[HISTORY: Adopted by the Board of Supervisors of the Township of Springettsbury 5-14-2009 by Ord. No. 2009-05. Amendments noted where applicable.]
A. 
To establish an identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with new or existing accounts and to provide for continued administration of the program in compliance with the Federal Trade Commission's Red Flag Rule (Part 681 of Title 16 of the Code of Federal Regulations), implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
B. 
This program is intended to:
(1) 
Identify relevant red flags for new or existing covered accounts;
(2) 
Detect red flags which have been identified;
(3) 
Provide the appropriate response to any red flags that are detected to prevent and mitigate identity theft; and
(4) 
Ensure that the program is updated periodically to reflect changes in risks to customers.
C. 
This program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
[Amended 4-8-2021 by Ord. No. 2021-03]
The Senior Management Official responsible for this program is:
Township Manager
1501 Mount Zion Road
York, Pennsylvania 17402
(717) 757-3521
As used in this chapter, the following terms shall have the meanings indicated:
IDENTITY THEFT
Fraud committed or attempted using the identifying information of another person without authority.
RED FLAG
A pattern, practice or specific activity that indicated the possible existence of identity theft.
A. 
Springettsbury Township (the "Township") has conducted an internal risk assessment with necessary staff to evaluate how at risk the current procedures are at allowing customers to create fraudulent accounts and evaluate if current and existing accounts are being manipulated or can be manipulated. The Township reviewed each red flag and determined its applicability, if any, to the Township.
B. 
The Township reviewed sewer accounts ("utility accounts"). It was determined that the accounts run with the property and not the property owner. The Township provides the account number. The only personal information provided is the property owner's name and property address. The Township does not maintain any personal information or background information such as social security numbers, dates of birth or driver's license information. No application is provided. The real estate transfer is the trigger for the account after the property is connected to the sewer system. The account is always in the property owner's name as indicated on the deed. Since the account runs with the property, it would be impossible for someone to open a fraudulent account.
[Amended 4-8-2021 by Ord. No. 2021-03]
C. 
The Township does accept payment by credit card and electronic checks by the Township's third-party provider. The Township does speak to a credit agency, NRA Group LLC, on behalf of the Township for past emergency medical services. Information about an account is not provided over the telephone. Staff with access to these accounts is minimal.
[Amended 4-8-2021 by Ord. No. 2021-03]
D. 
The Township invoices customers by use of a sealed envelope.
[Amended 4-8-2021 by Ord. No. 2021-03]
E. 
(Reserved)[1]
[1]
Editor's Note: Former Subsection E, which stated: "It was determined that this information is not personal identifying information and could not result in any identity theft," was repealed 4-8-2021 by Ord. No. 2021-03.
F. 
The Township does provide its residents with the option for a direct withdrawal system. The authorization form does contain identifying information such as name, address and bank information such as bank name, account number and muting number.
G. 
After a thorough review, the Township determined that the customers' utility accounts are at a low to very low risk for identity theft.
A. 
After a thorough review of the red flags and Township policies and practices, the Township has identified the following red flags:
(1) 
Change of billing address or request to have bill sent somewhere else.
(2) 
Payments are made in a manner associated with fraud, i.e., signature on check or name on check.
(3) 
A commercial account with low activity unexpectedly jumps to high consumption or any other suspicious activity relating to a specific account.
[Amended 4-8-2021 by Ord. No. 2021-03]
(4) 
Mail sent to customer is repeatedly returned only if the property is vacant and no forwarding address is on file with the post office.
[Amended 4-8-2021 by Ord. No. 2021-03]
(5) 
Township is notified regarding possible identity theft.
[Amended 4-8-2021 by Ord. No. 2021-03]
(6) 
Presentation of suspicious documents.
(7) 
Presentation of suspicious personal identifying information.
(8) 
A resident notifies the Township of a possible identity theft.
(9) 
Resident fails to provide all the information requested on the authorization for ACH debits/drafts, in which case the Township removes the document received and does not process the ACH.
[Amended 4-8-2021 by Ord. No. 2021-03]
B. 
This is not intended to be an all-inclusive list, and any other suspicious activities may be investigated as necessary.
Any staff or employee that may suspect fraud or detect a red flag shall take one or more of the following steps, depending on the degree of risk posed by the red flag. All detections and suspicions shall be reported to and logged by the Senior Management Official.
A. 
Notify Senior Management Official.
B. 
Notify law enforcement of any attempted or actual identity theft.
C. 
Contact customer.
D. 
Continue to monitor the situation for evidence of identity theft.
E. 
Take all steps necessary to correct the situation.
In order to further prevent the likelihood of identity theft occurring with respect to utility accounts, the Township will take the following steps with respect to its internal operating procedures to protect customer-identifying information:
A. 
Ensure complete and secure destruction of customer information, if applicable, or appropriate and secure storage of forms with identifying information.
B. 
Employees will not leave sensitive papers out on their desks when they are away from their workstations.
C. 
Employees will log off their computers when leaving for the day.
D. 
Passwords will not be shared or posted near workstations.
E. 
No visitor will be given access keys or allowed unescorted access to the Township offices.
F. 
When installing new software, immediately change vendor-supplied default passwords to more secure, strong passwords.
G. 
Antivirus programs will be run on individual computers.
H. 
New and existing employees will sign a confidentiality agreement.
I. 
Issue visitor badges or sign-in sheet for all outside vendors, visitors, etc.
J. 
Township will not provide identifying information to creditors.
This program shall be updated periodically to reflect changes in the risks to customers, or changes to the safety and soundness of the Township, from identity theft based upon factors such as:
A. 
The experience of the Township with identity theft;
B. 
Changes in methods of identity theft;
C. 
Changes in methods to detect, prevent and mitigate identity theft;
D. 
Changes in the types of accounts that the Township offers or maintains;
E. 
Changes in the Township procedures regarding accounts that the Township offers or maintains; and
F. 
Changes in business arrangements of the Township, including but not limited to joint ventures and service provider arrangements.
G. 
Township staff keeps up-to-date with annual training on identity theft prevention.
[Added 4-8-2021 by Ord. No. 2021-03]
This program is enacted by this chapter. Revisions to this policy shall only be enacted by amending the above referenced chapter.