§ 36.035 RESPONDING TO RED FLAGS.
   In the event a town employee detects any identified red flags, the employee shall respond by taking one or more of the following steps to investigate, prevent and mitigate possible identity theft, depending on the degree of risk posed by the red flag.
   (A)   Investigate, prevent and mitigate identity theft.
      (1)   Upon detecting a red flag, employees must take the following action:
         (a)   Gather relevant documentation regarding the suspect covered account;
         (b)   Report the identified red flag to the Program Administrator;
         (c)   Contact the customer with the covered account; and
         (d)   Assist Program Administrator in investigating the red flag issue.
      (2)   After receiving a red flag report, the Program Administrator may take one or more of the following actions as warranted under the particular circumstances in the discretion of the Program Administrator:
         (a)   Monitor a covered account for evidence of identity theft;
         (b)   Change any passwords or other security codes and devices that permit access to a covered account;
         (c)   Close the existing covered account;
         (d)   Open a new covered account with a new number;
         (e)   Put a hold on attempting to collect payment on a covered account; and/or
         (f)   Notify the Town Police Department.
   (B)   Ongoing protection of customer identifying information. The Department shall take the following steps with respect to its internal operating procedures in order to take an active role in the ongoing protection of customer identifying information from identity theft.
      (1)   Paper documents.
         (a)   Storage. Documents containing customer identifying information must be stored in locked file cabinets contained within a locked room except when an employee is working on the file. Only specially identified employees with a legitimate need shall have keys or swipe card to the file cabinets and storage room.
         (b)   Use of documents. Department employees must not leave documents containing customer identifying information out on their desks when they are away from their workstations. Department employees must store documents containing customer identifying information in locked areas when leaving their work areas.
      (2)   Computers and electronic media.
         (a)   Passwords. All computers must be set to require passwords. Each employee must have a unique username and password, which must be different from each other, and shall not be posted at his or her workstation. When new software is installed, the default passwords must be changed. Department employees must log off their computers when leaving their workstations, and computer screens must be set to lock after a set period of time.
         (b)   Firewalls and anti-virus. The town’s website and network systems must be secured with adequate firewalls and regularly updated anti-virus and anti-theft software. Anti-virus and anti-spyware programs must be run on the server daily. The town’s website must provide clear notice to customers that the website is not a “secure” website.
      (3)   Destruction of documents and other media.
         (a)   Paper records. All paper records containing customer identifying information that are designated for disposal must be shredded before being placed into a trash bin. A paper shredder or shredding bin provided by a shredding company must be located in each department containing customer identifying information.
         (b)   Other media. Any other data storage media containing customer identifying information that are designated for disposal must be destroyed by shredding, hole punching or incineration.
      (4)   Visitors and access.
         (a)   Access. Department employees must lock office doors when leaving their work areas. Access to any offsite facilities is limited to Department employees with a legitimate business need.
         (b)   Visitors. Visitors who enter any area where records containing customer identifying information are kept must be escorted by an authorized Department employee. No visitor shall be given any entry code, key or swipe card, or allowed unescorted access to any such area.
      (5)   Employment practices.
         (a)   New hires. Before hiring any new employee who will have access to customer identifying information, the Human Resource Department must first complete a reference and background check of such potential employee. All employees must also sign an agreement to follow the town’s confidentiality and security standards for handling customer identifying information.
         (b)   Exit requirements. If an employee leaves the Department’s employ or is reassigned duties that no longer require access to customer identifying information, the employee must return all keys and swipe cards to the Program Administrator. Immediately upon the employee’s departure or reassignment, the Program Administrator shall ensure that all of such employee’s passwords allowing access to customer identifying information are changed.
         (c)   Policy violations. Any employee who violates this identity theft prevention program and any security policy or procedure adopted hereunder will be subject to immediate discipline, which may include dismissal.
(Res. 2011-04, passed 3-14-2011)