Chapter 2.124


2.124.010    Purpose.

2.124.020    Findings.

2.124.030    Red flags.

2.124.040    Proof of ownership.

2.124.050    Confidentiality of applications and account information.

2.124.060    Access to covered account information.

2.124.070    Credit card transactions.

2.124.080    Suspicious transactions.

2.124.090    Notification of law enforcement.

2.124.100    Third party service providers.

2.124.110    Compliance officer and training.

2.124.120    Annual report.

2.124.010 Purpose.

The purpose of this chapter is to implement an identity theft prevention program as required by the Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, and its implementing regulations, known as the Red Flags Rule. (Ord. 19-2009 § 1)

2.124.020 Findings.

The Federal Trade Commission (“FTC”) requires every creditor to implement an identity theft prevention program under Section 114 of the Fair and Accurate Credit Transactions Act. The FTC has set forth the identity theft prevention program requirement in 16 CFR 681.2. Identity theft is defined as a fraud committed or attempted using identifying information of another person without authority. San Juan County adopts this program to comply with FTC rules and regulations. In drafting its identity theft prevention program, the County has considered: (1) the methods it provides to open its accounts; (2) the methods it provides to access its accounts; and (3) its previous experiences with identity theft. Based on these considerations, the San Juan County council hereby determines that the County is a low to moderate risk entity and, as a result, develops and implements the streamlined identity theft prevention program set forth in this chapter. Further, the County determines that the only covered accounts offered by the County are those determined by the County auditor to be “covered accounts” under the Red Flags Rule. (Ord. 19-2009 § 2)

2.124.030 Red flags.

The FTC regulations identify numerous red flags that must be considered in adopting an identity theft prevention program. The FTC has defined a red flag as a pattern, practice, or specific activity that indicates the possible existence of identity theft. The County identifies the following red flags from the examples provided in the regulations of the FTC:

A. Notifications from consumer reporting agencies. The County does not request, receive, obtain or maintain information about its customers from any consumer reporting agency.

B. Suspicious documents. Possible red flags include:

1. Presentation of documents appearing to be altered or forged;

2. Presentation of photographs or physical descriptions that are not consistent with the appearance of the applicant or customer;

3. Presentation of other documentation that is not consistent with the information provided when the account was opened or existing customer information;

4. Presentation of information that is not consistent with the account application; or

5. Presentation of an application that appears to have been altered, forged, destroyed, or reassembled.

C. Suspicious personal identifying information. Possible red flags include:

1. Personal identifying information is being provided by the customer that is not consistent with other personal identifying information provided by the customer or is not consistent with the customer’s account application;

2. Personal identifying information is associated with known fraudulent activity;

3. The Social Security number (if required or obtained) is the same as that submitted by another customer;

4. The telephone number or address is the same as that submitted by another customer;

5. The applicant failed to provide all personal identifying information requested on the application; or

6. The applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

D. Unusual use of or suspicious activity related to an account. Possible red flags include:

1. A change of address for an account followed by a request to change the account holder’s name;

2. A change of address for an account followed by a request to add new or additional authorized users or representatives;

3. An account is not being used in a way that is consistent with prior use (such as late or no payments when the account has been timely in the past);

4. A new account is used in a manner commonly associated with known patterns of fraudulent activity (such as customer fails to make the first payment or makes the first payment but no subsequent payments);

5. Mail sent to the account holder is repeatedly returned as undeliverable;

6. The County receives notice that a customer is not receiving his paper statements; or

7. The County receives notice of unauthorized activity on the account.

E. Notice regarding possible identity theft. Possible red flags include:

1. Notice from a customer, an identity theft victim, law enforcement personnel or other reliable sources regarding possible identity theft or phishing related to covered accounts. (Ord. 19-2009 § 3)

2.124.040 Proof of ownership.

Before changing a name and address of an existing covered account, the County requires proof of property ownership such as documentation from escrow, copy of a real estate contract or deed of trust. (Ord. 19-2009 § 4)

2.124.050 Confidentiality of applications and account information.

All personal information, personal identifying information, account applications and account information collected and maintained by the County shall be a confidential record of the County and shall not be subject to disclosure unless otherwise required by state or federal law. Additionally, any employee with access to a customer’s personal information, account applications or account information shall be required to execute and abide by the confidentiality and nondisclosure policy of the County. (Ord. 19-2009 § 5)

2.124.060 Access to covered account information.

Access to covered account information shall be limited to employees that provide customer service and technical support for County departments or offices offering covered accounts. Any computer that has access to customer account or personal identifying information shall be password protected and all computer screens shall lock after no more than 15 minutes of inactivity. All paper and nonelectronic based account or customer personal identifying information shall be stored and maintained in a locked room or cabinet, and access shall only be granted by the compliance officer or his/her designee. (Ord. 19-2009 § 6)

2.124.070 Credit card transactions.

All Internet or telephone credit card payments shall only be processed through a third party service provider which certifies that it has an identity theft prevention program operating and in place. Credit card payments accepted in person shall require a reasonable connection between the person or entity billed for the services and the credit card owner. (Ord. 19-2009 § 7)

2.124.080 Suspicious transactions.

Suspicious transactions include, but are not limited to, the presentation of incomplete applications, unsigned applications, payment by someone other than the person named on the covered account, or presentation of inconsistent signatures, addresses or identification. Suspicious transactions shall not be processed and shall be immediately referred to the compliance officer or his/her designee. (Ord. 19-2009 § 8)

2.124.090 Notification of law enforcement.

The compliance officer or his/her designee shall use his/her discretion on whether to report suspicious transactions to the sheriff’s department or other appropriate law enforcement. (Ord. 19-2009 § 9)

2.124.100 Third party service providers.

All transactions processed through a third party service provider shall be permitted only if the service provider certifies that it has complied with the FTC regulations and has in place a consumer identity theft prevention program. (Ord. 19-2009 § 10)

2.124.110 Compliance officer and training.

The compliance officer for this identity theft prevention program shall be the County auditor or his/her designee. The compliance officer shall conduct training of all County employees that transact business using covered accounts. The compliance officer shall periodically review this program and recommend any necessary updates to the County council. (Ord. 19-2009 § 11)

2.124.120 Annual report.

As required by FTC regulations, the compliance officer shall provide an annual report to the County administrator. The contents of the annual report shall address and evaluate at least the following:

A. The effectiveness of the policies and procedures of the County in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to access to existing covered accounts;

B. Service provider arrangements;

C. Incidents involving identity theft with covered accounts and the County’s response;

D. Changes in methods of identity theft and the prevention of identity theft; and

E. Recommendations for changes to the County’s identity theft prevention program. (Ord. 19-2009 § 12)