(A) Oversight. Responsibility for developing, implementing and updating this program lies with an identity theft designee for the utility. The designee will be the Finance Director or his or her appointee. The Finance Director will be responsible for the program administration, for ensuring appropriate training of Finance Department staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
(B) Staff training and reports. Finance Department staff responsible for implementing the program shall be trained either by or under the direction of the Finance Director in the detection of red flags, and the responsive steps to be taken when a red flag is detected. Training shall be done on an annual basis, or when deemed necessary by the Finance Director.
(C) Service provider arrangements. In the event the utility engages a service provider to perform an activity in connection with one or more accounts, the utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
(1) Require, by contract, that service providers have such policies and procedures in place; and
(2) Require, by contract, that service providers review the utility's program and report any red flags to the Finance Director.
(D) Non-disclosure of specific practices. For the effectiveness of this identity theft prevention program, knowledge about specific red flag identification, detection, mitigation and prevention practices must be limited to the Finance Director who developed this program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered exempt under KRS § 61.878(1)b and are unavailable to the public because disclosure of them would be likely to substantially jeopardize the security of information against improper use, that use being to circumvent the utility's identity theft prevention efforts in order to facilitate the commission of identity theft.
(Ord. O-20-08, passed 11-11-08)