This Policy does not supersede any more restrictive law, rule, or regulation regarding the collection, use, or disclosure of Social Security Numbers. [NOTE: This Policy is to comply with Public Act 096‑9874 of the State of Illinois, cited as the Identity Protection Act, and codified as Title 30, Act 5, Section 1, et seq., as now or hereafter amended.]
Any person who violates any portion of this Article, as now or hereafter amended, shall be subject to a fine of not less than One Hundred Dollars ($100.00) for the first such violation and a fine of not less than One Thousand Dollars ($1,000.00) for each violation thereafter.
(A) All officers, employees and agents of the County identified as having access to Social Security Numbers in the course of performing their duties to be trained to protect the confidentiality of all Social Security Numbers. Training shall include instructions on the proper handling of information that contains Social Security Numbers from the time of collection through the destruction of the information.
(B) Only employees who are required to use or handle information or documents that contain Social Security Numbers have access to such information or documents.
(C) Social Security Numbers requested from an individual shall be provided in a manner that makes the Social Security Number easily redacted if required to be released as part of a public records request.
(D) When collecting a Social Security Number or upon request by the individual, a statement of the purpose or purposes for which the County is collecting and using the Social Security Number be provided.
Beginning immediately on the effective date of the County’s authorizing Ordinance, no officer or employee of the County may encode or embed a Social Security Number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, RFID technology, or other technology, in place of removing the Social Security Number as required by this Policy.
(A) This policy does not apply to the collection, use, or disclosure of a Social Security Number as required by State or Federal law, rule, or regulation.
(B) This policy does not apply to documents that are required to be open to the public under any State or Federal law, rule, or regulation, applicable case law, Supreme Court Rule, or the Constitution of the State of Illinois.
Notwithstanding any other provision of this policy to the contrary, all officers and employees of the County must comply with the provisions of any other State law with respect to allowing the public inspection and copying of information or documents containing all or any portion of an individual’s Social Security Number. All officers and employees of the County must redact Social Security Numbers from the information or documents before allowing the public inspection or copying of the information or documents.
(A) No officer or employee of the County shall do any of the following:
Publicly post or publicly display in any manner an individual’s Social Security Number.
Print an individual’s Social Security Number on any card required for the individual to access products or services provided by the person or entity.
Require an individual to transmit his or her Social Security Number over the Internet, unless the connection is secure or the Social Security Number is encrypted.
Print an individual’s Social Security Number on any materials that are mailed to the individual, through the United States Postal Service, any private mail service, electronic mail, or a similar method of delivery, unless Illinois or federal law requires the Social Security Number to be on the document to be mailed. Notwithstanding any provision in this Section to the contrary, Social Security Numbers may be included in applications and forms sent by mail, including, but not limited to, any material mailed in connection with the administration of the Illinois Unemployment Insurance Act, any material mailed in connection with any tax administered by the Illinois Department of Revenue, and documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the Social Security Number. A Social Security Number that may permissibly be mailed under this Section may not be printed, in whole or in part, on a postcard or other mailer that does not require an envelope or be visible on an envelope without the envelope having been opened.
(B) Except as otherwise provided in this policy, beginning immediately on the effective date of the County’s authorizing Ordinance, no officer or employee of the County shall do any of the following:
Collect, use, or disclose a Social Security number from an individual, unless (i) required to do so under State or Federal law, rules, or regulations, or the collection, use, or disclosure of the Social Security Number is otherwise necessary for the performance of that agency’s duties and responsibilities; (ii) the need and purpose for the Social Security Number is documented before collection of the Social Security Number; and (iii) the Social Security Number collected is relevant to the documented need and purpose.
Require an individual to use his or her Social Security Number to access an Internet website.
Use the Social Security Number for any purpose other than the purpose for which it was collected.
(C) The prohibitions in subsection (B) do not apply in the following circumstances:
The disclosure of Social Security Numbers to agents, employees, contractors, or subcontractors of the County or disclosure to another governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the officer or employee of the County must first receive from the contractor or subcontractor a copy of the contractor’s or subcontractor’s policy that sets forth how the requirements imposed under this Policy on the County to protect an individual’s Social Security Number will be achieved.
The disclosure of Social Security Numbers pursuant to a court order, warrant, or subpoena.
