(A) Oversight. Responsibility for developing, implementing and updating this program lies with the Identity Theft Committee. The Committee shall be headed by the program administrator or his or her appointee. Two or more other individuals appointed by the corporate authorities shall comprise the remainder of the committee membership. The program administrator will be responsible for the program administration, for ensuring appropriate training of village staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
(B) Staff training and reports. Village staff responsible for implementing the program shall be trained either by or under the direction of the program administrator in the detection of red flags, and the responsive steps to be taken when a red flag is detected. Further training shall also be provided on a yearly basis or as needed to address changes in the program.
(C) Service provider arrangements. In the event the village engages a service provider to perform an activity in connection with one or more covered accounts, the village will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
(1) Require, by contract, that service providers have such policies and procedures in place; and
(2) Require, by contract, that service providers review the village's program and report any red flags to the program administrator.
(D) Specific program elements and confidentiality. For the effectiveness of identity theft prevention programs, the red flag rule envisions a degree of confidentiality regarding the village's specific practices relating to identity theft detection, prevention and mitigation. Therefore, under this program, knowledge of such specific practices is to be limited to the program administrator or identity theft committee and those employees who need to know them for purposes of preventing identity theft. Because this program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the program's general red flag detection, implementation and prevention practices are listed in this document.
(Res. 09-02, passed 3-2-2009)