(A) In the event utility personnel detect any identified red flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the red flag. Steps can include:
(1) Continuing to monitor an account for evidence of identity theft;
(2) Contacting the customer;
(3) Changing any passwords or other security devices that permit access to accounts;
(4) Reopening an account with a new number;
(5) Not opening a new account;
(6) Closing an existing account;
(7) Notifying law enforcement;
(8) Determining that no response is warranted under the particular circumstances; or
(9) Notifying the Program Administrator (as defined below) for determination of the appropriate step(s) to take.
(B) In order to further prevent the likelihood of identity theft occurring with respect to utility accounts, the utility will take the following steps with respect to its internal operating procedures. These steps are not outlined in the FTC’s Red Flag Rule, but possible steps may include:
(1) Providing a secure website or clear notice that a website is not secure;
(2) Ensuring complete and secure destruction of paper documents and computer files containing customer information, including documentation of such destruction;
(3) Ensuring that office computers are password protected and that computer screens lock after a set period of time;
(4) Requiring only the last four digits of Social Security numbers on customer applications;
(5) Limiting access to accounts to only employees that require access;
(6) Prohibiting account information to be written on sticky pads or note pads;
(7) Ensuring that computer screens are only visible to the employee accessing the account; and
(8) Requiring customers to authenticate addresses and personal information, rather than account representatives asking if the information is correct.
(Ord. passed - -)