Resolution No. 2008-R0414
October 23, 2008
Item No. 5.12
RESOLUTION
WHEREAS, the City of Lubbock ("City") and its municipally owned electric
utility, Lubbock Power and Light ("LP&L") submit customer information to credit
reporting agencies and maintain covered accounts (an account that involves multiple
payments or transactions or extends services prior to requiring payment); and
WHEREAS, due to the aforementioned facts, the City and LP&L are subject to
administrative enforcement of the Federal Credit Reporting Act by the Federal Trade
Commission pursuant to 15 U.S.C. 1681s(a)(1) and the Fair and Accurate Credit
Transactions Act of 2003 (the "Act"); and
WHEREAS, the Act requires the City to develop and implement a written Identity
Theft Prevention Program ("Program") before November 1, 2008;
WHEREAS, the Program is designed to detect, prevent and mitigate identity theft
by implementing reasonable policies and procedures to identify, detect and respond to
patterns, practices, or specific activity that indicates the possible existence of identity
theft; and
WHEREAS, the Electric Utility Board has approved the attached Program
implementing the policies and procedures to protect against identity theft as required by
the Act; NOW THEREFORE,
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:
THAT the attached Identity Theft Prevention Program BE and is hereby adopted
and implemented in the form attached hereto for and on behalf of the City of Lubbock
and its utilities including its municipally owned electric utility, Lubbock Power & Light.
Passed by the City Council this 23rd day of October, 2008.
TOM MARTIN, MAYOR
ATTEST:
Rebecca Garza, City Secretary
APPROVED AS TO CONTENT:
Tom Adams, Deputy City Manager
APPROVED AS TO FORM:
Matthew L. Wade, General Counsel — LP&L
City of Lubbock -- Lubbock Power & Light
Identity Theft Program
I. PROGRAM ADOPTION
The City of Lubbock (the "City") and Lubbock Power & Light ("LP&L"), the municipally owned electric
utility of the City of Lubbock, developed this Identity Theft Prevention Program ("Program") pursuant to
the Federal Trade Commission Red Flag Rules ("Rules"), which implement Section 114 of the Fair and
Accurate Credit Transactions Act of 2003. 16 C.F.R. § 681.2. After consideration of the size and
complexity of the City's/LP&L's operations and account systems, and the nature and scope of the
City's/LP&L's activities, the City/LP&L determined that this Program was appropriate for it, and therefore
the Electric Utility Board approved this Program on October 16, 2008 and the City Council of the City of
Lubbock approved it on October 23, 2008.
II. APPLICABILITY
According to the Rule, a utility is a creditor subject to the Rule requirements. The Rule defines creditors
"to include finance companies, automobile dealers, mortgage brokers, utility companies, and
telecommunications companies. Where non-profit and government entities defer payment for goods or
services, they, too, are to be considered creditors."
III.
A. "Covered Account" is defined as (1) any account the City/LP&L offers or maintains primarily for
personal, family or household purposes, that involves multiple payments or transactions; and (2)
any other account the City/LP&L offers or maintains for which there is a reasonably foreseeable
risk to customers of identity theft or to the safety and soundness of the City/LP&L from identity
theft.
All of the City's/LP&L's utility accounts that are individual utility service accounts held by
customers of the City/LP&L whether residential, commercial or industrial are covered by
the Rule and this Program.
B. "Identity Theft" is defined as fraud committed using the identifying information of another person.
C. "Red Flag" is defined as a pattern, practice, or specific activity that indicates the possible
existence of identity theft.
D. "Identifying information" is defined as any name or number that may be used, alone or in
conjunction with any other information, to identify a specific person, including: name, address,
telephone number, social security number, date of birth, government issued driver's license or
identification number, alien registration number, government passport number, employer or
taxpayer identification number, unique electronic identification number, computer's Internet
Protocol address, or routing code.
1. The following information is collected by this utility:
a. Name
b. Social Security Number
c. Date of Birth
d. Address
e. Telephone number
f. Driver's license identification number
g. Employer or taxpayer identification number
2. Customer personal identifying information is collected by the following methods:
a. Presentation by customer at office
b. Telephone
c. Facsimile
d. E-mail
e. Internet
f. Mail
IV. IDENTIFICATION OF RED FLAGS.
In order to identify relevant Red Flags, the City/LP&L considers the following incidents and/or
activities as Red Flags for purposes of this Program:
A. Notifications and Warnings From Credit Reporting Agencies
1. Report of fraud accompanying a credit report;
2. Notice or report from a credit agency of a credit freeze on a customer or applicant;
3. Notice or report from a credit agency of an active duty alert for an applicant; and
4. Indication from a credit report of activity that is inconsistent with a customer's usual
pattern or activity.
B. Suspicious Documents
1. Identification document or card that appears to be forged, altered or inauthentic;
2. Identification document or card on which a person's photograph or physical description is
not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing customer
information (such as if a person's signature on a check appears forged); and
4. Application for service that appears to have been altered or forged.
C. Suspicious Personal Identifying Information
1. Identifying information presented that is inconsistent with other information the customer
provides (example: inconsistent birth dates);
2. Identifying information presented that is inconsistent with other sources of information
(example: an address not matching an address on a credit report);
3. Identifying information presented that is the same as information shown on other
applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent activity (such as an
invalid phone number or fictitious billing address);
5. Social security number presented that is the same as one given by another customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete personal identifying information on an application
when reminded to do so; and
8. A person's identifying information is not consistent with the information that is on file
for the customer.
