HomeMy WebLinkAboutORD 7101 IDENITY THEFT CITY CODE
ORDINANCE NO. 7101
AN ORDINANCE TO AMEND THE AUGUST A-RICHMOND COUNTY CODE; TO
CREATE NEW CHAPTER 5 TO TITLE II (FINANCE AND TAXATION), CALLED
"CHAPTER 5 THEFT PREVENTION"; TO CREATE A NEW ARTICLE 1 TO THE NEW
CHAPTER 5, CALLED "ARTICLE 1 IDENTITY THEFT PREVENTION PROGRAM"; TO
CREATE A NEW ARTICLE 2 TO THE NEW CHAPTER 5, CALLED "ARTICLE 2
TREATMENT OF ADDRESS DISCREPANCIES"; TO COMPLY WITH FEDERAL
REGULATIONS RELATING TO ADDRESS DESCREPANCIES; TO COMPLY WITH
FEDERAL REGULATIONS RELATING TO RED FLAGS AND IDENTITY THEFT; TO
PROVIDE FOR CODIFICATION; TO PROVIDE FOR SEVERABILITY; TO PROVIDE
FOR AN ADOPTION DATE; TO PROVIDE AN EFFECTIVE DATE; AND FOR OTHER
PURPOSES ALLOWED BY LAW.
BE IT ORDAINED BY THE AUGUSTA-RICHMOND COUNTY COMMISSION AND IT IS
HEREBY ORDAINED BY THE AUTHORITY OF SAME, THAT THE AUGUSTA-RICHMOND
COUNTY CODE BE AMENDED AS FOLLOWS:
WHEREAS pursuant to federal law the Federal Trade Commission adopted Identity Theft Rules
requiring the creation of certain policies relating to the use of consumer reports, address discrepancy
and the detection, prevention and mitigation of identity theft;
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR S 681.2 require creditors, as
defined by 15 D.S.C. S 1681a(r)(5) to adopt red flag policies to prevent and mitigate identity theft with
respect to covered accounts;
WHEREAS 15 U.S.C. S 1681a(r)(5) cites 15 D.S.C. S 1691a, which defines a creditor as a person that
extends, renews or continues credit, and defines "credit" in part as the right to purchase property or
services and defer payment therefore;
WHEREAS the Federal Trade Commission regulations include utility companies in the definition of
creditor;
WHEREAS Augusta-Richmond County is a creditor with respect to 16 CFR S 681.2 by virtue of
providing utility services or by otherwise accepting payment for municipal services in arrears;
WHEREAS the Federal Trade Commission regulations define "covered account" in part as an account
that a creditor provides for personal, family or household purposes that is designed to allow multiple
payments or transactions and specifies that a utility account is a covered account;
WHEREAS the Federal Trade Commission regulations require each creditor to adopt an Identity Theft
Prevention Program which will use red flags to detect, prevent and mitigate identity theft related to
information used in covered accounts;
WHEREAS Augusta-Richmond County provides water, sewer, solid waste, trash, and other services for
which payment is made after the product is consumed or the service has otherwise been provided which
by virtue of being utility accounts are covered accounts;
WHEREAS customer accounts for water, sewer, solid waste, trash, and other services for which
payment is made after the product is consumed or the service has otherwise been provided are covered
accounts by virtue of being for household purposes and allowing for multiple payments or transactions;
WHEREAS the Federal Trade Commission regulations, adopted as 16 CFR 681.1, require users of
consumer credit reports to develop policies and procedures relating to address discrepancies between
information provided by a consumer and information provided by a consumer credit company;
WHEREAS Augusta-Richmond County uses or may use consumer credit reports to establish various
customer accounts; and
WHEREAS the duly elected governing authority of Augusta-Richmond County is the Mayor and
council thereof;
NOW therefore be it ordained that Augusta-Richmond County adopts the following Identity Theft
Prevention Program:
The Code of Augusta-Richmond County is hereby amended by adding a Chapter 5 to Title 2 (Finance
and Tax). Chapter 5 of Title 2 shall be called "Chapter 5, THEFT PREVENTION". Article 1 of
Chapter 5 of Title 2 shall be called: "ARTICLE 1 IDENTITY THEFT PREVENTION
PROGRAM." Article 2 of Chapter 5 of Title 2 shall read as follows: "ARTICLE 2 TREATMENT
OF ADDRESS DISCREPANCIES." The sections of Article 1 shall be as follows:
Sec. 2-5-1. Short Title.
