Village of Brownstown, IL
Fayette County
By using eCode360 you agree to be legally bound by the Terms of Use. If you do not agree to the Terms of Use, please do not use eCode360.
ATTACHMENTS
Attachment 1 - Addendum A, Collection, Use, and Communication of SSNs
[Amended 12-16-2008 by Ord. No. 08-12-2002]
This law is designed to identify and address the warning signs that indicate potential identity theft in order to prevent the misappropriation of Identifying Information in connection with the opening and maintenance of certain utility accounts. The Utility has developed the Program to comply with the Federal Trade Commission's ("FTC") Red Flag Rules, implemented under § 114 of the Fair and Accurate Credit Transactions Act of 2003, pursuant to 16 C.F.R. 681.2. The Commission analyzed the Utility's billing practices and concluded the Utility maintains "Covered Accounts" (as defined in the Red Flag Rules) and, consequently, must implement a written program to comply with the Red Flag Rules.
This law was developed with oversight and approval of the Village Board and shall be implemented by senior management staff. After consideration of the size and complexity of the Utility's operations and Account systems, and the nature and scope of the Utility's activities, the Village Board determined that this Program appropriately satisfies the Utility's obligation under the Red Flag Rules and therefore approves this Program on December 16, 2008.
For purposes of this Program:
(A) 
ACCOUNT or COVERED ACCOUNT —
(1) 
A continuing relationship the Utility has with an individual through an account the Utility offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and
(2) 
Any other account the Utility offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the Utility from Identity Theft.
(B) 
IDENTITY INFORMATION — "Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person" and includes: Name, address, telephone number, social security number, date of birth, governmental issued driver's license number or other identification number, alien registration number, government passport number, employer or tax identification number, unique electronic identification number, computer internet protocol address, and routing codes.
(C) 
IDENTITY THEFT — "Fraud committed using the identifying information of another person".
(D) 
RED FLAG — A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
In order to identify relevant Red Flags, the Utility considered, and shall continue to consider, the following risk factors: (i) the types of Covered Accounts that it offers and maintains, (ii) the method it provides to open its Covered Accounts, (iii) the methods it provides to access its Covered Accounts, and (iv) its previous experience with Identity Theft. The Utility incorporated relevant Red Flags from the following sources: (i) incidents of identity theft that the Utility has experienced, (ii) methods of identity theft that the Utility has identified that reflect changes in identity theft risks, and (iii) applicable supervisory guidance. The Utility identified the following Red Flags, in each of the listed categories:
(A) 
Suspicious Documents.
(1) 
Receiving documents provided for identification that appears to be forged or altered;
(2) 
A customer's photograph or physical description on an identification is not consistent with the person presenting the documentation;
(3) 
Receiving other documentation with information that is not consistent with existing customer information, such as a signature or recent check; and
(4) 
Receiving an application for service that appears to have been altered or forged, or gives the appearance of being destroyed and reassembled.
(B) 
Suspicious Identifying Information.
(1) 
A customer's identifying information is inconsistent with other sources of identifying information;
(2) 
A customer's identifying information is inconsistent with other information the customer provides (such as inconsistent SSNs or birth dates);
(3) 
A customer's identifying information is the same as shown on other applications found to be fraudulent;
(4) 
A customer's identifying information is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
(5) 
A customer's SSN is the same as another customer's SSN;
(6) 
A customer's address or phone number is the same as that of another person;
(7) 
A customer fails to provide complete personal identifying information on an application when reminded to do so; and
(8) 
A customer's identifying information is not consistent with the information that is on file for the customer.
(C) 
Unusual Use of, or Suspicious Activity Related to, a Covered Account.
(1) 
A request to change the Account holder's name or add other parties is received shortly after a change of address for an Account;
(2) 
A new Account is used in a manner consistent with fraud (such as the customer failing to make the first payment, or making the initial payment and no other payments);
(3) 
An Account being used in a way that is not consistent with prior use (such as late or no payments when the Account has been timely in the past);
(4) 
Mail sent to the Account holder is repeatedly returned as undeliverable;
(5) 
The Utility receives notice that a customer is not receiving paper statements;
(6) 
The Utility receives notice that an Account has unauthorized activity;
(7) 
The Utility's computer system is breached; and
(8) 
Unauthorized access to or use of customer Account information.
(D) 
Notice Regarding Possible Identity Theft. The Utility receives notice from a customer, a victim of identity theft, law enforcement authority or any other person regarding possible identity theft in connection with a Covered Account.
