08 ONLINE UTILITY EXCH AGREEMENT 09-01-09

Agenda Item 8

AGENDA REPORT

Reviewed: City Manager, Finance Director

MEETING DATE: SEPTEMBER 1, 2009
TO: WILLIAM A. HUSTON, CITY MANAGER
FROM: PAMELA ARENDS-KING, FINANCE DIRECTOR
SUBJECT: ONLINE UTILITY EXCHANGE SUBSCRIBER SERVICE AGREEMENT TO MEET THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT REQUIREMENTS

SUMMARY: The City adopted an Identity Theft Prevention Program in May 2009, as required by the Federal Trade Commission, to meet the requirements of the Fair and Accurate Credit Transactions Act (FACT) of 2003. The Online Utility Exchange subscriber service agreement provides consumer credit information to aid in the implementation of the City's Identity Theft Prevention Program.

RECOMMENDATION: It is recommended that the City Council approve the Online Utility Exchange subscriber service agreement.

FISCAL IMPACT: Currently 100 to 150 new residential customer applications are processed monthly and 10 to 15 business applications are processed monthly. Estimated monthly cost for the Online Utility Exchange subscriber service is $600. Staff will be bringing application fees for new residential customers of $7 and $20 for businesses. If those fees are approved, the net cost for the service to the Water Enterprise Fund will be nominal.

BACKGROUND: The Federal Trade Commission (FTC) established the "Red Flag Rules", which are federal regulations enacted as part of the Fair and Accurate Credit Transactions Act of 2003. The City adopted an Identity Theft Prevention Program that identified relevant red flags and identified ways to detect red flags. Subscribing to the service provided by Online Utility Exchange will give staff access to a centralized database containing credit and consumer data information pertaining to the payment history of utility bills.
The service will also provide information involving the supply of consumer and business information coming from credit information, credit scoring services, fraud detection and criminal records provided by credit reporting repositories, national criminal record databases and local county systems. This service will also aid staff in determining the creditworthiness of a new water customer and determining the amount of deposit required when opening a new account. Due to confidential information provided by the service, only the Finance Director and two other employees designated by the Finance Director will have access to the information.

Respectfully submitted,

Pamela Arends-King
Finance Director

Attachments: Online Utility Exchange Subscriber Service Agreement

SUBSCRIBER SERVICE AGREEMENT

This Subscriber Service Agreement ("Agreement") is entered into by ONLINE Information Services, Inc., (hereafter referred to as "ONLINE"), a North Carolina corporation, dba the ONLINE Utility Exchange, and City of Tustin, (hereafter referred to as "Subscriber"), a California municipal corporation, as of AUGUST , 2009. ONLINE and Subscriber agree as follows:

1. Services. Through the ONLINE Utility Exchange, ONLINE maintains a centralized database containing credit and consumer data information pertaining to the payment history of utility bills and other services that ONLINE may, from time to time, make available to Subscriber. ONLINE will furnish consumer information from this database to Subscriber. ONLINE will also furnish services to Subscriber involving the supply of consumer and business information. The source of this information may be credit information, consumer information, credit scoring services, fraud detection, and criminal records provided by national credit reporting repositories, national criminal record databases, and/or local county systems.
The ONLINE Utility Exchange provides access to Subscriber to Experian Credit Information Service's database. Any mention of rights or obligations to ONLINE within this agreement shall also apply to Experian, Equifax, and Trans Union. ("Services").

2. Charges to Subscriber. Subscriber agrees to pay ONLINE for all charges for each Subscriber inquiry (including "no record found") submitted to ONLINE as outlined in SCHEDULE A "ONLINE Charges to Subscriber." ONLINE reserves the right to change these charges upon sixty (60) days notice to Subscriber. Subscriber will be solely responsible for all federal, state and local taxes levied or assessed in connection with ONLINE's performance of the Services, other than income taxes assessed with respect to ONLINE's taxable net income, for which income taxes ONLINE will be solely responsible.

