Red Flags Rule


Red Flags Rule is an Identity Theft program that the council passed last week. Frankly, I did not put nearly enough thought into this ordinance as I should have. The program was described as being required for Federal Trade Commission compliance of Fair and Accurate Credit Transactions (FACT) Act of 2003, resulting in myself taking for granted the language of the ordinance.

By council passing this ordinance, the city now requires for new home owners and renters to present:

  • A driver’s license of other picture ID of all authorized parties.
  • Lease/Rent Contract, Utility Bill, or closing statement showing new service address.
  • For a business; “no sales tax due’ statement.
  • Completed Identity Theft prevention form for all listed on account:
    • Name
    • Social Security Number
    • Drivers License number
    • service address
    • mailing address
    • day phone
    • evening phone
    • employer
    • employer’s phone
    • do you own or rent
    • landlord and his phone
    • signature and date
  • Occupancy Permit Number
  • $50 deposit for new renters

For existing customers:

  • Drivers license or other picture ID of all authorized parties.
  • completed identity theft prevention form – see above.

I have asked staff, with consent of the city council,  to re-evaluate the need for so much private personal information. The FTC does leave considerable discretion as to how this program is complied with and that the program should be tailored to the size of the municipality.

I have asked that the bare minimum personal information be required – exclusive of full social security numbers and copies of leases. I also want to make sure the city has proper security in place to make absolutely sure that this private data will not be compromised.

At a minimum, I have asked for the following assurances:

1. Ensure that its website is secure or provide clear notice that the website is not secure.
2. Where and when allowed, ensure complete and secure destruction of paper documents and computer files containing customer information.
3. Ensure that office computers are password protected and that computer screens lock after a set period of time.
4. Change passwords on office computers on a regular basis.
5. Ensure all computers are backed up properly and any backup information is secured.
6. Keep offices clear of papers containing customer information.
7. Request only the last 4 digits of social security numbers (if any).
8. Ensure computer virus protection is up to date.
9. Require and keep only the kinds of customer information that are necessary for utility purposes.

Also, I enquired from the police and utility departments if they were aware of any recent Identity Theft occurrences and both departments said they were not aware of any.

The following is a copy of correspondence I recently received from the Federal Trade Commission, Red Flags Division:

Thank you for your inquiry regarding the Red Flags Rules.  Attached to this email is an article for utilities that provides general information regarding the scope of the Rules.

On October 22, 2008, the Commission issued an Enforcement Policy statement that delays enforcement of the Red Flags rule until May 1, 2009

The following link will take you to a news release about the Rules and there is a link to the text of the final Rules on the right-hand side of that page (  The preamble to the Rules (pages 63718-63752) provides guidance regarding the rationale behind the Rules and the scope of coverage.  The text of the FTC rules can be found at pages 63771-63773.  The Guidelines (pages 63773-63774) provide compliance guidance and address a series of issues that covered entities must consider in developing their Identity Theft Prevention Program.  The Supplement to the Guidelines (page 63774) provides a non-exhaustive list of 26 red flags that covered entities may wish to consider incorporating into their programs.  Additionally, on the FTC website, you can find a news release ( and Business Alert ( that provides general information regarding the scope of the Rules.

Please check our website ( periodically for new guidance.


FTC Staff (  This does not affect enforcement of the address discrepancy and card issuer rules.   Nor does it affect compliance for entities not under the jurisdiction of the Federal Trade Commission.

If you have gotten this far, give yourself a gold star. If anyone wonders why I get so aggravated with big government, read the above.

Guy Midkiff


The URI to TrackBack this entry is:

RSS feed for comments on this post.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: