(a) Oversight. Responsibility for developing, implementing and updating this program lies with an Identity Theft Committee for the Utility. The Committee is headed by a Program Administrator who shall be the City Manager or his or her appointee. Two or more other individuals appointed by the City Manager comprise the remainder of the committee membership. The City Manager will be responsible for the program administration, for ensuring appropriate training of Utility staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
(b) Staff training and reports. Utility staff responsible for implementing the program shall be trained either by or under the direction of the City Manager in the detection of red flags, and the responsive steps to be taken when a red flag is detected.
(c) Service provider arrangements. In the event the Utility engages a service provider to perform an activity in connection with one or more accounts, the Utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
(1) Require, by contract, that service providers have such policies and procedures in place; and
(2) Require, by contract, that service providers review the Utility's program and report any red flags to the City Manager.
(d) Specific program elements and confidentiality. For the effectiveness of identity theft prevention programs, the red flag rule envisions a degree of confidentiality regarding the Utility's specific practices relating to identity theft detection, prevention and mitigation. Therefore, under this program, knowledge of such specific practices are to be limited to the identity theft committee and those employees who need to know them for purposes of preventing identity theft. Because this program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the program's general red flag detection, implementation and prevention practices are listed in this document.
(Res. 17-2009-R. Passed 9-28-09.)