3. Payment. All billing is processed monthly and is payable within 15 days following the invoice date. All invoices will be delivered via electronic mail to the address designated in the billing address section on the signature page on this Agreement. A service charge of 2% of the unpaid balance will be charged on all accounts not paid by the 1ST day of the month following the invoice date. Services will be immediately terminated when account reaches 60 days past due. Services will not be reinstated until the full outstanding balance is paid in full. If account goes unpaid for 90 days the account will be referred to collections and/or legal proceedings initiated. Subscriber agrees to pay ONLINE's cost, including reasonable attorney fees, to recover any unpaid balance owed by Subscriber.

4. Subscriber Use.

A. Subscriber hereby certifies and warrants that it will request and use credit information received from ONLINE solely in connection with credit transactions involving the consumer as to whom such information is sought, or for other "permissible purposes" as defined by the Fair Credit Reporting Act, 15 U.S.C. Section 1681 et seq.
("FCRA") and to effect the collection of unpaid debts.

B. All such information shall be maintained by Subscriber in strict confidence and disclosed only to employees whose duties reasonably relate to the legitimate business purposes for which the information is requested. Subscriber will not disclose, sell or otherwise distribute to third parties any information received hereunder, except as otherwise required by law; provided, however, that if Subscriber has purchased a consumer report from ONLINE in connection with a consumer's application for credit, and the consumer makes a timely request of Subscriber, Subscriber may share the contents of that report with the consumer as long as it does so without charge.

C. Subscriber shall request consumer reports from ONLINE by electronic means. Each request will contain sufficient identifying information concerning the consumer about whom the consumer report is requested to enable ONLINE to deliver the consumer report.

D. ONLINE reserves the right to modify the standard inquiry format to be used by Subscriber and Subscriber agrees to abide by such modifications.

E. Subscriber hereby certifies that it will properly dispose of any customer information obtained from the use of the services to include the destruction or erasure of electronic media, the burning, pulverizing, or shredding of papers containing the customer information so that the information cannot practicably be read or reconstructed.

Revised: 08/11/2008

F. Subscriber agrees to comply with all applicable provisions of the California Credit Reporting Agencies Act. Subscriber certifies that it [ ] IS or [X] IS NOT a "Retail Seller", as defined in Section 1802.3 of the California Civil Code, doing business in California and issues credit to consumers who appear in person that it will instruct its employees and agents to inspect a photo identification of the consumer at the time the application is submitted in person.
This paragraph does not apply to an application for credit submitted by mail.

G. Subscriber certifies that when requesting credit information on Vermont residents that it will comply with applicable provisions under Vermont law. In particular, Subscriber certifies that it will order information services related to Vermont residents that are defined as credit reports by the Vermont Fair Credit Reporting Act ("VFCRA"), only after Subscriber has received prior consumer consent in accordance with VFCRA Section 2480c and applicable Vermont Rules.

H. Subscriber further agrees that it will be solely responsible to ensure and require that each of its users meets and complies with applicable federal, state and local laws, rules, and regulations relating to its use of the Services and to the provision to ONLINE of Subscriber's Records. Relevant laws include but are not limited to:

i. Establishing reasonable procedures to insure that its employees will not request Data Services relating to themselves, their families, friends, or request consumer information on other persons other than as permitted by the FCRA, ONLINE, and this Agreement.

Where adverse action is taken against a consumer that is based in whole or in part on the information contained in a consumer report provided by ONLINE, consistent with the responsibilities under the Fair Credit Reporting Act, Subscriber shall notify the Consumer to direct consumer inquiries to the CRA that provided the report and contained on the adverse action notice for such report.

5. FCRA Requirements

A. Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects Subscriber as a user of information. ONLINE has included a copy of the FCRA with Subscriber's membership kit and it is posted at http://www.ftc.gov/os/statutes/fcradoc.pdf. ONLINE suggests that Subscriber and Subscriber's employees become familiar with the following sections in particular:

§ 604.
Permissible Purposes of Reports
§ 607. Compliance Procedures
§ 615. Requirement on users of consumer reports
§ 616. Civil liability for willful noncompliance
§ 617. Civil liability for negligent noncompliance
§ 619. Obtaining information under false pretenses
§ 621. Administrative Enforcement
§ 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
§ 628. Disposal of Records

B. Each of these sections is of direct consequence to users who obtain reports on consumers.

C. As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as in investment, partnership, etc. It is imperative that Subscriber identifies each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact Subscriber's usage of reports for employment purposes.

