[Ord. No. 09-03, 7-6-2009]
The risk to the County, its employees and customers from data loss and identity theft is of significant concern to the County and can be reduced only through the combined efforts of every employee and contractor. The County will focus on detection and prevention of identity theft on all accounts where the County accepts deferred payments for goods or services.
[Ord. No. 09-03, 7-6-2009]
The County is committed to detecting situations in which identity theft may have occurred.
A “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. In order to identify relevant Red Flags, the County considered risk factors such as the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts and its previous experiences with identity theft.
Identity theft will be addressed by detecting Red Flags in connection with the opening of accounts and existing accounts, such as by:
(A) 
Obtaining identifying information about, and verifying the identity of, a person opening an account.
(B) 
Monitoring transactions with emphases on a change of address closely followed by a new service request or a material change in a customer’s credit use.
(C) 
Verifying the validity of change of address requests, in the case of existing accounts in order to monitor the diversion of statements as a prelude to possible account manipulation.
[Ord. No. 09-03, 7-6-2009]
(A) 
In order to prevent and mitigate identify theft, the County will provide appropriate responses to the following Red Flags:
(1) 
Suspicious documents.
(a) 
Documents provided for identification that appear to have been altered, forged or are unauthentic.
(b) 
The photograph or physical description on the identification is not consistent with the appearance of the applicant or person presenting the identification.
(c) 
Receiving other documentation with information that is not consistent with existing customer information (such as if a person’s signature on a check appears forged).
(d) 
Receiving an application for service that appears to have been altered or forged.
(2) 
Suspicious personal identifying information.
(a) 
The person opening an account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
(b) 
Personal identifying information provided is not consistent with personal identifying information that is on file with the County.
(c) 
A person’s identifying information is the same as shown on other applications found to be fraudulent.
(d) 
A person’s identifying information is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address).
(e) 
A person’s social security number is the same as another customer’s social security number.
(f) 
A person’s address or phone number is the same as that of another person.
(g) 
A person’s identifying information is not consistent with other information the customer provides.
(3) 
Unusual use of, or suspicious activity related to, an account.
(a) 
A change of address for an account followed by the County receiving a request for the addition of authorized users on the account or adding other parties.
(b) 
An account that has been inactive and then becomes active.
(c) 
Payments stop on an otherwise consistently up-to-date account.
(d) 
Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s account.
(e) 
The County is notified of unauthorized charges or transactions in connection with a customer’s account.
(f) 
A new account is used in a manner consistent with fraud (such as the customer failing to make the first payment or making the initial payment and no other payments).
(g) 
An account being used in a way that is not consistent with prior use (such as late or no payments when the account has been timely in the past).
(h) 
The County receives notice that a customer is not receiving his/her paper statements.
(i) 
The County is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
(B) 
In order to detect any of the Red Flags identified above with the opening of a new account, County personnel will take the following steps to obtain and verify the identity of the person opening the account:
(1) 
Requiring certain identifying information such as name, date of birth, residential or business address, principal place of business for an entity, social security number, driver’s license or other identification.
(2) 
Verifying the customer’s identity, such as by copying and reviewing a driver’s license or other identification card.
(3) 
Reviewing documentation showing the existence of a business entity.
(4) 
Independently contacting the customer.
(C) 
In order to detect any of the Red Flags identified above for an existing account, County personnel will take the following steps to monitor transactions with an account:
(1) 
Verifying the identification of customers if they request information (in person, via telephone, via facsimile, via e-mail).
(2) 
Verifying the validity of requests to change billing addresses.
(3) 
Verifying changed in banking information given for billing and payment purposes.
(D) 
Responses to these Red Flags are commensurate with the degree of risk posed based on the County’s risk assessment. Appropriate responses may include the following:
(1) 
Monitoring an account for evidence of identity theft or suspicious activity by placing on the County’s watch list;
(2) 
Contacting the customer;
(3) 
Reopening an account with a new account number;
(4) 
Not opening a new account;
(5) 
Closing an existing account;
(6) 
Not attempting to collect on an account or not sending an account to a debt collector;
(7) 
Notifying law enforcement; or
(8) 
Determining that no response is warranted under the particular circumstances.
(E) 
If a notice of change of address for an existing account is received and then within thirty (30) days a request for a change to the account is made, the County will assess the validity of the change of address or requested change to the account.
[Ord. No. 09-03, 7-6-2009]
The County will periodically review and update this policy (including the Red Flags determined to be relevant) to reflect changes in risks to customers or to the safety and soundness of the County from identity theft, based on factors such as:
(A) 
Experiences with identity theft;
(B) 
Changes in methods of identity theft;
(C) 
Changes in methods to detect, prevent, and mitigate identity theft;
(D) 
Changes in the types of accounts or services that the County offers or maintains; and
(E) 
Changes in our business arrangements, including services provided and service provider arrangements.
After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator will update the Program or present the Board of County Commissioners with his or her recommended changes, and the Board of County Commissioners will make a determination of whether to accept, modify or reject those changes to the Program.
[Ord. No. 09-03, 7-6-2009]
(A) 
The ultimate oversight of the Program is the Monroe County Board of Commissioners. The Monroe County Board of Commissioners has assigned specific responsibility for the Program’s implementation to the Program Administrator.
(B) 
The Program Administrator will report to the Board of County Commissioners, at least annually, on compliance by the County with all identity theft issues.
(C) 
The report will address material matters related to the Program and evaluate issues such as:
(1) 
The effectiveness of the policies and procedures of the County in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts;
(2) 
Service provider arrangements;
(3) 
Significant incidents involving identity theft and management’s response; and
(4) 
Recommendations for material changes to the Program.
The Monroe County Board of Commissioners will take any additional steps necessary to support this Program.
[Ord. No. 09-03, 7-6-2009]
The County will oversee any service provider who performs an activity in connection with one or more accounts. The County will take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft and require the service provider to report any Red Flag to the Program Administrator.
[Ord. No. 09-03, 7-6-2009]
The County staff responsible for implementing the Program will be trained to recognize and detect Red Flags and properly react to unauthorized or fraudulent attempts to obtain customer information. The County directs the Program Administrator to conduct annual training for all employees regarding identity theft and to supplement that training throughout the year as more schemes are uncovered.
[Ord. No. 09-03, 7-6-2009]
As part of the overall Program, the County will include other legal requirements when needed, such as implementing any requirements under which accounts may be created, changed or altered when the County detects a fraud or active duty alert.