(A) (1) This program will be periodically reviewed and updated to reflect changes in risks to customers and the soundness of the Utility from identity theft. At least every six months, the Program Administrator will consider the Utility’s experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the Utility maintains, and changes in the Utility’s business arrangements with other entities.
(2) After considering these factors, the Program Administrator will determine whether changes to the program, including the listing of red flags, are warranted. If warranted, the Program Administrator will update the program or present the Board of Commissioners with his or her recommended changes, and the Board of Commissioners will make a determination of whether to accept, modify, or reject those changes to the program.
(B) (1) Responsibility for developing, implementing and updating this program lies with an Identity Theft Committee for the Utility. The Committee is headed by a Program Administrator who may be the head of the Utility or his or her appointee. Two or more other individuals appointed by the head of the Utility or the Program Administrator comprise the remainder of the committee membership. The Program Administrator will be responsible for the program administration, for ensuring appropriate training of Utility staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the program.
(2) Utility staff responsible for implementing the program shall be trained either by or under the direction of the Program Administrator in the detection of red flags, and the responsive steps to be taken when a red flag is detected. (The Utility may include in its program how often training is to occur. The program may also require staff to provide reports to the Program Administrator on incidents of identity theft, the Utility’s compliance with the program, and the effectiveness of the program.)
(3) In the event the Utility engages a service provider to perform an activity in connection with one or more accounts, the Utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
(a) Require, by contract, that service providers have policies and procedures in place; and
(b) Require, by contract, that service providers review the Utility’s program and report any red flags to the Program Administrator.
(4) For the effectiveness of identity theft prevention programs, the red flag rule envisions a degree of confidentiality regarding the Utility’s specific practices relating to identity theft detection, prevention, and mitigation. Therefore, under this program, knowledge of the specific practices is to be limited to the Identity Theft Committee and those employees who need to know them for purposes of preventing identity theft. Because this program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the program’s general red flag detection, implementation, and prevention practices are listed.
(Ord. passed 10-20-2008)