D. ONLINE strongly endorses the letter and spirit of the Federal Fair Credit Reporting Act. ONLINE believes that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce.

E. In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of consumer reports, ONLINE expects that Subscriber will comply with all relevant federal statutes and the statutes and regulations of the states in which Subscriber operates. The FCRA provides that any people who knowingly and willfully obtain information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18 of the United States Code, or imprisoned not more than two years, or both.

F.
ONLINE supports consumer reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information.

6. ONLINE Use.

A. ONLINE acknowledges its qualification as a specialty consumer reporting agency according to the Fair Credit Reporting Act: § 603 Definitions; rules of construction [15 U.S.C. § 1681a]: "(f) The term "consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports."

B. As a consumer reporting agency, ONLINE may only use Subscriber's Records for purposes consistent with applicable federal, state, and local laws, rules, and regulations in the identification of credit risk and/or past due collections.

C. ONLINE shall not sell or furnish to any third party a list of consumers' names and addresses identified as a customer list of Subscriber, nor will ONLINE extract directly from or otherwise identify on any third party's list a list of Subscriber's customers identified as a customer list of Subscriber. In no event shall ONLINE distribute a list of Subscriber's current or previous customers outside of the uses defined in this agreement.

D. Subscriber agrees that ONLINE may use Subscriber's Records to effect collection of past-due accounts listed with ONLINE Collections.

E. ONLINE shall use commercially reasonable efforts to promptly and accurately process and incorporate into its database any maintenance or consumer dispute verifications furnished to it by Subscriber, in accordance with the requirements of the FCRA or other applicable state or federal law.
In the event that ONLINE deems any maintenance or verification response of Subscriber to be incomplete, internally inconsistent, or otherwise inaccurate, ONLINE, in its sole discretion, may revise the item of information to conform with information supplied by the consumer, reject the maintenance or verification response and delete the information from its database, or make any other revisions that it deems necessary or appropriate.

7. Conditions. Subscriber recognizes that ONLINE's services require the open sharing of information between utility subscribers.

A. Subscriber agrees to furnish to ONLINE information from its records about its customers with whom it has established accounts at such time as Subscriber has the capability to do so. Such information will be furnished and updated no less frequently than at monthly intervals, unless otherwise agreed in writing. Subscriber hereby certifies that all information furnished to ONLINE shall be complete and accurate. Subscriber agrees to make a current list of all utility subscribers, including the service address, telephone number, place of employment and employment telephone number, as well as a list of the payment experiences of Subscriber with current and previous customers. This listing of payment experiences may include customers who have unpaid utility bills more than 30 days old and prompt paying customers. Subscriber agrees that each account will be accompanied by the Social Security Number of the guarantor of the bill and, in the case of married parties or joint responsibility by more than one guarantor, the Social Security Number of each party who is responsible for payment of the bill.

B. Subscriber agrees to notify ONLINE within 30 days of receipt of payment on any account which is part of ONLINE's Negative Data.

C. Subscriber shall respond to any consumer disputes initiated by consumer within five (5) working days from receipt of dispute.
Subscriber shall re-verify disputed information through either voice communication, electronic mail, or through other means as mutually agreed in writing. Subscriber certifies that all information supplied by it on any automated or manual basis in response to a consumer dispute verification request sent to it by ONLINE shall be complete and accurate. If in response to a consumer dispute verification request received from ONLINE, Subscriber desires to change any information relating to an account it has previously reported, Subscriber shall update the account information on both the verification response and in its own internal records to conform with such change. Subsequent customer record updates provided by Subscriber shall reflect such change.

D. In the event that Subscriber fails to contribute customer payment experience data to the ONLINE Utility Exchange within 180 days of the effective date of this agreement, ONLINE shall consider the Subscriber to be a Non-Data Contributing Subscriber. In the event that Subscriber becomes a Non-Data Contributing Subscriber, there shall be no additional charge imposed by ONLINE upon Subscriber.