The collection, use, or disclosure of Social Security Numbers in order to ensure the safety of: County employees; persons committed to correctional facilities, local jails, and other law enforcement facilities or retention centers; wards of the State; and all persons working in or visiting a County facility.
The collection, use, or disclosure of Social Security Numbers for internal verification or administrative purposes.
The collection or use of Social Security Numbers to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm Leach Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit such as a pension benefit or an unclaimed property benefit.
(D) If any standards of the County for the collection, use, or disclosure of Social Security Numbers are stricter than the standards under this Policy with respect to the protection of those Social Security Numbers, then, in the event of any conflict with the provisions of this Policy, the stricter standards adopted by the County shall control.
“Person” means any individual in the employ of the County.
“Publicly post” or “publicly display” means to intentionally communicate or otherwise intentionally make available to the general public.
“Social Security Number” means the nine (9) digit number assigned to an individual by the United States Social Security Administration for the purposes authorized or required under the United States Social Security Act of August 14, 1935, as amended (Public Law 74–271).
In the event one of the County’s customers becomes a victim of identity theft, the following steps will be taken, as appropriate, to assist them:
(A) Have trained personnel respond to customer calls regarding identity theft or pretext calling.
(B) Determine if it is necessary to close an account immediately after a customer reports unauthorized use of that account and create a new customer account when appropriate. Where a customer has multiple accounts, an assessment will be made as to whether any other account has been the subject of potential fraud.
(C) Help educate the customer about appropriate steps to take if they have been victimized.
Educating consumers about preventing identity theft and identifying potential pretext calls may help reduce their vulnerability to these fraudulent practices. The County will have brochures available to consumers and an identity theft prevention section on the County’s website that describes preventative measures consumers can take to avoid becoming victims of these types of fraud.
The County staff responsible for implementing the Program will be trained to recognize and detect Red Flags and properly react to unauthorized or fraudulent attempts to obtain customer information. The County directs the Program Administrator to conduct annual training for all employees regarding identity theft and to supplement that training throughout the year as more schemes are uncovered.
The County will oversee any service provider who performs an activity in connection with one or more covered accounts. The County will take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft and require the service provider to report any Red Flag to the Program Administrator.
(A) Ultimate oversight of the Program rests with the County Commissioners. The County Commissioners have assigned specific responsibility for the Program’s implementation to the Program Administrator.
(B) The Program Administrator will report to the County Commissioners, at least annually, on compliance by the County with all identity theft issues.
(C) The report will address material matters related to the Program and evaluate issues such as:
The effectiveness of the policies and procedures of the County in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
Service provider arrangements;
Significant incidents involving identity theft and management’s response; and
Recommendations for material changes to the Program.
The County Commissioners will take any additional steps necessary to support this program.
The County will periodically review and update this policy (including the Red Flags determined to be relevant) to reflect changes in risks to customers or to the safety and soundness of the County from identity theft, based on factors such as:
(A) Experiences with identity theft;
(B) Changes in methods of identity theft;
(C) Changes in methods to detect, prevent, and mitigate identity theft;
(D) Changes in the types of accounts or services that the County offers or maintains; and
(E) Changes in our business arrangements, including services provided and service provider arrangements.
After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator will update the Program or present the County Commissioners with his or her recommended changes, and the County Commissioners will make a determination of whether to accept, modify or reject those changes to the Program.
If a notice of change of address for an existing account is received and then within thirty (30) days a request for a change to the account is made, the County will assess the validity of the change of address or requested change to the account.
The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
Personal identifying information provided is not consistent with personal identifying information that is on file with the County.
A person’s identifying information is the same as shown on other applications found to be fraudulent.
A person’s identifying information is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address).
A person’s social security number is the same as another customer’s social security number.
A person’s address or phone number is the same as that of another person.
A person’s identifying information is not consistent with other information the customer provides.
(D) Unusual Use of, or Suspicious Activity Related to, the Covered Account.
A change of address for a covered account followed by the County receiving a request for the addition of authorized users on the account or adding other parties.
A covered account that has been inactive and then becomes active.
Payments stop on an otherwise consistently up-to-date account.
Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
The County is notified of unauthorized charges or transactions in connection with a customer’s covered account.
A new account is used in a manner consistent with fraud (such as the customer failing to make the first payment, or making the initial payment and no other payments).
