(a)   Involvement of Management.
      (1)   The Identity Theft Prevention Program shall not be operated as an extension to existing fraud prevention programs, and its importance warrants the highest level of attention.
      (2)   The Identity Theft Prevention Program is the responsibility of the governing body. Approval of the initial plan must be appropriately documented and maintained.
      (3)   Operational responsibility of the program is delegated to the Human Resources Department.
   (b)   Staff Training.
      (1)   Staff training shall be conducted for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to the City or its customers.
      (2)   The Human Resources Department is responsible for ensuring identity theft training for all requisite employees and contractors.
      (3)   Employees must receive annual training in all elements of this policy.
      (4)   To ensure maximum effectiveness, employees may continue to receive additional training as changes to the program are made.
   (c)   Oversight of Service Provider Arrangements.
      (1)   It is the responsibility of the City to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
      (2)   A service provider that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
      (3)   Any specific requirements should be specifically addressed in the appropriate contract arrangements.
(Res. 2008-R63.  Passed 11-25-08.)