§ 30.106  PROGRAM ADMINISTRATION.
   (A)   Oversight.  Responsibility for developing, implementing and updating this program lies with an identity theft committee for the utility.  The committee is headed by a Program Administrator, or his or her appointee.  One or more other individuals appointed by the Program Administrator comprise the remainder of the committee membership.  The Program Administrator will be responsible for the program administration, for ensuring appropriate training of utility staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
   (B)   Staff training and reports.
      (1)   Initially, all utility staff shall be trained either by or under the direction of the Program Administrator in the detection of red flags, and the responsive steps to be taken when a red flag is detected.  Thereafter, all utility staff shall undergo update training not less than annually.  Additionally, all new utility employees shall undergo training.
      (2)   Utility staff shall submit reports monthly concerning the utility’s compliance with the program, the training that has been given and the effectiveness of the policies and procedures in addressing the risk of identity theft, including recommendations for changes to the program.  While incidents of identity theft are to be reported immediately to the Program Administrator, the monthly reports shall contain a recap of the incident and include the steps taken to assist with resolution of the incident.
   (C)   Service provider arrangements.  In the event the utility engages a service provider to perform an activity in connection with one or more accounts, including but not limited to franchise utility providers, the utility will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
      (1)   Require, by contract or contract amendment, that service providers have such policies and procedures in place; and
      (2)   Require, by contract or contract amendment, that service providers review the utility’s program and report any red flags to the Program Administrator.
   (D)   Specific program elements and confidentiality.  For the effectiveness of identity theft prevention programs, the Red Flag Rule envisions a degree of confidentiality regarding the utility’s specific practices relating to identity theft detection, prevention and mitigation.  Therefore, under this program, knowledge of such specific practices are to be limited to the Identity Theft Committee and those employees who need to know them for purposes of preventing identity theft.  Because this program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here.  Therefore, only the program’s general red flag detection, implementation and prevention practices are listed herein.
(Ord. 293, passed 11-13-2008)