INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such establishes this Identity Theft Prevention Program to detect the warning signs or red-flags of identity theft in the County s day to day operations. PROGRAM Section 1 PURPOSE To establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program in compliance with the Fair and Accurate Credit Transactions Act (FACTA) of 2003, Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Section 2 DEFINITIONS A. Covered account is defined as a continuing relationship between a person and a creditor in which the creditor maintains or offers the account for the purchase of goods or services that involves or is designed to permit multiple payments or transactions. B. Credit means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment. C. Creditor means the County who regularly offers payment plans or allows customers to pay in installments where it extends, renews, or continues credit. D. Customer means a person that has a covered account with the County E. Identity theft means fraud committed or attempted using the identifying information of another person without authority. F. Red flag means a pattern, practice or specific activity that indicated the possible existence of identity theft. SECTION 3 PROGRAM ADMINISTRATION A. Osceola County Comptroller s Office shall be responsible for the development, implementation, oversight and continued administration of the Program. B. The Program shall train staff, as necessary to effectively implement the Program; and C. The Program shall exercise appropriate and effective oversight of service provider arrangements. 1
SECTION 4 APPLICABILITY This program shall be applicable to all customer accounts that are subject to the Red Flags Rule issued by the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the Office of the Comptroller of the Currency and the Office of Thrift Supervision. These accounts shall include any consumer account that the County defers payments for goods or services that allows multiple payments or transaction. Such accounts may include without limitation medical billing accounts. SECTION 5 IDENTIFYING RED FLAGS The following have been identified as Red Flags: A. Alerts, Notifications or Warnings from a Consumer Reporting Agency- Changes in a credit report or consumer credit activity that may signal identity theft. 1. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy. 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. B. Suspicious Documents- Red Flags involving documents. 1. Documents provided for identification appear to have been altered or forged. 2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. 3. Information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification. 4. Information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 2
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled. C. Suspicious Personal Identifying Information- Red Flags involving identifying information. 1. Personal identifying information provided is inconsistent when compared against external information sources used by the County. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration s Death Master File. 2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth. 3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application. 4. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or a prison; or b. The phone number is invalid, or is associated with a pager or answering service. 5. The SSN provided is the same as that submitted by other persons opening an account or other customers. 6. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers. 7. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete. 8. Personal identifying information provided is not consistent with personal identifying information that is on file with the County. 3
9. For accounts that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. D. Unusual Use of, or Suspicious Activity Related to, the Covered Account- These are Red Flags associated with account activity 1. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material change in telephone cell patterns in connection with a cellular phone account. 2. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). 3. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer s covered account. 4. The County is notified that the customer is not receiving paper account statements. 5. The County is notified of unauthorized charges or transactions in connection with a customer s covered account. E. Notice from other Sources, Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor. The County is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. SECTION 6 IDENTITY RESPONSE TO ATTEMPTED/SUSPECTED FRAUDULENT USE OF A. Internal Notification. Any County employee who becomes aware of a suspected or actual fraudulent use of a customer or potential customers identity must notify their department director or his/her designee. B. External Notification. Affected Individual The department director or his/her designee will notify the affected individual(s), if possible, of any actual identity theft. The following information will be included in the notice: C. General information about the incident; 1. The type of identifying information involved; 2. The telephone number that the person can call for further information and assistance. 3. Contact information for the Osceola County Sheriff Department. 4
4. Federal Trade Commission: (877)-438-4338 or www.consumer.gov/idtheft 5. Credit Reporting Agencies: Place fraud alerts on your credit reports by contacting credit bureaus. 6. Equifax: (800) 525-6285 or http://www.equifax.com 7. Experian (800) 397-3742 or http://www.experian.com 8. TransUnion (800) 916-8800 or http://www.transunion.com D. Method of Contact: 1. Written notice, certified mail. 2. By telephone, provided the contact is made directly with the affected person and appropriately documented. E. Local Law Enforcement Notification The department director or his/her designee will notify the Osceola County Sheriff Office of any attempted or actual identity theft. SECTION 7 PERIODIC UPDATES TO THE PROGRAM The County Manager s designee will review the program at least annually, or after each and every attempt at identity theft. Any proposed changes will be presented to the Board of County Commissioners for approval. Section 8 REPORTING The County Manager s designee will report to the County Manager prior to May 31st of each year except no report is required the year that this program is adopted, on compliance with the Red Flags Rule. The report will include any material matters and issues regarding this program, such as: Initial implementation of the program; Employee training; Effectiveness of policies and procedures in addressing risk in how accounts are opened and maintained; Service provider (third party) arrangements; Significant incidents involving identity theft and management response; Recommendations for changes. Section 9 CUSTOMER PERSONAL IDENTIFICATION INFORMATION 5
