Resolution No. 09961 1 RESOLUTION NO. 9961
2 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF
3 VERNON APPROVING AND ADOPTING A CITY OF VERNON
UTILITY BILLING IDENTITY THEFT PREVENTION PROGRAM
4
5 .WHEREAS, the City of Vernon ("City") is a chartered
6' municipal corporation of the State of California that owns and
7 operates a system for the generation, purchase, distribution and sale
8 of electric capacity and energy; .and
9 WHEREAS, in November 2007, the Federal Trade: Commission
10 ("FTC") adopted regulations which implement Section 114 of the Fair
11 and Accurate Credit Transactions Act of 2003 (".FACT Act") requiring
12 all utility companies and other entities to adopt a "Red Flag Rule
13 Policy" aimed at protecting consumer utility billing. information; and.
14 WHEREAS, by memo dated April 29, 2009, the Director of Light
15 & Power recommended that the City Council approve a program to be
16 followed by City personnel that is designed to detect, prevent and.
17 mitigate identity theft by "red flagging" certain patterns and
18 routines; and
19 WHEREAS, in an effort to protect the identities of City of
20 Vernon Utility Billing Customers, the City Council of the City of
21 Vernon desires to approve and adopts a City of Vernon Utility Billing
22 Identity Theft Prevention Program. effective May 1, 2009.
23 NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE
24 CITY OF VERNON AS FOLLOWS:
25 SECTION 1: The City Council of the City of Vernon hereby
26 finds and determines that the recitals contained hereinabove are
27 true and correct.
28 / / /
1 SECTION 2: -The City Council. of the City of Vernon hereby,
2 approves and adopts the City of Vernon Utility Billing Identity Theft
3 Prevention Program effective beginning May 1, 2009, a copy of which is
4 attached hereto as Exhibit A and incorporated by reference.
5 SECTION 3: The City Council o.f the City of Vernon hereby
6 authorizes and empowers the City Administrator, or his designee, to
7 make whatever nonsubstantive and administrative changes, upon advice
8 of counsel, to the Program as are necessary from time-to-time in order
9 to conform with state and federal laws and to carry out the intent of
10 this Resolution.
11 SECTION 4: The City Clerk of the City of Vernon shall
12 certify to the passage of this. resolution, and thereupon and
13 thereafter the. same shall be in full force and effect.
14 APPROVED AND ADOPTED this 18th day of May, 2009.
15
Name• Hilario Gonzales
17 ~ '
18 Title: Mayor / Mayor Pro-Tem
19 ATT ST:
20
21 M NUELA GIRON, Ci y Clerk
22
23
24
25
26
27
28
- 2 -
1 STATE OF CALIFORNIA )
ss
2 COUNTY OF LOS ANGELES )
3
4 I, MANUELA GIRON, City Clerk of the City of Vernon, do hereby
5 certify that the foregoing Resolution, being Resolution No. 9961 was
6 duly adopted by the City Council of the City of Vernon at a regular
7 meeting of the City Council duly held on Monday, May 18, 2009, and
8 thereafter was duly signed by the. Mayor or Mayor Pro-Tem of the City of
9 Vernon.
10
11
12 MANUELA GIRO C'ty Clerk
13 (SEAL)
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
_ 3 _
EXHIBIT A
r~ ay~ ~
t~ 1:~;
~4a
z
,
p':i- .n~,
l
~
CITY OF vERNON
Utility Billing
Identity Theft .Prevention Program
Effective beginning May 1st, 2009
i
I. PROGRAM ADOPTION
The City of Vernon ("City") developed this City of Vernon Utility Billing Identity Theft
Prevention Program ("Program") pursuant to the Federal Trade Commission's Red. Flags Rule
("Rule"), which implements Section 114 of the Fair and Accurate Credit Transactions Act of
2003. 16 C. F. R. §.681.2. This Program was developed for the Utility Department of the City
("Utility") with oversight- and approval of the Director of Light and Power ("Utility Director").
After consideration of the size and- complexity of the Utility's operations and account systems,
and the nature and. scope of the Utility's activities, `the Utility Director determined that this
Program was appropriate for the City's Utility, and therefore approved. this Program to be
effective on May 1st, 2009. .
