November 17, 2009
Local Units Must Adopt Identity Theft Policy to Comply with Newly Effective FTC Regulations
Any local unit that operates a utility or other activity that extends credit (i.e., bills consumers for utility services after they are received) must adopt an identity theft policy as required by the United States Federal Trade Commission (“FTC”). In response to the growing threat of identity theft, FTC regulations, effective as of August 1, 2009, require local utilities and those local units extending credit to adopt “red flag” practices that are intended to prevent and highlight potential instances of identity theft.
A “red flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. “Red flags” are indicators of fraud and include, but are not limited to, the following: an alert, notification or warning from a consumer reporting agency; a credit freeze imposed by a consumer reporting agency; an address discrepancy notice from a consumer reporting agency; irregular or suspicious account activity; suspicious documents; personal identifying information inconsistent with external information used for verification; and personal identifying information associated with prior fraud.
The FTC rules apply to “financial institutions” and “creditors” with “covered accounts.” All government water, wastewater, and electric utilities are explicitly covered under these rules. Further, the FTC has suggested that government agencies that “defer payments” for goods or services are also covered.
Every affected local unit must develop and implement a written Identity Theft Prevention Program (“ITPP”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The ITPP must be appropriate to the size and complexity of the local unit and the nature and scope of its activities. Specifically, ITPPs must include mechanisms to:
- Identify relevant red flags for covered accounts signaling possible identity theft and incorporate those red flags into the program;
- Detect red flags that have been incorporated into the program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the program is reviewed and updated periodically to reflect changes in risks.
In addition, ITPPs must provide for continued administration and oversight, including:
- Designation or assignment of an appropriate person to coordinate the ITPP;
- Obtaining approval of the initial written program by the governing body or an appropriate committee designated by the governing body;
- Involving the governing body, a committee of the governing body, or a designated management-level employee in the development, implementation, administration and oversight of the program;
- Staff training as necessary to effectively implement the program; and
- Exercise of appropriate and effective oversight of service provider arrangements.
Annually, those personnel responsible for oversight of the ITPP must report to the governing body on the effectiveness of the program and compliance with the regulatory requirements. Diligent implementation of the ITPP will aid in the local unit’s achievement of the goal of the federal legislation, which is the prevention of identity theft.
Megan M. Schwartz is an associate of Hill Wallack LLP in the Princeton office where she is a member of the Litigation Division and Administrative Law/Government Procurement Practice Group. Ms. Schwartz concentrates her practice in administrative law, regulatory compliance and corporate litigation including public procurement, employment and government litigation.