An account being used in a way that is not consistent with prior use (such as late or no payments when the account has been timely in the past).
The County receives notice that a customer is not receiving his/her paper statements.
(E) Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the County.
The County is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Should any of the above instances of suspicious activity that could be identity theft occur, the County will take immediate actions to either prevent or mitigate the situation.
In order to detect any of the Red Flags identified above with the opening of a new account, County personnel will take the following steps to obtain and verify the identity of the person opening the account:
Steps can include:
Requiring certain identifying information such as name, date of birth, residential or business address, principal place of business for an entity, social security number, driver’s license or other identification.
Verifying the customer’s identity, such as by copying and reviewing a driver’s license or other identification card.
Reviewing documentation showing the existence of a business entity.
Independently contacting the customer.
In order to detect any of the Red Flags identified above for an existing account, County personnel will take the following steps to monitor transactions with an account:
Steps can include:
Verifying the identification of customers if they request information (in person, via telephone, via facsimile, via e‑mail).
Verifying the validity of requests to change billing addresses.
Verifying changes in banking information given for billing and payment purposes.
Responses to these Red Flags are commensurate with the degree of risk posed based on the County’s risk assessment.
Appropriate responses may include the following:
Complete verification of identification for fraud, active duty, credit freeze or address discrepancy alert for any of these types of alerts found on a consumer credit report when applying for services;
Monitoring a covered account for evidence of identity theft or suspicious activity by placing on the County’s watch list;
Contacting the customer;
Changing any passwords, security codes, or other security devices that permit access to a covered account;
Reopening a covered account with a new account number;
Not opening a new covered account;
Closing an existing covered account;
Not attempting to collect on a covered account or not sending a covered account to a debt collector;
Notifying law enforcement; or
Determining that no response is warranted under the particular circumstances.
The County is committed to detecting situations in which identity theft might have or may have occurred.
A “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of Identity Theft. In order to identify relevant Red Flags, the County considered risk factors such as the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts and its previous experiences with Identity Theft.
Identity Theft will be combated by detecting Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(A) Obtaining identifying information about, and verifying the identity of, a person opening a covered account.
(B) Authenticating customers’ transactions, including photo ID if necessary, plus possible additional verification methods such as a user ID and password.
(C) Monitoring transactions with emphasis on a change of address closely followed by a new service request or a material change in a customer’s credit use.
(D) Verifying the validity of change of address requests, in the case of existing covered accounts in order to monitor the diversion of statements as a prelude to possible account manipulation.
While the overall risk of identity theft involving the County appears low, the County will focus on detection and prevention of identity theft on the following covered accounts: accounts to individual customers; all of the County’s accounts that are individual utility service accounts held by customers of the utility whether residential, commercial or industrial; any account the County offers or maintains primarily for personal, family or household purposes that involves multiple payments or transactions; and any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the County from Identity Theft, as well as automatic deposits to the accounts of the County employees. There will be a periodic review to determine if the covered accounts are still accurate due to any changes such as changes of address or other changes which may occur relating to an account.
Each type of covered account will be examined and reviewed for relevant Red Flags in part by considering:
(A) The methods provided to open covered accounts;
(B) The methods provided to access covered accounts; and
(C) Previous experiences with identity theft.
As part of the process, the County will consider the relevant Red Flags provided by the regulatory guidance, as well as incidents of identity theft that the County and/or the County customers have experienced and applicable supervisory guidance.
The County is committed to complying with the Federal Fair and Accurate Credit Transactions Act of 2003, as well as providing customers, particularly customers with utility accounts, the maximum identity theft protection possible. Situations that lead to identity theft would hurt and inconvenience the County’s customers, while at the same time damage the County’s reputation and place the County at risk for losses. The County developed this Identity Theft Prevention Policy with the oversight and approval of the County Commissioners after considering the size and complexity of the County’s operations and account systems and the nature and scope of the County’s activities.
(A) Examples of Identity Theft.
An identity thief uses another person’s social security number to open a utility account.
An identity thief uses a victim’s information to obtain unauthorized services from the County.
An identity thief opens a utility account using a victim’s name and good credit.
An identity thief files for bankruptcy using a victim’s name.
An identity thief gives a victim’s name as his/her own when arrested by police.