A. Information Collected - Identifying information is defined as any name or number that may be used, alone or in conjunction with any other information, to identify a specific person. The following identifying information may be collected by the County. Name Physical and/or mailing address(es) Social Security Number Date of Birth Official State/government issued driver s license or identification number, Alien registration number Government passport number Employer or taxpayer identification number B. Personal identifying information is collected by: Presentation by customer at the office; Presentation at incident/facility locations; Telephone; Internet; and Mail. Any other methods of collection are not acceptable. SECTION 10 PHYSICAL SECURITY OF PERSONAL IDENTIFYING INFORMATION IS PROTECTED A. Papers, Documents & Files. All paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing personal identifiable information will be stored in a locked file cabinet. 1. File cabinets containing personally identifiable information will be stored in locked room. 2. The Division Director of his/her designee will control keys to the file cabinet and room, make any copies of the keys, and distribute those keys only to employees with a legitimate need. 3. Files containing personal identifiable information are kept in locked file cabinets except when an employee is working on the file. 4. Employees will not to leave sensitive papers out on their desks when they are away from their workstations. 6
5. At the end of the day, employees put files away, log off their computers, and lock their file cabinets and office doors at the end of the day. 6. Access to offsite storage facilities is limited to employees with a legitimate business need. Access keys/codes will only be given to those employees. All employees who enter these facilities will document their visit. 7. Any sensitive information shipped using outside carriers or contractors will be encrypted and an inventory of the information being shipped will be kept. It will be shipped using an overnight shipping service that will allow tracking of the delivery of this information. B. Building Access 1. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the county. 2. No visitor will be given any entry codes or allowed unescorted access in areas where sensitive files are kept. Section 11 SECURITY OF ELECTRONIC RECORDS A. General Network Security 1. Sensitive consumer data will not be stored on any computer with an internet connection unless it s essential for conducting your business. 2. Sensitive information that is sent to third parties over public networks will be encrypted. 3. Sensitive information that is stored on the County s computer network or on disks or portable storage devices used by a County employee will be encrypted. 4. Email transmissions within the County will be encrypted if they contain personally identifying information. 5. Anti-virus and anti-spy ware programs will be run on individual computers and on servers on your network daily. 6. When credit card information or other sensitive financial data is received or transmitted, use Secure Sockets Layer (SSL) or another secure connection that protects the information in transit. B. Password Management 1. Access to sensitive information will be controlled using strong passwords. Employees will choose passwords with a mix of letters, numbers and characters. User name and passwords will be different. Passwords will be changed at least every 90 days. 2. Passwords will not be shared or posted near workstation. 3. Password-activated screen savers will be used to lock employee computers after a period of inactivity. 7
4. When installing new software, immediately change vendor-supplied default passwords to a more secure strong password. C. Laptop Security 1. The use of laptops is restricted to those employees who need them to perform their jobs. 2. Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a wiping program that overwrites data on the laptop. 3. Laptops are to be stored in secure place. 4. Laptop users will only have access to sensitive information, but not to store the information on their laptops. 5. Laptops which contain sensitive data will be encrypted and configured so that users cannot download any software or change the security settings without approval from the Information Technology Department. 6. All laptops will be configured with an auto-destroy function so that data on a computer that is reported stolen will be destroyed when the thief uses it to try to get on the internet. 7. Employees are never to leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. 8. If a laptop must be left in a vehicle, it should be locked in a trunk D. Firewalls. The computer network will have a border firewall where your network connects to the internet with the fire wall settings being reviewed periodically. E. Wireless and Remote Access. Any wireless network in use shall be secured. F. Detecting Breaches. The Information Technology Department will: 1. use an intrusion detection system to detect network breaches when they occur; 2. maintain central log files of security-related information to monitor activity on County s network; 3. monitor incoming traffic for signs that someone is trying to hack in; 4. monitor outgoing traffic for signs of a data breach; and 5. implement a breach response plan. Section 12 EMPLOYEE TRAINING A. Copies of this program shall be made available to those who handle applicable accounts. B. The County shall have a procedure in place to check references or do a background check before hiring employees who will have access to sensitive data. 8
C. Access to customer s personal identify information is limited to employees with a need to know. D. The County shall have a procedure in place for making sure that workers who leave the County s employ or transfer to another department within the County will no longer have access to sensitive information. E. Employees will be alert to attempts at phone phishing. F. Employees are required to notify the department director or his/her designee immediately if there is a potential security breach, such as a lost or stolen laptop. G. Employees who violate security policy are subject to discipline, up to, and including termination. SECTION 13 DISPOSAL OF SENSITIVE INFORMATION A. Paper Records. Paper records that contain sensitive information will be shredded before being placed into the trash. B. Computers and Portable Storage Devices. When disposing of old computers and portable storage devices, use a Department of Defense-compliant disc wiping utility program. C. Any compact disc (CD or DVD) will be disposed of by shredding, punching holes in, or incineration. History 06/07/10, Res #10-075R,created un-numbered Chapter; 9