§ 99.09 PREVENTION AND MITIGATION OF IDENTITY THEFT.
   (A)   In the event that any city employee responsible for or involved in restoring an existing covered account or accepting payment for a covered account becomes aware of red flags indicating possible identity theft with respect to existing covered accounts, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to their supervisor. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to their supervisor, who may in his or her discretion determine that no further action is necessary. If the supervisor in his or her discretion determines that further action is necessary, a city employee shall perform one or more of the following responses, as determined to be appropriate by the supervisor:
      (1)   Contact the customer;
      (2)   Make the following changes to the account if, after contacting the customer, it is apparent that someone other than the customer has accessed the customer’s covered account:
         (a)   Change any account numbers, passwords, security codes, or other security devices that permit access to an account; or
         (b)   Close the account;
      (3)   Cease attempts to collect additional charges from the customer and decline to sell the customer’s account to a debt collector in the event that the customer’s account has been accessed without authorization and such access has caused additional charges to accrue;
      (4)    Notify a debt collector within 36 hours of the discovery of likely or probable identity theft relating to a customer account that has been sold to such debt collector. In the event that a customer’s account has been sold to a debt collector prior to the discovery of the likelihood or probability of identity theft relating to such account;
      (5)   Notify law enforcement, in the event that someone other than the customer has accessed the customer’s account causing additional charges to accrue or accessing personal identifying information; or
      (6)   Take other appropriate action to prevent or mitigate identity theft.
   (B)   In the event that any city employee responsible for or involved in opening a new covered account becomes aware of red flags indicating possible identity theft with respect to an application for a new account, such employee shall use his or her discretion to determine whether such red flag or combination of red flags suggests a threat of identity theft. If, in his or her discretion, such employee determines that identity theft or attempted identity theft is likely or probable, such employee shall immediately report such red flags to their supervisor. If, in his or her discretion, such employee deems that identity theft is unlikely or that reliable information is available to reconcile red flags, the employee shall convey this information to their supervisor, who may in his or her discretion determine that no further action is necessary. If the supervisor in his or her discretion determines that further action is necessary, a city employee shall perform one or more of the following responses, as determined to be appropriate by the supervisor:
      (1)   Request additional identifying information from the applicant;
      (2)   Deny the application for the new account;
      (3)   Notify law enforcement of possible identity theft; or
      (4)   Take other appropriate action to prevent or mitigate identity theft.
(Ord. 1816, passed 2-17–09)