RED FLAG RULES ANNUAL REPORT TO MAYOR AND COUNCIL

BOISE CITY RISK AND SAFETY SERVICESDIVISION DEPARTMENT OF FINANCE AND ADMINISTRATION RED FLAG RULES ANNUAL REPORT TO MAYOR AND COUNCIL AS REQUIRED BY SECTIONS 114 AND 315 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (FACTA). PURSUANT TO 16 CFR 681 2

Red Flag Rules Annual Report to Mayor and Council BACKGROUND The City has developed an Identity Theft Prevention Program pursuant to the Federal Trade Commission s ( FTC ) Red Flag Rule which implements section 114 of the Fair and accurate Credit Transaction Act of 2003 (FACTA), pursuant to 16 CFR 681 2. Originally scheduled to be implemented by May 1, 2009, the implementation dates have been delayed until June 2010. However, the City is already in compliance with this rule. Under the rule the Program Administrator is required to submit an annual report to the Mayor and City Council. Boise City Resolution No. 20453 designates the City Risk Manager as the Program Administrator. This report is produced in compliance with that requirement. Definitions: Identity Theft: Fraud committed using the identifying information of another person. Identifying Information: The name, address, telephone number, driver s license number, social security number, place of employment, employee identification number, mother s maiden name, checking account number, savings account number, financial transaction card number, or personal identification code of an individual person, or any other numbers or information which can be used to access a person s financial resources. Accounts (also known as Covered Accounts"): 1. A continuing relationship with an individual through an account offered or maintained primarily for personal, family or household purposes, that involves multiple payments or transactions; and 2. Any other account the City of Boise offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the City from Identity Theft. IMPLEMENTATION ACTIVITIES During the spring of 2009, the City Attorney s Office initiated a process to begin coming into compliance with the Red Flag Rules. A resolution establishing the structure and stating the City management s commitment to compliance was developed and adopted by the City Council on March 31, 2009 as Resolution No. 20453. A copy is attached as Attachment 1. The FTC s rules require that each entity which collects information that could be used to steal an identity must establish a plan and procedures to protect that information, train staff, record suspicious activities and provide an annual report to the governing body. - 1 -

PLAN DEVELOPMENT Subsequent to the passage of Resolution No. 20453, during the summer of 2009, the Division of Financial Management developed policy (Attachment 2) and regulations (Attachments 3 and 4) to implement the resolution. These were approved in August of 2009. The resolution, policies and regulations all established specific requirements for departments to identify areas of their operations that present risk of identity theft and develop protocols to identify and prevent identity theft. The Program Administrator created a SharePoint site that contains copies of legal documents, an incident log, department identity protection plans and links to several related websites. A screenshot of the home page is shown below. TRAINING Early in 2009, the City Attorney s office met with key departments to develop the Council resolution, then, as noted, in May presented half hour basic training. Subsequently, on September 3, DFA provided two hour-long training sessions taught by Daniel Kline a Consumer Credit Examiner/Investigator with the State Department of Finance. On October 14, DFA coordinated the viewing of a 90 minute training webinar sponsored by Electric Utility Consultants, Inc. and presented by the Keller and Heckman law firm located in Washington, D.C. - 2 -

The Program Administrator has provided for ongoing individualized training, counseling and advice. The SharePoint site also contains a link to the FTC s training guides and videos and to training materials published by the Association of Idaho Cities. DEPARTMENT PROCEDURE DEVELOPMENT Departments were directed to conduct a risk assessment as to whether they conducted operations that were subject to the Red Flag Rules and then, where necessary implement their own procedures to comply. We have made the following determinations: Airport Airport completed a risk assessment and it was determined that they have little or no risk of identity theft in their operations. However, they have developed procedures for handling suspicious events if they do occur. Arts & History Arts and History completed a risk assessment and it was determined that they have no operations that are subject to Red Flag Rules. Fire Department Fire Department completed a risk assessment and it was determined that they have no operations that are subject to Red Flag Rules. Public Works Public Works completed a risk assessment and it was determined that they have several areas with significant risk of identity theft in their operations. They have developed written telephone scripts, and procedures to address the impacted areas. Housing and Community Development Housing and Community Development completed a risk assessment and it was determined that their accounts are covered accounts and they have significant risk of identity theft in their operations. They have developed specific procedures for handling suspected incidents of attempted identity theft. Library Library has performed a risk assessment and is still working on their write-up. In general, they do not keep accounts or obtain credit reports. They do keep some information to identify library card holders. That information is also available on to other members of the library consortium. The Library staff will work with the Library Consortium to put measures in place. Parks & Recreation Parks and Recreation is a cash-and-carry operation, so they do not keep accounts. - 3 -

