Did you know that most districts fall under the jurisdiction of the federal Red Flags Rule? Created by the Federal Trade Commission (FTC), this rule requires organizations to create, implement, and administer a comprehensive identity theft prevention program if they are a financial institutions or creditors. Do you collect funds from the public for any reason? This might include park space rental, any kind of service or training, utility bills, or medical billing. If so, then your district is a creditor and must comply with these regulations.
Identity theft as defined by the federal statute is “a fraud committed or attempted using the identifying information of another person without authority. ‘Identifying information [entails] any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any – name, Social Security number, date of birth, official state or government issued driver’s license or identification number […], unique biometric data, […] unique electronic identification number, [….] and telecommunication identifying information or access device’.”
Your program must be approved by an entity’s respective Board of Directors or other appropriately senior employee. Either the Board, a committee of the Board, or designated senior employee must ensure the entity’s program is in full compliance with
the following steps of the Red Flags Rule:
- Identify Relevant Risk Factors
- Detect Red Flags
- Prevent and Mitigate Identity Theft>/li>
- Update the Program
The FTC highly recommends that the conditions of the entity’s program be reported and discussed annually as a bare minimum. The report should include an evaluation of the program’s efficacy, monitoring practices with service providers, any significant incidents, and recommendations of appropriate upgrades.
The best tweaks to your operation may be things that you change at the administrative level. If your district asks for social security numbers or drivers’ license numbers as part of your billing process—ask yourself if that is absolutely necessary. For most vendors it isn’t, and housing that data is an enormous informational liability.
For tips on creating a Red Flags Rule program and helping to fight identity theft, visit the FTC’s website here.