IL PURPOSE AND DEFINITIONS
A. Establish an Identity Theft Prevention Program
To establish an Identity Theft Prevention Program designed to detect, prevent and mitigate
identity theft in connection with the opening of a covered account or an existing covered account
and to provide for continued administration of the Program in compliance with Part 681 of Title
16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and
Accurate Credit Transactions Act (FACIA) of 2003.
S. Establishing and Fulfilling Requirements of the Red Flags Rule ,
The Red Flags Rule ("Rule") defines "Identity Theft" as "fraud committed using the
identifying information of another person" and a "Red Flag" ("Red Flag") as a pattern, practice,
or specific activity that indicates the possible existence of Identity Thefl;.
Under the Rule, every financial institution and creditor, including utilities, are .required to
establish an "Identity Theft Prevention Program" tailored to its size, complexity and the nature of
its operation. The Program must contain reasonable policies and procedures to:
L Identify relevant Red Flags for new and existing covered accounts and incorporate those
Red Flags .into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to-prevent and mitigate Identity
Theft; and
4. Ensure the. Program is updated periodically, to reflect changes in risks to customers. or to
the safety and soundness of the creditor from Identity Theft.
2
C. Red Flags Rule definitions used in this Program
,City: The City of Vernon, California.
Covered Account: Under the Rule, a :"covered account" is:
_ 1. Any account the' Utility offers or maintains primarily for personal, family or household
purposes, that involves multiple payments or transactions; and
2. Any other account the Utility offers or maintains for which there is a reasonably
foreseeable risk. to customers or to the safety and soundness of the Utility from Identity
Theft.
Creditors: The .Rule defines creditors "to include finance companies, automobile dealers,
mortgage brokers, utility companies, and telecommunications companies. Where non-profit and
.government entities defer .payment for goods or services, they, too, are to be considered.
creditors."
Identifying Information is defined under the Rule as "any name or number thatmay be used,
. alone or in conjunction with any other, information, to identify a specific person," including:
name; address, telephone number, social security number, date of birth, government issued
driver's .license or identification number, alien registration number, .government passport
number, employer or taxpayer identification number, unique electronic identification number;
computer's Internet Protocol address,. or routing code.
. Program: The Identity Theft Prevention Program for the City.
Program. Administrator: The Utility Director is .the Program Administrator for the Program.
Utility: The Utility is the Light & Power, Water, Gas, and Fiber Optics. departments of the City
III. IDENTIFICATION OF RED FLAGS.
In order to identify relevant Red. Flags, the Utility considers the types of accounts that it
offers and maintains, the methods it provides to open its accounts, the methods it provides to
access its accounts, and its previous experiences with Identity Theft. The Utility identifies the
following red flags, in each of the listed categories:-
A. Suspicious Documents
Red Flags
1. Identification document or card that appears to be forged; altered or inauthentic;
3
f
2. Identification document or card on which a person's photograph or physical description is
not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing customer
information (such as if a person's signature on a check appears forged); and
4. Application for service that appears to have been altered' or forged.
B. Suspicious Personal Identifying Information
Red Flags
1. Identifying information presented that is inconsistent with other information the customer
provides (example: inconsistent birth dates),
2.. Identifying information presented that is inconsistent with other sources of .information
(for instance, Social Security number or an address not matching an address on a credit
report);
3. Identifying information presented. that is the .same as information shown on other
applications that were found to be_fraudulent;
4. Identifying information presented that is consistent with fraudulent activity (such as an
invalid phone number or fictitious billing address);
5. Social Security number presented that is the same as one given by another customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete personal identifying information on an application
when reminded to do so (however, bylaw social security numbers must not be required)
or an applicant cannot provide information requested beyond what could commonly be
found in a purse or wallet; and.
8. A person's identifying information is not consistent with the information that is on file
for the customer.
C. Suspicious Account Activity or Unusual Use of Account
Red Flags
1. Change of address for an account followed by a request to change the account holder's
name;
2. Payments stop .on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example: very high activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to-the Utility that a customer is not receiving mail sent by the Utility;
6. Notice to the Utility that an account has unauthorized activity;
7. Breach in the Utility's computer system security; and
8. Unauthorized access to or use of customer account information.
D. Alerts from others
4
Red Flag
1. Notice to the Utility from a customer, identity theft .victim, fraud detection, service, law
enforcement or other person that it has opened or is maintaining a fraudulent account for
a person engaged in Identity Theft.---- -
TV. DETECTING RED FLAGS.