Planning & Development Services Planning & Development Services is a cash & carry operation, so they do not keep accounts. IDENTITY THEFT LOG As required, the City has maintained an Identity Theft Log on the SharePoint site where staff can record any events that may have been attempts to steal someone s identity. Only two events have been recorded during the past year. The report is attached as Table 1. CONCLUSION The City became compliant with this regulation in November of 2009, 7 months prior to the extended compliance date of June 1, 2010. City staff has implemented a Citywide plan. Affected departments have been trained and have developed written procedures. - 4 -

Table 1 Red Flag Log Event Date Submitter Event Customer Name July 31, 2009 Kent Rock Unrecognized charge on her credit card Dara Lee Howerton Action Taken Gave her information regarding whose parking ticket was paid Notes Ms. Howerton called about an unrecognized charge against her credit card by Parking Services on June 20, 2009. The name on the ticket Justin Janzen turned out to be her grandson. She wondered where the ticket was given, but I told her that I did not have that information. I gave her the Parking Services phone number. She said she was going to confront her grandson before she spoke with Parking Services. January 9, 2010 William Nation Unusual charges on credit card from pay phone in front of library Michael? Contacted Qwest A customer contacted me today to let me know that his credit card had been charged approximately $40 after a 2 minute call made on the pay phone in front of the Library. The credit card company will investigate this as fraud after the payment is fully processed. Customer wanted the City to be aware of this suspicious charge. Qwest informs me that another company handles calling, billing, etc. related to this phone and I have not yet been able to speak to anyone at the other company, but I will attempt to reach them again tomorrow. - 5 -

Attachment 1 Identity Theft Resolution No. 20453-6 -

- 7 -

- 8 -

- 9 -

- 10 -

- 11 -

- 12 -

- 13 -

- 14 -

Attachment 2 Identity Theft Policy Number B5.01-15 -

Document Type: Policy Number: B5.01 Effective: Revised: Legal References: Section 114 and Section 315 of the Fair and Accurate Credit Transaction Act of 2003, pursuant to 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h); City of Boise R-90-09 IDENTITY THEFT PREVENTION POLICY Employees shall comply with the City of Boise s regulations and procedures designed to detect, prevent, and mitigate Identity Theft in connection with the opening and maintenance of certain accounts pursuant Section 114 (Red Flags Rule) and Section 315 (Address Discrepancy) of the Fair and Accurate Credit Transaction Act of 2003 (FACT act), pursuant to 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h) as issued by the Federal Trade Commission ( FTC ). - 16 -

