Identity Theft Program Requirements
Every affected municipality must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must be appropriate to the size and complexity of the municipality and the nature and scope of its activities.
The program must include provisions to:
- Identify relevant red flags for covered accounts signaling possible identity theft and incorporate those red flags into the program;
- Detect red flags that have been incorporated into the program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the program is updated periodically to reflect changes in risks.
The policy must also provide for continued administration and oversight of the program, including:
- Obtaining approval of the initial written program by the governing body or an appropriate committee designated by the governing body;
- Involving the governing body, a committee of the governing body, or a designated management-level employee in the development, implementation, administration and oversight of the program;
- Staff training as necessary to effectively implement the program; and
- Exercise of appropriate and effective oversight of service provider arrangements.
The red flags fall into five categories:
- alerts, notifivations, or warnings from a consumer reporting agency
- suspicious documents
- suspicious indentifying information, such as a suspicious address
- unusual use of — or suspicous activity relating to — a covered account
- notices from customers, victims of identiy theft, law enforcemnt authorities, or other businesses about possible identity theft in connection with covered accounts.
Annually, the designated overseer of the municipality’s identity theft program must report to the governing body on the effectiveness of the program and compliance with the regulatory requirements.