Resolution No. 08-66

CITY OF TIGARD, OREGON
TIGARD CITY COUNCIL
RESOLUTION NO. 08-

A RESOLUTION IMPLEMENTING AN INFORMATION SECURITY PROGRAM FOR THE CITY OF TIGARD TO COMPLY WITH SENATE BILL 538, THE OREGON IDENTITY THEFT PROTECTION ACT (OITPA) AND THE FAIR AND ACCURATE CREDIT TRANSACTIONS (FACT) ACT OF 2003, AND FEDERAL TRADE COMMISSION RULES

WHEREAS, the Oregon Legislature enacted the Oregon Identity Protection Act giving consumers the ability to place security freeze on their credit file; and

WHEREAS, the Identity Theft Protection Act contains standards to shield Social Security numbers, notify consumers should there be a security breach, and safeguard personal identifying information; and

WHEREAS, the federal Fair and Accurate Transactions (FACT) Act of 2003 took effect January 1, 2008, requiring entities (including utilities) to establish identity theft prevention programs; and

WHEREAS, the Federal Trade Commission has adopted rules to implement this act; and

WHEREAS, written procedures must identify, detect and respond to possible signals of identity theft known as Red Flags; and

WHEREAS, the initial written program must be approved by the governing body.

NOW, THEREFORE, BE IT RESOLVED by the Tigard City Council that:

SECTION 1: The City Council hereby adopts the Information Security Program for the City of Tigard attached hereto as Exhibit A.

SECTION 2: This resolution is effective immediately upon passage.

PASSED: This ____ day of ____ 2008.

Mayor - City of Tigard

ATTEST:

City Recorder - City of Tigard

Exhibit A

INFORMATION SECURITY PROGRAM FOR THE CITY OF TIGARD

1. Safeguarding Personal Information: Personal information includes the employee or customer's name in combination with a Social Security Number; Oregon driver's license or Oregon identification card; passport number; or financial, credit, or debit card numbers along with a security or access code or password.
The City will implement and maintain reasonable safeguards to protect the security and confidentiality of personal information, including proper custody and disposal.

2. Social Security Numbers (SSN): The City will safeguard SSNs on all City materials. Except when required by law, SSNs shall not be printed on mailed materials, shall not be printed on cards used to access products, services, or City buildings, and shall not be included on public postings or displays, including the City's web site. SSN may be used for internal verification or administrative processes, but should be redacted whenever possible.

3. Notification of Security Breach: The City shall provide notification of a security breach as soon as possible in writing, or electronically if it is the primary manner of communication with the customer or employee, or by telephone if the person is contacted directly. The exception is if the notification would impede a criminal investigation.

4. Information Technology Division: IT shall establish technical controls to safeguard personal information stored in electronic format and shall document the controls in writing.

5. Department Directors: Department directors shall:
• Be familiar with the Identity Theft Protection Act
• Implement the Steps To Be Taken To Safeguard Sensitive Documents described in Section 7
• Establish and document in writing department-specific safeguard practices needed to protect personal information
• Include training on identity theft protection as part of the departmental new employees' (including temporary employees) orientation and provide the appropriate compliance sign-off statements to the Human Resources Department.

6. Employees: Employees shall adhere to this policy and any internal processes adopted by their department. Noncompliance may result in formal disciplinary action up to and including termination of employment. Employees should contact their department director if they have questions about compliance with this policy.

7. Steps To Be Taken To Safeguard Sensitive Documents:
• Review documents, forms, and processes that include or require personal information to determine if and when obtaining or retaining personal information is necessary.
  o If the personal information is not necessary, revise the forms and process to eliminate that information.
  o Redact personal information if no longer needed.
  o Shred documents with personal information when allowed by records retention schedules.
• If personal information is necessary, take steps to ensure that information is secure from unauthorized access. Examples include:
  o Do not leave documents that contain personal information unattended at your desk.
  o When not needed for work purposes, documents containing personal information should be stored in a secured area or in a locked file cabinet or drawer.
  o Notary journals that contain personal information should be kept in a secured area or a locked file cabinet or drawer.
  o Lock or log off computers when leaving the workstation and otherwise comply with the computer workstation security protocols.