Attachment 3 Address Descrepancy Regulation Number B5.01b - 17 -

Document Type: Regulation Number: B5.01b Effective: 9/01/2009 Revised: Legal Reference: I. INTRODUCTION ADDRESS DISCREPANCY REGULATION This regulation is intended to comply with the requirements of Identity Theft Rules (16 C.R.F. part 681), issued by the Federal Trade Commission (FTC) in compliance with Section 315 (Address Discrepancy Rule) of the Fair and Accurate Credit Transactions Act (FACTA), 15 U.S.C. 1681c(h). II. DEFINITIONS Consumer Report - A consumer report is defined as any report that includes information obtained from a consumer reporting agency that is used or expected to be used in establishing a consumer s eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are consumer reports. Additionally, reports used by the City with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history are defined as consumer reports. III. ADDRESS DISCREPANCY The City of Boise has a responsibility to verify address information. FACTA requires credit reporting agencies to provide a Notice of Address Discrepancy when the address on file is substantially different from the address provided by the person requesting a consumer report (or user). IV. FOLLOWING RECEIPT OF A NOTICE OF ADDRESS DISCREPANCY When the City receives a Notice of Address Discrepancy, the following procedures will be observed: The consumer report shall not be used to open an account or for any other purposes unless and until the following steps are completed: A. Follow all Red Flag detection methods specified in the City s Red Flag Regulation, including but not limited to the identity verification procedures, and compare the information obtained by following those methods with the information contained in the consumer report provided by the consumer reporting agency. B. If the information from these two sources is sufficiently consistent to support a reasonable belief that the consumer report relates to the consumer about whom the City requested the report, the report may be used and, subject to all other provisions of this regulation, the account may be opened. - 18 -

C. If the information from these two sources is not sufficiently consistent to support a reasonable belief that the consumer report relates to the consumer about whom the City requested the report, the report may not be used and the account may not be opened. The Program Administrator should be informed of this situation and should take any additional prevention or mitigation responses as may be appropriate under this regulation. V. FURNISHING CORRECT ADDRESS TO A CONSUMER REPORTING AGENCY Once the City verifies a customer s identity, the results may be reported back to the consumer reporting agency that issued the Notice of Address Discrepancy to the City. However, this additional step is required only if all of the following conditions are met: A. The City regularly and in the ordinary course of business furnishes information to the consumer reporting agency (primarily credit experience information). B. The City can form a reasonable belief that the consumer report relates to the consumer about whom the City requested the report. C. The City establishes a continuing relationship with the consumer. D. The City reasonably confirms a correct address for the consumer by one of the following means: 1. Verifying the address with the consumer about whom it has requested the report. 2. Reviewing its own records to verify the address of the consumer. 3. Verifying the address through third-party sources. 4. Using other reasonable means. The City will provide the reasonably confirmed consumer address to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which the City establishes a relationship with the consumer-that is, the period within which the account is opened. 19

Attachment 4 Red Flag Regulation Number B5.01c 20

Document Type: Regulation Number: B5.01c Effective: 9/01/2009 Revised: Legal Reference: I. INTRODUCTION RED FLAG REGULATION This regulation is intended to comply with the requirements of Identity Theft Rules (16 C.R.F. part 681) issued by Federal Trade Commission (FTC) in compliance with Section 114 (Red Flags Rule) of the Fair and Accurate Credit Transactions Act (FACTA), 15 U.S.C. 1681m(e). II. DEFINITIONS A. Account - Any extension of credit to a consumer (i.e. for personal, family, or household purposes) or business to obtain a product or service, except those extensions of credit not involving a continuing relationship. An example of a transaction that would not constitute an account under the regulation because it lacks a continuing relationship would be the acceptance of a check for a simple purchase. However, the Red Flags Rule applies to the opening of an account as well as account maintenance, so an account may exist in situations where the City extends credit but assigns the credit contract to a third party, such as housing loans. B. Consumer Report - A consumer report is defined as any report that includes information obtained from a consumer reporting agency that is used or expected to be used in establishing a consumer s eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are consumer reports. Additionally, reports used by the City with information relating to employment background, check-writing history, insurance claims, residential or tenant history, or medical history are defined as consumer reports. C. Covered Account An account (1) that the City offers or maintains primarily for personal, family, or household purposes, and that involves or is designed to permit multiple payments or transactions, such as utility accounts; and (2) any other account that the City offers or maintains for which there is a reasonably foreseeable risk from identity theft. D. Customer - A person or entity that has a "covered account" with the City of Boise. E. Fraud Alert/Active Duty Alert - A statement in the file of a consumer that (1) notifies all prospective users of a consumer report that the consumer may be a victim of fraud, including identity theft, or is an active duty military consumer, as applicable; and (2) is presented in a manner that facilitates a clear and conspicuous view of the statement by any person requesting such consumer report. F. Identity Theft - A fraud committed or attempted using the identifying information of another person without authority. The FTC defines the term "identifying information" to mean "any name or number that may be used, 21

