§ 31.29 PROGRAM MANAGEMENT AND ACCOUNTABILITY.
   (A)   Initial risk assessment - covered accounts. Utility accounts for personal, family and household purposes are specifically included within the definition of COVERED ACCOUNT in the FTC’s Identity Theft Rules. Therefore, the Village of Elwood determines that with respect to its residential utility accounts it offers and/or maintains covered accounts. The village also performed an initial risk assessment to determine whether the utility offers or maintains any other accounts for which there are reasonably foreseeable risks to customers or the utility from identity theft. In making this determination the village considered: (1) The methods it uses to open its accounts; (2) The methods it uses to access its accounts; and (3) Its previous experience with identity theft, and it concluded that it does not offer or maintain any such other covered accounts.
   (B)   Program updates - risk assessment. The Program, including relevant red flags, is to be updated as often as necessary but at least annually to reflect changes in risks to customers from identity theft. Factors to consider in the Program update include:
      (1)   An assessment of the risk factors identified above;
      (2)   Any identified red flag weaknesses in associated account systems or procedures;
      (3)   Changes in methods of identity theft;
      (4)   Changes in methods to detect, prevent, and mitigate identity theft; and
      (5)   Changes in business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
   (C)   Training and oversight. All staff and third-party service providers performing any activity in connection with one or more covered accounts are to be provided appropriate training and receive effective oversight to ensure that the activity is conducted in accordance with policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
   (D)   Other legal requirements. Awareness of the following related legal requirements should be maintained:
      (1)   31 U.S.C. 5318(g): Reporting of suspicious activities;
      (2)   15 U.S.C. 1681c-1(h): Identity theft prevention; Fraud alerts and active duty alerts - limitations on use of information for credit extensions;
      (3)   15 U.S.C. 1681s-2: Responsibilities of furnishers of information to consumer reporting agencies; and
      (4)   15 U.S.C. 1681(m): Requirements on use of consumer reports.
(Ord. 925, passed 10-15-2008)