§ 2-188. Preventing and mitigating identity theft and fraud  

(1) Identify theft and/or fraud has occurred.

(a) Physical breach. The following are indications that there has been unauthorized access to sensitive and confidential information via a physical breach. Other activities may occur that are also physical breaches that are not included in the listing.

1. Evidence of lock tampering on file cabinets or office doors.

2. Evidence of unauthorized entry in an area where sensitive and confidential information is stored.

3. Missing files or documents that contain sensitive information.

(b) Technology breach. The following are indications that there has been unauthorized access to sensitive and confidential information via a technology breach. Other activities may occur that are also technological breaches that are not included in the listing.

1. Unknown or unauthorized name in the computer logon window.

2. Disconnected computer cables or power cables.

3. Missing computer equipment (desktop, laptop).

4. Evidence that electronic files have been accessed by unknown or unauthorized individuals or are missing.

5. Devices or media attached to the computer that are not known or authorized.

6. Unusual programs running, icons, or windows that appear that are not known and are not part of the normal work process.

7. Any other suspicious activity which indicates an attempt to use technology without approval.

(2) Prevent and mitigate. In the event personnel detect any identified red flags, such personnel shall take one (1) or more of the following steps, depending on the degree of risk posed by the red flag.

(a) Continue to monitor an account for evidence of identity theft or fraud.

(b) Contact police investigator responsible for identity theft.

(c) Change any passwords or other security devices that permit access to accounts.

(d) Not open a new account.

(e) Close an existing account.

(f) Reopen an account with a new number.

(g) Notify the privacy committee for determination of the appropriate step(s) to take.

(h) Notify law enforcement if necessary.

(i) Determine that no response is warranted under the particular circumstances.

(3) Victim record request. Under the FACT Act, identity theft victims are entitled to a copy of the application or other business transaction records relating to their identity theft free of charge. The Town of Kure Beach must provide these records within thirty (30) days or sooner of receipt of the victim's request. We must also provide these records to any law enforcement agency which the victim authorizes. Before providing the records to the victim, the utility must ask victims for:

(a) Proof of identity (which may be a government-issued ID card) or the same type of information the identity thief used to open or access the account, or the type of information the business is currently requesting from applicants or customers; and

(b) A police report and a completed affidavit, which may be either the FTC identity theft affidavit (attached to ordinance adopting this article) or the business's own affidavit.

(4) IT security. The system administrator and IT director will conduct audits on an annual basis using the identity thief prevention program checklist for information technology. All IT professionals shall sign agreements to not disclose private information.