alone or in conjunction with any other information, to identify a specific person, including: 1. Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number 2. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation 3. Unique electronic identification number, address, or routing code 4. Telecommunication identifying information or access device. In addition, under the FTC's regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of "identity theft" because such a fraud involves "using the identifying information of another person without authority." G. Program Administrator - The City's Identity Theft Prevention Program will be overseen by a Program Administrator. The Program Administrator shall be the Risk Manager or his/her designee. The Program Administrator has the authority and responsibility to oversee and manage the development, implementation, and administration of the City s Identity Theft Prevention Program. Specifically, the Program Administrator will be responsible for ensuring appropriate training of City staff on the Program, reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, reviewing and, if necessary, approving changes to the Program. H. Red Flag - A pattern, practice, or specific activity that indicates the possible existence of Identity Theft. I. Red Flag Log - A report format to be used by City employees to document all necessary details related to possible identity theft occurrences including management s response. J. Service Provider - Any person or entity (1) that provides a service directly to the City or (2) that maintains, processes, or otherwise is permitted access to customer or consumer information through the provision of services directly to the City. III. RISK ASSESSMENT Each department will conduct a risk assessment of its accounts and, at a minimum, will take the following factors into consideration: A. The type of accounts it offers or maintains. B. The methods it employs to open its accounts. C. The methods it employs to access its accounts. D. The department s previous experiences with identity theft. Departments are to report those types of accounts that would be classified as covered accounts to the Program Administrator based on a risk assessment and review of activities with respect to its accounts, subject to revision on periodic review and updating. All covered accounts are subject to the Red 22

IV. COVERED ACCOUNTS Based on a preliminary risk assessment of the City s activities with respect to its accounts, the City offers or maintains the following types of covered accounts: A. Personal and business utility accounts B. Personal housing loans C. Personal and business sewer connection loans D. Personal and business lease contracts E. Other qualifying personal or business accounts maintained by the City for the purchase of a product or service whereby there is an installment payment arrangement or risk of identity theft. V. RELEVANT RED FLAGS The following are identified as Red Flags, which are potential indicators of fraud and should be investigated for verification: A. Alerts, Notifications, or Warnings from a Consumer Reporting Agency: 1. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy. 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a creditor. B. Suspicious Documents: 1. Documents provided for identification appear to have been altered or forged. 23

2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. 3. Other information on the identification is not consistent with information provided by the person opening a new covered account or the customer presenting the identification. 4. Other information on the identification is not consistent with readily accessible information that is on file with the City, such as a signature on an application, contract, or a recent check. 5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled. C. Suspicious Personal Identifying Information: 1. Personal identifying information provided is inconsistent when compared against external information sources used by the City. For example: (a) the address does not match any address in the consumer report; or (b) the Social Security Number (SSN) has not been issued or is listed on the Social Security Administration's Death Master File. 2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. 3. Personal identifying information provided is commonly associated with known fraudulent activity as indicated in alerts or warnings from a credit reporting agency. For example: (a) the address on an application is fictitious, a mail drop, or a prison; or (b) the phone number is invalid or is associated with a pager or answering service. 4. The SSN provided is the same as that submitted by other persons opening an account or other customers. 5. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers. 6. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete. 7. Personal identifying information provided is not consistent with personal identifying information that is on file with the City. 8. If the City uses challenge questions for certain covered accounts, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. D. Unusual Use of, or Suspicious Activity Related to, the Covered Account: 1. Shortly following the notice of a change of address for a covered account, the City receives a request for a new or additional account, or for the addition of authorized users on the account. 2. A new covered account is used in a manner commonly associated with known patterns of fraud. For example: (a) the majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or (b) the customer fails to make the first payment or makes an initial payment but no subsequent payments. 3. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; or c. A material change in purchasing or spending patterns.

4. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage, and other relevant factors). 5. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account. 6. The City is notified that the customer is not receiving paper account statements. 7. The City is notified of unauthorized charges or transactions in connection with a customer's covered account. E. The City is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. VI. METHODS FOR DETECTION OF RELEVANT RED FLAGS The City will employ the following methods to verify the identity of persons opening a covered account and to detect any Red Flags incorporated in this regulation. A. In-Person Methods for Identification Verification and Detection of Red Flags Before opening the account, obtain, inspect, and photocopy the consumer s current driver s license or other government-issued photo identification. For a business entity customer, obtain, inspect, and photocopy the business representative s current driver s license or other government-issued photo identification, documents indicating his/her relationship to the business as its representative, as well as documents showing the existence of the business entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument. 1. Review the identification documents for signs of alteration or forgery, using available information on forgery detection, if any, supplied by the agency that issued the identification document(s). 2. Compare the photo and physical appearance information on the identification with the consumer s in-person appearance. 3. Obtain the customer s signed credit application, registration, or other application form, if applicable, that includes at a minimum: a. the customer s name b. date of birth (or of formation if a legal entity) c. residential or business street address (or principal place of business if a legal entity) d. Social Security number, Taxpayer Identification Number, or driver s license number. e. Review the credit application, registration, or other application form for signs of alteration or forgery. f. Review the information on the credit application, registration, or other application form for completeness. 4. If applicable to the type of covered account and degree of credit risk, obtain a consumer report. 2

1. Check for any fraud or active duty alerts. 2. Be alert for any notice of a credit freeze from the credit reporting agency. 3. Check for a notice from the credit reporting agency of an address discrepancy. 4. Review the report for activity inconsistent with the history and usual pattern activity of City customers generally. 5. Review the address and other information on the credit application, registration, or other application form for consistency with information provided in the consumer report. 6. Review any alerts or notifications of unusual activity, conditions, or events issued by the credit reporting agency or otherwise provided with the consumer report. 5. Verify through a source other than the representative himself or herself (such as by contacting the business customer s office) that the business representative appearing has authority to act on behalf of the business customer. B. Telephone Methods for Identification Verification and Detection of Red Flags 1. Before opening an account, obtain at a minimum: a. the name of the customer or the business customer s representative, which should be the person on the telephone requesting the new account b. date of birth (or of formation if a legal entity) c. residential or business street address (or principal place of business if a legal entity) d. Social Security number, Taxpayer Identification Number, or driver s license number e. For a business customer, identifying information for a legal entity such as date of certified articles of incorporation, a government-issued business license number, date of a partnership agreement, or date of a trust instrument. In-person verification for business customers is the preferred method and least time-consuming. 2. Obtain a credit report, a driver s license inquiry, or some other source to verify the information provided by the customer. a. Review the address and other information, such as the date of birth, on the consumer report for consistency with information provided by the customer. b. Check for any fraud or active duty alerts. c. Be alert for any notice of a credit freeze from the credit reporting agency. d. Check for a notice from the credit reporting agency of an address discrepancy. e. Review the report for activity inconsistent with the history and usual pattern activity of City customers generally. f. Review any alerts or notifications of unusual activity, conditions, or events issued by the credit reporting agency or otherwise provided with the consumer report. g. The information obtained for a business entity should then be compared to the information on the service agreement or other contractual agreement. 3

