Model Identify Theft Policy: Sections 6, 7, 8
SECTION 6: RESPONDING TO RED FLAGS
6.A: Once potentially fraudulent activity is detected, an employee must act quickly as a rapid appropriate response can protect customers and the municipality from damages and loss.
6.A.1: Once potentially fraudulent activity is detected, gather all related documentation and write a description of the situation. Present this information to the designated authority for determination.
6.A.2: The designated authority will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic.
6.B: If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
1. Canceling the transaction;
2. Notifying and cooperating with appropriate law enforcement;
3. Determining the extent of liability of the municipality; and
4. Notifying the actual customer that fraud has been attempted.
SECTION 7: PERIODIC UPDDATES TO PLAN
7.A : At periodic intervals established in the program, or as required, the program will be re-evaluated to determine whether all aspects of the program are up to date and applicable in the current business environment.
7.B: Periodic reviews will include an assessment of which accounts are covered by the program.
7.C : As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate.
7.D : Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the municipality and its customers.
SECTION 8: PROGRAM ADMINISTRATION
8.A: Involvement of management
1. The Identity Theft Prevention Program shall not be operated as an extension to existing fraud prevention programs, and its importance warrants the highest level of attention.
2. The Identity Theft Prevention Program is the responsibility of the governing body. Approval of the initial plan must be appropriately documented and maintained.
3. Operational responsibility of the program is delegated to ____________________.
8.B:Staff training
1. Staff training shall be conducted for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to the municipality or its customers.
2. ____________________ is responsible for ensuring identity theft training for all requisite employees and contractors.
3. Employees must receive annual training in all elements of this policy.
4. To ensure maximum effectiveness, employees may continue to receive additional training as changes to the program are made.
8.C: Oversight of service provider arrangements
1. It is the responsibility of the municipality to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
2. A service provider that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
3. Any specific requirements should be specifically addressed in the appropriate contract arrangements.
This resolution will take effect immediately upon its passage, the public welfare requiring it.