A. New .Accounts
In order to detect any of the Red Flags identified above- associated. with the opening of a
new account, Utility personnel will take the following steps to obtain and verify the identity'of
the person opening the account:
Detect
1. Require certain identifying information such as name, date of birth, residential or
business address, principal.: place of business for an entity, driver's license or other
identification;
2. Verify the customer's identity (for instance, xeview a driver's license or other
identification card);
3. Review documentation showing the. existence of a business entity;
4. Request additional documentation if possible to establish identity, (example: 2°d form of
identification);
5. Independently contact the customer or business.
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, Utility
pe~rspnnel will take the following steps to monitor transactions with an account:
Detect ~
1.. Verify the identification of customers if they request information (in person; via
telephone, via facsimile, via email);
2. Verify the validity of requests to close accounts or change billing addresses; and
3. Verify changes in banking information given for billing. and payment purposes.
V. PREVENTING AND NIITIGATING IDENTITY THEFT
In the event Utility personnel detect any identified Red Flags, such personnel shall take
one or more of the following steps, depending on the degree of risk posed by the Red Flag:
5
- ~ - I
Prevent and Mitisate ~
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the customer, sometimes through multiple methods;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5: Close an existing account;
6. Do not close the account, but monitor or contact authorities;
7. Reopen an account with a new number;
8. Notify the Program Administrator for determination of the appropriate step(s) to take;
9. Notify law enforcement; or
10. Determine that. no response is warranted under the particular circumstances.
Protect customer identifyin~ information
In order to farther prevent the likelihood of identity theft occurring with respect to Utility
accounts, the- Utility will take the following steps with .respect to its nnternal operating. procedures
to protect customer identifying. information:
1. Utility Billing is, located on the internal network behind the firewall and has no external
exposure to customers or city personnel via the Internet ;
2. Where and when allowed, ensure complete and secure destruction of 15aper documents
and computer files containing customer information;
3. Ensure that office- computers are password protected and that computer screens lock after .
a set period of time;
4. Change passwords on office computers. on a regular basis;
5. Ensure all computers are backed up properly and any backup information is secured;.
_ 6: Keep offices clear of papers containing customer information;
7. Social Security numbers and Driver License information is available to authorized
. personnel only and restricted based on the level of security
8. Ensure computer virus protection is up to date; and
9. Require and keep only the kinds of customer information that are necessary for utility
Purposes.
10. All documents will be stored in a secure & locked location;
11. Ensure that all request for information will .done in writing.
VI. PRUGRAM UPDATES
This .Program will be periodically reviewed and updated to reflect changes in risks to
customers and the soundness of the utility from identity theft. At least annually; the Program
Administrator will consider the utility's experiences with identity theft situation, changes in
identity -theft methods, changes in identity theft detection and prevention methods, changes in
6
types of accounts the Utility. maintains and changes in the Utility's business arrangEments with
other entities, .consult with law enforcement authorities, and consult with other City personnel.
.After considering these factors, the Program Administrator will determine whether changes to .
the Program, including the listing of Red ~ Flags, are warranted. If warranted, the Program
Administrator will update the Program.
VII. PROGRAM ADMINISTRATION.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with the
Program .Administrator. The Program .Administrator will be responsible for the Program
administration, for ensuring appropriate training of Utility .staff on the Program, for. reviewing
any staff reports regarding the detection of Red Flags and the steps forpreventing and mitigating
identity theft, determining which. steps of prevention and mitigation should betaken in particular
circumstances and considering periodic changes to the Program.
B. -Staff Training and Reports
Initially, all Customer .Service staff shall be trained either by or under the direction of the
.Program Administrator in the detection of 'Red Flags, and the: responsive steps to be taken-when
a Red Flag is detected. .Thereafter, all Customer Service staff shall undergo update training at
the times updates`are made to the Program.
