(A) Oversight. Responsibility for developing, implementing and updating this Program lies with the Program Administrator, who may be the head of the city or his or her appointee. The Program Administrator will be responsible for the Program administration, for ensuring appropriate training of city staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.
(B) Staff training and reports.
(1) Initially, all city staff shall be trained either by or under the direction of the Program Administrator in the detection of red flags, and the responsive steps to be taken when a red flag is detected. Thereafter, all City Accounting Department staff shall undergo update training not less than annually. Additionally, all new City Accounting Department employees shall undergo training.
(2) All City Accounting Department staff shall submit reports annually concerning the City's compliance with the Program, the training that has been given and the effectiveness of the policies and procedures in addressing the risk of identity theft, including recommendations for changes to the Program. While incidents of identity theft are to be reported immediately to the Program Administrator, the annual reports shall contain a recap of the incident and include the steps taken to assist with resolution of the incident.
(C) Service provider arrangements. In the event the city engages a service provider to perform an activity in connection with one or more accounts, including but not limited to franchise utility providers, the city will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
(1) Require, by contract or contract amendment, that service providers have such policies and procedures in place; and
(2) Require, by contract or contract amendment, that service providers review the city's Program and report any red flags to the Program Administrator.
(D) Specific program elements and confidentiality. For the effectiveness of identity theft prevention programs, the red flag rule envisions a degree of confidentiality regarding the city's specific practices relating to identity theft detection, prevention and mitigation. Therefore, under this Program, knowledge of such specific practices are to be limited to the Program Administrator and those employees who need to know them for purposes of preventing identity theft. Because this Program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the Program's general red flag detection, implementation and prevention practices are listed in this document.
(Ord. 130122-B, passed 1-22-2013)