[HISTORY: Adopted by the Mayor and Council of the Town of
Rock Hall 6-11-2009 by Ord. No. 2009-01. Amendments noted where applicable.]
As used in this chapter, the following terms shall have the
meanings indicated:
An account that the Town offers or maintains, primarily for
personal, family, or household purposes, that involves or is designed
to permit multiple payments or transactions, including utility accounts;
and
Any other account that the Town offers or maintains for which
there is a reasonably foreseeable risk to customers or to the safety
and soundness of the creditor from identity theft, including financial,
operational, compliance, reputation or litigation risks.
The right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property
or services and defer payment therefor.
Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or continuation
of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit.
The person or entity that has a covered account with the
Town.
Any name or number that may be used, alone or in conjunction
with any other information, to identify a specific person, including:
name, address, telephone number, Social Security number, date of birth,
government-issued driver's license or identification number,
alien registration number, government passport number, employer or
taxpayer identification number, unique electronic identification number,
computer's Internet Protocol (IP) address, or routing code.
Fraud committed or attempted using the identifying information
of another person without authority.
The identity theft prevention program.
A pattern, practice or specific activity that indicates the
possible existence of identity theft.
A.
There is hereby established an identity theft prevention program
to detect, prevent and mitigate identity theft.
B.
The program includes reasonable policies and procedures to:
(1)
Identify relevant red flags for covered accounts and incorporate
those red flags into the program;
(2)
Detect red flags that have been incorporated into the program;
(3)
Respond appropriately to any red flags that are detected to prevent
and mitigate identity theft; and
(4)
Ensure that the program is updated periodically to reflect changes
in risks to the City and its customers arising from identity theft.
A.
The Town Manager or his designee shall be responsible for the development,
implementation, oversight and continued administration of the program.
The Town Manager or designee shall:
(1)
Ensure that staff is trained, as necessary, to effectively implement
the program;
(2)
Exercise appropriate and effective oversight of service provider arrangements, as provided in § 19-8;
(3)
Review reports prepared by staff regarding compliance; and
(4)
Approve material changes to the program as necessary.
B.
Reports shall be prepared by the Clerk-Treasurer and submitted to
the Town Manager at least annually, no later than June 30, on the
Town's program compliance. Such reports shall address and evaluate:
(1)
The effectiveness of the policies and procedures in addressing the
risk of identity theft in regard to existing covered accounts and
the opening of covered accounts;
(2)
Significant incidents involving identity theft and management's
response;
(3)
Service provider agreements; and
(4)
Recommendations for material changes to the program.
In order to identify relevant red flags, the Town shall consider
the types of accounts that the City provides and maintains, the methods
used to open accounts, the methods used to access accounts and previous
experience with identify theft. The Town shall identify the following
red flags in each of the listed categories:
A.
Notifications and warnings from credit reporting agencies and other
service or information providers.
B.
Suspicious documents.
(1)
Identification document or card that appears to be forged, altered
or inauthentic;
(2)
Identification document or card on which a person's photograph
or physical description is not consistent with the person presenting
the document;
(3)
Other document with information that is not consistent with existing
customer information (such as if a person's signature on a check
appears forged); and
(4)
Application for service that appears to have been altered or forged.
C.
Suspicious personal identifying information.
(1)
Identifying information presented that is inconsistent with other
information that the customer provides (example: inconsistent birth
dates);
(2)
Identifying information presented that is inconsistent with other
sources of information (for instance, an address not matching an address
on the credit report);
(3)
Identifying information presented that is the same as information
shown on other applications that were found to be fraudulent;
(4)
Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address);
(5)
Social Security number presented that is the same as one given by
another customer;
(6)
An address or phone number presented that is the same as that of
another person;
(7)
A person fails to provide complete personal identifying information
on an application when reminded to do so (however, by law Social Security
numbers must not be required); and
(8)
A person's identifying information is not consistent with the
information that is on file for the customer.
D.
Suspicious account activity or unusual use of account.
(1)
Change of address for an account followed by a request to change
the account holder's name;
(2)
Payments stop on an otherwise consistently up-to-date account;
(3)
Account used in a way that is not consistent with prior use (example:
very high activity);
(4)
Mail sent to the account holder is repeatedly returned as undeliverable;
(5)
Notice to the locality that a customer is not receiving mail sent
by the locality;
(6)
Notice to the locality that an account has unauthorized activity;
(7)
Breach in the locality's computer system security; or
(8)
Unauthorized access to or use of customer account information.
E.
Alerts from others. Notice to the Town from a customer, identity
theft victim, law enforcement or other person that it has opened or
is maintaining a fraudulent account for a person engaged in identity
theft.
A.
New accounts. In order to detect any of the red flags identified in § 19-4 associated with the opening of a new account, the following steps shall be taken to obtain and verify the identity of the person opening the account:
(1)
Require certain identifying information, such as name, date of birth,
residential or business address, principal place of business for an
entity, driver's license or other identification;
(2)
Verify the customer's identity (for instance, review a driver's
license or other identification card);
(3)
Review documentation showing the existence of a business entity;
and
(4)
Independently contact the customer.
A.
In the event a red flag is detected, one or more of the following
steps shall be taken, depending on the degree of risk posed by the
red flag:
(1)
Continue to monitor an account for evidence of identity theft;
(2)
Contact the customer:
(3)
Change any passwords or other security devices that permit access
to accounts;
(4)
Not open a new account;
(5)
Close an existing account;
(6)
Reopen an account with a new number;
(7)
Notify the Town Manager or designee for determination of the appropriate
step(s) to take;
(8)
Notify law enforcement; or
(9)
Determine that no response is warranted under the particular circumstances.
B.
In order to further prevent the likelihood of identity theft occurring,
the following steps involving internal operations shall be taken to
protect customer identifying information:
(1)
Ensure that the Town's website is secure or provide clear notice
that the website is not secure;
(2)
Ensure complete and secure destruction of paper documents and computer
files containing customer information;
(3)
Ensure that the office computers are password protected and that
employees log off or lock their computers when leaving their work
area;
(4)
Keep offices clear of papers containing customer information;
(5)
Request only the last four digits of Social Security numbers (if
any);
(6)
Ensure computer virus protection is up-to-date; and
(7)
Require and keep only the kinds of customer information that are
necessary for utility purposes.
A.
The Town shall develop policies and procedures to enable it to form
a reasonable belief that a credit report, when such a report is requested
from the nationwide consumer reporting agency, relates to a Town customer
when a notice of an address discrepancy is received from the reporting
agency indicating that the address given by the customer differs from
the address contained in the report. An address may be confirmed by
the following means or by any other means deemed reasonable by management:
In the event a service provider is engaged to perform an activity
in connection with one or more covered accounts affected by the program,
the Town Manager or his designee shall ensure that the service provider
performs its activity in accordance with reasonable policies and procedures
designed to detect, prevent, and mitigate the risk of identity theft.
A service provider engaged pursuant to this section shall be required
by contract to have such policies and procedures in place and may,
at the Town Manager's discretion, be required by contract to
review the Town's program and report red flags to the Town Manager
or designee.
The program shall be updated periodically to reflect changes
in risks to customers or to the safety and soundness of the Town's
internal business practices in regard to identity theft. Such program
updates shall reflect the following elements: