Pub. 3 2018 Issue 6

18 www.ctaahq.org it is suggested staff take the following steps: 1. Verify the identification of the Residents if they request informa- tion (in person, via telephone, via fax, via email); 2. Verify the validity of request to temporarily or permanently change billing address; 3. Verify changes in banking informa- tion given for billing and payment purposes; 4. Obtain reasonable explanation for rent payments coming from third parties. In the event staff detects any identified Red Flags, it is recommended to take one or more of the following steps, depending on the degree of risk posed by the Red Flag: Prevent and Mitigate: 1. Continue to monitor an account for evidence of Identity Theft; 2. Contact the applicant or Resident whenever suspicious circumstances dictate; 3. Change any passwords or other security devices that permit access to Resident information; 4. Notify the Program Administrator for determination of the appropri- ate steps to take; 5. Notify law enforcement; or 6. Determine that no response is warranted under the particular circumstances. Protect Resident Identifying In - formation: In order to further prevent the likeli- hood of Identity Theft occurring with respect to residents and applicants, take the following steps with respect to internal operating procedures to pro- tect resident and applicant identifying information: 1. After holding files for the ap- propriate time, ensure complete and secure destruction of paper documents and computer files containing resident and applicant information; 2. Ensure that office computers are password protected and that com- puter screens lock after a set period of time; 3. Keep offices clear of papers con- taining consumer information; 4. Except for applications for residen- cy, do not request social security numbers; 5. Ensure computer virus protection is up to date; 6. Require and keep only the customer information that is necessary for land- lord-tenant purposes; 7. Keep all documents containing res- ident social security numbers, dates of birth, numbers on driver’s licenses and other ID cards, consumer reports, account numbers on resident financial institution accounts in a secure place, limiting access only to individuals with a business need for access. Program Administration: The program administrator, a designat- ed staff member or member of upper management, should periodically review and update the company policy to reflect changes in risks to residents and appli- cants from Identity Theft. In doing so, consider the prevalence of identity theft in the general multifamily community throughout your state, changes in identity theft methods of detection and preven- tion, and changes in the business arrange- ments with other entities your company does business with. If warranted, then update the policy. The designated program administrator is responsible for ensuring appropriate training of the office staff on the policy, reviewing any staff reports regarding the detection of Red Flags; implementing the steps for prevention and mitigation of identity theft; determining which steps should be taken in particular circumstances; and considering periodic changes to the policy. Service providers should also perform activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identi- ty Theft. You may want to consider, by contract, that service providers have such policies and procedures in place and that they review and report any Red Flags to staff.