Petals & Stems Identity Theft Prevention Program
Policy and Procedures
Petals & Stems strictly complies with all federal and state laws and reporting requirements regarding identity theft, including the federal Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This policy outlines Petals & Stems Identity Theft Prevention Program(“Program”), which is mandated by the Red Flags Rule and governs how Petals & Stems will (1) identify, (2) detect and (3) respond to “red flags.” A “red flag” is defined as a pattern, practice, or specific activity that indicates possible identity theft. The Program must be approved by Petals & Stems and its Board of Directors as of August 1, 2009, and the Program must be reviewed and updated at least once a year in order to ensure that the Program keeps current with identity theft risks. In doing so, Petals & Stems and its Board of Directors will consider Petals & Stems experiences with identity theft situations and similar experiences for other entities in the floral industry, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in Petals & Stems arrangements with other entities.
It is Petals & Stems policy that Brad Weinstein is assigned the responsibility of overseeing, developing, implementing, and administering the Program. Petals & Stems is committed to ensuring that this individual, designated as Petals & Stems privacy official, be provided with sufficient resources and authority to fulfill these duties. Petals & Stems requires that its business associates be contractually bound to protect sensitive client information to the same degree as set forth in this policy. Business associates of Petals & Stems who violate their agreement will be dealt with first by an attempt to address the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate. Petals & Stems employees must be trained on the policies and procedures governing compliance with the Red Flags Rule, and new employees are required to receive training on these matters within a reasonable amount of time after they have been hired. Should any policy or procedure related to the Red Flags Rule materially change, Petals & Stems shall provide further training within a reasonable amount of time after the policy or procedure materially changes. All training sessions are to be documented, indicating participants, date and subject matter.
may encounter inconsistent or suspicious documents, information, or activity that suggests the possibility of identity theft. The following are identified as potential red flags:
- Notice from a customer, a victim of identity theft, a law enforcement agency, or someone else that an account has been opened or used fraudulently.
- A dispute of a bill by a customer who claims to be the victim of any type of identity theft.
- Suspicious documents, such as paperwork that appears altered or forged, and information on the identification that is inconsistent with other information, like a signature card or recent check.
- Suspicious personal identifying information, such as inconsistencies with what is already known and inconsistencies in the information the customer has already provided.
- Suspicious account activity, such as an account that is used in a way inconsistent with established patterns, an account that has been inactive for a long time that is suddenly used again, and information that the customer is not receiving their account statements in the mail.
II. Detect Red Flags.
Employees of Petals & Stems will be alert for discrepancies in documents and customer information that suggest risk of identity theft or fraud. Employees will verify customer identity and address before services are provided and billed. Specifically, the procedures for detecting red flags are as follows:
- When somebody notifies Petals & Stems that an account has been opened or used fraudulently, employees are required to report such notifications to their immediate supervisor or the designated privacy official. If reported to a supervisor, that supervisor should relay the information to the privacy official.
- When verifying the identity of a customer who is opening a new account, employees are required to get a name, address and identification number and,for in-person verification, to check a current government-issued identification card, such as a driver’s license or passport.
- Regarding existing accounts, employees are expected to verify the identification of customers if they request information, and verify the validity of change-ofaddress requests and changes in banking information given for billing purposes.
- In general, staff should be alert for the possibility of identity theft in
the following situations:
- The photo identification submitted by the customer does not resemble the customer.
- Identifying information submitted by the customer appears to be altered or forged.
- Information on one form of identification the customer has submitted is inconsistent with information on another form of identification or with information already in the records kept by Petals & Stems
- An address or telephone number is discovered to be incorrect, non-existent, or fictitious.
- The customer fails to provide identifying information or documents.
- The customer’s signature does not match a signature in the customer’s records.
- [If programs are already being used to mitigate identity theft, such tools should also be listed here.]
III. Respond to Red Flags.
If any employee of Petals & Stems detects fraudulent activity or if a customer claims to be a victim of identity theft, Petals & Stems will respond to and investigate the situation.
If potentially fraudulent activity (a red flag) is detected by an employee:
- The employee should gather all documentation and report the incident to his or her immediate supervisor or the designated privacy official. If reported to a supervisor, that supervisor should relay the information to the privacy official.
- The privacy official will determine whether the activity is fraudulent or authentic.
- If the activity is determined to be fraudulent, then Petals & Stems should take immediate action, which may include:
- Canceling the transaction
- Closing an existing account;
- Reopening an account with a new account number
- Not opening a new account
- Not trying to collect on an account or not selling an account to a debt collector
- Notifying appropriate law enforcement
- Notifying the affected customer and Changing any passwords or other security devices that permit access to accounts.
If a customer claims to be a victim of identity theft:
- The customer should be encouraged to file a police report for identity theft if the customer has not done so already.
- The customer should be encouraged to complete the ID Theft Affidavit developed by the Federal Trade Commission, along with supporting documentation.
- Petals & Stems will compare the customer’s documentation with personal information in the customer’s records.
- If following investigation, it appears that the customer has been a victim of identity theft, Petals & Stems will promptly consider what further remedial act/notifications may be needed under the circumstances.
- If following investigation, it does not appear that the customer has been a victim of identity theft, Petals & Stems will take whatever action it deems appropriate.