3. Verify through a source other than the representative himself or herself (such as by contacting the business customer s office) that the caller of a business customer has authority to act on behalf of that business customer. V. CITY RESPONSES WHEN RELEVANT RED FLAGS ARE DETECTED The City will respond appropriately to relevant Red Flags that are detected in a manner intended to prevent or mitigate identity theft, commensurate with the degree of risk posed. In determining an appropriate response, the City will consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records with the City or a third party. Appropriate responses by the City may include: A. Not opening a new account. B. Not attempting to collect on an account or not selling an account to a debt collector. C. Notifying law enforcement. D. Monitoring an ongoing account for unusual activity that may be evidence of identity theft. E. Contacting the customer. F. Changing any passwords, security codes, or other security devices that permit access to an account. G. Reopening an account with a new account number. H. Closing an existing account. I. Determining that no response is warranted under the particular circumstances. Determining the appropriate response in any particular situation involves considering several factors. Therefore, in cases where the general and specific response procedures set forth below result in the conclusion that there is reasonable basis to believe identity theft may be involved, the Program Administrator and appropriate City manager shall work cooperatively to determine the appropriate response. 1. General Response Procedures when a Red Flag is Detected: The purpose of this general response procedure is to allow detected Red Flags to be cleared, where appropriate, by City employees involved in the opening of covered accounts. If a City employee engaged in opening an account for a customer detects one or more Red Flags, the employee shall notify his or her manager and, before continuing to open the account, shall do the following: a. Conduct a reasonable investigation concerning the Red Flag(s) detected, including obtaining additional information from the customer and third-party sources; and, b. Determine whether the Red Flag(s) detected or other circumstances require a specific response under the section below entitled "Specific Response Procedures to Certain Detected Red Flags." c. Record all relevant information in the Red Flag Log of potential identity theft attempts and notify appropriate management in accordance with department notification procedures. The account shall not be opened unless the manager determines that (a) the investigation adequately assessed the risk presented; (b) all specific response requirements, if any, have been fully and properly completed; and (c) there is no 4

reasonable basis to believe that identity theft is involved. If this determination is not made, the manager shall advise the Program Administrator of all of the circumstances and will work with the Program Administrator to identify and undertake any other appropriate response consistent with applicable law and the regulation of the City set forth at the beginning of Section VII, titled City Responses When Relevant Red Flags are Detected. In addition, if the City learns before assigning an account to a financial institution, if applicable, that the account resulted from identity theft, the City will refrain from assigning that account and the Program Administrator shall work with the appropriate City manager to properly respond. 2. Specific Response Procedures to Certain Detected Red Flags: Detection of the following Red Flags requires the specific response procedures to be followed as indicated below: Fraud or Active Duty Alerts If a fraud or active duty alert appears on a consumer report, Section 605A of the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681cl(h), requires a creditor to take certain steps before extending credit, increasing a credit limit, or adding authorized users to the existing credit account. To comply with this law and to minimize the potential for identity theft, do not open the account until and unless the following verification procedures are completed: a. Contact the consumer using the telephone number or other means of contact stated in the alert, if any, and obtain authorization to proceed with opening the account. b. Take all other appropriate reasonable steps to verify the consumer's identity and to confirm that the application to open the account was not the result of identity theft. c. Obtain governmental photo identification and verify identity using the identification verification requirements described above in this regulation. d. Prepare and sign a written acknowledgment specifying that verification procedures have been completed and detailing how each of the above steps was completed. e. Submit the written and signed acknowledgment to the Program Administrator to be retained in a centralized file. 3. Credit Freeze - Do not open the account unless the consumer causes the freeze to be lifted and a credit report is obtained. Verify the consumer's identity and confirm that the application to open the account was not the result of identity theft using the identification verification requirements described above in this regulation. 4. Suspicious Documents Suspicious documents include documents provided for identification that appear to have been altered or forged, or the photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. Do not open the account until the customer provides a reasonable and verified explanation that is not indicative of identity theft or forgery to explain why the documents appear to be altered or forged. Also, the customer must provide at least one additional non-forged/non-altered form of government-issued photo identification and at least one other non-forged/non-altered form of identification. 5. Co-owners If a co-customer or co-lessee is included on the account but is not present to sign the contract or lease; do not open the account until identification has been verified. Advise the customer who is present that all paperwork, credit report, and identification procedures used by the City apply to all transactions and to each of 5

VIII. TRAINING them individually. Do not open a joint account if either of the customers directly or indirectly avoids compliance with the identification requirements. The Program Administrator is responsible to ensure that all relevant personnel receive training to effectively implement this regulation and the City s Identity Theft Prevention Program. At a minimum, the training will include the following: A. Ensuring availability of this regulation, the program, or relevant provisions to all employees who have duties that may involve the opening of covered accounts or requesting or using consumer reports. B. Requiring each relevant employee to sign a written acknowledgment of his or her understanding of and agreement to abide by the regulations and program. C. Training of all new employees who have duties that may involve the opening of covered accounts or requesting or using consumer reports. D. Requiring training of all employees who have duties that may involve the opening of covered accounts or requesting or using consumer reports on a recurring, periodic basis (at least once each year) or as otherwise determined by the Program Administrator to be necessary to reflect changes to the regulations and program. At a minimum, such training program shall include the pertinent requirements of the Red Flags and Address Discrepancy Rules, the Red Flag regulation, the policies and procedures set forth in the City s Identity Theft Prevention Program, as updated from time to time, and the importance placed by the City on compliance with the program and the prevention and mitigation of identity theft. IX. OVERSEEING SERVICE PROVIDERS The Program Administrator is responsible for exercising appropriate and effective oversight of service provider arrangements/agreements regarding the detection, prevention, and mitigation of identity theft. A service provider means a person or entity that provides a service directly to the City in connection with one or more covered accounts, such as Allied Waste Services. All service providers to the City that perform activities in connection with covered accounts, if any, must conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft even for a person who is not yet, and may not become, a "customer." Specifically, the City will, by contract, require its service providers that perform activities in connection with one or more of the City's covered accounts to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities and to take appropriate steps to prevent or mitigate identity theft. Additionally, by contract, the service providers are required to review the City s program and Red Flags regulation and report any Red Flags to the Program Administrator. X. REPORTS AND UPDATES A. Reports: The Program Administrator and other staff responsible for the development, implementation, and administration of the City s Identity Theft Prevention 6

Program shall report to the Mayor and City Council at least annually, on the City s compliance with the Red Flags Rule and its program. The report shall address material matters related to the program and evaluate all material issues arising in connection with the program since its inception or the most recent prior report. In any event, the following issues shall be addressed in each report: 1. The effectiveness of the policy, regulations, and procedures of the City in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, if and when applicable. 2. Service provider arrangements. 3. Significant incidents involving identity theft and management's response. 4. A summary of entries in the Red Flag Log. 5. Recommendations for material changes to the program. B. Periodic Updates The Program Administrator is responsible for ensuring that the program is updated periodically. In addition to regular updates, the Program Administrator may direct that a program update or modification takes place at any time, based on the existence of appropriate circumstances, such as regulatory guidance being issued, experience with identity theft, or new methods of identity theft being discovered. Prior to the regular periodic update, the following shall be completed as part of this regulation and the City s program: 1. An updated Risk Assessment. 2. An updated Identification of Covered Accounts. 3. An updated Identification of Relevant Red Flags. 4. Any necessary changes to the City's Red Flags detection and response procedures. All relevant information learned since the inception or prior update of the program will be considered in performing the update, including, without limitation, the following: 1. The experiences of the City with identity theft. 2. Changes in methods of identity theft. 3. Changes in methods to detect, prevent, and mitigate identity theft. 4. Changes in the types of accounts that the City offers or maintains. 5. Changes in the business arrangements of the City. Material changes to the program must be approved by the Mayor and City Council upon recommendations from the Program Administrator. XI. CONSEQUENCE FOR NONCOMPLIANCE FACTA states that if the City s action or inaction results in the loss of employee or customer information, then the City can be fined by the federal and state governments, as well as sued in civil court by the individual whose information was stolen. Therefore, failure to comply with the City s Identity Theft Prevention Program and the Red Flag regulation may result in employee disciplinary action up to and including termination of employment with the City. 7