TOWN OF MOORESVILLE IDENTITY THEFT POLICY
Effective November 1, 2008.


BACKGROUND (SECTION 1)
- The risk to the municipality, its employees, its citizens, and its customers from data loss and identity theft is of significant concern to the municipality and can be reduced through the combined efforts of employee and contractor.
- Passed by the Town Board October 2008
- Effective November 1, 2008, which met guidelines required by the Fair and Accurate Credit Transactions Act of 2003.

PURPOSE OF POLICY (SECTION 2)
- To define sensitive information
- To describe the physical security of data when it is printed on paper
- To describe the electronic security of data when stored and distributed; and
- To place the municipality in compliance with federal law regarding identity theft protection (Fair and Accurate Credit Transactions Act of 2003)

SCOPE (SECTION 3)
- Policy applies to any employee who has been identified as having access to sensitive information.
- Because the majority of municipal employees could potentially have access to sensitive information, training is required for both full and part-time employees.

SENSITIVE INFORMATION POLICY (4.A)
Sensitive information includes the following items whether stored in electronic or printed format:
- Credit card information
- Tax ID numbers
- Payroll information
- Cafeteria benefit plan check requests and associated paperwork
- Medical information for any employee or customer
- Other personal information belonging to any customer, employee or contractor

SENSITIVE INFORMATION (4.A)
- Credit card information
  - Credit card number (in part or whole)
  - Credit card expiration date
  - Cardholder name
  - Cardholder address
- Tax ID numbers
  - Social Security number
  - Business ID number
  - Employer ID number
- Payroll information
  - Paychecks
  - Pay stubs or advices

SENSITIVE INFORMATION (4.A)
- Cafeteria benefit plan check requests and associated paperwork
- Medical information
  - Doctor names and claims
  - Insurance claims
  - Prescriptions
  - Any related personal medical information
- Other personal information
  - Date of birth
  - Address
  - Phone numbers
  - Maiden name
  - Names
  - Customer number

USE COMMON SENSE! (4.A.1.g)
- “Municipal personnel are encouraged to use common sense judgment in securing confidential information to the proper extent” (4.A.1.g).
- Use reasonable precautions to secure sensitive information.
- If you are uncertain about the sensitivity of a piece of information, treat the information as sensitive and ask your supervisor!
- If we don’t know, we will find out!

HARD COPY DISTRIBUTION (4.A.2)
- File cabinets, desk drawers, overhead cabinets, and any other storage space containing sensitive information will be locked when not in use.
- Storage rooms and record retention areas will be locked at end of each workday or when not in use.
- Desks, workstations, work areas, printers, faxes, and shared work areas will be cleared of all documents containing sensitive information when not in use.
- Whiteboards, dry-erase boards, writing tablets, etc. will be erased, removed or shredded after use.

HARD COPY DISTRIBUTION (4.A.2)
- When discarding items with sensitive information, either place inside a locked shred bin or shred immediately.
- Municipal records may only be destroyed in accordance with the “Municipal Records Retention and Disposition Schedule”.
- Town Hall retains all departmental financial records; do not retain copies of credit card receipts or other sensitive financial information without receiving prior approval from Maia.

ELECTRONIC DISTRIBUTION (4.A.3)
- Internally
  - Do not submit sensitive information using municipal e-mail.
- Externally
  - Any sensitive information sent externally by electronic transmission must be encrypted and password protected and transmitted only to approved recipients.
- Recommendation for signature
  - “This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.”

A WORD ABOUT E-MAIL …
- Do not use Town of Mooresville e-mail as your primary personal account.
- Any e-mail you receive or send via Town of Mooresville e-mail is subject to subpoena and is a matter of public record.
- Any information submitted can and will be read by IT employees seeking to meet the terms of a subpoena.
- Think of e-mail as the front page of a newspaper; if you would not want to see information broadcasted, then do not put it in an e-mail.

