EXHIBIT A

THE SANTA NELLA COUNTY WATER DISTRICT IDENTITY THEFT PREVENTION PROGRAM

I. Purpose. This document was created in order to ensure the Santa Nella County Water District’s (SNCWD) compliance with regulations (“Red Flag Rules”) issued by the Federal Trade Commission (FTC) as part of the implementation of the Fair and Accurate Credit Transaction Act of 2003 (FACTA). FACTA requires financial institutions and creditors to implement written programs that provide for identification, detection, and response to patterns, practices or specific activities that could indicate identity theft (“Red Flags”). The SNCWD must comply with the Red Flag Rules because it is considered a creditor. The SNCWD is considered a creditor because it receives payments for water and sewer service provided to its residential and commercial customers after the service is rendered.

The FTC regulations require that the program must:

  1. Identify relevant Red Flags and incorporate them into the program.
  2. Identify ways to detect Red Flags.
  3. Describe appropriate responses to Red Flags.
  4. Detail a plan for program updates.
  5. Include a process for administration and oversight of the program.

This program shall, as appropriate, incorporate existing SNCWD policies and procedures that control reasonably foreseeable risks related to the protection of customer information.

II. Definitions.

A.  Covered Account means an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. Covered Accounts include utility accounts.

B.  Credit means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer their payment or to purchase services on a deferred payment basis.

C.  Creditor means a person or entity that regularly extends, renews, or continues credit including utility service providers.

D.  Identifying Information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, Social Security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol (IP) address, or routing code.

E.  Identity Theft means fraud committed or attempted using the Identifying Information of another person without authority.

F.  Red Flag means a pattern, practice or specific activity that indicates the possible existence of Identity Theft.

III. Program.

A. Relevant Red Flags

Red Flags are warning signs or activities that alert a creditor to potential Identity Theft. The guidelines published by the FTC include 26 examples of Red Flags which fall into the five categories below:

  1. alerts, notifications, or other warnings received from customer reporting agencies or service providers;
  2. suspicious documents;
  3. suspicious personal identifying information;
  4. unusual use of, or other suspicious activity related to, a covered account; and
  5. notice(s) from customers, victims of Identity Theft, or law enforcement authorities about possible Identity Theft in connection with Covered Accounts.

After reviewing the FTC guidelines and examples, the SNCWD determined that the following Red Flags are applicable to the Covered Accounts administered by the SNCWD. These Red Flags, and the appropriate responses, are the focus of this program.

·  A consumer credit reporting agency reports the following in response to a credit check request:

o  Fraud or active duty alert.

o  Credit freeze.

o  The Social Security Number (SSN) is invalid or belongs to a deceased person.

o  The age or gender on the credit report is clearly inconsistent with information provided by the customer.

·  Suspicious Documents and Activities:

o  Documents provided for identification appear to have been altered or forged.

o  The photograph on the identification is not consistent with the physical appearance of the customer.

o  Other information on the identification is not consistent with information provided by the customer.

o  A customer does not provide required identification documents when attempting to establish a utility account or make a payment.

o  A customer’s responses to specific questions are not consistent with account or other information on record.

o  A customer refuses to provide proof of identity when discussing an established utility account.

o  A person other than the account holder or co-applicant requests information or asks to make changes to an established utility account.

o  A title company or financial institution provides information that is not consistent with the information on the utility account.

o  An employee requests access to the SNCWD’s Customer Information System (CIS) or otherwise requests information about a utility account when no valid business purpose has been established.

·  A customer notifies the SNCWD of any of the following activities:

o  Utility statements are not being received.

o  Unauthorized changes were made to a utility account.

o  Unauthorized charges were made on a utility account.

o  Fraudulent activity on the customer’s bank account or credit card that is used to pay utility charges.

·  The SNCWD is notified by a customer, a victim of Identity Theft, or a member of law enforcement that a utility account has been opened for a person engaged in Identity Theft.

B. Detecting and Responding to Red Flags

Red Flags will be detected as customer service representatives (CSRs) interact with customers or persons authorized by the customer to act on their behalf. A CSR will be alerted to these Red Flags during the following processes:

  1. Establishing a new utility account: When establishing a new account, a customer is asked to provide information regarding a pending or completed escrow or Identifying Information necessary to open a new account. The customer refuses to provide this information.

Response: Do not establish the utility account unless the information can be obtained from another source (seller, realtor, property manager, etc.) and is reviewed by the General Manager to confirm its accuracy. Even if such information is confirmed, the General Manager will have the discretion, after assessing all applicable facts and this Program, to refuse to establish a new utility account for any customer who refused to provide requested information necessary to establish a new account. If deemed appropriate, the General Manager may take any of the actions listed below in paragraph 5.

