Identity Theft Policy Requirements for Local Government

March 22, 2010
« Next Previous »

By Thomas A. Segreto | In response to the growing threat of identity theft, Congress adopted the Fair and Accurate Trade Act of 2003 (FACT), which is administered and enforced by the United States Federal Trade Commission (FTC). FACT applies to many facets of consumer transactions involving credit. Years later, the FTC promulgated the final rules, known as “Red Flag” rules. The FTC has advised that all financial institutions and creditors with covered accounts must have their written identity theft policies implemented by November 1, 2009. Creditors Under 15 U.S.C. § 1681a (r)(5), a creditor is defined in the same way as the Equal Credit Opportunity Act, which is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” This broad definition potentially includes within its scope, local government agencies and utilities. Covered Accounts The State of New Jersey has recognized that certain Local Governments and utilities (including but not necessarily limited to government wastewater, water, electrical utilities or other utilities which bill after receipt of services) are covered by the FACT. For example, a municipality with a water department that provides water to users and bills those users on a monthly basis according to water usage would need to adopt an identity theft policy with regard to the covered accounts in the water department. The local government agency must adopt an identity theft red flag policy by November 1, 2009. Features of a Compliant Policy The keystone features of a compliant identity theft policy incorporates the identification of potential sources of delineated red flags, detection of the red flags, prevention and mitigation of possible identity theft and review of policies to address then present circumstances in which there is a potential for identity theft. While the State of New Jersey has suggested a model Identity Theft Policy, each local government agency which falls within the scope of FACT must adopt a policy which fits its operational needs and circumstances. OPRA Implications There are Open Public Records Act, N.J.S.A. 47:1A-1 et esq. (OPRA) implications to the adoption of identity theft policies and any policy which is intended to be compliant with FACT must also address OPRA implications. Custodians of Records must be vigilant to ensure that sensitive information is redacted from government records in accordance with the FACT and the local government agency’s identity theft policy. Enforcement The FTC may pursue enforcement against creditors who fail to implement a written identity theft policy though an “unfair or deceptive act or practice in commerce” action. Aside from a Cease and desist order, civil penalties for violations may be imposed up to a maximum of $2,500 per offense. For local units that obtain consumer credit reports of customers, failure to comply with the regulations pertaining to address discrepancy could result in penalties not exceeding $1,000. This Scarinci Hollenbeck Legal Update has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel.