[Adopted 4-27-2009 by Res. No. 09-07]
The identity theft prevention policy set forth in this article, establishing rules and procedures to detect, prevent and mitigate identity theft, is hereby approved.
The President and Village Board appoint the Village Administrator as the program administrator of the Identity Theft Prevention Program and chairperson of the Identity Theft Prevention Committee.
Identity theft has become the number one consumer fraud issue in the country. In 2007, more than 10,000 identity theft complaints were filed with the Federal Trade Commission (FTC) by Illinois residents. The Village of Coal City recognizes that the risk to the Village, its employees, residents, and customers from data loss and identity theft is a significant concern to the Village, which this Identity Theft Prevention Program ("program") seeks to address.
The Village developed the program in an effort to battle identity theft. The program was developed with oversight and approval of the President and Village Board. After consideration of the size and complexity of the Village's operations and customer account systems, and the nature and scope of the Village's activities, the President and Village Board determined that this program was appropriate for the Village, and therefore approved the program on April 27, 2008.
A. The Village adopts the program to help protect employees, customers, contractors, and itself from harm and damage related to, or caused by, the loss or misuse of sensitive information. The program also will assist the Village in detecting, preventing, and mitigating identity theft. The program does so by identifying certain "red flags" that suggest or indicate the possibility of identity theft, and by providing guidelines on how the Village should respond once it detects any such red flags. Further, the program will:
(1) Define sensitive information;
(2) Describe the physical security of data when it is printed on paper;
(3) Describe the electronic security of data when stored and distributed; and
(4) Place the Village in compliance with state and federal law regarding identity theft protection.
B. The program has been tailored to the size, complexity and the nature of the Village's operations. The program also has been designed in order to:
(1) Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the program;
(2) Detect red flags that have been incorporated into the program;
(3) Allow the Village to respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
(4) Ensure that the program is reviewed periodically and updated, if necessary, to reflect changes in risks to customers or to the safety and soundness of the Village from identity theft.
For the purpose of this article, the following definitions shall apply unless the context clearly indicates or requires a different meaning:
COVERED ACCOUNT
A. An account that the Village offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a utility account; and
B. Any other account that the Village offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the Village, including financial, operational, compliance, reputation, or litigation risks.
CREDIT
The right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
CREDITOR
Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit, including utility companies.
CUSTOMER
A person that has a covered account with a creditor.
IDENTITY THEFT
A fraud committed or attempted using identifying information of another person without authority.
PERSON
A natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.
RED FLAG
A pattern, practice, or specific activity that indicates the possible existence of identity theft.
SENSITIVE INFORMATION
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to, a person's credit card account information, debit card information, bank account information, driver's license information, social security number, mother's birth name, date of birth, electronic identification number, computer internet protocol address, and routing code.
SERVICE PROVIDER
A person that provides a service directly to the Village.
In order to identify relevant red flags, the Village considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with identity theft. The Village identifies the following red flags, in the following listed categories:
A. Notifications and warnings from credit reporting agencies. Red flags:
(1) Report of fraud accompanying a credit report;
(2) Notice or report from a credit agency of a credit freeze on a customer or applicant;
(3) Notice or report from a credit agency of an active-duty alert for an applicant; and
(4) Indication from a credit report of activity that is inconsistent with a customer's usual pattern or activity.
B. Suspicious documents. Red flags:
(1) Identification document or card that appears to be forged, altered or otherwise inauthentic;
(2) Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
(3) Other documentation with information that is not consistent with existing customer information (e.g., a person's signature on a check appears forged); and
(4) Application for service that appears to have been altered or forged.
C. Suspicious personal identifying information. Red flags:
(1) Identifying information presented that is inconsistent with other information the customer provides (e.g., inconsistent birth dates);
(2) Identifying information presented that is inconsistent with other sources of information (e.g., an address not matching an address on a credit report);
(3) Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
(4) Identifying information presented that is consistent with fraudulent activity (e.g., an invalid phone number or an answering service, or fictitious billing address, mail drop or prison);
(5) Social security number presented that is the same as one given by another customer;
(6) An address or phone number presented that is the same as that of another person;
(7) A person fails to provide complete personal identifying information on an application when reminded to do so; and
(8) A person's identifying information is not consistent with the information that is on file for the customer.
D. Suspicious account activity or unusual use of account. Red flags:
(1) Change of address for an account followed by a request to change the account holder's name;
(2) Payments stop on an otherwise consistently up-to-date account;
(3) Account used in a way that is not consistent with prior use (e.g., very high activity);
(4) Mail sent to the account holder is repeatedly returned as undeliverable;
(5) Notice to the Village that a customer is not receiving mail sent by the Village;
(6) Notice to the Village that an account has unauthorized activity;
(7) Breach in the Village's computer system security; and
(8) Unauthorized access to or use of customer account information.
E. Alerts from others. Red flag:
(1) Notice to the Village from a customer, identity theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in identity theft.
A. New covered accounts. In order to try and detect any of the red flags identified in § 37-21 associated with the opening of a new covered account, Village personnel should take the following steps to obtain and verify the identity of the person opening the covered account:
(1) Require certain identifying information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification;
(2) Verify the customer's identity (e.g., review a driver's license or other identification card);
(3) Review documentation showing the existence of a business entity; and
(4) Independently contact the customer if appropriate.