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)
Covered accounts (5.A)
- Includes any account which involves or may allow multiple payments or transactions.
- New and existing customer accounts are covered IF they meet the following criteria:
  - Business, personal, and household accounts for which there is a reasonably foreseeable risk of identity theft
  - Business, personal, and household accounts for which there is a reasonably foreseeable risk to the safety and soundness of the municipality from identity theft (financial, operational, compliance, reputation, or litigation risks)

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)
Red Flags (5.B.1)
- If a red flag or a situation resembling a red flag transpires, investigation for confirmation should occur.
- Potential indicators of fraud
- Alerts, notifications or warnings from a consumer reporting agency
  - Fraud or active duty alert included with a consumer report
  - Notice of credit freeze from a consumer reporting agency in response to a request for a consumer report
  - Notice of address discrepancy from a consumer reporting agency

ADDITIONAL IDENTITY THEFT PREVENTION (SECTION 5)
Red Flags (5.B.2)
- Include consumer reports demonstrating activity inconsistent with the history of account activity or behavior
- Specific examples
  - Recent and significant increase in the volume of inquiries
  - Unusual number of recently established credit relationships
  - Material change in use of credit, especially with respect to recently established credit relationships
  - Account was closed for cause or identified for abuse of privileges by a financial institution or creditor

SUSPICIOUS DOCUMENTS (5.C)
- Documents provided for ID that appear to have been altered or forged; any additional document appearing to have been altered or forged.
- The photograph or physical description on the ID is not consistent with the appearance of the applicant.
- Other information on the ID is not consistent with information provided by the individual.
- Other information on the ID is not consistent with information on file with the municipality.

SUSPICIOUS PERSONAL IDENTIFYING INFORMATION (5.D)
- Identifying information is inconsistent with verification sources
  - Address does not match in consumer report
  - SSN has not been issued or is listed on SSN Death Master File
- Inconsistent with other information provided by customer (ex. SSN range and birth date do not correlate)
- Identifying information is associated with known fraudulent activities
- Identifying information
  - Fabricated address, or address is a mail drop or prison
  - Invalid telephone number; number may also be associated with answering service or pager

SUSPICIOUS PERSONAL IDENTIFYING INFORMATION (5.D)
- Same SSN as another account holder
- Telephone number or address corresponds to a large number of other customers
- Customer does not provide all required identifying information
- Personal information does not correspond to information on file
- Person cannot authenticate account by adequately answering security questions generated originally by the account holder

UNUSUAL USE / SUSPICIOUS ACTIVITY RELATED TO COVERED ACCOUNT (5.E)
- After an address change occurs, town receives request for additional services and/or requests for additional authorized users on the account
- Account is used in a manner associated with fraudulent activity
- Account activity is not consistent with established patterns of previous activity
- Covered account is reactivated after a lengthy period of inactivity
- Mail relating to account is deemed consistently undeliverable to address associated with account

UNUSUAL USE / SUSPICIOUS ACTIVITY RELATED TO COVERED ACCOUNT (5.E)
- Town has been notified that the customer is not receiving paper account statements
- Town has been notified of unauthorized account changes and transactions
- Town has been notified that it has opened a fraudulent account for an individual engaging in identity theft

RESPONDING TO RED FLAGS (SECTION 6)
- Once potentially fraudulent activity is detected, act quickly to protect customers and the municipality from damages and loss.
- Gather all relevant information and document the situation.
- The designated authority will complete additional authentication to determine whether the activity was fraudulent.

RESPONDING TO RED FLAGS (SECTION 6)
6.B: If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
- Canceling the transaction
- Notifying and cooperating with appropriate law enforcement
- Determining the extent of liability of the municipality; and
- Notifying the actual customer that fraud has been attempted

PERIODIC UPDATES TO POLICY (SECTION 7)
- Program will be reevaluated to determine applicability and efficacy, and to ensure up-to-date compliance with additional legislation
- Assessments will be conducted to determine which accounts are covered
- Red flags may be revised, replaced, or eliminated; new red flags may be defined
- Revision to action plan may occur depending on damage and threat of ID theft to town and customers.

PROGRAM ADMINISTRATION (SECTION 8)
- The importance of this policy “warrants the highest level of attention.”
- Staff training will be conducted annually in all elements of the policy.
- Newly hired employees will be trained in all elements of the policy before commencing work in official capacity.
- Employees may receive additional training if and when changes to the policy are made.
- Contracts and vendors must be in compliance with policy.