Congress enacted the Fair and Accurate Credit Transaction Act in 2003 to help combat rising identity theft crimes. The Federal Trade Commission (FTC) was enlisted by Congress to help combat identity theft by adopting regulations that would require creditors to develop policies to "red flag" identity theft involving their accounts or customer information. The "Red Flag Rules" adopted by the FTC impose three principle obligations on creditors. First, creditors must conduct a risk assessment to determine whether they offer accounts for which there is a reasonably foreseeable risk to customers of identity theft. Second, creditors who offer such accounts must adopt a written identity theft protection program that is designed to prevent and mitigate identity theft in connection with the opening of a covered account. The policy must be approved by the governing body and implemented by a designated employee. Finally, creditors must annually review the adopted program to evaluate the need for changes to reflect new procedures or identity theft risks. The FTC mandated adoption of the written policies by Nov. 1, 2009.

The regulations explicitly declare that "utility companies" constitute creditors under the regulations. Informational releases from the FTC make clear that the Agency believes municipal and non-profit utilities fall within the definition of a creditor. Some municipal and non-profit utilities are unaware of the obligation to adopt an identity theft prevention program.

Failure to adopt an identity theft prevention program that complies with the FTC's regulations could result in penalties and liability. The FTC has authority to seek enforcement actions in federal court for failure to comply with its regulation that can include the imposition of up to $2,500 in penalties for each independent violation of the rule. State Attorney Generals also are granted authority to require compliance with the regulations on behalf of their residents and may recover penalties up to $1,000 for each violation plus attorneys fees. Customers impacted by a violation of the FTC's regulation are given private rights to recover actual damages sustained from a violation.

Utilities that have not yet adopted written identity theft protection policies are encouraged to do so as soon as possible to avoid being found non-compliant. Please feel free to contact a member of Barnes & Thornburg LLP's Energy, Telecommunications, Transportation and Utilities or Government Services Departments if your utility has not yet complied with the FTC's Red Flag Rules and would like assistance in developing a compliant plan.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.