Legal Information
Scenic Rivers Energy Cooperative is the recipient of Federal financial assistance from the U.S. Department of Agriculture (USDA).
In accordance with Federal civil rights law and U.S. Department of Agriculture (USDA) civil rights regulations and policies, the USDA, its Agencies, offices, and employees, and institutions participating in or administering USDA programs are prohibited from discriminating based on race, color, national origin, religion, sex, gender identity (including gender expression), sexual orientation, disability, age, marital status, family/parental status, income derived from a public assistance program, political beliefs, or reprisal or retaliation for prior civil rights activity, in any program or activity conducted or funded by USDA (not all bases apply to all programs).
Remedies and complaint filing deadlines vary by program or incident.
Persons with disabilities who require alternative means of communication for program information (e.g., Braille, large print, audiotape, American Sign Language, etc.) should contact the responsible Agency or USDA's TARGET Center at (202) 720-2600 (voice and TTY) or contact USDA through the Federal Relay Service at (800) 877-8339. Additionally, program information may be made available in languages other than English.
To file a program discrimination complaint, complete the USDA Program Discrimination Complaint Form, AD-3027, found online at How to File a Program Discrimination Complaint and at any USDA office or write a letter addressed to USDA and provide in the letter all of the information requested in the form. To request a copy of the complaint form, call (866) 632-9992. Submit your completed form or letter to USDA by:
(1) mail:
U.S. Department of Agriculture
Office of the Assistant Secretary for Civil Rights
1400 Independence Avenue, SW
Washington, D.C. 20250-9410;
(2) fax: (202) 690-7442; or
(3) email: program.intake@usda.gov
Scenic Rivers Energy Cooperative is an equal opportunity provider and employer.
SCENIC RIVERS ENERGY COOPERATIVE
BOARD POLICY NO. 30-29
IDENTITY THEFT DETECTION AND PREVENTION
1. PURPOSE
This Policy is being implemented pursuant to regulations promulgated by the Federal Trade Commission in 16 C.F.R. § 681.2 et seq., for the purpose of detecting, preventing and mitigating the theft of Cooperative customers’ personally identifiable information by: (1) limiting the collection of, and access to, personally identifiable information of its customers; (2) verifying the use of personally identifiable information in connection with customers’ accounts; and (3) implementing a protocol for reporting, investigating and resolving “Red Flags” that the Cooperative has determined are indicators of the risk of potential identity theft.
2. DEFINITIONS
“Authorized Personnel” means the following staff persons:
Customer File Documents – Director of Office Services, Member Record Clerk, Accounting Clerk, Clerk, Secretary, Billing Clerk, Operations Representative, Member Communication Representative.
Computer Database – Director of Office Services, Member Record Clerk, Accounting Clerk, Clerk, Secretary, Billing Clerk.
System Administrator – Director of Office Services, Energy Service Supervisor.
“Covered Account” means the electric service account of a Cooperative member.
“Identity Theft” means a fraud committed or attempted using a name or number which may be used alone or in conjunction with any other information to identify a specific Customer, such as name, date of birth, government-issued number, or unique electronic identification number, address or routing code of another person, without authority.
“Customer” means a member of the Cooperative.
“Personally Identifiable Information” means a name, address, or unique number or other information identifying a specific Customer, including but not limited to security code, access code, or password, social security number, alien registration number, government passport number, taxpayer identification number, driver’s license or state identification number, credit or debit account number, bank account and routing numbers, and health insurance account numbers.
“Red Flag” means a pattern, practice, or specific activity listed in Section V herein which the Cooperative has reasonably determined to indicate the possible existence of identity theft.
“Routine Billing Information” means and is limited to the following, alone or in combination: a Customer’s name, service address, billing address, service account number or loan number, and account balance.
3. SCOPE AND APPLICABILITY
The Cooperative has conducted an assessment of the risk of identity theft in three categories of account-related activity: (1) the risk that an applicant may, without authority, use the identity of a third person to open a covered account to obtain services from the Cooperative; (2) the risk that a Customer may use the Personally Identifiable Information of another person to pay for Cooperative services; and (3) the risk that a customer’s Personally Identifiable Information in the possession of the Cooperative may be obtained for an unauthorized or fraudulent purpose.
The Red Flags identified in this Policy are based on an evaluation of the risk potential in all three categories. However, the Cooperative finds that the risk of identity theft in category (1) is substantially mitigated by the fact that electric service requires a fixed location that is generally provided over a span of months or years, and utility customers’ identities are tied to their service address. The Cooperative’s existing policies and procedures for verification of customer identification on new accounts are therefore deemed sufficient to protect against this risk.
This Policy is not intended to constitute or substitute for the Cooperative’s broader privacy and confidentiality policies and procedures, although those policies and procedures are consistent with identity theft prevention practices.
