June 14, 2010 update: The FTC pushed back enforcement of the "Red Flag" rule to December 31, 2010.
The Federal Trade Commission adopted regulations in 2007 requiring all utility companies and other entities that act as creditors, and provide certain types of accounts, to enact "red flag policies" to protect consumers from identity theft.
Since the regulations cover utility companies, thereby including municipal water, sewer, gas, electric, telecommunications and other utilities, as well as possible additional types of municipal accounts, GMA has drafted a sample red flag ordinance which is available for use by Georgia cities.
While the federal regulations do not require the red flag policies to be adopted in the form of an ordinance, the policies are required to be formally adopted by the governing body by May 1, 2009.
Since the drafting of red flag policies and the process of tailoring a sample policy or ordinance to meet the specific needs of each city are complex tasks, it is important that your city attorney be involved in this process. Given the flexibility of the regulations and the variations between cities, each city will need to assess its own risks and determine the appropriate scope of the red flag policies it adopts.
It is possible that provisions included in the GMA sample ordinance will not be applicable to your city. With your city attorney, please review the federal regulations found at 16 CFR Part 681 carefully and, if the regulations apply to your city, either amend GMA’s sample policy to make it meet the needs and resources of your city or create an entirely unique policy for your city. The Minnesota Municipal Utilities Assocaition sample ordinance is also available to use as a guide.
Importantly, there is no private right of action against a city for the failure to enact a red flag policy by May 1, 2009. That said, identity theft is a significant issue and it is vital that your city adopt a useful, workable red flag policy as soon as possible.