The Program Administrator shall prepare periodic reports monthly concerning the
Utility's compliance with the .program, the training that has been .given and the effectiveness.of
the policies and procedures in addressing the risk of identity theft, including recommendations - "
for changes to the Program.
C. Specific Program Elements and Confidentiality
For the effectiveness of identity theft prevention Programs, the Red Flag Rule envisions a
degree of confidentiality regarding the Utility's specific. practices relating to identity theft
detection, prevention and mitigation. Therefore, under this Program, knowledge of such specific
practices are to be limited to the key employees who need to know them for purposes of
preventing identity theft.-
7
CITY CLERK'S OFFICE
INTEROFFICE MEMORANDUM.
DATE: May 20, 2009
TO: Donal O' Callaghan, City Administrator/Director of Light &.Power
FR Nelly Giron; City Clerk
RIJ; Resolution No. 9961 = A Resolution of the City Council of the City of Vernon Approving
and Adopting a City of Vernon Utility Billing Identity Theft Prevention Program
Transmitted herewith is a copy of Resolution No. 9961 referenced above, which was approved by City
Council on May 18, 2009.
Thank you.
NG acm
c: Abraham Alemu
Anthony Serrano
Resolution No. 9961
' ~/i~%~
.%.~OF ti-E1~,
<< ,N;f, P ~IPPROYED h~AY 1 g '04 Cllr C~IINCII"
STAFF REPORT ~~T~ cLE ~ R SON
LIGHT &-POWER ~
DATE: April 29, 2009
TO: Mayor and City Council ~.~M M~1Y 1 3 2009
FROM: Donal O'Callaghan, Director of Light and Power CITYCI.ERK'S OFFICE
RE: CITY OF VERNON IDENTITY THEFT PREVENTION PROGRAM
In November 2007, the Federal Trade- Commission (FTC) adopted .regulations. which
implements Section 114 of Fair and Accurate Credit Transactions Act ("FACT Act") of
2003 requiring all utility companies and other entities to adopt "Red Flag Rule Policy"
aimed at protecting consumer utility billing information.
In compliance with the FTC regulations, the City of Vernon Light & Power Department
developed the "City of Vernon UtilityBilling Identity Theft Prevention Program". The
Program is designed to help protect City of Vernon Utility Billing Customers' identities,
relevant and/or suspicious patterns, and specific routines that can be "red flagged"
which will recognize potential identity theft. This program contains reasonable policies,
rules, and procedures to be followed by City of Vernon personnel
.Recommendation:
The Light and Power Department recommends that the City Council approve the
implementation of the City of Vernon Utility Billing Identity Theft Prevention Program to
be effective May 1, 2009.
DO:AA:eo
Enclosures
i
cc: Abraham Alemu
Anthony Serrano
Document Control
III
O F v~R
~fh {
U 19~ ~
5
GS~VELY iNpV: - _
CITY OF vERNON
Utlhty Bllhllg
Identity Theft Prevention Program
Effective beginning 1VIay 1st, 2009
L PROGRAM ADOPTION
The City of Vernon ("City") developed this City of Vernon Utility Billing Identity Theft
Prevention Program ("Program") pursuant to the Federal Trade Commission's Red Flags Rule.
("Rule"), which implements Section 114 of the Fair and Accurate Credit Transactions Act of
2003. 16 C. F. R. §.681.2. This Program was developed for the Utility Department of the City
("Utility") with oversight and approval of the Director of Light and- Power ("Utility Director").
After consideration of the size and complexity of the Utility's operations and account systems,
and the nature and scope of the Utility's activities, the. Utility Director determined that this
Program was appropriate for the City's Utility, and therefore approved this Program to be
effective on May 1st, 2009. .
II. PURPOSE AND DEFINITIONS
A. Establish an Identity Theft Prevention Program
To establish an Identity Theft Prevention Program designed to detect, prevent and. mitigate
identity theft in connection with the opening of a covered account or an existing covered account
and to provide for continued administration of the Program in compliance with Part 681 of Title
16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and
Accurate Credit Transactions Act (FACTA) of 2003.
B. Establishing and Fulfilling Requirements of the Red Flags Rule
The Red. Flags Rule ("Rule") defines "Identity Theft" as "fraud committed using the
identifying information of another person" and a "Red Flag" ("Red Flag") as a pattern, practice,
or specific activity that indicates the,possible existence of Identity Theft.
