[HISTORY: Adopted by the Mayor and Council of the Town of Rock Hall 6-11-2009 by Ord. No. 2009-01. Amendments noted where applicable.]
As used in this chapter, the following terms shall have the meanings indicated:
COVERED ACCOUNT
A. An account that the Town offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, including utility accounts; and
B. Any other account that the Town offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
CREDIT
The right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
CREDITOR
Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
CUSTOMER or CONSUMER
The person or entity that has a covered account with the Town.
IDENTIFYING INFORMATION
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, Social Security number, date of birth, government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer's Internet Protocol (IP) address, or routing code.
IDENTITY THEFT
Fraud committed or attempted using the identifying information of another person without authority.
PROGRAM
The identity theft prevention program.
RED FLAG
A pattern, practice or specific activity that indicates the possible existence of identity theft.
A. There is hereby established an identity theft prevention program to detect, prevent and mitigate identity theft.
B. The program includes reasonable policies and procedures to:
(1) Identify relevant red flags for covered accounts and incorporate those red flags into the program;
(2) Detect red flags that have been incorporated into the program;
(3) Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
(4) Ensure that the program is updated periodically to reflect changes in risks to the City and its customers arising from identity theft.
A. The Town Manager or his designee shall be responsible for the development, implementation, oversight and continued administration of the program. The Town Manager or designee shall:
(1) Ensure that staff is trained, as necessary, to effectively implement the program;
(2) Exercise appropriate and effective oversight of service provider arrangements, as provided in § 19-8;
(3) Review reports prepared by staff regarding compliance; and
(4) Approve material changes to the program as necessary.
B. Reports shall be prepared by the Clerk-Treasurer and submitted to the Town Manager at least annually, no later than June 30, on the Town's program compliance. Such reports shall address and evaluate:
(1) The effectiveness of the policies and procedures in addressing the risk of identity theft in regard to existing covered accounts and the opening of covered accounts;
(2) Significant incidents involving identity theft and management's response;
(3) Service provider agreements; and
(4) Recommendations for material changes to the program.
In order to identify relevant red flags, the Town shall consider the types of accounts that the City provides and maintains, the methods used to open accounts, the methods used to access accounts and previous experience with identity theft. The Town shall identify the following red flags in each of the listed categories:
A. Notifications and warnings from credit reporting agencies and other service or information providers.
(1) Report of fraud accompanying a credit report;
(2) Notice or report of a credit freeze on a customer or applicant;
(3) Notice or report of an active duty alert for an applicant; and
(4) Indication from a credit report of activity that is inconsistent with a customer's usual pattern or activity.
B. Suspicious documents.
(1) Identification document or card that appears to be forged, altered or inauthentic;
(2) Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
(3) Other document with information that is not consistent with existing customer information (such as if a person's signature on a check appears forged); and
(4) Application for service that appears to have been altered or forged.
C. Suspicious personal identifying information.
(1) Identifying information presented that is inconsistent with other information that the customer provides (example: inconsistent birth dates);
(2) Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on the credit report);
(3) Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
(4) Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
(5) Social Security number presented that is the same as one given by another customer;
(6) An address or phone number presented that is the same as that of another person;
(7) A person fails to provide complete personal identifying information on an application when reminded to do so (however, by law Social Security numbers must not be required); and
(8) A person's identifying information is not consistent with the information that is on file for the customer.
D. Suspicious account activity or unusual use of account.
(1) Change of address for an account followed by a request to change the account holder's name;
(2) Payments stop on an otherwise consistently up-to-date account;
(3) Account used in a way that is not consistent with prior use (example: very high activity);
(4) Mail sent to the account holder is repeatedly returned as undeliverable;
(5) Notice to the locality that a customer is not receiving mail sent by the locality;
(6) Notice to the locality that an account has unauthorized activity;
(7) Breach in the locality's computer system security; or
(8) Unauthorized access to or use of customer account information.
E. Alerts from others. Notice to the Town from a customer, identity theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft.
A. New accounts. In order to detect any of the red flags identified in § 19-4 associated with the opening of a new account, the following steps shall be taken to obtain and verify the identity of the person opening the account:
(1) Require certain identifying information, such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification;
(2) Verify the customer's identity (for instance, review a driver's license or other identification card);
(3) Review documentation showing the existence of a business entity; and
(4) Independently contact the customer.
B. Existing accounts. In order to detect any of the red flags identified in § 19-4 for an existing account, the following steps shall be taken to monitor transactions with an account:
(1) Verify the identification of customers if they request information, whether in person, via telephone, via facsimile or via e-mail;
(2) Verify the validity of requests to change billing addresses; and
(3) Verify changes in banking information given for billing and payment purposes.
A. In the event a red flag is detected, one or more of the following steps shall be taken, depending on the degree of risk posed by the red flag:
(1) Continue to monitor an account for evidence of identity theft;
(2) Contact the customer;
(3) Change any passwords or other security devices that permit access to accounts;
(4) Not open a new account;
(5) Close an existing account;
(6) Reopen an account with a new number;
(7) Notify the Town Manager or designee for determination of the appropriate step(s) to take;
(8) Notify law enforcement; or
(9) Determine that no response is warranted under the particular circumstances.
B. In order to further prevent the likelihood of identity theft occurring, the following steps involving internal operations shall be taken to protect customer identifying information:
(1) Ensure that the Town's website is secure or provide clear notice that the website is not secure;
(2) Ensure complete and secure destruction of paper documents and computer files containing customer information;
(3) Ensure that the office computers are password protected and that employees log off or lock their computers when leaving their work area;
(4) Keep offices clear of papers containing customer information;
(5) Request only the last four digits of Social Security numbers (if any);
(6) Ensure computer virus protection is up-to-date; and
(7) Require and keep only the kinds of customer information that are necessary for utility purposes.
A. The Town shall develop policies and procedures to enable it to form a reasonable belief that a credit report, when such a report is requested from the nationwide consumer reporting agency, relates to a Town customer when a notice of an address discrepancy is received from the reporting agency indicating that the address given by the customer differs from the address contained in the report. An address may be confirmed by the following means or by any other means deemed reasonable by management:
(1) Verification by contacting the consumer;
(2) Verification by reviewing utility records; or
(3) Verification through third-party sources.
B. If an accurate address is confirmed by the process established under Subsection A of this section, the Town shall furnish the address to the reporting agency from which it was received if:
(1) The Town has established or will establish a continuing relationship with the account holder; and
(2) The Town regularly, in the ordinary course of business, furnishes information to the reporting agency.
In the event a service provider is engaged to perform an activity in connection with one or more covered accounts affected by the program, the Town Manager or his designee shall ensure that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. A service provider engaged pursuant to this section shall be required by contract to have such policies and procedures in place and may, at the Town Manager's discretion, be required by contract to review the Town's program and report red flags to the Town Manager or designee.
The program shall be updated periodically to reflect changes in risks to customers or to the safety and soundness of the Town's internal business practices in regard to identity theft. Such program updates shall reflect the following elements:
A. Experiences involving identity theft.
B. Changes in the methods used in identity theft.
C. Changes in the methods used to detect, prevent and mitigate identity theft.
D. Changes in the types of accounts the Town offers or maintains.
E. Changes in the Town's business practices.