This article shall be known as the Identity Theft Prevention Program.
Sec. 2-5-2. Purpose.
The purpose of this Article is to comply with 16 CFR S 681.2 in order to detect, prevent and
mitigate identity theft by identifying and detecting identity theft red flags and by responding to such red
flags in a manner that will prevent identity theft.
Sec. 2-5-3. Definitions.
For purposes of this Article, the following definitions apply!:
(a) "Augusta" means Augusta-Richmond County.
(b) "Covered account" means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal,
family, or household purposes, that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, automobile loan, margin account,
cell phone account, utility account, checking account, or savings account; and
I Other than "Augusta" and "personal identifYing information", definitions provided in this section are based on the
definitions provided in 16 CFR ~ 681.2.
(ii) Any other account that the financial institution or creditor offers or maintains for which
there is a reasonably foreseeable risk to customers or to the safety and soundness of the
financial institution or creditor from identity theft, including financial, operational,
compliance, reputation, or litigation risks.
(c) "Credit" means the right granted by a creditor to a debtor to defer payment of debt or to incur
debts and defer its payment or to purchase property or services and defer payment therefore.
(d) "Creditor" means any person who regularly extends, renews, or continues credit; any person
who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of
an original creditor who participates in the decision to extend, renew, or continue credit and
includes utility companies and telecommunications companies.
(e) "Customer" means a person that has a covered account with a creditor.
(t) "Identity theft" means a fraud committed or attempted using identifying information of another
person without authority.
(g) "Person" means a natural person, a corporation, government or governmental subdivision or
agency, trust, estate, partnership, cooperative, or association.
(h) "Personal Identifying Information" means a person's credit card account information, debit card
information bank account information and drivers' license information and for a natural person
includes their social security number, mother's birth name, and date of birth.
(i) "Red flag" means a pattern, practice, or specific activity that indicates the possible existence of
identity theft.
(j) "Service provider" means a person that provides a service directly to Augusta-Richmond
County.
Sec. 2-5-4. Findings.
(1) Augusta-Richmond County is a creditor pursuant to 16 CFR S 681.2 due to its provision or
maintenance of covered accounts for which payment is made in arrears.
(2) Covered accounts offered to customers for the provision of Augusta-Richmond County services
include water, sewer, solid waste, trash, and other services.
(3) Augusta-Richmond County's previous experience with identity theft related to covered accounts is
as follows: There has been an overall increase in such activity.
(4) The processes of opening a new covered account, restoring an existing covered account, making
payments on such accounts, and collecting procedures for overdue accounts have been identified as
potential processes in which identity theft could occur.
(5) Augusta-Richmond County limits access to personal identifying information to those employees
responsible for or otherwise involved in opening or restoring covered accounts or accepting payment
for use of covered accounts. Information provided to such employees is, where possible, entered
directly into Augusta-Richmond County's computer system and not otherwise recorded.
(6) Augusta-Richmond County determines that there is a risk of identity theft occurring in the following
ways:
a. Use by an applicant of another person's personal identifying information to establish a new
covered account;
b. Use of a previous customer's personal identifying information by another person in an effort to
have service restored in the previous customer's name;
c. Use of another person's credit card, bank account, or other method of payment by a customer to
pay such customer's covered account or accounts;
d. Use by a customer desiring to restore such customer's covered account of another person's credit
card, bank account, or other method of payment; and
Sec. 2-5-5. Process of Establishing a Covered Account.
(1) As a precondition to opening a covered account in Augusta-Richmond County, each applicant shall
provide Augusta-Richmond County with personal identifying information of the customer: a valid
government issued identification card containing a photograph of the customer or, for customers who
are not natural persons, a photograph of the customer's agent opening the account. In addition, if
requested by an Augusta-Richmond County department, such applicant shall also provide any
information necessary for the department providing the service for which the covered account is created
to access the applicant's consumer credit report. To the extent possible, such information shall be
entered directly into Augusta-Richmond County's computer system and shall not otherwise be
recorded.
(2) Each account shall be assigned an account number and personal identification number (PIN) which
shall be unique to that account. Augusta-Richmond County may utilize computer software to randomly
generate assigned PINs and to encrypt account numbers and PINs.
Sec. 2-5-6. Access to Covered Account Information.
(1) Access to customer accounts shall be password protected and shall be limited to authorized
Augusta-Richmond County personnel.
(2) Such password(s) shall be changed by the director of the department providing the service for which
the covered account is created, or the Director of Finance (or his or her designee) or by the Director of
Information Technology on a regular basis. Each password shall be at least 8 characters in length and
shall contain letters, numbers and symbols.
(3) Any unauthorized access to or other breach of customer accounts is to be reported immediately to
the Augusta-Richmond County Director of Finance or his or her designee and the department director
responsible for that service and the password should be changed immediately.
(4) Personal identifying information included in customer accounts is considered confidential and any
request or demand for such information shall be immediately forwarded to the Director of Finance or
his or her designee, the department director responsible for that service and the General Counsel of
Augusta-Richmond County.
Sec. 2-5-7. Credit Card Payments.
(1) In the event that credit card payments that are made over the Internet are processed through a third
party service provider, such third party service provider shall certify that it has an adequate identity
theft prevention program in place that is applicable to such payments.
(2) To the extent possible, all credit card payments made over the telephone or Augusta-Richmond
County's website shall be entered directly into the customer's account information in the computer data
base.
(3) Account statements and receipts for covered accounts shall include only the last four digits of the
credit or debit card or the bank account used for payment of the covered account.
Sec. 2-5-8. Sources and Types of Red Flags.
All employees responsible for or involved in the process of opening a covered account, restoring a
covered account or accepting payment for a covered account shall check for red flags as indicators of
possible identity theft and such red flags may include:
(1) Alerts from consumer reporting agencies, fraud detection agencies or service providers. Examples of
alerts include but are not limited to:
a. A fraud or active duty alert that is included with a consumer report;
b. A notice of credit freeze in response to a request for a consumer report;
c. A notice of address discrepancy provided by a consumer reporting agency;
d. Indications of a pattern of activity in a consumer report that is inconsistent with the history and
usual pattern of activity of an applicant or customer, such as:
i. A recent and significant increase in the volume of inquiries;
ii. An unusual number of recently established credit relationships;
iii. A material change in the use of credit, especially with respect to recently established credit
relationships; or
iv. An account that was closed for cause or identified for abuse of account privileges by a
financial institution or creditor.
(2) Suspicious documents. Examples of suspicious documents include:
a. Documents provided for identification that appear to be altered or forged;
b. Identification on which the photograph or physical description is inconsistent with the appearance
of the applicant or customer;
c. Identification on which the information is inconsistent with information provided by the applicant
or customer;
d. Identification on which the information is inconsistent with readily accessible information that is
on file with the financial institution or creditor, such as a signature card or a recent check; or
e. An application that appears to have been altered or forged, or appears to have been destroyed and
reassembled.
(3) Suspicious personal identification, such as SUSpICIOUS address change. Examples of suspicious
identifying information include:
a. Personal identifying information that is inconsistent with external information sources used by
the financial institution or creditor. For example:
i. The address does not match any address in the consumer report; or
ii. The Social Security Number (SSN) has not been issued, or is listed on the Social Security
Administration's Death Master File.
b. Personal identifying information provided by the customer is not consistent with other personal
identifying information provided by the customer, such as a lack of correlation between the
SSN range and date of birth.
c. Personal identifying information or a phone number or address, is associated with known
fraudulent applications or activities as indicated by internal or third-party sources used by the
financial institution or creditor.
d. Other information provided, such as fictitious mailing address, mail drop addresses, jail
addresses, invalid phone numbers, pager numbers or answering services, is associated with
fraudulent activity.
e. The SSN provided is the same as that submitted by other applicants or customers.
f. The address or telephone number provided is the same as or similar to the account number or
telephone number submitted by an unusually large number of applicants or customers.
g. The applicant or customer fails to provide all required personal identifying information on an
application or in response to notification that the application is incomplete.
h. Personal identifying information is not consistent with personal identifying information that is on
file with the financial institution or creditor.
i. The applicant or customer cannot provide authenticating information beyond that which generally
would be available from a wallet or consumer report.
(4) Unusual use of or suspicious activity relating to a covered account. Examples of suspicious activity
include:
a. Shortly following the notice of a change of address for an account, Augusta-Richmond County
receives a request for the addition of authorized users on the account.
b. A new revolving credit account is used in a manner commonly associated with known patterns of
fraud patterns. For example:
i. The customer fails to make the first payment or makes an initial payment but no subsequent
payments.
c. An account is used in a manner that is not consistent with established patterns of activity on the
account. There is, for example:
i. Nonpayment when there is no history of late or missed payments;
ii. A material change in purchasing or spending patterns;
d. An account that has been inactive for a long period of time is used (taking into consideration the
type of account, the expected pattern of usage and other relevant factors).
e. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue
to be conducted in connection with the customer's account.
f. Augusta-Richmond County is notified that the customer IS not recelvmg paper account
statements.
g. Augusta-Richmond County is notified of unauthorized charges or transactions in connection with
a customer's account.
h. Augusta-Richmond County is notified by a customer, law enforcement or another person that it
has opened a fraudulent account for a person engaged in identity theft.
(5) Notice from customers, law enforcement, victims or other reliable sources regarding possible
identity theft or phishing relating to covered accounts.
Sec. 2-5-9. Prevention and Mitigation of Identity Theft.
(1) In the event that any Augusta-Richmond County employee responsible for or involved in restoring
an existing covered account or accepting payment for a covered account becomes aware of red flags
indicating possible identity theft with respect to existing covered accounts, such employee shall use his
or her discretion to determine whether such red flag or combination of red flags suggests a threat of
identity theft. If, in his or her discretion, such employee determines that identity theft or attempted
identity theft is likely or probable, such employee shall immediately report such red flags to the
Director of Finance or his or her designee and the director of the department providing the service at
issue. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable
information is available to reconcile red flags, the employee shall convey this information to the
Director of Finance or his or her designee and the director of the department providing the service at
issue, who should consult regarding the issue and may in their discretion determine that no further
action is necessary. If either the Director of Finance or his or her designee or the director of the
department providing the service at issue, in his or her discretion, determines that further action is
necessary, a Augusta-Richmond County employee shall perform one or more of the following
responses, as determined to be appropriate by either the Director of Finance or his or her designee or the
director of the department providing the service at issue:
a. Contact the customer;
b. Make the following changes to the account if, after contacting the customer, it is apparent that
someone other than the customer has accessed the customer's covered account:
i. change any account numbers, passwords, security codes, or other security devices that permit
access to an account; or
ii. close the account;
c. Cease attempts to collect additional charges from the customer and decline to sell the customer's
account to a debt collector in the event that the customer's account has been accessed without
authorization and such access has caused additional charges to accrue;
d. Notify a debt collector within 48 hours of the discovery of likely or probable identity theft
relating to a customer account that has been sold to such debt collector in the event that a
customer's account has been sold to a debt collector prior to the discovery of the likelihood or
probability of identity theft relating to such account;
e. Notify law enforcement, in the event that someone other than the customer has accessed the
customer's account causing additional charges to accrue or accessing personal identifying
information; or
f. Take other appropriate action to prevent or mitigate identity theft.
