§ 36.07  PROGRAM ADMINISTRATION.
   (A)   Oversight. Responsibility for developing, implementing and updating this program lies with an Identity Theft Committee for the utility. The Committee is headed by the City Recorder or his or her appointee. Two or more other individuals appointed by the Mayor for the city comprise the remainder of the Committee membership. One of the members should have detailed technical knowledge of the utility’s computer information systems. The City Recorder will be responsible for the program administration, for ensuring appropriate training of utility staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
   (B)   Staff training and reports. Utility staff responsible for implementing the program shall be trained either by or under the direction of the City Recorder in the detection of red flags, and the responsive steps to be taken when a red flag is detected utility staff will provide reports to the Program Administrator on incidents of identity theft.
   (C)   Service provider arrangements. In the event the utility engages a service provider to perform an activity in connection with one or more accounts, the utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft:
      (1)   Require, by contract, that service providers have such policies and procedures in place; and
      (2)   Require, by contract, that service providers review the utility’s program and report any red flags to the City Recorder.
   (D)   Non-disclosure of specific practices.
      (1)   For the effectiveness of this identity theft prevention program, knowledge about specific red flag identification, detection, mitigation and prevention practices must be limited to the Identity Theft Committee who developed this program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “security information” (as defined in division (D)(2) below) and are unavailable to the public because disclosure of them would be likely to substantially jeopardized the security of information against improper use, that use being to circumvent the utility’s identity theft prevention efforts in order to facilitate the commission of identity theft.
      (2)   SECURITY INFORMATION is defined as government data the disclosure of which would be likely to substantially jeopardize the security of information, possessions, individuals or property against theft, tampering, improper use, attempted escape, illegal disclosure, trespass or physical injury.
(Res. 2009-03, passed 5-7-2009)