The URL can be used to link to this page

Home My WebLink AboutRESOLUTION 14-090RESOLUTION#14-09ARESOLUTIONADOPTINGANIDENTITYTHEFTPREVENTIONPROGRAMFORTHETOWNOFESTESPARK,COLORADOWHEREAS,pursuanttoSection114oftheFairandAccurateCreditTransactionsActof2003(“FACTAct”)andSection615(e)oftheFairCreditReportingAct(“FCRA”),theFederalTradeCommissionadoptedrules,setforthin16C.F.R.Part681,requiringfinancialinstitutionsandcreditorstoestablishanidentitytheftpreventionprogramdesignedtodetect,prevent,andmitigateidentitytheftinconnectionwiththeopeningandmanagingofcoveredaccounts(the“RedFlagRules”);andWHEREAS,theTownofEstesParkmustcomplywiththeRedFlagRulesbecauseit:(i)providesutilityservicestocustomersbeforebillingthemandisthereforea“creditor,”definedundertheRedFlagRulesasanentitythatregularlyextends,renews,orcontinuescredit;and(ii)offersutilityaccounts,whichare“coveredaccounts”forpurposesoftheRedFlagRules;andWHEREAS,theBoardofTrusteesoftheTownofEstesParkdesirestoestablishanidentitytheftpreventionprogramincompliancewiththeRedFlagRules.NOW,THEREFORE,BEITRESOLVEDBYTHEBOARDOFTRUSTEESOFTHETOWNOFESTESPARK,COLORADOASFOLLOWS:1.ThattheTownofEstesPark’sRedFlagPolicyandIdentityTheftPreventionProgram,attachedheretoasExhibitAandincorporatedhereinbyreference,isherebyadopted.Adoptedthis28thdayofJuly,2009.AHEST:Qc_Tow&9lerkMayor 00 0CRedFlagPolicyandIdentityTheftPreventionProgram(AdoptedpursuanttoResolutionoftheBoardofTrusteesoftheTownofEstesParkonJuly28,2009)PurposeToestablishanIdentityTheftPreventionPolicydesignedtodetect,preventandmitigateidentitytheftinconnectionwiththeopeningofacoveredaccountoranexistingcoveredaccountandtoprovideforcontinuedadministrationofthePolicyincompliancewithPart681ofTitle16oftheCodeofFederalRegulationsimplementingSections114and315oftheFairandAccurateCreditTransactionsAct(FACTA)of2003.Definitions1.TownmeanstheTownofEstesPark.2.CoveredAccountmeans:a.Anaccountthatafinancialinstitutionorcreditoroffersormaintains,primarilyforpersonal,family.orhouseholdpurposes,thatinvolvesorisdesignedtopermitmultiplepaymentsortransactions,suchasacreditcardaccount,mortgageloan,automobileloan,marginaccount,cellphoneaccount,utilityaccount,checkingaccount,orsavingsaccount:andb.Anyotheraccountthatthefinancialinstitutionorcreditoroffersormaintainsforwhichthereisareasonablyforeseeablerisktocustomersortothesafetyandsoundnessofthefinancialinstitutionorcreditorfromidentitytheft,includingfinancial,operational,compliance,reputation,orlitigationrisks.3.Creditmeanstherightgrantedbyacreditortoadebtortodeferpaymentofdebtortoincurdebtsanddeferitspaymentortopurchasepropertyorservicesanddeferpaymenttherefore.4.Creditormeansanypersonwhoregularlyextends,renews,orcontinuescredit:anypersonwhoregularlyarrangesfortheextension,renewal,orcontinuationofcredit;oranyassigneeofanoriginalcreditorwhoparticipatesinthedecisiontoextend,renew,orcontinuecreditandincludesutilitycompaniesandtelecommunicationscompanies.5.Customermeansapersonthathasacoveredaccountwithacreditor.6.Identitytheftmeansafraudcommittedorattemptedusingidentifyinginformationofanotherpersonwithoutauthority.7.Noticeofaddressdiscrepancymeansanoticesenttoauserbyaconsumerreportingagencypursuantto15U.S.C.§168l(c)(h)(l),thatinformstheuserofasubstantialdifferencebetweentheaddressfortheconsumerthattheuserprovidedtorequesttheconsumerreportandtheaddress(es)intheagency’sfilefortheconsumer. 