8. Access to Employment Screening Reports. Subscriber may elect to receive Credit, DMV and other consumer Information for the purpose of evaluating a potential or current employee's background. Information received by Subscriber may include data from Equifax, Experian, Trans Union, or other third party data sources. If Subscriber elects to receive Employment Reports Subscriber acknowledges the following:

A. A clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of the disclosure, that a consumer report (to include credit) may be obtained for employment purposes.

B. The consumer has authorized in writing the procurement of the Employment Report by the subscriber.

C.
To include on their application for employment a signed authorization and release section giving permission for the Subscriber to pull an Employment Report to investigate the applicant.

D. To keep documentation on the applicant (Signed Employment Application, Copy of Employment Report) on file in their office for 2 years.

E. Subscriber agrees that Employment Reports will be the only credit reporting products pulled to screen employment applicants.

F. Subscriber acknowledges that before taking any adverse action based in whole or in part on the Employment Report (if an offer is not extended to applicant based on information contained within the Employment Report), a copy of the report which contains the applicant's rights under the Fair Credit Reporting Act must be given to the applicant.

G. The information from ONLINE's Employment Reports will not be used in violation of any applicable federal or state equal employment opportunity law or other regulation.

Subscriber hereby acknowledges receipt of the Summary of Consumer Rights.

9. Term. This Agreement shall continue in force without any fixed date of termination. ONLINE or Subscriber may terminate this Agreement upon ten (10) days prior written notice to the other party.

10. Warranties.

A. ONLINE warrants to Subscriber that ONLINE will use commercially reasonable efforts to deliver the Services promptly and accurately. Subscriber acknowledges that the Services involve information provided to ONLINE by fallible human sources and that for the fee charged for the Services, ONLINE cannot and will not be an insurer or guarantor of the accuracy or reliability of the Services, data contained in its database, or data provided with the Services.
THE WARRANTY IN THE FIRST SENTENCE OF THIS PARAGRAPH IS THE ONLY WARRANTY ONLINE HAS GIVEN SUBSCRIBER WITH RESPECT TO THE SERVICES AND SUCH WARRANTY IS IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, ONLINE MIGHT HAVE GIVEN SUBSCRIBER WITH RESPECT THERETO, INCLUDING, FOR EXAMPLE AND WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

B. Credit Scoring. ONLINE's Credit Scoring Vendors warrant that these Credit Scoring Models are empirically derived and demonstrably and statistically sound and that to the extent the population to which the Credit Scoring Model is applied is similar to the population sample on which the Credit Scoring Model was developed, the Credit Scoring Model score may be relied upon by Subscriber to rank consumers in the order of the risk of unsatisfactory payment such consumers might present to Subscriber. ONLINE's Credit Scoring Vendors further warrant that so long as they provide the Credit Scoring Model, they will comply with regulations promulgated from time to time pursuant to the Equal Credit Opportunity Act, 15 USC Section 1691 et seq. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES ONLINE'S CREDIT SCORING VENDORS HAVE GIVEN SUBSCRIBER WITH RESPECT TO THEIR CREDIT SCORING MODEL AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, ONLINE'S CREDIT SCORING VENDORS MIGHT HAVE GIVEN SUBSCRIBER WITH RESPECT THERETO, INCLUDING, FOR EXAMPLE, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Subscriber's rights under the foregoing Warranty are expressly conditioned upon Subscriber's periodic revalidation of the Credit Scoring Model in compliance with the requirements of Regulation B as it may be amended from time to time (12 CFR Section 202 et seq.).

