided is inconsistent with other sources of information (such as an address not matching an address on a consumer report or a Social Security number [SSN] that was never issued). Personal identifying information provided by a person is inconsistent with other information provided by the person (such as inconsistent SSNs or birth dates). Personal identifying information (for example, address or phone number) is the same as shown on other applications or documents known to be fraudulent. Personal identifying information is of a type commonly associated with fraudulent activity (such as a fictitious billing address or an invalid phone number). The SSN provided is the same as another customer s SSN. The address or phone number provided is the same as or similar to that submitted by an unusually large number of other persons opening accounts or by other customers. A person fails to provide complete personal identifying information on an application or in response to notification that the application is incomplete. Personal identifying information provided is not consistent with information that is on file. Category D: Unusual use of or suspicious activity related to an account A change of address for an account followed by a request to change the account holder's name. 2

An account is used in a way that is not consistent with prior use (such as late or no payments when the account has been timely in the past). Mail sent to the account holder is repeatedly returned as undeliverable even though transactions continue to be conducted in connection with the account. The UG receives notice that a customer is not receiving paper account statements. The UG receives notice that an account has unauthorized activity. The UG receives notice that there has been a breach in the UG s computer system. The UG receives notice that there has been unauthorized access to or use of customer account information. The UG receives notice that there has been unauthorized access to the UG s plans to take steps with certain data it maintains that contains customer information (i.e. destroying computer files). Category E: Notice of possible identity theft The UG receives notice from a customer, an identity theft victim, law enforcement, or any other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft. The UG receives notice from another company or utility that identity fraud is suspected. III. Detection of Red Flags To detect red flags in connection with the opening of a new account, UG personnel will take one or more of the following steps to obtain and verify the identity of the person opening the account: Require identifying information such as name, date of birth, residential or business address, principal place of business for an entity, SSN, driver's license, or other identification; Verify the customer's identity, such as by copying and reviewing a driver's license or other identification card; Verify identity via a consumer reporting agency; Review documentation showing the existence of a business entity; or Independently contact the customer. To detect red flags for an existing account, UG personnel will take the following steps to monitor account transactions: Verify the identification of customers if they request information (in person, via telephone, via facsimile, or via email); Verify the validity of requests to change billing addresses; Do not share identity and banking information with anyone, including the customer, but require the customer to give the information and verify with the information on the account; and Verify changes in banking information given for billing and payment purposes. 3

IV. Preventing and Mitigating Identity Theft UG personnel who detect red flags will take one or more of the following steps, depending on the degree of risk posed: Continue to monitor the account for evidence of identity theft; Contact the customer; Change passwords or other security devices that permit access to the account; Reopen the account with a new number; Do not open a new account; Close the existing account; Notify law enforcement; Determine that no response is warranted under the particular circumstances; or Notify the program administrator for determination of the appropriate steps to take. To prevent the likelihood of identity theft occurring with respect to UG accounts, the UG will take the following steps with respect to its internal operating procedures: Provide a secure website or clear notice that a website is not secure; When destroying paper documents or computer files containing customer information, completely and securely destroy the documents or files; Password protect office computers and set computer screens to lock after a set period of time; Require only the last 4 digits of SSNs (if any); Keep offices clear of papers containing customer information; Review reports and documentation and delete unneeded identity information; Keep computer virus protection is up to date; Require and keep only the kinds of customer information that are necessary for program administrative purposes; and Secure information that is being stored for state or federal retention guidelines. V. Duties Regarding Addressing Discrepancies When the UG receives notice from a nationwide consumer reporting agency that the address given by a customer substantially differs from the address contained in the consumer report, the UG may reasonably confirm that the address provided by the customer is accurate by any of the following means: Verifying the address with the customer; Reviewing utility records; Verifying the address through third-party sources; or Other reasonable means. If an accurate address is confirmed, the UG will furnish the address to the nationwide consumer reporting agency from which it received the notice of address discrepancy if the UG establishes a continuing relationship with the customer and regularly and in the ordinary course of business furnishes information to the consumer reporting agency. 4

VI. VII. Updating the Program and Red Flags This program will be periodically reviewed and updated to reflect changes in risks to customers or to the UG s safety and soundness from identity theft. At least annually, the chief financial officer will consider the UG's experiences with identity theft; changes in identity theft methods; changes in identity theft detection, prevention, and mitigation methods; changes in types of accounts that the UG maintains; and changes in the UG's business arrangements with other entities. After considering these factors, the chief financial officer will determine whether changes to this program, including the listing of red flags, are warranted. If the chief financial officer determines that administrative changes are warranted, he or she will implement such changes. Specific policy changes will be presented to the Board of Commissioners with the recommended changes and the Board of Commissioners will determine whether to accept, modify, or reject them. Program Administration a) Oversight. The chief financial officer will act as program administrator and oversee this program. The program administrator will be responsible for the program's implementation and administration, including ensuring appropriate training of staff, reviewing staff compliance reports, determining which preventive or mitigating measures should be taken in particular circumstances and approving changes to the program to address changing identity theft risks. b) Staff reports. UG staff responsible for developing, implementing, and administering this program will report to the program administrator at least annually on compliance by the UG with the Red Flag Rule, 16 C.F.R. 681.1. The report will address material matters related to the program and evaluate issues such as the effectiveness of policies and procedures in addressing the risk of identity theft in connection with the opening of accounts and existing accounts; service provider arrangements; significant incidents involving identity theft and management s response; and recommendations for changes to the program. c) Service provider arrangements. When the UG engages a service provider to perform an activity in connection with one or more accounts, it will take steps to ensure that the service provider conducts its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. These steps may include requiring the service provider by contract to have policies and procedures to detect red flags that may arise in the performance of its activities, to report any red flags to the program administrator, and to take appropriate steps to prevent or mitigate identity theft. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback