(A) Oversight. Responsibility for developing, implementing and updating this Program lies with an Identity Theft Committee for the Utility. The Committee is headed by a Program Administrator who may be the head of the Utility or his or her appointee. Two or more other individuals appointed by the head of the Utility, or the Program Administrator comprise the remainder of the committee membership. The Program Administrator will be responsible for the Program administration, for ensuring appropriate training of Utility staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
(B) Staff Training and Reports. Utility staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
(C) Service Provider Arrangements. In the event the Utility engages a service provider to perform an activity in connection with one or more accounts, the Utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.
(1) Require, by contract, that service providers have such policies and procedures in place; and
(2) Require, by contract, that service providers review the Utility’s Program and report any Red Flags to the Program Administrator.
(D) Non-Disclosure of Specific Practices. For the effectiveness of this Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation and prevention practices must be limited to the Identity Theft Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “security information” as defined in 720 ILCS 5/16-30 et seq. and 5 ILCS 179/1 et seq. and are unavailable to the public because disclosure of them would be likely to substantially jeopardized the security of information against improper use, that use being to circumvent the Utility’s Identity Theft prevention efforts in order to facilitate the commission of Identity Theft.