B. Existing covered accounts. In order to detect any of the red flags identified in § 37-21 for an existing covered account, Village personnel will take the following steps to monitor transactions with a covered account:
(1) Verify the identification of customers if they request information (in person, via telephone, via facsimile, via e-mail, or otherwise);
(2) Verify the validity of requests to change billing addresses; and
(3) Verify changes in banking information given for billing and payment purposes.
A. Securing sensitive information.
(1) Village personnel are encouraged to use common-sense judgment in securing sensitive and confidential information. Furthermore, in exercising such judgment, consideration should be given to the Illinois Freedom of Information Act (FOIA).[1] If an employee is uncertain of the sensitivity of a particular piece of information, the employee should contact his or her supervisor or the program administrator. Further, if the Village receives a FOIA or other request seeking sensitive information, or documents containing sensitive information, said requests should be forwarded to the Village Manager and the Village Attorney.
[1] Editors' Note: See 5 ILCS 140/1 et seq.
(2) In order to further prevent the likelihood of identity theft occurring with respect to Village accounts, the Village shall make reasonable efforts to take the following steps with respect to its internal operating procedures to protect customer identifying information:
(a) Take steps to ensure that the Village's website is secure or provide clear notice that the website is not secure;
(b) Attempt to ensure destruction of paper documents and computer files containing sensitive information;
(c) Keep file cabinets, desk drawers, cabinets, and any other storage space containing documents with sensitive information locked when not in use;
(d) Lock storage rooms containing documents with sensitive information and record retention area at the end of the work day or when unsupervised;
(e) Attempt to ensure that office computers with access to covered accounts and/or sensitive information are password protected and that computer screens lock after a set period of time;
(f) Keep workstations, work areas, and offices clear of papers containing sensitive information;
(g) Request only the last four digits of social security numbers (if any);
(h) Attempt to ensure that computer virus protection is up-to-date;
(i) Require and keep only the kinds of sensitive information that are necessary for the Village's purposes; and
(j) Account statements and receipts for covered accounts shall only include the last four digits of the credit card, debit card, or the bank account used for payment of the covered account.
B. Electronic distribution. Each employee, service provider, or contractor performing work for the Village will comply with the following policies:
(1) With respect to internal electronic distribution, sensitive information may be transmitted using approved Village electronic mail.
(2) With respect to external electronic distribution, sensitive information should only be transmitted in an encrypted format and should contain a statement such as this:
"This message may contain sensitive, confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited."
C. Responses when red flags detected. In the event Village personnel detect any identified red flags, such personnel should take one or more of the following steps, depending on the degree of risk posed by the red flag:
(1) Continue to monitor an account for evidence of identity theft;
(2) Contact the customer;
(3) Change any passwords or other security devices that permit access to covered accounts;
(4) Decline or otherwise refuse to open a new covered account;
(5) Close an existing covered account;
(6) Reopen a covered account with a new number;
(7) Notify the program administrator for determination of the appropriate step(s) to take;
(8) Notify law enforcement; or
(9) Determine that no response is warranted under the particular circumstances.
This program will be periodically reviewed and updated to try and reflect changes in risks to customers and the soundness of the Village from identity theft. At least once a year, the program administrator will consider the Village's experiences with identity theft, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the Village maintains and changes in the Village's business arrangements with other entities. After considering these factors, the program administrator will determine whether changes to the program, including the listing of red flags, are warranted. If warranted, the program administrator will update the program or present the President and Village Board with his or her recommended changes and the President and Village Board will make a determination of whether to accept, modify or reject those changes to the program.
A. Oversight. Responsibility for developing, implementing and updating this program lies with the Identity Theft Committee. The Committee shall be headed by the program administrator or his or her appointee. Two or more other individuals appointed by the corporate authorities shall comprise the remainder of the Committee membership. The program administrator will be responsible for the program administration, for ensuring appropriate training of Village staff on the program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
B. Staff training and reports. Village staff responsible for implementing the program shall be trained either by or under the direction of the program administrator in the detection of red flags, and the responsive steps to be taken when a red flag is detected. Further training shall also be provided on a yearly basis or as needed to address changes in the program.
C. Service provider arrangements. In the event the Village engages a service provider to perform an activity in connection with one or more covered accounts, the Village will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
(1) Require, by contract, that service providers have such policies and procedures in place; and
(2) Require, by contract, that service providers review the program and report any red flags to the program administrator.
D. Specific program elements and confidentiality. For the effectiveness of identity theft prevention programs, the red flag rule envisions a degree of confidentiality regarding the Village's specific practices relating to identity theft detection, prevention and mitigation. Therefore, under this program, knowledge of such specific practices is to be limited to the program administrator or Identity Theft Committee and those employees who need to know them for purposes of preventing identity theft. Because this program is to be adopted by a public body and thus publicly available, it would be counterproductive to list these specific practices here. Therefore, only the program's general red flag detection, implementation and prevention practices are listed in this article.