TOWN OF MOORESVILLE IDENTITY THEFT POLICY Effective November 1, 2008

Upload: dympna

Post on 10-Jan-2016

Page 1: Town of Mooresville Identity Theft Policy

TOWN OF MOORESVILLE IDENTITY THEFT POLICY
Effective November 1, 2008

BACKGROUND (SECTION 1)

The risk to the municipality, its employees, its citizens, and its customers from data loss and identity theft is of significant concern to the municipality and can be reduced through the combined efforts of employees and contractors.

Passed by the Town Board in October 2008 and effective November 1, 2008, meeting the guidelines required by the Fair and Accurate Credit Transactions Act of 2003.

PURPOSE OF POLICY (SECTION 2)

• To define sensitive information
• To describe the physical security of data when it is printed on paper
• To describe the electronic security of data when stored and distributed; and
• To place the municipality in compliance with federal law regarding identity theft protection (Fair and Accurate Credit Transactions Act of 2003)

SCOPE (SECTION 3)

Policy applies to any employee who has been identified as having access to sensitive information.

Because the majority of municipal employees could potentially have access to sensitive information, training is required for both full and part-time employees.

SENSITIVE INFORMATION POLICY (4.A)

Sensitive information includes the following items whether stored in electronic or printed format:

• Credit card information
• Tax ID numbers
• Payroll information
• Cafeteria benefit plan check requests and associated paperwork
• Medical information for any employee or customer
• Other personal information belonging to any customer, employee or contractor

SENSITIVE INFORMATION (4.A)

• Credit card information
  • Credit card number (in part or whole)
  • Credit card expiration date
  • Cardholder name
  • Cardholder address
• Tax ID numbers
  • Social Security number
  • Business ID number
  • Employer ID number
• Payroll information
  • Paychecks
  • Pay stubs or advices

SENSITIVE INFORMATION (4.A)

• Cafeteria benefit plan check requests and associated paperwork
• Medical information
  • Doctor names and claims
  • Insurance claims
  • Prescriptions
  • Any related personal medical information
• Other personal information
  • Date of birth
  • Address
  • Phone numbers
  • Maiden name
  • Names
  • Customer number

USE COMMON SENSE! (4.A.1.G)

“Municipal personnel are encouraged to use common sense judgment in securing confidential information to the proper extent” (4.A.1.g).

Use reasonable precautions to secure sensitive information.

If you are uncertain about the sensitivity of a piece of information, treat the information as sensitive and ask your supervisor! If we don’t know, we will find out!

HARD COPY DISTRIBUTION (4.A.2)

File cabinets, desk drawers, overhead cabinets, and any other storage space containing sensitive information will be locked when not in use.

Storage rooms and record retention areas will be locked at the end of each workday or when not in use.

Desks, workstations, work areas, printers, faxes, and shared work areas will be cleared of all documents containing sensitive information when not in use.

Whiteboards, dry-erase boards, writing tablets, etc. will be erased, removed or shredded after use.

HARD COPY DISTRIBUTION (4.A.2)

When discarding items with sensitive information, either place inside a locked shred bin or shred immediately.

Municipal records may only be destroyed in accordance with the “Municipal Records Retention and Disposition Schedule.”

Town Hall retains all departmental financial records; do not retain copies of credit card receipts or other sensitive financial information without receiving prior approval from Maia.

ELECTRONIC DISTRIBUTION (4.A.3)

Internally
• Do not submit sensitive information using municipal e-mail.

Externally
• Any sensitive information sent externally by electronic transmission must be encrypted and password protected and transmitted only to approved recipients.

Recommendation for e-mail signature
• “This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.”

A WORD ABOUT E-MAIL…

Do not use Town of Mooresville e-mail as your primary personal e-mail account.

Any email you receive or send via Town of Mooresville e-mail is subject to subpoena and is a matter of public record.

Any information submitted can and will be read by IT employees seeking to meet the terms of a subpoena.

Think of e-mail as the front page of a newspaper; if you would not want to see the information broadcast, then do not put it in an e-mail.

