Security of Information - Policy Statement 158

POLICY STATEMENT 158

Security of Information

 

Prepared by: Michelle W. Price, Controller, Finance Department

Supersedes: 6/12/2008

Adopted by Council:  6/13/2013

Effective: 6/13/2013

 

Introduction

 

The Town of Cary recognizes the importance of securing various types of information in order to reduce the risk of identity theft and fraud.  The Town is required to protect and secure various types of information as defined in the NC Identity Theft Act of 2005 (“State Act”), the Federal Trade Commission Identity Theft Act Red Flag legislation (“FTC Act”), the Criminal Justice Information Services Security Policy and through contractual obligations related to merchant services (credit card acceptance).  Under state statute, the Town also has an obligation to secure and limit access to other private information involving customers and employees.

 

Definitions

 

Sensitive Information

Sensitive information includes the following items, as well as any other information that may be included in the State Act or the FTC Act:

-     Social Security Information

-     Tax ID Information

-     Credit Card Information

-     Bank Account Information

-     Driver's License Information

-     Criminal Justice Information

 

Private Information

Private information includes employee and customer information that is protected by state statute or other regulatory agencies.  This may include, but is not limited to, addresses, phone numbers and other personnel file contents.

 

Policy

 

The Town of Cary will adhere to all applicable requirements regarding the protection of sensitive information as stated in the State Act, FTC Act, Criminal Justice Information Services Security Policy and merchant services agreements.  As a part of these efforts, the Town will do the following:

-     Develop and maintain standard procedure(s) to provide guidance on the protection of sensitive information in order to reduce fraud and identity theft

-     Develop and maintain a formal breach response plan

-     Develop and maintain a training program in order to effectively communicate information provided in the standard procedure(s) and breach response plan to necessary staff

-     Review and update (as needed) all procedures, plans and training programs on an annual basis (at a minimum)

-     Ensure service providers, who are in contact with sensitive information, are aware of security requirements, as well as the need for confidentiality, through proper contractual agreements and arrangements.

 

The Town of Cary will also adhere to all applicable requirements regarding the protection of private information as stated in NC State Statutes and will provide proper security and confidential treatment of this information, while still adhering to all public record requirements.  Efforts may include special contractual language to ensure service providers are aware of statutory requirements and the need for confidentiality.

 

Program for the Security of Sensitive Information

 

The procedures surrounding the program for the security of sensitive information shall include:

-     Identification and definition of risk factors regarding customer accounts and all other systems that include the management, storage and handling of sensitive information.

-     Measures to adequately detect these risk factors on a timely basis and in an efficient manner.

-     A detailed breach response plan to respond appropriately when detection occurs in order to prevent and/or mitigate identity theft.

-     Methods for reviewing and testing the program on an annual basis, including the communication of information to appropriate personnel and the testing of the incident response plan.

 

Detailed procedures related to this program will be approved by the Town Manager or Assistant Town Manager through the Town’s Standard Procedure process.

 

Other related Town Policies:

 

No. 152 Public Records Policy