00 008.Personmeansanaturalperson,acorporation,governmentorgovernmentalsubdivisionoragency,trust,estate,partnership,cooperative,orassociation.9.PersonalIdentifyingInformationmeansaperson’screditcardaccountinformation,debitcardinformation,bankaccountinformationanddrivers’licenseinformationandforanaturalpersonincludestheirsocialsecuritynumberanddateofbirth.10.Redflagmeansapattern,practice,orspecificactivitythatindicatesthepossibleexistenceofidentitytheft.II.ServiceprovidermeansapersonthatprovidesaservicedirectlytotheTown.FindingsLTheTownisacreditorpursuantto16CFR§681.2duetoitsprovisionformaintenanceofcoveredaccountsforwhichpaymentismadeinarrears.2.CoveredaccountsofferedtocustomersfortheprovisionofTownservicesincludeutilityaccounts,Museum,CVBandtheFairgrounds.3.Theprocessofopeninganewcoveredaccountandmakingpaymentsonsuchaccountshavebeenidentifiedaspotentialprocessesinwhichidentitytheftcouldoccur.4.TheTownlimitsaccesstopersonalidentifyinginformationtothoseemployeesresponsiblefororotherwiseinvolvedinopeningcoveredaccountsoracceptingpaymentforuseofcoveredaccounts.InformationprovidedtosuchemployeesisentereddirectlyintotheTown’scomputersystemandisnototherwiserecorded.5.TheTowndeterminesthatthereisalowriskofidentitytheftoccurringinthefollowingways:a.Usebyanapplicantofanotherperson’spersonalidentifyinginformationtoestablishanewcoveredaccount;andb.Useofanotherperson’screditcard,bankaccount,orothermethodofpaymentbyacustomertopaysuchcustomer’scoveredaccountoraccounts.ProcessofEstablishingaCoveredAccountAsapreconditiontoopeningacoveredaccountintheTown,eachapplicantshallprovidetheTownwithavalidgovernmentissuedidentificationcardcontainingaphotographoftheapplicant.Theidentificationnumberonthecardshallberecordedontheapplicationforservice.AccesstoCoveredAccountInformationI.AccesstocustomeraccountsshallbepasswordprotectedandshallbelimitedtoauthorizedTownpersonnel.2 00 002.AnyunauthorizedaccesstoorotherbreachofcustomeraccountsistobereportedimmediatelytotheAccountingManagerandthepasswordchangedimmediately.3.PersonalidentifyinginformationincludedincustomeraccountsisconsideredconfidentialandanyrequestordemandforsuchinformationshallbeimmediatelyfonvardedtotheAccountingManager.CreditCardPaymentsI.IntheeventthatcreditcardpaymentsthataremadeovertheInternetareprocessedthroughathirdpartyserviceprovider,suchthirdpartyserviceprovidershallcertifythatithasanadequateidentitytheftpreventionprograminplacethatisapplicabletosuchpayments.2.Allcreditcardpaymentsmadeshallbeentereddirectlyintothecustomer’saccountinformationinthecomputerdatabase.3.Accountstatementsandreceiptsforcoveredaccountsshallincludeonlythelastfourdigitsofthecreditordebitcardorthebankaccountusedforpaymentofthecoveredaccount.SourcesandTypesofRedFlagsAllemployeesresponsiblefororinvolvedintheprocessofopeningacoveredaccountoracceptingpaymentforacoveredaccountshallcheckforredflagsasindicatorsofpossibleidentitytheftandsuchredflagsmayinclude:I.Alertsfromconsumerreportingagencies,frauddetectionagenciesorserviceproviders.Examplesofalertsincludebutarenotlimitedto:a.Afraudoractivedutyalertthatisincludedwithaconsumerreport;b.Anoticeofcreditfreezeinresponsetoarequestforaconsumerreport:c.Anoticeofaddressdiscrepancyprovidedbyaconsumerreportingagency;d.Indicationsofapatternofactivityinaconsumerreportthatisinconsistentwiththehistoryandusualpatternofactivityofanapplicantorcustomer,suchas:i.Arecentandsignificantincreaseinthevolumeofinquiries;ii.Anunusualnumberofrecentlyestablishedcreditrelationships;iii.Amaterialchangeintheuseofcredit,especiallywithrespecttorecentlyestablishedcreditrelationships:oriv.Anaccountthatwasclosedforcauseoridentifiedforabuseofaccountprivilegesbyafinancialinstitutionorcreditor.2.Suspiciousdocuments.Examplesofsuspiciousdocumentsinclude:a.Documentsprovidedforidentificationthatappeartobealteredorforged;3 00 