Under the Rule, every financial institution and creditor, including utilities, are required to
establish an "Identity Theft Prevention Program" tailored to its size, complexity and the nature of
its operation. The Program must contain reasonable policies and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and incorporate those
Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity
Theft; and
4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to
the safety and soundness ofthe creditor from Identity Theft.
2
C. I2ed Flags Rule defmitions used in this Program
,City: The City of Vernon, California.
Covered Account: Under the Rule, a "covered account" is:
• 1. Any account the Utility offers or maintains primarily for personal, .family or household
purposes; that involves multiple payments or transactions; and
2. Any other account the Utility offers or maintains for -which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the Utility from Identity
Theft.
Credators: The Rule defines .creditors "to include finance companies, automobile dealers,
mortgage brokers, utility companies, and telecommunications companies. Where non:profit and
.government entities defer payment for goods or services, they,. too, axe to be considered
creditors."
Identifying Information is defined under the .Rule as "any name or number that may be used,
alone or in conjunction with any other information, to identify a specific. person," including:
name, address, telephone number, social security number,. date of birth, government issued
driver's license or identification number, alien registration number, .government passport
number, employer or taxpayer identification number, unique electronic identification number;
computer's Internet Protocol address, or routing code.
Program: The Identity Theft Prevention Program for the City.
Program Administrator: The Utility Director is the Program Administrator for the Program.
Utility: The Utility is the Light. & Power, Water, Gas, and Fiber Optics deparhnents of the City
III. IDENTIFICATION OF RED FLAGS.
Ixi-order to identify relevant Red, Flags, the Utility considers the types of accounts that it
offers and maintains, the methods it provides to open its accounts, the methods it provides to
access its accounts, and its previous experiences with Identity Theft. The Utility identifies the
following red flags, in each of the listed categories:-
A. Suspicious Documents
Red Flags
l . Identification document or card that appears to be forged; altered or inauthentic;
3
2. Identification document or card on which a person's photograph or physical description is
not consistent with the person presenting the. document;
3. Other document with information. that is not consistent with existing customer
information (such as if a person's signature on a check appears forged); and
4. Application for service that appears to have been altered or forged.
)I. Suspicious Personal Identifying Information
Red Flags
1. Identifying information presented that is inconsistent with other information the customer
provides (example: inconsistent birth dates),
2. Identifying information presented that. is inconsistent with other sources of information
(for instance, Social Security number or an address not matching an address on a credit
report);
3. Identifying information presented that is the same as information .shown on other
applications that were found to be fraudulent;
4. Identifying information presented that is consistent with fraudulent activity (such as an
invalid phone number or fictitious billing address);
5. Social. Security number presented that is the same as one given by another customer;
6. An address or phone number presented that is the same as that of another person;
7. A person fails to provide complete. personal identifying information on an application
when reminded to do so (however, by law social security numbers must not be required)
or an applicant cannot provide information requested beyond what could commonly be
found in a purse or wallet; and
8. A person's identifying information is not consistent with the information that is on file
.for the customer..
C. Suspicious Account Activity or Unusual Use of Account
Red Flays
1. Change of address for an account followed by a request to change the account holder's
name;
2. Payments stop on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use (example: very high activity);
4. Mail sent to the account holder is repeatedly returned as undeliverable;
5. Notice to the Utility that a customer is not receiving mail sent by the Utility;
6. Notice to the Utility that an account has unauthorized activity;
7. Breach in the Utility's computer system security; and
8. Unauthorized access to or use of customer account information.
D. Alerts from Qthers
4
Red Flag
1. Notice to the Utility from a customer, identity theft victim, fraud detection service, law
enforcement or other person that it has opened or is maintaining a fraudulent account for
a person engaged in Identity Theft.- -
IV. DETECTING RED FLAGS.
A. New Accounts
In order to detect any of the Red Flags identified above. associated with the opening of a
new account, Utility personnel will take the following steps to obtain and verify the identity of
the person opening the account:
Detect
1. Require certain identifying information such as name, date of birth, residential or
business address, principal place of business for an entity, driver's license or other
identification;
2. Verify the customer's identity (for instance, .review a driver's license or other
identification card);
3. Review documentation showing the. existence of a business entity;
4. Request additional documentation if possible to establish identity, (example: 2nd form of
identification);
