Section 5 Identity Theft Red Flags and Address Discrepancy Procedures





Index

Section 5.1 Purpose ............................................ 2
Section 5.2 Definitions ........................................ 2
Section 5.3 Validation Information ............................. 2
Section 5.4 Procedures for Opening New Accounts ................ 3
Section 5.5 Procedures for Existing Accounts ................... 5
Section 5.6 General Security Guidelines ........................ 5
Section 5.7 Administrative Procedures .......................... 6
Section 5.8 Examples of Red Flags .............................. 7
Section 5.9 Appendix A Other Security Procedures ............... 9

Section 5.1 Purpose

These procedures are implemented pursuant to Lowell Light & Power's policy to establish and maintain an Identity Theft Prevention Program consistent with the Federal regulations and guidelines for the Fair and Accurate Credit Transaction Act of 2003 (FACT Act). These procedures are designed to supplement existing procedures for transactions involving customer accounts and are not intended to replace them. However, these procedures supersede any other LLP procedures wherever a conflict may exist involving the proper handling and safeguarding of customers' personal identification information.

The purpose of these procedures is to establish an Identity Theft Prevention Program to detect, prevent, and mitigate identity theft. These procedures are reasonably expected to:

A. Identify relevant Red Flags and incorporate them into the Program;
B. Detect those Red Flags that have been incorporated into the Program;
C. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
D. Ensure the Program is updated periodically to address changing risks.

Section 5.2 Definitions

Identity Theft: Fraud that is committed using identifying information of another person.

Red Flag: Means a pattern, practice or specific activity that indicates the possible existence of identity theft. It is important that Red Flags be treated as indicators of possible identity theft and not de facto evidence of identity theft.

Section 5.3 Validation Information

The successful implementation of the Identity Theft Prevention Program depends upon the proper training of all employees with access to customers' personal identification information. Personal identification information that thieves attempt to steal includes, but is not limited to:

A. Full Name
B. Phone Number
C. Date of Birth (DOB)
D. Social Security Number
E. Address
F. Photo ID, such as Driver's License or other Government Issued ID, including Passports
G. Tax ID Number (TIN)
H. Credit Card Number
I. Personal Identification Number (PIN)
J. Bank Account Number
K. Utility Account Number

Careful validation of identity in the process of opening an account is an effective tool in deterring identity theft. It is also important to be vigilant whenever executing transactions on existing accounts. To assist in validating Personal Identification Information, LLP will use the services of a Consumer Reporting Agency (CRA), Utility Exchange. Employees should not confront any individual suspected of committing identity theft. It is our duty to report to the police any suspected patterns of identity theft. It is the duty of the police to conduct the investigations.

Section 5.4 Procedures for Opening New Accounts

In Person:

A. Obtain sufficient personal identification information to allow you to form a reasonable belief that the customer is who they claim to be, including:
   a. Full name
   b. Date of Birth (DOB)
   c. Address
   d. Phone Number
   e. Social Security Number (SSN)
   f. United States Government or State Government issued photo ID, such as a State of Michigan issued driver's license, military ID or passport. Note: Driver's licenses or other photo IDs (except for passports) issued by a foreign government are not acceptable.
   g. Copy of a Mortgage or Lease Agreement
   h. Previous Address
B. If you take a SSN, then you must validate that information by contacting the CRA (Credit Reporting Agency) before you accept it as proof. SSNs are a preferred form of identification but are not required unless applying by phone. If the customer prefers not to give their SSN, then they must present acceptable photo ID in person.
C. Obtain personal identification information in writing from the customer, record the information on the Electric Application and immediately place the Electric Application in the safe, cash drawer, or LLP designated file drawer for safe keeping.
D. Check for Red Flags (see attached examples of Red Flags). If a Red Flag is detected, follow the prescribed Next Step in the Red Flag check list. If you are unsure of the next step, consult with your supervisor before processing the request for a new account. Red Flags must be resolved before a new account can be established. If necessary, you should contact the CRA to verify the customer's identity.

E. Avoid taking personal identification information verbally when other customers can overhear the conversation. Have the customer write it down on the application or have the customer present a hard copy of the requested information. Ensure that no other customers or non-qualified employees can see the remittance processing or the P.C. monitor at any time.
F. Ensure that there is no written personal identification information left in view of other customers or non-qualified employees. Any notations on paper, other than the Electric Application, regarding the customer must immediately be shredded. Personal identification information is confidential and should be safeguarded at all times.

By Telephone, FAX or Online:

A. Obtain sufficient personal identification information to allow you to form a reasonable belief that the person is who they claim to be, including but not limited to:
   a. Full Name
   b. Phone Number
   c. Date of Birth (DOB)
   d. Social Security Number (SSN) or Tax ID Number (TIN)
   e. Address
   f. Photo ID, such as United States Government or State Government issued photo ID, such as a State of Michigan issued driver's license, military ID, or passport.
   g. Previous address that matches the CRA data.
   h. The customer needs to come into the office to sign the Electric Application and have the personal identification information verified.
B. Applications for new accounts not made in person must include a SSN/TIN. Before you accept the SSN/TIN as proof of identity you must validate that information by contacting the CRA.
C. Check for Red Flags (see attached Examples of Red Flags). If a Red Flag is detected, follow the prescribed Next Step in the Red Flag check list. If you are unsure of the Next Step, consult with your supervisor before processing the request for a new account. Red Flags must be resolved before a new account can be established. If necessary, you should contact the CRA to verify the customer's identity.
D. FAX machines that receive personal identification information from the customer must be located in a secure area and the transmission must be collected several times an hour. The documents must be safeguarded in a secure place until they can be properly destroyed pursuant to the LLP Records Retention Schedule and Disposal Schedule (Section 6-Accounting).

Section 5.5 Procedures for Existing Accounts

A. Watch for Red Flags whenever executing transactions on customer accounts.
B. Do not share account information with anyone other than the account holder without the account holder's permission, and never provide a caller or non-LLP employee with any personal identification information.
C. A change of mailing address requires the same level of authentication as opening a new account. Customers must provide personal identification to establish a billing address different than the customer's service/account address.
D. Safeguard all credit card information at all times. These documents should be stored in a secure location until they can be properly destroyed consistent with the Records Retention and Disposal Schedule. Note: LLP shall comply with Payment Card Industry (PCI) Data Security Standards.
E. You must authenticate the customer's identification before transacting business with them by telephone. They must give you personal identification information.

Section 5.6 General Security Guidelines

A. All employees with access to customers' personal identification information are required to complete the Identity Theft Prevention Program training and complete an annual update.
B. Safeguard our customers' personal identification information like it was your own.
C. Whenever a work station area is left unattended, all personal identification information should be secured out of sight.
D. Secure your work station area. Log off your computer whenever leaving your work station area.
E. Follow proper user ID and password protocol whenever leaving your work station area.
F. Do not leave a customer's personal identification information on your computer screen or paper documents longer than necessary to execute transactions.
G. Avoid including anyone's SSN in any emails or written communications. If a SSN is included in an electronic or paper document, that document becomes confidential and must be handled accordingly.
H. Trash containers located in the lobby area near the customer counter where customers write down personal identification information should be secured at all times. The contents should be treated as confidential and shredded.

I. Suspicious behavior in the lobby/customer area should be reported to a supervisor:
   a. Eavesdropping on other customers transacting business at the customer counter.
   b. Searching through the trash container in the lobby.
J. All documents containing personal identification information must be stored in a secure location until they can be properly destroyed. The destruction of such material shall be documented.
K. Computer printouts containing personal identification information must be safeguarded at all times. There must be an unbroken chain of custody for the documents from the time they are created until they are properly filed in a safe place or destroyed.
L. LLP shall comply with Payment Card Industry (PCI) Data Security Standards.
M. LLP Information Technology Resource Center (Daffron and Associates) shall adhere to appropriate industry standards for security protocol when protecting our customers' personal identification information (see attached, Appendix A-Other Security Procedures).
N. LLP employees' personal identification information shall be held to the same security standards as our customers' information.
O. All new hires that will have access to personal identification information will be screened and receive the appropriate Identity Theft Prevention Program Training.

Section 5.7 Administrative Procedures

A. Develop and implement reasonable policies and procedures for an Identity Theft Prevention Program that complies with federal guidelines implementing the FACT Act.
B. Ensure all supervisors and employees receive the necessary training to effectively implement the Program.
C. Receive reports of Red Flags that require mitigation.
D. Conduct periodic risk assessments of the Program.
E. Periodically review and update the Program procedures.
F. Ensure continued compliance with the FACT Act.
G. Prepare annual reports for the Privacy Officer to present to the General Manager and the Board.

Section 5.8 Red Flags Identification

Examples of Red Flags

Lowell Light & Power identifies the following Red Flags to detect potential fraud. These are not intended to be all-inclusive, and other suspicious activity may be investigated as necessary.

Notifications and Warnings from Credit Reporting Agencies

- Report of fraud accompanying a credit report;
- Notice or report from a credit agency of a credit freeze on a customer or applicant;
- Identification document or card that appears to be forged, altered or not authentic;
- Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
- Other document with information that is not consistent with existing customer information (such as if a person's signature on a check appears forged);
- Application for service that appears to have been altered or forged.

Suspicious Personal Identifying Information

- Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
- Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
- Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
- Social security number presented that is the same as one given by another customer;
- A person fails to provide complete personal identifying information on an application when reminded to do so;
- A person's identifying information is not consistent with the information that is on file for the customer.

Suspicious Account Activity or Unusual Use of Account

- Payments stop on an otherwise consistently up-to-date account;
- Account used in a way that is not consistent with prior use (example: very high activity);
- Mail sent to the account holder is repeatedly returned as undeliverable;
- Notice to the Utility that a customer is not receiving mail sent by the Utility;
- Notice to the Utility that an account has unauthorized activity;
- Breach in the Utility's computer system security;
- Unauthorized access to or use of customer account information.

Alerts from Others

- Notice to the Utility from a customer, identity theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.

Next Step, New Account:

- Request additional ID or refuse to open an account.
- Do not open an account and/or ask the applicant to return with better ID (note this on the application).
- Request a verifiable address when bills are requested to be mailed somewhere other than to the service address.

Next Step, Existing Account:

- Close account; discontinue service.
- Visit or send mailing to the new occupant informing them of the need to open a new account.
- Demand payment from the proper party using service.
- Notify the customer of record of an unusual usage pattern on an alternate residence or other suspicious activity.
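Several of the Red Flags above and the Section 5.4 requirements can be checked mechanically by a billing system before a clerk decides on the Next Step. The following is an added example written for this page, not code from Lowell Light & Power or its billing vendor: it encodes a subset of the indicators (duplicate SSN, DOB or address disagreeing with the CRA record, invalid phone number, billing address differing from service address, missing SSN/TIN on a remote application, returned mail, and payments stopping on a previously current account) as checks over constructed sample records. The record fields, thresholds, phone-number rule and sample data are all assumptions made for the example.

```python
"""Red Flag screening over constructed customer records (added example).

Not code from the LLP procedures: field names, thresholds and sample data
are assumptions chosen to illustrate the Section 5.4 / 5.8 checks.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Stable flag texts so a supervisor report (or a test) can name a specific flag.
INCOMPLETE = "personal identifying information on the application is incomplete"
SSN_REQUIRED = "SSN/TIN required when the application is not made in person"
NO_PHOTO_ID = "no SSN given and no acceptable photo ID presented in person"
SSN_DUPLICATE = "SSN is the same as one on file for another customer"
DOB_MISMATCH = "date of birth does not match the CRA record"
ADDRESS_MISMATCH = "address does not match the address on the CRA record"
PHONE_INVALID = "phone number is invalid"
BILLING_DIFFERS = "billing address differs from service address; verifiable address required"
MAIL_RETURNED = "mail repeatedly returned as undeliverable"
PAYMENTS_STOPPED = "payments stopped on an otherwise up-to-date account"


@dataclass
class Application:                     # what the clerk records on the Electric Application
    full_name: str
    dob: str                           # YYYY-MM-DD as given by the applicant
    ssn: Optional[str]                 # None when the applicant declined to give one
    phone: Optional[str]
    service_address: str
    billing_address: str
    in_person: bool
    photo_id_presented: bool
    cra_dob: Optional[str] = None      # DOB returned by the CRA lookup, if performed
    cra_address: Optional[str] = None  # address returned by the CRA lookup


@dataclass
class Account:                         # existing account as seen by the billing system
    account_no: str
    ssn: Optional[str]
    consecutive_returned_mail: int
    months_since_last_payment: int
    previously_current: bool


def _normalize_address(addr: str) -> str:
    """Lower-case and strip punctuation so '100 Main St.' equals '100 MAIN ST'."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def _phone_looks_valid(phone: str) -> bool:
    """Assumed rule: ten digits, not starting with 0 or 1, not all the same digit."""
    digits = re.sub(r"\D", "", phone)
    return len(digits) == 10 and digits[0] not in "01" and len(set(digits)) > 1


def screen_new_application(app: Application, existing: List[Account]) -> List[str]:
    """Return the Red Flags raised by a new-account application (empty list = none)."""
    flags = []
    if not all([app.full_name, app.dob, app.phone, app.service_address]):
        flags.append(INCOMPLETE)
    if not app.in_person and not app.ssn:          # 5.4 By Telephone/FAX/Online, B
        flags.append(SSN_REQUIRED)
    if app.in_person and not app.ssn and not app.photo_id_presented:   # 5.4 In Person, B
        flags.append(NO_PHOTO_ID)
    if app.ssn and any(a.ssn == app.ssn for a in existing):
        flags.append(SSN_DUPLICATE)
    if app.cra_dob and app.cra_dob != app.dob:
        flags.append(DOB_MISMATCH)
    if app.cra_address and _normalize_address(app.cra_address) != _normalize_address(app.service_address):
        flags.append(ADDRESS_MISMATCH)
    if app.phone and not _phone_looks_valid(app.phone):
        flags.append(PHONE_INVALID)
    if _normalize_address(app.billing_address) != _normalize_address(app.service_address):
        flags.append(BILLING_DIFFERS)
    return flags


def screen_existing_account(acct: Account, returned_limit: int = 2, missed_months: int = 2) -> List[str]:
    """Return the Red Flags raised by activity on an existing account (thresholds assumed)."""
    flags = []
    if acct.consecutive_returned_mail >= returned_limit:
        flags.append(MAIL_RETURNED)
    if acct.previously_current and acct.months_since_last_payment >= missed_months:
        flags.append(PAYMENTS_STOPPED)
    return flags


def next_step_new_account(flags: List[str]) -> str:
    """Section 5.8 Next Step: Red Flags must be resolved before an account is opened."""
    if not flags:
        return "open account"
    return "do not open account; request additional ID and note on application"


# Constructed sample data (not real customers).
EXISTING = [Account("100234", "123-45-6789", 0, 0, True), Account("100235", None, 3, 4, True)]
CLEAN = Application("Jane Q. Sample", "1980-04-12", "987-65-4321", "616-555-0134",
                    "100 Main St, Lowell, MI", "100 Main St., Lowell, MI", True, True,
                    cra_dob="1980-04-12", cra_address="100 MAIN ST LOWELL MI")
SUSPECT = Application("John Doe", "1975-01-01", "123-45-6789", "000-000-0000",
                      "22 Elm St, Lowell, MI", "PO Box 9, Elsewhere, OH", False, False,
                      cra_dob="1975-02-01")

if __name__ == "__main__":
    for label, app in (("clean", CLEAN), ("suspect", SUSPECT)):
        found = screen_new_application(app, EXISTING)
        print(f"{label}: {found} -> {next_step_new_account(found)}")
    for acct in EXISTING:
        print(acct.account_no, screen_existing_account(acct))
```

The checks only raise indicators; as Section 5.2 says, a flag is not evidence of identity theft, so the output is meant to route the application to the CRA check or a supervisor, not to decide guilt.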

Section 5.9 Appendix A Other Security Procedures

The following are not part of or required by the Federal Trade Commission's Identity Theft Red Flags Rule. The following is a list of other security procedures used to protect consumer information and to prevent unauthorized access.

1. Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets.
2. Only specially identified employees with a legitimate need will have keys to the room and cabinet.
3. Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
4. Employees are not to leave sensitive papers out on their desks when they are away from their workstations.
5. Employees should store files when leaving their work areas.
6. Employees log off their computers when leaving their work areas.

7. Employees lock file cabinets when leaving their work areas.
8. Access to offsite storage facilities is limited to employees with a legitimate business need.
9. Any sensitive information shipped using outside carriers or contractors will be encrypted.
10. Any sensitive information shipped will be shipped using a shipping service that allows tracking of the delivery of this information.
11. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility.
12. No visitor will be given any entry codes or allowed unescorted access to the office.
13. Computer passwords will be required.
14. Access to sensitive information will be controlled using strong passwords. Employees will choose passwords with a mix of letters, numbers, and characters.
15. User names and passwords will be different.
16. Passwords will be changed at least monthly.
17. Passwords will not be shared or posted near workstations.
18. Password-activated screen savers will be used to lock employee computers after a period of inactivity.
19. When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
20. Sensitive information that is sent to third parties over public networks will be encrypted.
21. Sensitive information that is stored on the computer network or on portable storage devices used by your employees will be encrypted.
22. Email transmissions within your business will be encrypted if they contain personally identifying information.

23. Anti-virus and anti-spyware policies will be run on individual computers and on servers daily.
24. When sensitive data is received or transmitted, secure connections will be used.
25. The use of laptops is restricted to those employees who need them to perform their jobs.
26. Laptops are stored in a secure place. If a laptop must be left in a vehicle, it is locked in the trunk.
27. Laptop users will not store sensitive information on their laptops.
28. Laptops which contain sensitive data will be encrypted.
29. Employees must never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage.
30. The computer network will have a firewall where your network connects to the Internet.
31. Any wireless network in use is secured.
32. Maintain central log files of security-related information to monitor activity on your network.
33. Monitor incoming and outgoing traffic for signs of a data breach.
34. Implement a breach response plan; see item number 41.
35. Check references or do background checks before hiring employees who will have access to sensitive data.
36. New employees sign an agreement to follow your company's confidentiality and security standards for handling sensitive data.
37. Access to customers' personal identifying information is limited to employees with a need to know.
38. Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information.
39. Implement a regular schedule of employee training.

40. Employees will be alert to attempts at phone phishing.
41. Employees are required to notify the general manager immediately if there is a potential security breach, such as a lost or stolen laptop.
42. Service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of our data.
43. Paper records will be shredded before being placed into the trash.
44. Paper shredders will be available in the office, and at the home of any employee doing work at home.
45. Any data storage media will be disposed of by shredding, punching holes in, or by incinerating.
46. Employees who violate security policy are subject to discipline, up to and including discharge.