Chapter 3.45
IDENTITY THEFT PREVENTION
Sections:
3.45.050 Detection (red flags).
3.45.070 Personal information security procedures.
3.45.080 Other security procedures.
3.45.010 Program adopted.
The program is hereby approved and adopted effective July 23, 2009. [Res. 822 § 1, 2009.]
3.45.020 Implementation.
District staff are hereby authorized and directed to implement the program in accordance with its terms. [Res. 822 § 2, 2009.]
3.45.030 Purpose.
This program is intended to identify red flags that will alert our employees when new or existing accounts are opened using false information, protect against the establishment of false accounts, methods to ensure existing accounts were not opened using false information, and measures to respond to such events. [Res. 822 (Exh. A), 2009.]
3.45.040 Risk assessment.
The Lake Stevens Sewer District has conducted an internal risk assessment to evaluate how at risk the current procedures are at allowing customers to create a fraudulent account and evaluate if current (existing) accounts are being manipulated. This risk assessment evaluated how new accounts were opened and the methods used to access the account information. Using this information, the utility was able to identify red flags that were appropriate to prevent identity theft:
(1) New accounts opened in person.
(2) New accounts opened via telephone.
(3) New accounts opened via fax.
(4) New accounts opened via web.
(5) Account information accessed in person.
(6) Account information accessed via telephone (person).
(7) Account information is accessed via telephone (automated).
(8) Account information is accessed via website.
(9) Identity theft occurred in the past from someone falsely opening a utility account. [Res. 822 (Exh. A), 2009.]
3.45.050 Detection (red flags).
The Lake Stevens Sewer District adopts the following red flags to detect potential fraud. These are not intended to be all-inclusive and other suspicious activity may be investigated as necessary.
(1) Fraud or active duty alerts included with consumer reports.
(2) Notice of credit freeze provided by consumer reporting agency.
(3) Notice of address discrepancy provided by consumer reporting agency.
(4) Inconsistent activity patterns indicated by consumer report such as:
(a) Recent and significant increase in volume of inquiries.
(b) Unusual number of recent credit applications.
(c) A material change in use of credit.
(d) Accounts closed for cause or abuse.
(5) Identification documents appear to be altered.
(6) Photo and physical description do not match appearance of applicant.
(7) Other information is inconsistent with information provided by applicant.
(8) Other information provided by applicant is inconsistent with information on file.
(9) Application appears altered or destroyed and reassembled.
(10) Personal information provided by applicant does not match other sources of information (e.g., credit reports, Social Security number not issued or listed as deceased).
(11) Lack of correlation between the Social Security number range and date of birth.
(12) Information provided is associated with known fraudulent activity (e.g., address or phone number provided is same as that of a fraudulent application).
(13) Information commonly associated with fraudulent activity is provided by applicant (e.g., address that is a mail drop or prison, nonworking phone number or associated with answering service/pager).
(14) Social Security number, address, or telephone number is the same as that of other customer at utility.
(15) Customer fails to provide all information requested.
(16) Personal information provided is inconsistent with information on file for a customer.
(17) Applicant cannot provide information requested beyond what could commonly be found in a purse or wallet.
(18) Identity theft is reported or discovered. [Res. 822 (Exh. A), 2009.]
3.45.060 Response.
Any employee that may suspect fraud or detect a red flag will implement the following response as applicable. All detections or suspicious red flags shall be reported to the senior management official.
(1) Ask applicant for additional documentation.
(2) Notify Internal Manager. Any utility employee who becomes aware of a suspected or actual fraudulent use of a customer’s or potential customer’s identity must notify senior management.
(3) Notify Law Enforcement. The utility will notify Lake Stevens Police Department at 425-334-9537 of any attempted or actual identity theft.
(4) Do not open the account.
(5) Close the account.
(6) Do not attempt to collect against the account but notify authorities. [Res. 822 (Exh. A), 2009.]
3.45.070 Personal information security procedures.
The Lake Stevens Sewer District adopts the following security procedures:
(1) Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
(2) Employees will not leave sensitive papers out on their desks when they are away from their workstations.
(3) Employees log off their computers when leaving their work areas.
(4) Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility. [Res. 822 (Exh. A), 2009.]
3.45.080 Other security procedures.
The following suggestions are not part of or required by the Federal Trade Commission’s “identity theft red flags rule.” The following is a list of other security procedures a utility should consider to protect consumer information and to prevent unauthorized access. Implementation of selected actions below according to the unique circumstances of utilities is a good management practice to protect personal consumer data.
(1) Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets.
(2) Only specially identified employees with a legitimate need will have keys to the room and cabinet.
(3) Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
(4) Employees will not leave sensitive papers out on their desks when they are away from their workstations.
(5) Employees store files when leaving their work areas.
(6) Employees log off their computers when leaving their work areas.
(7) Employees lock file cabinets when leaving their work areas.
(8) Access to off-site storage facilities is limited to employees with a legitimate business need.
(9) Any sensitive information shipped using outside carriers or contractors will be encrypted.
(10) Any sensitive information shipped will be shipped using a shipping service that allows tracking of the delivery of this information.
(11) Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility.
(12) No visitor will be given any entry codes or allowed unescorted access to the office.
(13) Access to sensitive information will be controlled using “strong” passwords. Employees will choose passwords with a mix of letters, numbers, and characters. User names and passwords will be different.
(14) Passwords will not be shared or posted near workstations.
(15) Password-activated screen savers will be used to lock employee computers after a period of inactivity.
(16) When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
(17) Sensitive consumer data will not be stored on any computer with an Internet connection.
(18) Anti-virus and anti-spyware programs will be run on individual computers and on servers daily.
(19) When sensitive data is received or transmitted, secure connections will be used.
(20) Computer passwords will be required.
(21) User names and passwords will be different.
(22) Passwords will not be shared or posted near workstations.
(23) Password-activated screen savers will be used to lock employee computers after a period of inactivity.
(24) The use of laptops is restricted to those employees who need them to perform their jobs.
(25) Laptops are stored in a secure place.
(26) Laptop users will not store sensitive information on their laptops.
(27) Employees never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage.
(28) If a laptop must be left in a vehicle, it is locked in a trunk.
(29) The computer network will have a firewall where your network connects to the Internet.
(30) Any wireless network in use is secured.
(31) Maintain central log files of security-related information to monitor activity on your network.
(32) Monitor incoming traffic for signs of a data breach.
(33) Monitor outgoing traffic for signs of a data breach.
(34) Implement a breach response plan.
(35) Check references or do background checks before hiring employees who will have access to sensitive data.
(36) New employees sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data.
(37) Access to customer’s personal identity information is limited to employees with a “need to know.”
(38) Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information.
(39) Implement a regular schedule of employee training.
(40) Employees will be alert to attempts at phone phishing.
(41) Employees are required to notify the general manager immediately if there is a potential security breach, such as a lost or stolen laptop.
(42) Employees who violate security policy are subjected to discipline, up to, and including, dismissal.
(43) Service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of our data.
(44) Paper records will be shredded before being placed into the trash.
(45) Paper shredders will be available in the office, and next to the photocopier.
(46) Any data storage media will be disposed of by shredding, punching holes in, or incineration. [Res. 822 (Exh. A), 2009.]