11. Limitation of Liability.
Subscriber acknowledges that ONLINE maintains a database, updated on a periodic basis, from which Subscriber solicits information, and that ONLINE does not undertake a separate investigation for each inquiry or request for Services made by Subscriber. Subscriber also acknowledges that ONLINE provides Subscriber access to Experian's national credit reporting repository and various products and services available to Subscriber from Experian through ONLINE. ONLINE may also provide Subscriber with access to Equifax and Trans Union's national credit reporting repositories. With regard to limitation of liability, any mention of ONLINE shall also apply to Experian, Equifax, and Trans Union. Subscriber also acknowledges that the prices ONLINE charges Subscriber for the Services are based upon ONLINE's expectation that the risk of any loss or injury that may be incurred by use of the Services will be borne by Subscriber and not ONLINE. Subscriber therefore agrees that it is responsible for determining that the Services are in accordance with ONLINE's obligations under this Agreement. If Subscriber reasonably determines that the Services do not meet ONLINE's obligations under this Agreement, Subscriber shall so notify ONLINE in writing within ten (10) days after receipt of the Services in question. Subscriber's failure to so notify ONLINE shall mean that Subscriber accepts the Services as is, and ONLINE shall have no liability whatsoever for the Services. Unless ONLINE disputes Subscriber's claim, ONLINE shall, at its option, either re-perform the Services in question or issue Subscriber a credit for the amount Subscriber paid for the nonconforming Services. This re-performance or credit constitutes Subscriber's sole remedy and ONLINE's maximum liability for any breach of this Agreement by ONLINE.
If, notwithstanding the above, liability is imposed on ONLINE, then Subscriber agrees that ONLINE's total liability for any or all of Subscriber's losses or injuries from ONLINE's acts or omissions under this Agreement, regardless of the nature of the legal or equitable right claimed to have been violated, shall not exceed the amount paid by Subscriber to ONLINE under this Agreement during the six month period preceding the alleged breach by ONLINE of this Agreement. Subscriber covenants that it will not sue ONLINE for any amount greater than permitted by this Agreement. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, UNDER NO CIRCUMSTANCES WILL EITHER PARTY HAVE ANY OBLIGATION OR LIABILITY TO THE OTHER HEREUNDER FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL OR SPECIAL DAMAGES INCURRED BY THE OTHER PARTY (INCLUDING DAMAGES FOR LOST BUSINESS, LOST PROFITS OR DAMAGES TO BUSINESS REPUTATION), REGARDLESS OF HOW SUCH DAMAGES ARISE AND REGARDLESS OF WHETHER OR NOT A PARTY WAS ADVISED SUCH DAMAGES MIGHT ARISE.

12. Indemnification. Subscriber shall indemnify, defend and hold ONLINE and ONLINE Utility Exchange harmless from and against any and all claims and expenses which may be asserted against or incurred by ONLINE or ONLINE Utility Exchange, based upon the use by Subscriber of the Services or other information furnished by ONLINE for purposes not permitted by law. Subscriber shall be liable for its own acts of negligence, and Subscriber shall hold ONLINE harmless and indemnify ONLINE for any loss, cost, expense or liability incurred by ONLINE as a result of Subscriber's negligence in the furnishing of data to ONLINE, Subscriber's failure to perform any of its obligations described in this Agreement, or Subscriber's failure to comply with the FCRA.
ONLINE shall hold Subscriber harmless and indemnify Subscriber for any loss, cost, expense or liability incurred by Subscriber as a result of ONLINE's negligence in the furnishing of data to Subscriber, ONLINE's failure to perform any of its obligations described in this agreement, or ONLINE's failure to comply with the FCRA.

13. Intellectual Property. Subscriber acknowledges that ONLINE has expended substantial time, effort and funds to create and deliver the Services and compile its consumer credit reporting database. The Services and the data in ONLINE's consumer credit reporting database are and will continue to be ONLINE's exclusive property. Nothing contained in this Agreement shall be deemed to convey to Subscriber or to any other party any right, title or interest, including any patent, copyright or other proprietary right, in or to the Services or data in ONLINE's consumer credit reporting database. Subscriber will not use or permit its employees, agents and subcontractors to use, the trademarks, service marks, logos, names, or any other of ONLINE's or its affiliates' proprietary designations, whether registered or unregistered, without ONLINE's prior written consent.