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)

Covered accounts (5.A)

• Includes any account which involves or may allow multiple payments or transactions.
• New and existing customer accounts are covered IF they meet the following criteria:
  • Business, personal, and household accounts for which there is a reasonably foreseeable risk of identity theft
  • Business, personal, and household accounts for which there is a reasonably foreseeable risk to the safety and soundness of the municipality from identity theft (financial, operational, compliance, reputation, or litigation risks)

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)

Red Flags (5.B.1)

• If a red flag or a situation resembling a red flag transpires, investigation for confirmation should occur.
• Potential indicators of fraud
  • Alerts, notifications or warnings from a consumer reporting agency
  • Fraud or active duty alert included with a consumer report
  • Notice of credit freeze from a consumer reporting agency in response to a request for a consumer report
  • Notice of address discrepancy from a consumer reporting agency

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)

Red Flags (5.B.2)

• Include consumer reports demonstrating activity inconsistent with the history of account activity or behavior
• Specific examples
  • Recent and significant increase in the volume of inquiries
  • Unusual number of recently established credit relationships
  • Material change in use of credit, especially with respect to recently established credit relationships
  • Account was closed for cause or identified for abuse of privileges by a financial institution or creditor

SUSPICIOUS DOCUMENTS (5.C)

Documents provided for ID that appear to have been altered or forged; any additional document appearing to have been altered or forged.

The photograph or physical description on the ID is not consistent with the appearance of the applicant.

Other information on the ID is not consistent with information provided by the individual.

Other information on the ID is not consistent with information on file with the municipality.

SUSPICIOUS PERSONAL IDENTIFYING INFORMATION (5.D)

• Identifying information is inconsistent with verification sources
  • Address does not match in consumer report
  • SSN has not been issued or is listed on SSN Death Master File
  • Inconsistent with other information provided by customer (ex. SSN range and birth date do not correlate)
• Identifying information is associated with known fraudulent activities
• Identifying information
  • Fabricated address, or address is a mail drop or prison
  • Invalid telephone number; number may also be associated with answering service or pager

SUSPICIOUS PERSONAL IDENTIFYING INFORMATION (5.D)

• Same SSN as another account holder
• Telephone number or address corresponds to a large number of other customers
• Customer does not provide all required identifying information
• Personal information does not correspond to information on file
• Person cannot authenticate account by adequately answering security questions generated originally by the account holder

UNUSUAL USE/SUSPICIOUS ACTIVITY RELATED TO COVERED ACCOUNT (5.E)

After an address change occurs, town receives request for additional services and/or requests for additional authorized users on the account

Account is used in the manner associated with fraudulent activity

Account activity is not consistent with established patterns of previous activity

Covered account is reactivated after a lengthy period of inactivity

Mail relating to account is deemed consistently undeliverable to address associated with account

UNUSUAL USE/SUSPICIOUS ACTIVITY RELATED TO COVERED ACCOUNT (5.E)

Town has been notified that the customer is not receiving paper account statements

Town has been notified of unauthorized account changes and transactions

Town has been notified that it has opened a fraudulent account for an individual engaging in identity theft

RESPONDING TO RED FLAGS (SECTION 6)

Once potentially fraudulent activity is detected, act quickly to protect customers and the municipality from damages and loss.

• Gather all relevant information and document the situation
• The designated authority will complete additional authentication to determine whether the activity was fraudulent.

RESPONDING TO RED FLAGS (SECTION 6)

6.B: If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:

• Canceling the transaction
• Notifying and cooperating with appropriate law enforcement
• Determining the extent of liability of the municipality; and
• Notifying the actual customer that fraud has been attempted

PERIODIC UPDATES TO POLICY (SECTION 7)

Program will be reevaluated to determine applicability and efficacy, and to ensure up-to-date compliance with additional legislation

Assessments will be conducted to determine which accounts are covered

Red flags may be revised, replaced, or eliminated; new red flags may be defined

Revision to action plan may occur depending on damage and threat of ID theft to town and customers.

PROGRAM ADMINISTRATION (SECTION 8)

The importance of this policy “warrants the highest level of attention.”

Staff training will be conducted annually in all elements of the policy.

Newly hired employees will be trained in all elements of the policy before commencing work in official capacity.

Employees may receive additional training if and when changes to the policy are made.

Contracts and vendors must be in compliance with policy.