Adopted in 2009 pursuant to the Fair and Accurate Credit Transactions Act of 2003, the Federal Trade Commission’s Red Flag Rule requires many businesses and organizations to implement a written identity theft prevention program designed to detect the warning signs (i.e., “red flags”) of identity theft in their day-to-day operations. 

The rule applied to a city department, such as a municipal utility, that collects payment after a service was offered. That meant that the city and/or utility were required to adopt and implement a policy that would protect customer financial information. 

On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act.  The Act limits the application of the rules to creditors that use or report information to consumer reporting agencies.  Thus, a city department that does not use consumer reports and does not report information to consumer reporting agencies is no longer required by this federal law and rule to have an identity theft policy.  

Other laws may still be relevant.  For example, Texas Business and Commerce Code Section 501.052 is a state law requiring a municipal utility that requires an individual to disclose his or her social security number to: (1) adopt a privacy policy; (2) make the privacy policy available to the individual; and (3) maintain the confidentiality and security of the social security number.

Each city should consult with local legal counsel to determine whether the new law will affect a city’s identity theft policy.  For more information, please visit the Federal Trade Commission’s Web site.

TML member cities may use the material herein for any purpose. No other person or entity may reproduce, duplicate, or distribute any part of this document without the written authorization of the Texas Municipal League.