(A) 
In order to detect any of the Red Flags identified above with the opening of a new Account, Utility personnel will take the following steps to obtain and verify the identity of the person opening the Account:
(1) 
Requiring certain identifying information such as name, date of birth, residential or business address, principal place of business for an entity, SSN, driver's license or other identification;
(2) 
Verifying the customer's identity, such as by copying and reviewing a driver's license or other identification card;
(3) 
Reviewing documentation showing the existence of a business entity; and
(4) 
Independently contacting the customer.
(B) 
In order to detect any of the Red Flags identified above for an existing Covered Account, Utility personnel will take the following steps to monitor transaction with a Covered Account.
(1) 
Verifying the identification of customers if they request information (in person, via telephone, via facsimile, via email);
(2) 
Verifying the validity of request to change billing addresses; and
(3) 
Verifying changes in banking information given for billing and payment purposes.
(A) 
In the event Utility personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
(1) 
Continuing to monitor an Account for evidence of Identity Theft by placing a "Red Flag Exists" warning on the Account;
(2) 
Creating a database to track past Red Flags;
(3) 
Contacting the customer;
(4) 
Not opening a new Account;
(5) 
Closing an existing Account;
(6) 
Notifying law enforcement; or
(7) 
Determining that no response is warranted under the particular circumstances.
(B) 
In order to further prevent the likelihood of identity theft occurring with respect to Utility Accounts, the Utility will take the following steps with respect to its internal operating procedures:
(1) 
Ensuring complete and secure destruction of paper documents and computer files containing customer information, including documentation of such destruction;
(2) 
Ensuring that office computers are password protected;
(3) 
Requiring only the last four digits of SSNs on customer applications;
(4) 
Limiting access to Accounts to only employees that require access;
(5) 
Prohibiting Account information to be written on sticky pads or note pads;
(6) 
Ensuring that computer screens are only visible to the employee accessing the Account; and
(7) 
Requiring customers to authenticate addresses and personal information, rather than Account representatives asking if the information is correct.
This Program will be periodically reviewed and updated to reflect changes in risks to customers and soundness of the Utility from Identity Theft. At least once per year, the Program Administrator will consider the Utility's experiences with Identity Theft situation, changes in Identity Theft methods, changes in Identity Theft detection and prevent methods, changes in types Accounts the Utility maintains and changes in the Utility's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator will present the Village Board with recommended changes and the Village Board will make a determination of whether to accept, modify or reject those changes to the Program.
(A) 
Oversight. The Program will be overseen by a Program Administrator. The Program Administrator shall be the Clerk for the Village. The Program Administrator will be responsible for the Program's administration, for ensuring appropriate training of employees on the Program, for reviewing any staff reports regarding the detection of Red Flags and steps for preventing and mitigating Identity Theft, determining which steps of the prevention and mitigation should be taken in particular circumstances, reviewing and if necessary, approving changes to the Program.
(B) 
Staff Training and Reports. Employees responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the responsible steps to be taken when a Red Flag is detected. Each employee responsible for implementing the Program shall sign an Identity Theft Program Acknowledgement. Such training and acknowledgement will be sufficient to effectively implement the Program.
(C) 
Violation. The Program Administrator will be responsible for notifying the appropriate individual of any failure of the employees in adhering to the provisions of the Program. All employees have been advised that violations of the policies set forth herein may be grounds for disciplinary action.
[Amended 5-17-2011 by Ord. No. 2011-05-01]
As required by the Illinois Identity Protection Act of 2010, there is hereby adopted in the Village of Brownstown the Privacy Policy as stated in the attached document entitled "Chapter 22, Article II: Village Policy with Regard to the Collection, Use and Communication of Individuals' Social Security Numbers" with regard to the collection, use, and communication of an individual's Social Security Number by employees, officials, contractors and/or subcontractors of the Village which is hereby adopted by reference as if fully set forth herein.
The Privacy Policy adopted in this article and Chapter shall be subject to amendment from time to time by the Village Board as the Village Board shall deem necessary in its sole discretion in order to maintain the Village's compliance with the Illinois Identity Protection Act as now or hereafter amended. (See Addendum A).[1]
[1]
Editor's Note: Addendum A is included as an attachment to this chapter.
Any person who violates any portion of this article or the attached Policy, as now or hereafter amended, shall be subject to a fine of not less than $100 for the first such violation and a fine of not less than $500 for each violation thereafter.