(2) In the event that any Augusta-Richmond County employee responsible for or involved in opening a
new covered account becomes aware of red flags indicating possible identity theft with respect an
application for a new account, such employee shall use his or her discretion to determine whether such
red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such
employee determines that identity theft or attempted identity theft is likely or probable, such employee
shall immediately report such red flags to the Director of Finance or his or her designee or the director
of the department providing the service at issue. If, in his or her discretion, such employee deems that
identity theft is unlikely or that reliable information is available to reconcile red flags, the employee
shall convey this information to the Director of Finance or his or her designee or the director of the
department providing the service at issue, who may in his or her discretion determine that no further
action is necessary. If either the Director of Finance or his or her designee or the director of the
department providing the service at issue, in his or her discretion, determines that further action is
necessary, a Augusta-Richmond County employee shall perform one or more of the following
responses, as determined to be appropriate by either the Director of Finance or his or her designee or the
director of the department providing the service at issue:
a. Request additional identifying information from the applicant;
b. Deny the application for the new account;
c. Notify law enforcement of possible identity theft; or
d. Take other appropriate action to prevent or mitigate identity theft.
Sec. 2-5-10. Updating the Program.
Augusta-Richmond County Commission shall annually review and, as deemed necessary by the
Commission, update the Identity Theft Prevention Program along with any relevant red flags in order to
reflect changes in risks to customers or to the safety and soundness of Augusta-Richmond County and
its covered accounts from identity theft. In so doing, Augusta-Richmond County Commission shall
consider the following factors and exercise its discretion in amending the program:
(1) Augusta-Richmond County's experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate identity theft;
(4) Updates in the types of accounts that Augusta-Richmond County offers or maintains; and
(5) Updates in service provider arrangements.
Sec. 2-5-11. Program Administration.
The Director of Finance is responsible for oversight of the program and for program implementation.
The Director of Finance may, at his or her discretion, designate another person to perform one or more
functions of this program. The Augusta-Richmond County Administrator is responsible for reviewing
reports prepared by staff regarding compliance with red flag requirements and with recommending
material changes to the program, as necessary in the opinion of the Augusta-Richmond County
Administrator, to address changing identity theft risks and to identify new or discontinued types of
covered accounts. Any recommended material changes to the program shall be submitted to Augusta-
Richmond County Commission for consideration.
(1) The Director of Finance or his or her designee will report to the Augusta-Richmond County
Administrator at least annually, on compliance with the red flag requirements. The report will address
material matters related to the program and evaluate issues such as:
a. The effectiveness of the policies and procedures of Augusta-Richmond County in addressing the
risk of identity theft in connection with the opening of covered accounts and with respect to
existing covered accounts;
b. Service provider arrangements;
c. Significant incidents involving identity theft and management's response; and
d. Recommendations for material changes to the Program.
(2) The Director of Finance or his or her designee is responsible for providing training to all employees
responsible for or involved in opening a new covered account, restoring an existing covered account or
accepting payment for a covered account with respect to the implementation and requirements of the
Identity Theft Prevention Program. The Director of Finance or his or her designee shall exercise his or
her discretion in determining the amount and substance of training necessary.
Sec. 2-5-12. Outside Service Providers.
In the event that Augusta-Richmond County engages a service provider to perform an activity in
connection with one or more covered accounts the Director of Finance or his or her designee shall
exercise his or her discretion in reviewing such arrangements in order to ensure, to the best of his or her
ability, that the service provider's activities are conducted in accordance with policies and procedures,
agreed upon by contract, that are designed to detect any red flags that may arise in the performance of
the service provider's activities and take appropriate steps to prevent or mitigate identity theft."
Article 2 to the newly created Chapter 5 of Title II shall read as follows:
ARTICLE 2 TREATMENT OF ADDRESS DISCREPANCIES.
Sec. 2-5-13. Purpose.
Pursuant to 16 CFR S 681.1, the purpose of this Article is to establish a process by which Augusta-
Richmond County will be able to form a reasonable belief that a consumer report relates to the
consumer about whom it has requested a consumer credit report when Augusta-Richmond County has
received a notice of address discrepancy.
Sec. 2-5-14. Definitions.
For purposes of this article, the following definitions apply:
(1) "Notice of address discrepancy" means a notice sent to a user by a consumer reporting agency
pursuant to 15 U.S.C. S 1681(c)(h)(1), that informs the user of a substantial difference between the
address for the consumer that the user provided to request the consumer report and the address( es) in
the agency's file for the consumer.2
(2) "Augusta" means Augusta-Richmond County.