00b.Identificationonwhichthephotographorphysicaldescriptionisinconsistentwiththeappearanceoftheapplicantorcustomer;c.Identificationonwhichtheinformationisinconsistentwithinformationprovidedbytheapplicantorcustomer;d.Identificationonwhichtheinformationisinconsistentwithreadilyaccessibleinformationthatisonfilewiththecreditor,suchastheapplicationforservice;ore.Anapplicationthatappearstohavebeenalteredorforged,orappearstohavebeendestroyedandreassembled.3.Suspiciouspersonalidentification,suchassuspiciousaddresschange.Examplesofsuspiciousidentifyinginformationinclude:a.Personalidentifyinginformationthatisinconsistentwithexternalinformationsourcesusedbythefinancialinstitutionorcreditor.Forexample:i.Theaddressdoesnotmatchanyaddressintheconsumerreport;orii.TheSocialSecurityNumber(SSN)hasnotbeenissued,orislistedontheSocialSecurityAdministration’sDeathMasterFile.b.Personalidentifyinginformationprovidedbythecustomerisnotconsistentwithotherpersonalidentifyinginformationprovidedbythecustomer,suchasalackofcorrelationbetweentheSSNrangeanddateofbirth.c.Personalidentifyinginformationoraphonenumberoraddress,isassociatedwithknownfraudulentapplicationsoractivitiesasindicatedbyinternalorthird-partysourcesusedbythefinancialinstitutionorcreditor.d.Otherinformationprovided,suchasfictitiousmailingaddress,maildropaddresses,jailaddresses,invalidphonenumbers,pagernumbersoransweringservices,isassociatedwithfraudulentactivity.e.TheSSNprovidedisthesameasthatsubmittedbyotherapplicantsorcustomers.f.Theaddressortelephonenumberprovidedisthesameasorsimilartotheaccountnumberortelephonenumbersubmittedbyanunusuallylargenumberofapplicantsorcustomers.g.Theapplicantorcustomerfailstoprovideallrequiredpersonalidentifyinginformationonanapplicationorinresponsetonotificationthattheapplicationisincomplete.h.Personalidentifyinginformationisnotconsistentwithpersonalidentifyinginformationthatisonfilewiththefinancialinstitutionorcreditor.i.Theapplicantorcustomercannotprovideauthenticatinginformationbeyondthatwhichgenerallywouldbeavailablefromawalletorconsumerreport.4.Unusualuseoforsuspiciousactivityrelatingtoacoveredaccount.Examplesofsuspiciousactivityinclude:a.Shortlyfollowingthenoticeofachangeofaddressforanaccount,Townreceivesarequestfortheadditionofauthorizedusersontheaccount.4 00 00b.Anewrevolvingcreditaccountisusedinamannercommonlyassociatedwithknownpatternsoffraudpatterns.Forexample:i.Thecustomerfailstomakethefirstpaymentormakesaninitialpaymentbutnosubsequentpayments.c.Anaccountisusedinamannerthatisnotconsistentwithestablishedpatternsofactivityontheaccount.Thereis,forexample:i.Nonpaymentwhenthereisnohistoryoflateormissedpayments;ii.Amaterialchangeinpurchasingorspendingpatterns;d.Anaccountthathasbeeninactiveforalongperiodoftimeisused(takingintoconsiderationthetypeofaccount,theexpectedpatternofusageandotherrelevantfactors).e.Mailsenttothecustomerisreturnedrepeatedlyasundeliverablealthoughtransactionscontinuetobeconductedinconnectionwiththecustomer’saccount.f.TheTownisnotifiedthatthecustomerisnotreceivingpaperaccountstatements.g.TheTownisnotifiedofunauthorizedchargesortransactionsinconnectionwithacustomer’saccount.h.TheTownisnotifiedbyacustomer,lawenforcementoranotherpersonthatithasopenedafraudulentaccountforapersonengagedinidentitytheft.5.Noticefromcustomers,lawenforcement,victimsorotherreliablesourcesregardingpossibleidentitytheftorphishingrelatingtocoveredaccounts.PreventionandMitigationofIdentityTheftI.IntheeventthatanyTownemployeeresponsiblefororinvolvedinrestoringanexistingcoveredaccountoracceptingpaymentforacoveredaccountbecomesawareofredflagsindicatingpossibleidentitytheftwithrespecttoexistingcoveredaccounts,suchempLoyeeshallusehisorherdiscretiontodeterminewhethersuchredflagorcombinationofredflagssuggestsathreatofidentitytheft.If,inhisorherdiscretion,suchemployeedeterminesthatidentitytheftorattemptedidentitytheftislikelyorprobable,suchemployeeshallimmediatelyreportsuchredflagstotheAccountingManager.If,inhisorherdiscretion,suchemployeedeemsthatidentitytheftisunlikelyorthatreliableinformationisavailabletoreconcileredflags,theemployeeshallconveythisinformationtotheAccountingManager,whomayinhisorherdiscretiondeterninethatnofurtheractionisnecessary.IftheAccountingManagerinhisorherdiscretiondeterminesthatfurtheractionisnecessary,aTownemployeeshallperformoneormoreofthefollowingresponses,asdeterminedtobeappropriatebytheAccountingManager:a.Contactthecustomer;b.Makethefollowingchangestotheaccountif,aftercontactingthecustomer,itisapparentthatsomeoneotherthanthecustomerhasaccessedthecustomer’scoveredaccount:5 00 00i.changeanyaccountnumbers,passwords,securitycodes,orothersecuritydevicesthatpermitaccesstoanaccount;orii.closetheaccount;e.Ceaseattemptstocollectadditionalchargesfromthecustomeranddeclinetosellthecustomer’saccounttoadebtcollectorintheeventthatthecustomer’saccounthasbeenaccessedwithoutauthorizationandsuchaccesshascausedadditionalchargestoaccrue;d.Notifyadebtcollectorwithin24hoursofthediscoveryoflikelyorprobableidentitytheftrelatingtoacustomeraccountthathasbeensoldtosuchdebtcollectorintheeventthatacustomer’saccounthasbeensoldtoadebtcollectorpriortothediscoveryofthelikelihoodorprobabilityofidentitytheftrelatingtosuchaccount:e.Notifylawenforcement,intheeventthatsomeoneotherthanthecustomerhasaccessedthecustomer’saccountcausingadditionalchargestoaccrueoraccessingpersonalidentifyinginformation;orf.Takeotherappropriateactiontopreventormitigateidentitytheft.2.IntheeventthatanyTownemployeeresponsiblefororinvolvedinopeninganewcoveredaccountbecomesawareofredflagsindicatingpossibleidentitytheftwithrespecttoanapplicationforanewaccount,suchemployeeshallusehisorherdiscretiontodeterminewhethersuchredflagorcombinationofredflagssuggestsathreatofidentitytheft.If,inhisorherdiscretion,suchemployeedeterminesthatidentitytheftorattemptedidentitytheftislikelyorprobable,suchemployeeshallimmediatelyreportsuchredflagstotheAccountingManager.If,inhisorherdiscretion,suchemployeedeemsthatidentitytheftisunlikelyorthatreliableinformationisavailabletoreconcileredflags,theemployeeshallconveythisinformationtotheAccountingManager,whomayinhisorherdiscretiondeterminethatnofurtheractionisnecessary.IftheAccountingManagerinhisorherdiscretiondeterminesthatfurtheractionisnecessary,aTownemployeeshallperformoneormoreofthefollowingresponses,asdeterminedtobeappropriatebytheAccountingManager:a.Requestadditionalidentifyinginformationfromtheapplicant;b.Denytheapplicationforthenewaccount;c.Notifylawenforcementofpossibleidentitytheft;ord.Takeotherappropriateactiontopreventormitigateidentitytheft.UpdatingthePolicyTheAccountingManagershallannuallyreviewand,asdeemednecessarybytheAccountingManager,updatetheIdentityTheftPreventionPolicyalongwithanyrelevantredflagsinordertoreflectchangesinriskstocustomersortothesafetyandsoundnessoftheTownanditscoveredaccountsfromidentitytheft.Insodoing,theAccountingManagershallconsiderthefollowingfactorsandexerciseitsdiscretioninamendingtheprogram:6 00 001.TheTown’sexperienceswithidentitytheft:2.Updatesinmethodsofidentitytheft:3.Updatesincustomarymethodsusedtodetect,prevent,andmitigateidentitytheft:4.UpdatesinthetypesofaccountsthattheTownoffersormaintains;and5.Updatesinserviceproviderarrangements.ProgramAdministrationTheAccountingManagerisresponsibleforoversightoftheprogramandforprogramimplementation.TheFinanceDirectorisresponsibleforreviewingreportspreparedbystaffregardingcompliancewithredflagrequirementsandwithrecommendingmaterialchangestotheprogram,asnecessaryintheopinionoftheFinanceDirector,toaddresschangingidentitytheftrisksandtoidentifynewordiscontinuedtypesofcoveredaccounts.AnyrecommendedmaterialchangestotheprogramshallbesubmittedtotheTownCouncilforconsideration.I.TheAccountingManagerwillreporttotheFinanceDirectoratleastannually,oncompliancewiththeredflagrequirements.Thereportwilladdressmaterialmattersrelatedtotheprogramandevaluateissuessuchas:a.TheeffectivenessofthepoliciesandproceduresoftheTowninaddressingtheriskofidentitytheftinconnectionwiththeopeningofcoveredaccountsandwithrespecttoexistingcoveredaccounts;b.Serviceproviderarrangements:c.Significantincidentsinvolvingidentitytheftandmanagement’sresponse;andd.RecommendationsformaterialchangestothePolicy.2.TheAccountingManagerisresponsibleforprovidingtrainingtoallemployeesresponsiblefororinvolvedinopeninganewcoveredaccountoracceptingpaymentforacoveredaccountwithrespecttotheimplementationandrequirementsoftheIdentityTheftPreventionProgram.TheAccountingManagershallexercisehisorherdiscretionindeterminingtheamountandsubstanceoftrainingnecessary.OutsideServiceProvidersIntheeventthattheTownengagesaserviceprovidertoperformanactivityinconnectionwithoneormorecoveredaccountstheAccountingManagershallexerciselusorherdiscretioninreviewingsucharrangementsinordertoensure,tothebestofhisorherability,thattheserviceprovider’sactivitiesareconductedinaccordancewithpoliciesandprocedures,agreeduponbycontract,thataredesignedtodetectanyredflagsthatmayariseintheperformanceoftheserviceprovider’sactivitiesandtakeappropriatestepstopreventormitigateidentitytheft.TreatmentofAddressDiscrepanciesPursuantto16CFR§681.!,thisestablishesaprocessbywhichtheTownwillbeabletoformareasonablebeliefthataconsumerreportrelatestotheconsumeraboutwhomithasrequestedaconsumercreditreportwhentheTownhasreceivedanoticeofaddressdiscrepancy.Intheevent7 00 00thattheTownreceivesanoticeofaddressdiscrepancy,theTownemployeeresponsibleforverifyingconsumeraddressesforthepurposeofprovidingthemunicipalserviceoraccountsoughtbytheconsumershallperformoneormoreofthefollowingactivities,asdeterminedtobeappropriatebysuchemployee:1.Comparetheinformationintheconsumerreportwith:a.InformationtheTownobtainsandusestoverifyaconsumer’sidentityinaccordancewiththerequirementsoftheCustomerInformationProgramrulesimplementing31U.S.C.§5318W;b.InformationtheTownmaintainsinitsownrecords,suchasapplicationsforservice,changeofaddressnotices,othercustomeraccountrecordsortaxrecords:orc.InformationtheTownobtainsfromthird-partysourcesthataredeemedreliablebytherelevantTownemployee;or2.Verifytheinformationintheconsumerreportwiththeconsumer.FurnishingConsumer’sAddresstoConsumerReportingAgency1.IntheeventthattheTownreasonablyconfirmsthatanaddressprovidedbyaconsumertotheTownisaccurate,theTownisrequiredtoprovidesuchaddresstotheconsumerreportingagencyfromwhichtheTownreceivedanoticeofaddressdiscrepancywithrespecttosuchconsumer.Thisinformationisrequiredtobeprovidedtotheconsumerreportingagencywhen:a.TheTownisabletoformareasonablebeliefthattheconsumerreportrelatestotheconsumeraboutwhomtheTownrequestedthereport;b.TheTownestablishesacontinuingrelationwiththeconsumer;andc.TheTownregularlyandintheordinarycourseofbusinessprovidesinformationtotheconsumerreportingagencyfromwhichitreceivedthenoticeofaddressdiscrepancy.2.SuchinformationshallbeprovidedtotheconsumerreportingagencyaspartoftheinformationregularlyprovidedbytheTowntosuchagencyforthereportingperiodinwhichtheTownestablishesarelationshipwiththecustomer.MethodsofConfirmingConsumerAddressesTheTownemployeechargedwithconfirmingconsumeraddressesmay,inhisorherdiscretion,confirmtheaccuracyofanaddressthroughoneormoreofthefollowingmethods:1.Verifyingtheaddresswiththeconsumer;2.ReviewingtheTown’srecordstoverifytheconsumer’saddress;3.Verifyingtheaddressthroughthirdpartysources;or4.Usingotherreasonableprocesses.8 (D0