(a) Sensitive information includes the following items whether stored in electronic or printed format:
(1) Credit card information, including any of the following:
A. Credit card number (in part or whole).
B. Credit card expiration date.
C. Cardholder name.
D. Cardholder address.
(2) Tax identification numbers, including:
A. Social Security numbers.
B. Business identification numbers.
C. Employer identification numbers.
(3) Payroll information, including, among other information:
A. Paychecks.
B. Pay stubs.
(4) Other personal information belonging to any customer, employee or contractor, examples of which include:
A. Date of birth.
B. Phone numbers.
C. Maiden name.
(b) Each employee, contractor or third party service provider performing work for the Municipality will comply with the following policies:
(1) The Utility Office will remain locked from the public and unauthorized employees.
(2) Storage rooms containing documents with sensitive information and record retention areas will be locked at the end of each workday or when unsupervised.
(3) Desks, workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing sensitive information when not in use.
(4) Whiteboards, dry-erase boards, writing tablets, etc. in common shared work areas will be erased, removed, or shredded when not in use.
(5) When documents containing sensitive information are discarded they will be destroyed in accordance with State mandated records retention law or the City’s records retention policy.
(c) Each employee, contractor and third party service provider performing work for the municipality will comply with the following policies:
(1) Internally, all information may only be transmitted through city approved and/or provided email and/or fax.
(2) Additionally, a statement such as this should be included in the e-mail:
“This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.”
(d) If the municipality maintains certain covered accounts pursuant to federal legislation; the municipality may include the additional program details.
A covered account includes any account that involves or is designed to permit multiple payments or transactions. Every new and existing customer account that meets the following criteria is covered by this program:
(1) Business, personal and household accounts for which there is a reasonably foreseeable risk of identity theft; or
(2) Business, personal and household accounts for which there are a reasonably foreseeable risk to the safety or soundness of the municipality from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(3) The City of Steubenville’s utility billing accounts including water, sewer and refuse would be considered a “covered account” and therefore, would be included as accounts that fall under the jurisdiction of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
(e) Suspicious documents include:
(1) Documents provided for identification that appears to have been altered or forged.
(2) The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
(3) Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
(4) Other information on the identification is not consistent with readily accessible information that is on file with the municipality, such as information already on the City’s computer database.
(f) Suspicious personal identifying information:
(1) Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the municipality. For example, the address on an application is the same as the address provided on a fraudulent application or Work Order or the phone number on an application is the same as the number provided on a fraudulent application.
(2) Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the municipality. For example:
A. The address on an application is fictitious, a mail drop, or a prison; or
B. The phone number is invalid or is associated with a pager or answering service.
(3) The SSN provided is the same as that submitted by other customers.
(4) Personal identifying information provided is not consistent with personal identifying information that is on file with the municipality.
(g) Unusual use of, or suspicious activity on a related account can be considered any of the following situations, but not necessarily limited to the following:
(1) A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
(2) Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account and the customer cannot be contacted by other methods.
(3) The municipality receives notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the municipality.
(4) The municipality is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
(Ord. 2011-5. Passed 1-4-11.)