(A) Fulfilling Requirements of the Red Flags Rule. Under the Red Flag Rule, every financial institution and creditor is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity and the nature of its operation. Each program must contain reasonable policies and procedures to:
(1) Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
(2) Detect Red Flags that have been incorporated into the Program;
(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
(4) Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft.
(B) Red Flags Rule Definitions Used in this Program. The Red Flags Rule defines “Identity Theft” as “fraud committed using the identifying information of another person” and a “Red Flag” as “a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.”
According to the Rule, a municipal utility is a creditor subject to the Rule requirements. The Rule defines creditors “to include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.”
All the Utility’s accounts that are individual utility service accounts held by customers of the utility whether residential, commercial or industrial are covered by the Rule. Under the Rule, a “covered account” is:
(1) Any account the Utility offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions; and
(2) Any other account the Utility offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the Utility from Identity Theft.
“Identifying information” is defined under the Rules as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code.