14. Access Security Requirements: Subscriber agrees that ONLINE and Subscriber must work together to protect the privacy and information of consumers. The following information security measures are designed to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. Capitalized terms used herein have the meaning given in the Glossary attached as Exhibit A. ONLINE reserves the right to make changes to Access Security Requirements without notification. The information provided herewith provides minimum baselines for information security.
In accessing ONLINE's services, you agree to follow these security requirements:

A. Implement Strong Access Control Measures

i. Do not provide your credit reporting agency Subscriber Codes or passwords to anyone. No one from the credit reporting agency will ever contact you and request your Subscriber Code number or password.
ii. Proprietary or third party system access software must have credit reporting agency Subscriber Codes and password(s) hidden or embedded. Account numbers and passwords should be known only by supervisory personnel.
iii. You must request your Subscriber Code password be changed immediately when:
  • any system access software is replaced by system access software or is no longer used;
  • the hardware on which the software resides is upgraded, changed or disposed of.
iv. Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s).
v. Create a separate, unique user ID for each user to enable individual authentication and accountability for access to the credit reporting agency's infrastructure. Each user of the system access software must also have a unique logon password.
vi. Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users' profiles.
vii. Keep user passwords Confidential.
viii. Develop strong passwords that are:
  • Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)
  • Contain a minimum of seven (7) alpha/numeric characters for standard user accounts
ix. Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations.
x. Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
xi. Restrict the number of key personnel who have access to credit information.
xii.
Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
xiii. Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
xiv. Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
xv. After normal business hours, turn off and lock all devices or systems used to obtain credit information.
xvi. Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information.

B. Maintain a Vulnerability Management Program

i. Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
ii. Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
iii. Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
  • Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.
  • If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
  • On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.
iv. Implement and follow current best security practices for computer anti-Spyware scanning services and procedures:
  • Use, implement and maintain a current, commercially available computer anti-Spyware scanning product on all computers, systems and networks.
  • If you suspect actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated.
  • Run a secondary anti-Spyware scan upon completion of the first scan to ensure all Spyware has been removed from your computers.
  • Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files weekly, at a minimum. If your company's computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly.

C. Protect Data

i. Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.)
ii. All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum.
iii. Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
iv.
Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum. v. Only open email attachments and links from trusted sources and after verifying legitimacy. D. Maintain an Information Security Policy i. Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule. ii. Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. iii. The FACTA Disposal Rules requires that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information. iv. Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization. E. Build and Maintain a Secure Network i. Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices. ii. Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used. iii. Administrative access to Firewalls and servers must be performed through a secure internal wired connection only. iv. Any stand alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic. v. Encrypt Wireless access points with a minimum of WEP 128 bit encryption, WPA encryption where available. vi. 
Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point. F. Regularly Monitor and Test Networks i. Perform regular tests on information systems (port scanning, virus scanning, vulnerability scanning). ii. Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by: • protecting against intrusions; • securing the computer systems and network devices; • and protecting against intrusions of operating systems or software. Revised: 08/11/2008 G. Record Retention: The Federal Equal Opportunities Act states that a creditor must preserve all written or recorded information connected with an application for 60 months. In keeping with the ECOA, the credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 60 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. "Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA maybe liable for a civil penalty of not more than $2, 500 per violation. " 15. Confidentiality. All information, access granted, and services delivered and conveyed by ONLINE Information Services, Inc. 
and/or its representatives, whether furnished before or after the date hereof, and regardless of the manner in which it was furnished, is referred to in this agreement as CONFIDENTIAL information, whether or not marked "CONFIDENTIAL" and whether disclosed orally or in writing via any medium, including electronic. 16. Waiver. Either party may at any time waive compliance by the other with any covenant or condition contained in this Agreement, but only by written instrument signed by the party waiving such compliance. No such waiver, however, shall be deemed to constitute the waiver of any such covenant or condition in any other circumstance or the waiver of any other covenant or condition. 17. Successors and Assigns. This Agreement will be binding upon and will inure to the benefit of the parties hereto and their respective heirs, representatives, successors and permitted assignees. This Agreement may not be assigned, transferred, shared or divided in whole or in part by Subscriber without ONLINE's prior written consent, such consent shall not be unreasonably withheld. 18. Audit Rights. Subscriber understands that ONLINE and each of the national credit repositories requires the right to audit usage by Subscriber for compliance of requirements of the Federal Fair Credit Reporting Act. Subscriber herein agrees to cooperate fully with any compliance audit by a national credit repository and to provide ONLINE any required documentation or other information necessary for such an audit in a timely and reasonable manner. 19. Excusable Delays. 
Neither party shall be liable for any delay or failure in its performance under this Agreement (other than for payment obligations hereunder) if and to the extent that such delay or failure is caused by events beyond the reasonable control of the party including, without limitation, acts of God or public enemies, labor disputes, equipment malfunctions, computer downtime, software defects, material or component shortages, supplier failures, embargoes, rationing, acts of local, state or national governments or public agencies, utility or communication failures or delays, fire, earthquakes, flood, epidemics, riots and strikes. 20. Dispute Resolution. With the exception of any action taken under paragraphs 1 and 4 or any alleged violation of paragraph 9, 10 & 12 of this Agreement, the parties will resolve any dispute arising out of or relating to this Agreement in a binding arbitration conducted under the auspices of the American Arbitration Association. Disputes arising out of or resulting from actions taken under paragraphs 1- 4, or 9, 10, & 12 may be resolved informally by the parties through the courts. 21. Bureau Surcharges. Subscriber acknowledges that Credit Repositories may impose additional surcharges for access to files that are affiliate owned or that reside in certain States or Counties. Examples of these charges include Equifax Affiliate owned files, California Privacy Act Surcharges, and Alaska and Colorado State surcharges. In the event that a file is accessed which has such a surcharge, ONLINE reserves the right to pass that Surcharge along to the Subscriber. 22. Severability. This Agreement shall be deemed to be severable and, if any provision is determined to be void or unenforceable, then that provision will be deemed severed and the remainder of the Agreement will remain in effect. 23. Site Inspection. Subscriber agrees to an inspection of its premises by an independent Third Party Inspection Agency. 
The national credit repository required inspection is to be completed, in a timely manner, before any services will be set up with our company.

24. Continuance of Business. In the event that Subscriber's business is sold or relocates to a different location, it is the Subscriber's obligation to notify ONLINE, in writing, of these changes, within 72 business hours of the effective date of the transaction or the relocation.

25. Governing Law. The laws of the State of California shall govern this agreement. Any action hereunder shall be brought only in the State of California, in the County of Orange. If any provision is found void, invalid, or unenforceable, it will not affect the validity of the balance of this agreement, which shall remain valid. All rights not specifically granted in this agreement are reserved by ONLINE Information Services, Inc.

26. Contract in Entirety; Law. This Agreement sets forth the entire understanding and agreement between ONLINE and Subscriber concerning the Services, and supersedes any prior or contemporaneous oral or written agreements or representations. It may be modified only by a written amendment executed by both parties. This Agreement shall be interpreted in accordance with the laws of the State of California.

27. Effective Date. This Agreement shall be effective on the date first set forth above. (Effective Date).

IN WITNESS WHEREOF, the parties' authorized representatives have executed this Agreement on the date indicated below. Subscriber hereby certifies to have read and understand the "FCRA Requirements" notice and "Access Security Requirements" and will take all reasonable measures to enforce them within Subscriber's facility. Subscriber certifies that a permissible purpose exists to use all Services accessed from ONLINE in accordance with the Fair Credit Reporting Act and the applicable service agreement. Subscriber also certifies that information obtained from ONLINE will be used for the purpose(s) listed below and no other. Subscriber will not resell the report to any third party.

PERMISSIBLE PURPOSE/APPROPRIATE USE: Describe the specific purpose (A clear definition) for which ONLINE Services and consumer data will be used. (An answer like "Checking Credit" is not a permissible purpose.):
To validate consumer's identity in compliance with Fair Credit Reporting Act (FCRA) 15 U.S.C. § 1681 et seq.

Subscriber: City of Tustin
Signature:
Print Name: Pamela Arends-King
Title: Finance Director
Email: PArends-King@tustinca.org
Date:
Federal Tax ID: 95-6000804
Address of Principal Business Office: 300 Centennial Way, Tustin, CA 92780
Billing Address: 300 Centennial Way, Tustin, CA 92780
Email address to send invoices: TBerardi@tustinca.org

ONLINE Information Services, Inc. dba/ ONLINE Utility Exchange
By: Cathy Keeler, Account Executive
Date:
Address: 202 West Firetower Road, Winterville, NC 28590
www.ONLINEUtilityExchange.com
Telephone: (866) 630-6400
Fax: (800) 838-9830

