(A) Securing sensitive information.
(1) Village personnel are encouraged to use common sense judgment in securing sensitive and confidential information. Furthermore, in exercising such judgment, consideration should be given to the Illinois Freedom of Information Act ("FOIA"). If an employee is uncertain of the sensitivity of a particular piece of information, the employee should contact their supervisor or the program administrator. Further, if the village receives a FOIA or other request seeking sensitive information, or documents containing sensitive information, said requests should be forwarded to the Village President and the Village Attorney.
(2) In order to further prevent the likelihood of identity theft occurring with respect to village accounts, the village shall make reasonable efforts to take the following steps with respect to its internal operating procedures to protect customer identifying information:
(a) Take steps to ensure that the village's website is secure or provide clear notice that the website is not secure;
(b) Attempt to ensure destruction of paper documents and computer files containing sensitive information;
(c) Keep file cabinets, desk drawers, cabinets, and any other storage space containing documents with sensitive information locked when not in use;
(d) Lock storage rooms containing documents with sensitive information and record retention area at the end of the work day or when unsupervised;
(e) Attempt to ensure that office computers with access to covered accounts and/or sensitive information are password protected and that computer screens lock after a set period of time;
(f) Keep workstations, work areas, and offices clear of papers containing sensitive information;
(g) Request only the last four digits of Social Security numbers (if any);
(h) Attempt to ensure that computer virus protection is up to date;
(i) Require and keep only the kinds of sensitive information that are necessary for the village's purposes; and
(j) Account statements and receipts for covered accounts shall only include the last four digits of the credit card, debit card, or the bank account used for payment of the covered account.
(B) Electronic distribution. Each employee, service provider, or contractor performing work for the village will comply with the following policies:
(1) With respect to internal electronic distribution, sensitive information may be transmitted using approved village electronic mail; and
(2) With respect to external electronic distribution, sensitive information should only be transmitted in an encrypted format and should contain a statement such as this:
"This message may contain sensitive, confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited."
(C) Responses when red flags detected. In the event village personnel detect any identified red flags, such personnel should take one or more of the following steps, depending on the degree of risk posed by the red flag:
(1) Continue to monitor an account for evidence of identity theft;
(2) Contact the customer;
(3) Change any passwords or other security devices that permit access to covered accounts;
(4) Decline or otherwise refuse to open a new covered account;
(5) Close an existing covered account;
(6) Reopen a covered account with a new number;
(7) Notify the program administrator for determination of the appropriate step(s) to take;
(8) Notify law enforcement; or
(9) Determine that no response is warranted under the particular circumstances.
(Res. 09-02, passed 3-2-2009)