Congress enacted the Fair and Accurate Credit Transactions Act in
2003 to help combat rising identity theft crimes. The Federal Trade
Commission (FTC) was enlisted by Congress to help combat identity
theft by adopting regulations that would require creditors to
develop policies to "red flag" identity theft involving
their accounts or customer information. The "Red Flag
Rules" adopted by the FTC impose three principal obligations
on creditors. First, creditors must conduct a risk assessment to
determine whether they offer accounts for which there is a
reasonably foreseeable risk to customers of identity theft. Second,
creditors who offer such accounts must adopt a written identity
theft protection program that is designed to prevent and mitigate
identity theft in connection with the opening of a covered account.
The policy must be approved by the governing body and implemented
by a designated employee. Finally, creditors must annually review
the adopted program to evaluate the need for changes to reflect new
procedures or identity theft risks. The FTC mandated adoption of
the written policies by Nov. 1, 2009.
The regulations explicitly declare that "utility
companies" constitute creditors under the regulations.
Informational releases from the FTC make clear that the Agency
believes municipal and non-profit utilities fall within the
definition of a creditor. Some municipal and non-profit utilities
are unaware of the obligation to adopt an identity theft prevention
program.
Failure to adopt an identity theft prevention program that complies
with the FTC's regulations could result in penalties and
liability. The FTC has authority to seek enforcement actions in
federal court for failure to comply with its regulation, which can
include the imposition of up to $2,500 in penalties for each
independent violation of the rule. State Attorneys General also are
granted authority to require compliance with the regulations on
behalf of their residents and may recover penalties up to $1,000
for each violation plus attorneys' fees. Customers impacted by a
violation of the FTC's regulation are given private rights to
recover actual damages sustained from a violation.
Utilities that have not yet adopted written identity theft
protection policies are encouraged to do so as soon as possible to
avoid being found non-compliant. Please feel free to contact a
member of Barnes & Thornburg LLP's Energy,
Telecommunications, Transportation and Utilities or Government
Services Departments if your utility has not yet complied with the
FTC's Red Flag Rules and would like assistance in developing a
compliant plan.