D. Suspicious Account Activity or Unusual Use of Account
1. Change of address for an account followed by a request to change the account holder's
name;
2. Payments stop on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example: very high activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to the City/LP&L that a customer is not receiving mail sent by the City/LP&L;
6. Notice to the City/LP&L that an account has unauthorized activity;
7. Breach in the City/LP&L's computer system security; and
8. Unauthorized access to or use of customer account information.
E. Alerts from Others
Notice to the City/LP&L from a customer, identity theft victim, law enforcement or other
person that it has opened or is maintaining a fraudulent account for a person engaged in
identity theft.
V. DETECTING RED FLAGS.
A. New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new
account, the City/LP&L personnel will take the following steps to obtain and verify the identity of the
person opening the account:
Detect
1. Require certain identifying information such as name, date of birth, residential or
business address, principal place of business for an entity, driver's license or other
identification;
2. Verify the customer's identity (for instance, review a driver's license or other
identification card);
3. Review documentation showing the existence of a business entity; and
4. Independently contact the customer.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, the City/LP&L
personnel will take the following steps to monitor transactions with an account:
Detect
1. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes.
VI. PREVENTING AND MITIGATING IDENTITY THEFT
In the event the City/LP&L personnel detect any identified Red Flags, such personnel shall take
one or more of the following steps, depending on the degree of risk posed by the Red Flag:
A. Prevent and Mitigate
1. Continue to monitor an account for evidence of identity theft;
2. Contact the customer;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5. Close an existing account;
6. Reopen an account with a new number;
7. Notify the Program Administrator for determination of the appropriate step(s) to take;
8. Notify local law enforcement; and
9. Determine that no response is warranted under the particular circumstances.
B. Protect Customer Identifying Information
In order to further prevent the likelihood of identity theft occurring with respect to the City/LP&L
accounts, the City/LP&L will take the following steps with respect to its internal operating procedures to
protect customer identifying information:
1. Ensure that the portions of any website containing identifying information are secure or
provide clear notice that the website is not secure;
2. Require records containing sensitive information be shredded before placement in trash
and ensure complete and secure destruction of computers, computer files and discarded
computer drives containing customer information;
3. Require and keep only the kinds of customer information that are necessary for the
City/LP&L purposes;
4. Ensure that employees will follow all appropriate City/LP&L policies regarding sensitive
papers on their desks when not at workstations;
5. Visitors entering areas where sensitive files are kept will be escorted by an employee;
6. Require that entry codes or unescorted access will only be given to visitors when
necessary;
7. Take measures to protect and encrypt sensitive information stored on computers;
8. Encrypt email transmissions with personally identifying information;
9. Install anti-virus and anti-spyware programs on any computers that run on the City/LP&L
servers or networks and ensure that programs are periodically updated;
10. Ensure access to sensitive information will be controlled using passwords considered
"strong" and passwords must be periodically changed;
11. Require that passwords not be shared or posted;
12. Follow all City of Lubbock policies and procedures regarding computer workstation
passwords including any Information Technology policies and procedures to lock down
workstations and secure computers with password access;
13. Any newly installed software will have default passwords immediately changed.
VII. PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in risks to customers
and the soundness of the City/LP&L from identity theft. At least annually, the Program Administrator will
consider the City's/LP&L's experiences with identity theft situations, changes in identity theft methods,
changes in identity theft detection and prevention methods, changes in types of accounts the City/LP&L
maintains and changes in the City's/LP&L's business arrangements with other entities. After considering
these factors, the Program Administrator will determine whether changes to the Program, including the
listing of Red Flags, are warranted. If warranted, the Program Administrator will update the Program or
present the governing body with any recommended changes and the governing body will make a
determination of whether to accept, modify or reject those changes to the Program.
VIII. PROGRAM ADMINISTRATION.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with an Identity Theft
Prevention Committee for the City/LP&L. The Committee is headed by a Program Administrator who is
the Director of Electric Utilities or the Director's appointee. Two or more other individuals appointed by
the Program Administrator comprise the remainder of the committee membership, one of whom shall be the
City Manager or the City Manager's appointee. The Program Administrator will be responsible for the
Program administration, for ensuring appropriate training of the City/LP&L staff on the Program, for
reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating
Identity Theft, determining which steps of prevention and mitigation should be taken in particular
circumstances and considering periodic changes to the Program.
B. Staff Training and Reports
The City/LP&L staff responsible for implementing the Program shall be trained either by or under
the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be
taken when a Red Flag is detected. Initial training will occur at the time of hiring by the City/LP&L.
Additional training will occur annually after the governing body adopts the updated Identity Theft
Prevention Program each year.
The following specific measures will ensure the protection of individual information through staff
training and procedures:
1. Check references and/or do background checks of any new hires who will have access to
sensitive information;
2. Require new employees to follow all City and/or LP&L policies governing
confidentiality and security standards for handling sensitive data;
3. Limit access to sensitive information to necessary employees only;
4. Ensure that former employees no longer have access to sensitive information, such as
collecting keys and terminating passwords;
5. Employees required to notify management immediately if there is a potential security
breach;
6. Implement appropriate disciplinary action in accordance with the City/LP&L Personnel
Policy up to and including, if warranted, dismissal for those employees who violate
security policies.
C. Service Provider Arrangements
In the event the City/LP&L engages a service provider to perform an activity in connection with
one or more accounts, the City/LP&L will take the following steps to ensure the service provider performs
its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate
the risk of identity theft:
1. Require, by contract, that service providers have such policies and procedures in place;
and
2. Require, by contract, that service providers review the City's/LP&L's Program and report
any Red Flags to the Program Administrator;
3. Require, by contract, that service providers notify the Program Administrator of any
security incidents, even if such incidents had not led to any confirmed compromise of the
City's/LP&L's data.