4. IDENTITY THEFT PREVENTION
A. New Account Verification.
Customers shall provide a social security number, driver’s license and previous address in connection with an application for new service. Customer identification shall be verified through Online Utilities Exchange. A copy of the Service Agreement for Online Utilities Exchange, including information security protocols, is incorporated herein by reference.
B. Protection of Customer File Documents.
1. All documents containing Personally Identifiable Information other than Routine Billing Information, including membership applications, authorizations for automatic clearinghouse (“ACH”)/electronic funds transfer (“EFT”) from a bank account or credit/debit card account shall be filed as soon as practicable in a locked location, accessible solely by Authorized Personnel.
2. Telephone notes, Customer correspondence including emails, and notices of one-time bill payments containing Personally Identifiable Information other than Routine Billing Information shall be shredded and permanently deleted from the email program immediately after data entry or other approved use.
3. Personal checks held for deposit shall be maintained in a locked location with access solely by Authorized Personnel.
4. Customer credit reports reviewed in connection with new or existing accounts shall not be retained, copied, saved, or imaged, and shall be shredded immediately after approved use.
C. Computer Database Security. The Cooperative shall take commercially reasonable precautions to prevent unauthorized access or fraudulent use of Personally Identifiable Information in its computer database, including the following:
1. Access to scanned or imaged computer files containing a Customer’s social security number, driver’s license or state identification number shall be limited to Authorized Personnel.
2. The Cooperative’s billing software shall segregate and/or encrypt Customer financial data, including bank account, routing number, and credit card number, such that access to financial data is limited to Authorized Personnel.
3. Remote/virtual computer access to unencrypted Personally Identifiable Information contained in computer data storage media, other than Routine Billing Information, shall be limited to Authorized Personnel.
4. Customer access to account information via the Cooperative’s webpage and to electronic payment services shall require a unique password that is encrypted in the Cooperative’s software.
5. Authorized Personnel shall take reasonable steps to monitor for malicious activities that target the Cooperative or its Customers, including data breaches, firewall vulnerabilities, phishing, viruses, spyware and malware.
D. Point of Sale Payments. Any point of sale “swipe card” system implemented by the Cooperative shall support Payment Card Industry Data Security Standard (PCI-DSS) compliance.
E. Related Policies. The following administrative policies are incorporated herein by reference:
Policy 30-23 Control of Computer Software
Policy 30-25 Member access to cooperative records
5. IDENTITY THEFT DETECTION (“RED FLAGS”)
Circumstances designated as Red Flags under this policy are not conclusive evidence that an incident of identity theft has occurred or will occur. However, notification or discovery of a Red Flag triggers a duty on the part of all Cooperative employees under Section VI.
A. Discrepancy in Identifying Information. Upon attempted verification, Customer name does not correspond with government-issued identification number or does not substantially match address provided. Applicant or Customer’s Personally Identifiable Information is not consistent with readily accessible information on file with the Cooperative.
B. Suspicious Personally Identifiable Information. The Personally Identifiable Information is same or similar to that of another Customer or is the same or similar to that used in previous attempts of identity theft. The social security number has not been issued, is listed on the Social Security Administration’s Death Master File, or lacks a correlation between the social security number range and applicant or Customer’s purported date of birth.
C. Forgery. Identification provided by Applicant or Customer has appearance of forgery. Application appears to have been forged or destroyed and reassembled.
D. Discrepancy in Payment for Utility Service. Information indicating that the Customer has or is attempting to make a payment on their account using the bank account or credit/debit card of another without authority.
E. Consumer Credit Agency Notices. Receipt of fraud or active duty alert included in a consumer report, notice of credit freeze, or receipt of notice of material address discrepancy.
F. Breach of Computer Data Security. Notice and information by employee or service provider of a database security incident resulting in unauthorized access or the potential for unauthorized access to one or more Customers’ Personally Identifiable Information.
G. Notification of Identity Theft from Affected Consumer. Verbal or written notice from a Customer that the subject has been or is at risk of identity theft as a consequence of the unauthorized acquisition of Personally Identifiable Information.
6. IDENTITY THEFT MITIGATION
A. Mandatory Red Flag Response. Upon notification or discovery of circumstances constituting a Red Flag or other incident that the employee reasonably believes to indicate the possible existence of identity theft, a Cooperative employee shall notify the Director of Office Services in writing, including the date, contact person(s) and all relevant details. The Director of Office Services shall, in conjunction with the CEO, determine the appropriate step(s) to undertake investigation, follow-up and mitigation under subparagraph C.
B. Notification Required by Wis. Stat. § 895.507. If the Cooperative knows that a Customer’s social security number, driver’s license or state identification number, or financial account number, including a credit or debit card account number, or any security code, access code or password that would permit access to a financial account has been acquired by a person or entity that was not authorized by the Cooperative to acquire said information, the Cooperative shall make reasonable efforts to notify the Customer as soon as practicable. Notwithstanding the foregoing, the Cooperative is not required to provide notice where the information (a) does not create a material risk of identity theft or fraud to the Customer; or (b) was acquired in good faith by an employee or agent of the Cooperative for a lawful purpose.
C. Investigation and Resolution. Upon notification or discovery of an occurrence constituting a Red Flag, one or a combination of the following steps shall be considered. Selection of the appropriate response or series of responses will depend on the circumstances, including the Cooperative’s knowledge and experience with a particular Customer’s personal situation, the source of information concerning the existence of Red Flags, and subsequent information obtained through investigation in order to verify or authenticate Personally Identifiable Information or to verify that such information is used with authority.
1. Personal contact with the Customer and/or third party for additional authentication or written authorization to use a third party’s Personally Identifiable Information in connection with an account. For example, a Customer may provide a credit card number for payment on the account that belongs to a relative not residing at the service address.
2. Notation on a Customer’s file of a verified authorization to use third-party financial information, for example, where a third party has authorized the use of Personally Identifiable Information such as a credit or debit card account number for payments on the Customer’s account.
3. Require a Customer to present government-issued photo identification in person to authenticate identity.
4. Monitor a Customer’s account and/or credit report on a monthly basis for notifications, alerts, delinquencies, or suspicious patterns of activity such as multiple changes of address within a short time frame.
5. Change passwords and other security codes that permit access to Customer account information in the computer database and/or implement updated TLS/SSL encryption protocols.
6. Place a stop payment on any outstanding capital credit refund or utility deposit refund check.
7. Notify consumer credit agencies of verified incidents of attempted identity theft.
8. Make a report to local law enforcement authorities upon discovery of identity theft that was committed with information accessed from the Cooperative.
9. Determine that no response is warranted under the circumstances.
D. Recordkeeping Requirements. A written report of the Red Flag incident and its resolution shall be prepared by the Director of Office Services. The Director of Office Services shall maintain reports of each instance of notification or detection of a Red Flag, and shall propose policy amendment to identify new Red Flags and/or additional prevention and mitigation procedures, if appropriate, based on a specific Red Flag incident.
7. POLICY REVIEW; AMENDMENT
This policy shall be reviewed annually by the CEO who shall take all of the following steps:
A. Review of Cooperative records and information concerning any incidents of identity theft or attempted identity theft experienced by the Cooperative or other electric distribution cooperatives of which it is aware, including an analysis of the mechanism of the theft and any proposal under Section VI.D. for incorporating new Red Flags and/or additional prevention and mitigation measures into the Policy.
B. Review of newly evident or potential computer-based security risks and recommended database security enhancement by information technology staff, consultants, or third-party providers.
C. Review of any updated guidance from the Federal Trade Commission and other consumer protection agencies, including but not limited to the State of Wisconsin Department of Agriculture, Trade and Consumer Protection, concerning strategies for detecting and preventing identity theft.
D. Incorporation of revisions to this Policy consistent with above information and guidelines, if any.
DATE ADOPTED: 10/21/2008
DATE REVISED:
DATE REVIEWED:
Privacy and Information Security Agreement
I, _______________________________________, working as an employee of Scenic Rivers Energy Cooperative, understand that my employer and I must comply with a number of state and federal laws that regulate identity theft as well as the privacy and security of sensitive information. This information includes, but is not limited to, my employer’s former, current and prospective customers and employees.
Applicable laws and regulations include, but are not limited to the:
Fair and Accurate Credit Transactions Act’s (FACT Act)
Disposal Rule
Red Flag Rule
Health Insurance Portability and Accountability Act (HIPAA)
Driver’s Privacy Protection Act
the Identity Theft Assumption and Deterrence Act, the Identity Theft Penalty Enhancement Act, common law and other applicable identity theft, privacy and information security laws, including the Payment Card Industry Data Security Standard (PCI-DSS).
I understand that I must maintain the confidentiality and security of ALL documents and records containing either personally identifiable information (PII), personal health information (PHI) or business identifiable information (BII) of any type and that such information may be used only for the intended business purpose. I acknowledge that any sensitive information I see or hear about at work is confidential.
Any improper use of this sensitive information by me is strictly prohibited.
Should I misuse or compromise this sensitive information, I understand I will be held accountable, which may include, but is not limited to, civil and criminal penalties, prosecution, and civil liability for damages claimed by the victims as a result of my actions.
I agree to follow the policies and procedures that my employer has in place with respect to safeguarding sensitive information and complying with applicable laws and regulations. I acknowledge I have received awareness education on how to prevent identity theft and privacy breaches. I have reviewed and I understand my employer’s Identity Theft Detection and Prevention Policy (30-29) and this Agreement.
__________________________________ __________________________
Employee Date
__________________________________
Witness