5. Independently contact the customer or business.
D. Existing Accounts
In order to detect .any of the Red Flags identified above for. an existing account, Utility
personnel will take the following steps to monitor transactions with an account:
Detect
1. Verify the identification of customers if they request information (in person, via
telephone, via facsimile, via email);
2. Verify the validity of requests to close accounts or change billing addresses; and
3. Verify changes in banking information given for billing and payment purposes..
V. PREVENTING AND MITIGATING IDENTITY THEFT
In the event Utility personnel detect any identified Red Flags, such personnel shall take
one or more of the following steps, depending on the degree of risk posed by the Red Flag:
5
Prevent and Mitigate
1. Continue to monitor an account for evidence of Identity Theft;
2. Contact the customer, sometimes through multiple methods;
3. Change any passwords or other security devices that permit access to accounts;
4. Not open a new account;
5. Close an existing account;
6. Do not close the account, but monitor or contact authorities;
7. Reopen an account with a new number;
8. Notify the Program Administrator for determination of the appropriate step(s) to take;
9. Notify law enforcement; or
10. Determine that no response is warranted under the particular circumstances.
Protect customer identifyin~ information
In order to further prevent the likelihood of identity theft occurring with respect to Utility
accounts, the Utility will take the following steps with respect to its internal operating procedures
to protect customer identifying information:
L Utility Billing is located on the internal network behind the firewall and has no external
exposure to customers or city personnel via the Internet ;
2. Where and when allowed,. ensure complete and secure destruction of paper documents
and computer files containing customer information;
3. Ensure that office computers are password protected and that computer screens lock after
a set period: of time;
4. Change passwords on office computers on a regular basis;
5. Ensure all computers are backed up properly and any backup information is secured;
6. Keep offices clear of papers- containing customer information;
7. Social Security numbers and Driver License information is available to authorized
personnel only and restricted based on the level of security ;
8. Ensure computer virus protection is up to date; and-
9. Require and keep only the kinds of customer information that are necessary for utility
purposes.
10. All documents will be stored in a secure & locked location;
11. Ensure that all request for information will-done in writing.
VI. .PROGRAM UPDATES
This Program will be periodically reviewed and updated to reflect changes in risks to
customers and the soundness of the utility from identity theft.. At least annually, the Program
Administrator will consider the utility's experiences with identity theft situation, changes in
identity theft methods, changes in identity theft detection and prevention methods, changes in
6
types of accounts the Utility maintains and changes in the Utility's business arrangements with
other entities, .consult with law enforcement authorities, and consult with other City personnel.
After considering these factors, the Program Administrator will determine whether changes to
the Program, including the listing of Red Flags, are warranted. If warranted, -the Program
Administrator will update the Program.
VII. PROGRAM AD1ViINISTRATION.
A. Oversight
Responsibility for developing, implementing and updating this Program lies with the
Program Administrator. T'he Program Administrator will be responsible for the Program
administration, for ensuring appropriate training of Utility staff on the Program, for reviewing
any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating
identity theft, determining which. steps of prevention and mitigation should be taken in particular
circumstances and considering periodic changes to the Program.
B. Staff Training and Reports
Initially, all Customer Service staff shall be trained either by or under the direction of the
Program Administrator in the detection of Red Flags, and the. responsive steps to be taken when
a Red Flag is detected. Thereafter, all Customer Service staff shall undergo update training at
the times updates-are made to the Program.
The .Program Administrator shall prepare periodic reports monthly concerning the
Utility's compliance with the .program, the training that has been given and the effectiveness. of
the policies and procedures in addressing the risk of identity theft, including recommendations
- for changes to the Program.
C. Specific Program Elements and Confidentiality
For the effectiveness of identity theft prevention Programs, the Red Flag Rule envisions a
degree of confidentiality regarding the Utility's specific. practices relating to identity theft
detection, prevention and mitigation. Therefore, under this Program, knowledge of such specific
practices -are to be limited to the key employees who need to know them for purposes of
preventing identity theft.
7