§ 38.025 PROGRAM ADMINISTRATION.
   (A)   Program Administrator. The City Administrator is the Program Administrator and is responsible for the implementation and administration of the Program, for ensuring appropriate training of city staff on the Program, for reviewing any staff reports regarding the detection of Red Flags, and for determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
   (B)   Periodic updates.  
      (1)   This Program must be periodically reviewed and updated to reflect changes in risks to customers and the soundness of the city from identity theft.
      (2)   At least annually, the Program Administrator shall consider:
         (a)   The city’s experiences with identity theft;
         (b)   Changes in identity theft methods;
         (c)   Changes in methods for detecting and preventing identity theft;
         (d)   Changes in types of accounts that the city maintains; and
         (e)   Changes in the city’s business arrangements with other entities.
      (3)   After considering the factors under division (B)(2) above, the Program Administrator must determine whether changes to the Program, including the listing of Red Flags, are warranted. If changes are warranted, then the Program Administrator must present the City Council with his or her recommended changes, and the City Council shall determine whether to accept, modify or reject those changes to the Program.
   (C)   Staff training and reports. The Program Administrator must train or direct the training of all of the city staff who are responsible for implementing the Program. This training must include the detection of Red Flags and the responsive steps to be taken if a Red Flag is detected.
   (D)   Service provider arrangements. If the city engages a service provider to perform an activity in connection with one or more accounts, then the city shall take the following steps to ensure that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate identity theft:
      (1)   Require, by contract, that service providers have such policies and procedures in place; and
      (2)   Require, by contract, that service providers review the Program and report any Red Flags to the Program Administrator.
(Ord. 2010-15, passed 9-7-2010)