SCHEDULE A
ONLINE Charges to Subscriber

Please denote beside each product what level user should have access. Please note that if Administrator (Admin) level is assigned, Supervisors (Super) and Users (User) will not have access to those products. And likewise if a Supervisor level is assigned Users will not have access to those products. If you desire for all individuals at your organization to have access to a product please set the Access Level for that product to User.
ONLINE Utility Exchange Pricing:
ONLINE Utility Exchange Report: 2.70 Per Applicant Screened (Access Level: User)
Monthly Access Fee: 30.00 Per Month
Adverse Action Letter Service: 0.95 Per Letter Sent (Y/N)

Business Report Pricing: (Access Level: User/Super/Admin)
Business Intelliscore Report: 16.00 Per Report (Access Level: User)
Business Profile Report: 31.00 Per Report
Business Profile w/ Intelliscore Report: 35.50 Per Report

Employment Screening Reports Pricing:
Employment Credit Report: $11.00 Per Report
DMV State Department of Motor Vehicles Search: N/A

STATE               PRICE    STATE            PRICE    NON INSTANT STATE  PRICE
Alabama             $12.50   Montana          $12.00   Alaska             $10.50
Arkansas            $17.50   Nebraska         $7.50    Delaware           $20.00
Arizona             $14.50   New Jersey       $15.50   Hawaii             $16.50
Colorado            $9.00    New Mexico       $7.00    Iowa               $14.00
Connecticut         $20.50   Nevada           $12.50   Missouri           $6.75
Dist. Of Columbia   $12.50   New Hampshire    $13.50   Washington         $10.50
Florida             $12.00   New York         $10.50   Wyoming            $10.50
Georgia             $12.50   North Carolina   $10.50
Idaho               $11.00   North Dakota     $8.50
Illinois            $17.50   Ohio             $7.50
Indiana             $11.50   Oklahoma         $18.00
Kansas              $12.00   Rhode Island     $23.50
Kentucky            $10.00   South Carolina   $11.50
Louisiana           $11.50   South Dakota     $9.50
Maine               $12.50   Tennessee        $12.50
Maryland            $14.50   Texas            $12.00
Massachusetts       $11.50   Utah             $12.75
Michigan            $12.50   Vermont          $14.50
Minnesota           $8.00    Virginia         $12.50
Mississippi         $17.50   West Virginia    $13.50
                             Wisconsin        $10.50

SCHEDULE A Continued
ONLINE Charges to Subscriber

Skip Tracing Report Pricing: (Access Level: User/Super/Admin: User)
ONLINE PEOPLE SEARCH: $0.25 Per Search
XPN COLLECTION REPORT: $1.80 Per Report
XPN SOCIAL SEARCH: $1.35 Per Search
XPN CREDIT W/SCORE: $4.21 Per Report
XPN CREDIT FILE: $3.25 Per Report

Subscriber agrees to the above pricing schedule for reports pulled from ONLINE Information Services.
Pamela Arends-King (Subscriber's Name)
(Subscriber's Signature)
(Date)

EXHIBIT A
Glossary of Terms

Term
Definition

Computer Virus
A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying.

Confidential
Very sensitive information. Disclosure could adversely impact our companies.

Encryption
Encryption is the process of obscuring information to make it unreadable without special knowledge.

Firewall
In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Information Lifecycle
(Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.

IP Address
A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). All participating network devices - including routers, computers, time-servers, printers, Internet fax machines, and some telephones - must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.

Peer-to-Peer
A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.

Router
A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets.

Spyware
Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the Internet.

SSID
Part of the Wi-Fi Wireless LAN, a service set identifier (SSID) is a code that identifies each packet as part of that network. Wireless devices that communicate with each other share the same SSID.

Subscriber Code
Your seven digit credit reporting agency account number.

WEP Encryption (Wired Equivalent Privacy)
A part of the wireless networking standard intended to provide secure communication. The longer the key used, the stronger the encryption will be (Older technology reaching its end of life).

WPA (Wi-Fi Protected Access)
A part of the wireless networking standard that provides stronger authentication and more secure communications. Replaces WEP. Uses dynamic key encryption versus static as in WEP (key is constantly changing and thus more difficult to break than WEP).