147.05 PROGRAM ADMINISTRATION.
   (a)   At periodic intervals established in the program, or as required, the program will be reevaluated to determine whether all aspects of the program are up to date and applicable in the current business environment. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate.
   (b)   Actions to take in the event that fraudulent activity is discovered may also require revisions to this policy to reduce damage to the municipality and its customers in the future.
   (c)   The determination to make changes to this policy will be well within the discretion of the responsible parties, but only after careful consideration of the following:
      (1)   The City of Steubenville’s past experience(s) with identity theft;
      (2)   Changes in methods of identity theft;
      (3)   Changes in methods to detect, prevent and mitigate identify theft;
      (4)   Changes in the types of accounts that the City of Steubenville offers or maintains; and
      (5)   Changes in the business arrangements of the City of Steubenville, including alliances, joint ventures and service provider arrangements.
   (d)   Involvement of management is critical in planning, designing and implementing any fraud risk program. For this reason the Identity Theft Prevention Program shall not be operated as an extension to existing fraud prevention programs, and its importance warrants the highest level of attention. The Identity Theft Prevention Program is the responsibility of the governing body. Approval of the initial plan must be appropriately documented and maintained. Operational responsibility of the program is the responsibility of the Appointing Authority. The Appointing Authority may wish to delegate this authority to anyone that has the appropriate training and expertise to manage an Identity Theft Prevention Program.
   (e)   Staff training shall be conducted for all employees for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to the Municipality or its customers. To ensure maximum effectiveness, employees may continue to receive additional training as changes to the program are made.
   (f)   It is the responsibility of the Municipality to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
(Ord. 2011-5. Passed 1-4-11.)