  2. Reviewing a written customer authorization in order to establish an account or process a payment: A CSR may be presented with documents that appear altered or inconsistent with the Identifying Information provided by the customer.

Response: Do not establish the utility account or accept payment until the customer’s identity has been confirmed. If the customer cannot satisfactorily establish his or her identity, the CSR should report to the General Manager, who shall consider whether it is appropriate in the circumstances to take any of the actions listed below in paragraph 5.

  3. Answering customer inquiries on the telephone, via email, and at the counter: Someone other than the account holder or co-applicant may ask for Identifying Information on a utility account or may ask to make changes to the Identifying Information on an account. A customer may also refuse to verify their identity when asking about an account.

Response: Inform the customer that the account holder or other designated person or business must give permission for them to receive information about the utility account. Do not make changes to Identifying Information or provide any information about the account.

  4. Requests from SNCWD employees for information in the Customer Information System (CIS) that is not for a valid business purpose.

Response: All requests for direct access to the CIS system must be approved by the General Manager. The information technology (IT) specialists or consultant should reject requests that have not received appropriate approval. All other requests for information from the CIS system should be reviewed to ensure that customer confidentiality and privacy are maintained. Requests for Identifying Information will be denied. Any employee found to be misusing customer Identifying Information will be disciplined in accordance with the SNCWD employee manual, Section BB.

  5. Receiving notification that there is unauthorized activity associated with a utility account: Customers may call to alert the SNCWD about fraudulent activity related to their utility account and/or the bank account or credit card used to make payments on the account.

Response: Verify the customer’s identity, and notify the General Manager immediately. Take the appropriate actions to correct the errors on the account, which may include:

a.  Issuing a service order to connect or disconnect services.

b.  Updating Identifying Information on the utility account.

c.  Updating the mailing address on the utility account.

d.  Updating account notes to document the fraudulent activity.

e.  Adding a password to the account.

f.  Assisting the customer with correcting and updating inaccurate or incomplete information kept by credit reporting agencies and other third parties.

g.  Notifying and working with law enforcement officials.

h.  Filing a Suspicious Activity Report in accordance with 31 USC section 5318(g) and applicable regulations.

i.  Not collecting or sending to collection any delinquent charges that are known to have resulted from identity theft.

  6. Receiving notification that a utilities account has been established for a person engaged in Identity Theft.

Response: These issues should be escalated to the General Manager immediately. The claim will be investigated and appropriate action will be taken to resolve the issue as quickly as possible, including taking the actions described above in paragraph 5.

C. Additional procedures that help to protect against Identity Theft include:

  1. The level of CIS system access is based on the role of the user. Only certain job classifications will be approved for access to the entire system, particularly those portions that contain Identifying Information.
  2. Paper receipts generated over the counter during cash or check processing for one-time payments shall not contain any sensitive Identifying Information such as Social Security numbers, date of birth, government issued driver’s license or identification numbers, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s IP address, or routing code. Paper receipts will only include the customer name, service address and account number. Paper receipts will be kept as long as required by law in accordance with audit regulations.
  3. SNCWD employee records are kept in locked file cabinets accessible to the General Manager. The General Manager is given full access to SNCWD records, and limited access is given to the Administrative Clerk responsible for payables for employee benefit enrollment and payroll information.
  4. Release of any SNCWD employee records requires written authorization from the employee, which release must be processed by the General Manager.
  5. Applications received during a recruitment process are kept in locked file cabinets for a period of three years and accessible to the General Manager.
  6. The SNCWD strictly checks pre-employment references, and may perform background checks, of all CSRs and has monitoring systems in place to prevent unauthorized access to and theft of Identifying Information.

IV. Administration and Oversight of the Program

The General Manager is required to prepare an annual report which addresses the effectiveness of the program, documents any significant incidents involving Identity Theft and related responses, provides updates related to external service providers, and includes recommendations for material changes to the program. The annual report will be presented to and reviewed by the SNCWD’s Board of Directors at its next Regular Board Meeting after the date the annual report is finalized by the General Manager.

The program will be reviewed at least annually and updated as needed on the following events:

·  Experience with Identity Theft.

·  Changes to the types of accounts and/or programs offered.

·  Implementation of new systems and/or new vendor contracts.

·  Updates to or replacement of systems used to encrypt protected Identifying Information.

The General Manager shall train all CSRs in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. Training will occur during customer service staff meetings on at least a bi-annual basis. In addition, the General Manager will provide a copy of this program to all newly hired CSRs and provide appropriate introductory training in this program.

SNCWD Red Flag Rules

5/09