The Department hereby establishes the following procedures to assist in detecting red flags in connection with the opening of covered accounts and existing covered accounts.
(A) New accounts. New accounts may be opened in person, by fax or by mail or phone. In all cases, a potential customer must submit all of the following information:
(1) Full legal name;
(2) Telephone number;
(3) Mailing address;
(4) Social Security number; and
(5) Must be on the lease if a rental property.
(B) Existing accounts. When handling a transaction regarding an existing account, the Department staff will take the following steps to monitor transactions with an account in order to detect possible red flags as listed above:
(1) Verify the identification of customers if they request information (in person, via telephone, via facsimile or via e-mail);
(2) Verify the validity of requests to change billing addresses; and
(3) Verify changes in banking and credit card information given for billing and payment purposes.
(Res. 2011-04, passed 3-14-2011)
In the event a town employee detects any identified red flags, the employee shall respond by taking one or more of the following steps to investigate, prevent and mitigate possible identity theft, depending on the degree of risk posed by the red flag.
(A) Investigate, prevent and mitigate identity theft.
(1) Upon detecting a red flag, employees must take the following action:
(a) Gather relevant documentation regarding the suspect covered account;
(b) Report the identified red flag to the Program Administrator;
(c) Contact the customer with the covered account; and
(d) Assist Program Administrator in investigating the red flag issue.
(2) After receiving a red flag report, the Program Administrator may take one or more of the following actions as warranted under the particular circumstances in the discretion of the Program Administrator:
(a) Monitor a covered account for evidence of identity theft;
(b) Change any passwords or other security codes and devices that permit access to a covered account;
(c) Close the existing covered account;
(d) Open a new covered account with a new number;
(e) Put a hold on attempting to collect payment on a covered account; and/or
(f) Notify the Town Police Department.
(B) Ongoing protection of customer identifying information. The Department shall take the following steps with respect to its internal operating procedures in order to take an active role in the ongoing protection of customer identifying information from identity theft.
(1) Paper documents.
(a) Storage. Documents containing customer identifying information must be stored in locked file cabinets contained within a locked room except when an employee is working on the file. Only specially identified employees with a legitimate need shall have keys or swipe cards to the file cabinets and storage room.
(b) Use of documents. Department employees must not leave documents containing customer identifying information out on their desks when they are away from their workstations. Department employees must store documents containing customer identifying information in locked areas when leaving their work areas.
(2) Computers and electronic media.
(a) Passwords. All computers must be set to require passwords. Each employee must have a unique username and password, which must be different from each other, and shall not be posted at his or her workstation. When new software is installed, the default passwords must be changed. Department employees must log off their computers when leaving their workstations, and computer screens must be set to lock after a set period of time.
(b) Firewalls and anti-virus. The town’s website and network systems must be secured with adequate firewalls and regularly updated anti-virus and anti-theft software. Anti-virus and anti-spyware programs must be run on the server daily. The town’s website must provide clear notice to customers that the website is not a “secure” website.
(3) Destruction of documents and other media.
(a) Paper records. All paper records containing customer identifying information that are designated for disposal must be shredded before being placed into a trash bin. A paper shredder or shredding bin provided by a shredding company must be located in each department containing customer identifying information.
(b) Other media. Any other data storage media containing customer identifying information that are designated for disposal must be destroyed by shredding, hole punching or incineration.
(4) Visitors and access.
(a) Access. Department employees must lock office doors when leaving their work areas. Access to any offsite facilities is limited to Department employees with a legitimate business need.
(b) Visitors. Visitors who enter any area where records containing customer identifying information are kept must be escorted by an authorized Department employee. No visitor shall be given any entry code, key or swipe card, or allowed unescorted access to any such area.
(5) Employment practices.
(a) New hires. Before hiring any new employee who will have access to customer identifying information, the Human Resource Department must first complete a reference and background check of such potential employee. All employees must also sign an agreement to follow the town’s confidentiality and security standards for handling customer identifying information.
(b) Exit requirements. If an employee leaves the Department’s employ or is reassigned duties that no longer require access to customer identifying information, the employee must return all keys and swipe cards to the Program Administrator. Immediately upon the employee’s departure or reassignment, the Program Administrator shall ensure that all of such employee’s passwords allowing access to customer identifying information are changed.
(c) Policy violations. Any employee who violates this identity theft prevention program and any security policy or procedure adopted hereunder will be subject to immediate discipline, which may include dismissal.
(Res. 2011-04, passed 3-14-2011)
The Program Administrator and the Town Council will at least annually evaluate and revise the program to reflect changes in risks to covered accounts and to the safety and soundness of the town from identity theft. The annual program review and evaluation process shall consider the town’s experiences with identity theft, changes in identity theft detection and prevention methods, changes in types of account that the town maintains and changes in the town’s business arrangements with other entities and service providers. Following the review and consideration of those factors, the Program Administrator shall revise the program as necessary. If warranted, the Program Administrator shall update and implement the revised program and obtain Town Council approval of such changes.
(Res. 2011-04, passed 3-14-2011)
(A) Oversight. The Program Administrator shall be responsible for the program administration, for staff training on the program as appropriate, for reviewing any reports regarding the detection of red flags, for determining and instituting the necessary steps to prevent and mitigate identity theft when red flags are detected, and for periodically reviewing and revising the program. The Program Administrator shall maintain, for a reasonable amount of time and as appropriate and necessary, reports and documentation regarding incidents of detected red flags.
(B) Staff training and reports. The town employees that are responsible for implementing the program shall be trained either by or under the direction of the Program Administrator in the detection of red flags, and the steps to be taken in responding to red flags. Such staff shall be trained on how to report detected red flags.
(C) Service provider arrangements. In the event the town engages a service provider to perform an activity in connection with one or more covered accounts, the town shall take the following steps to require that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
(1) Require, by contract, that service provider acknowledges receipt and review of the program and agrees to perform its activities with respect to the town’s covered accounts in compliance with the terms and conditions of the program and with all instructions and directives issued by the Program Administrator relative to the program; or
(2) Require, by contract, that service provider acknowledges receipt and review of the program and agrees to perform its activities with respect to the town’s covered accounts in compliance with the terms and conditions of the service provider’s identity theft prevention program and will take appropriate action to prevent and mitigate identity theft; and that the service provider agrees to report promptly to the town in writing if the service provider in connection with a town covered account detects an incident of actual or attempted identity theft or is unable to resolve one or more red flags that the service provider detects in connection with a covered account.
(D) Customer identifying information and public disclosure. The identifying information of the Department’s customers with covered accounts shall be kept confidential and shall be exempt from public disclosure to the maximum extent authorized by law, including I.C. 5-14-3-4. The Town Council also finds and determines that public disclosure of the town’s specific practices to identify, detect, prevent and mitigate identity theft may compromise the effectiveness of such practices and hereby directs that, under the program, knowledge of such specific practices shall be limited to the Program Administrator and those town employees and service providers who need to be aware of such practices for the purpose of preventing identity theft.
(Res. 2011-04, passed 3-14-2011)
ANTI-NEPOTISM AND CONFLICT OF INTEREST POLICY