Sec. 2-5-15. Policy.
In the event that Augusta-Richmond County receives a notice of address discrepancy, the Augusta-
Richmond County employee responsible for verifying consumer addresses for the purpose of providing
2 See 16 CFR ~ 681.1(b).
the Augusta-Richmond County service or account sought by the consumer shall perform one or more of
the following activities, as determined to be appropriate by such employee:
(1) Compare the information in the consumer report with:
a. Information Augusta-Richmond County obtains and uses to verify a consumer's identity in
accordance with the requirements of the Customer Information Program rules implementing 31
U.S.c. S 5318(1);
b. Information Augusta-Richmond County maintains in its own records, such as applications for
service, change of address notices, other customer account records or tax records; or
c. Information Augusta-Richmond County obtains from third-party sources that are deemed reliable
by the relevant Augusta-Richmond County employee; or
(2) Verify the information in the consumer report with the consumer.
Sec. 2-5-16. Furnishing Consumer's Address to Consumer Reporting Agency.
(1) In the event that Augusta-Richmond County reasonably confirms that an address provided by a
consumer to Augusta-Richmond County is accurate, Augusta-Richmond County is required to provide
such address to the consumer reporting agency from which Augusta-Richmond County received a
notice of address discrepancy with respect to such consumer. This information is required to be
provided to the consumer reporting agency when:
a. Augusta-Richmond County is able to form a reasonable belief that the consumer report relates to
the consumer about whom Augusta-Richmond County requested the report;
b. Augusta-Richmond County establishes a continuing relation with the consumer; and
c. Augusta-Richmond County regularly and in the ordinary course of business provides information
to the consumer reporting agency from which it received the notice of address discrepancy.
(2) Such information shall be provided to the consumer reporting agency as part of the information
regularly provided by Augusta-Richmond County to such agency for the reporting period in which
Augusta-Richmond County establishes a relationship with the customer.
Sec. 2-5-17. Methods of Confirming Consumer Addresses.
The Augusta-Richmond County employee charged with confirming consumer addresses may, in his or
her discretion, confirm the accuracy of an address through one or more of the following methods:
(1) Verifying the address with the consumer;
(2) Reviewing Augusta-Richmond County's records to verify the consumer's address;
(3) Verifying the address through third party sources; or
(4) Using other reasonable processes.
The preamble to this ordinance is hereby incorporated into this ordinance as if set out fully herein.
All ordinances and parts of ordinances in conflict herewith are hereby expressly repealed.
The adoption date of this ordinance is - n~c"
16
, 2008.
The effective date of this ordinance is Dec 16
,2008.
Adopted this ~ day of ~m.s DEe, 2008.
LQs2/1. C__
David S. Copenhaver
_~ ;~ As its Mayor
,
Seal:
'k' ,~~._:\}l"t't):"I~tt.)'3 ~
"',,,1 ' ,.,J,i".',>, j
F' J.:.a:....~'"'''-'''<\'
,~ C 1\ 01\;') )\~\
-0 ~
" ~"q 0'-1-..
. . ? -. ~ ,~
1ll1llISS1 , " , '".,.t.....
"",,'0, " ~
) :.:' ~
~., W1~ :~~
~ " " , H~--::
,~-c;. ,-" 1Ii"f. ..- P
\"... I
.. ..
December 2 200~"""-" :\~ ;'
\\lM.... GEOllG .."
"'-""''-''~'"
r ,~ -~ I l".~
1st
Reading
'Y".;,.",t"-.
~. ~
CERTIFICATION
The undersigned Clerk of Commission, Lena J. Bonner, hereby certifies that the foregoing
ce was dul adopted by the Augusta-Richmond County Commission on
~ , 2008 and that such Ordinance have not been modified or rescinded as of the
d te hereof and the undersigned further certifies that attached hereto is a true copy of the Ordinance
which as approved d adopted in the foregoing meeting(s).
I.
Published in the Augusta Chronicle.
Date: ~ Jm 'I