§ 54.25  IDENTITY THEFT PREVENTION PROGRAM.
   (A)   This program is intended to identify red flags that will alert our employees when new or existing accounts are opened using false information, protect against the establishment of false accounts, methods to ensure existing accounts were not opened using false information, and measures to respond to such events.
   (B)   Contact information:  The senior management person responsible for this program is:  Pikeville City Manager, phone number: 606-437-5100.  The governing body members of the utility will be:  All sitting members of the Pikeville City Commission.
   (C)   Risk assessment:  The city has conducted an internal risk assessment to evaluate how at risk the current procedures are at allowing customers to create a fraudulent account and evaluate if current (existing) accounts are being manipulated.  This risk assessment evaluated how new accounts were opened and the methods used to access the account information.  Using this information the utility was able to identify red flags that were appropriate to prevent identity theft.
      New accounts opened in person.
      New accounts opened via telephone.
      New accounts opened via fax.
      New accounts opened via web.
      Account information accessed in person.
      Account information accessed via telephone (person).
      Account information is accessed via telephone (automated).
      Account information is accessed via web site.
      Identify theft occurred in the past from someone falsely opening a utility account.
   (D)   Detection (red flags).  The city adopts the following red flags to detect potential fraud.  These are not intended to be all-inclusive and other suspicious activity may be investigated as necessary.
      Fraud or active duty alerts included with consumer reports.
      Notice of credit freeze provided by consumer reporting agency.
      Notice of address discrepancy provided by consumer reporting agency.
      Inconsistent activity patterns indicated by consumer report such as:
         Recent and significant increase in volume of inquiries.
         Unusual number of recent credit applications.
         A material change in use of credit.
         Accounts closed for cause or abuse.
      Identification documents appear to be altered.
      Photo and physical description do not match appearance of applicant.
      Other information is inconsistent with information provided by applicant.
      Other information provided by applicant is inconsistent with information on file.
      Application appears altered or destroyed and reassembled.
Personal information provided by applicant does not match other sources of information (such as credit reports, SS# not issued or listed as deceased).
      Lack of correlation between the SS# range and date of birth.
Information provided is associated with known fraudulent activity (such as address or phone number provided is same as that of a fraudulent application).
Information commonly associated with fraudulent activity is provided by applicant (such as address that is a mail drop or prison, non-working phone number or associated with answering service/pager).
      SS#, address, or telephone # is the same as that of other customer at utility.
      Customer fails to provide all information requested.
Personal information provided is inconsistent with information on file for a customer.
Applicant cannot provide information requested beyond what could commonly be found in a purse or wallet.
Identity theft is reported or discovered.
   (E)   Employee response.  Any employee that may suspect fraud or detect a red flag shall implement the following response as applicable.  All detections or suspicious red flags shall immediately be reported to the senior management official.
      Ask applicant for additional documentation.
Notify internal manager:  Any utility employee who becomes aware of a suspected or actual fraudulent use of a customer or potential customers identify must notify immediate supervisor or City Manager.
Notify law enforcement:  The utility will notify City of Pikeville Police Department at 101 Division Street, Pikeville, KY 41501 of any attempted or actual identity theft.
      Do not open the account.
      Close the account.
Do not attempt to collect against the account but notify authorities.
   (F)   Personal information security procedures.  The city adopts and all city personnel shall comply with the following security procedures:
      (1)   Paper documents, files and electronic media containing secure information will be stored in locked file cabinets.  File cabinets will be stored in a locked room.
      (2)   Only specifically identified employees with a legitimate need will have keys to the room and cabinet.
      (3)   Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
      (4)   Employees lock file cabinets when leaving their work areas.
      (5)   Access to offsite storage facilities is limited to employees with a legitimate business need.
      (6)   No visitor will be given any entry codes or allowed unescorted access to the office.
      (7)   Passwords will not be shared or posted near workstations.
      (8)   Password-activated screen savers will be used to lock employee computers after a period of inactivity.
      (10)   When sensitive data is received or transmitted, secure connections will be used.
      (11)   Computer passwords will be required.
      (12)   User names and passwords will be different.
      (13)   Passwords will be changed at least monthly.
      (14)   The use of laptops is restricted to those employees who need them to perform their jobs.
      (15)   Any wireless network in use is secured.
      (16)   Monitor incoming traffic for signs of a data breach.
      (17)   Monitor outgoing traffic for signs of a data breach.
      (18)   Access to customer’s personal identity information is limited to employees with a “need to know”.
      (19)   Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information.
      (20)   Employees are required to notify the City Manager immediately if there is a potential security breach, such as a lost or stolen laptop.
      (21)   Employees who violate security policy are subjected to discipline, up to, and including, dismissal.
      (22)   Paper records will be shredded before being placed into the trash.
      (23)   Any data storage media will be disposed of by shredding, punching holes in, or incineration.
   (G)   Confirmation.  A confirmation sheet, approved by the Commission and signed by the Mayor of this program will be required and kept on file with the Pikeville City Clerks office.
(Ord. 0-2008-025, passed 10-27-08)