Red Flag Rules

This model has been designed to assist water and wastewater utilities comply with the Federal Trade Commission's (FTC) Identity Theft Red Flag Rule.  The rule requires utilities to develop red flags when accounts are fraudulent, procedures to prevent the establishment of false accounts, procedure's to ensure existing accounts are not being manipulated, and procedures to respond to identity theft.

All utilities are required to comply with the FTC's "Identity Theft Red Flag Rule" even if only nominal information such as name, phone number and address are collected.  However, the true risk established through the risk assessment activity may not require any changes to existing policies or procedures.

Risk Assessment: The City of Lakota-Lakota Municipal Utilities has conducted an internal risk assessment to evaluate how at risk the current (existing) accounts are being manipulated.  The risk assessment evaluated how new accounts were opened and the methods used to access the account information.  Using this information the utility was able to identify red flags the were appropriate to prevent identity theft.

  • New accounts opened In Person
  • New accounts opened via Telephone
  • Account information accessed In Person
  • Account information accessed via Telephone (Person)

Detection (Red Flags): The City of Lakota-Lakota Municipal Utilities adopts the following red flags to detect potential fraud.  These are not intended to be all-inclusive and other suspicious activity may be investigated as necessary.

  • Identification documents appear to be altered
  • Photo & physical description do not match appearance of applicant
  • Other information provided is associated with known fraudulent activity (e.g. address or phone number provided is same as that of a fraudulent application)
  • Information commonly associated with fraudulent activity is provided by applicant (e.g. address that is a mail drop or prison, non-working phone number or associated with answering service/pager)
  • SS#, address, or telephone # is the same as that of other customer at utility
  • Customer fails to provide all information requested
  • Personal information provided is inconsistent with information on file for a customer
  • Applicant can not provide information requested beyond what could commonly be found in a purse or wallet
  • Identity theft is reported or discovered

Response: Any employee that may suspect fraud or detect a red flag will implement the following response as applicable.  All detections or suspicious flags shall be reported to the senior management official.

  • Ask applicant for additional documentation
  • Notify internal manager: Any utility employee who becomes aware of a suspected or actual fraudulent use of a customer or potential customers identity must notify Amie Carlson
  • Notify law enforcement: The utility will notify the Sheriff's Office at 247-2474 of any attempted or actual identity theft.
  • Do not open the account
  • Close the account

Personal Information Security Procedures: The City of Lakota-Lakota Municipal Utilities adopts the following security procedures:

  1. Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets.  File cabinets will be stored in a locked room.
  2. Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets.  File cabinets will be stored in a locked room.
  3. Employees lock file room doors when leaving their work area.
  4. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility.
  5. No visitor will be given any entry codes or allowed unescorted access to the office.
  6. The use of laptops is restricted to those employees who need them to perform their jobs.
  7. Laptops are stored in a secure place.
  8. The computer network will have a firewall where your network connects to the internet.
  9. Any wireless network in use is secured.
  10. Access to customer's personal identity information is limited to employees with a "need to know."
  11. Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information.
  12. Implement a regular schedule of employee training.
  13. Employees will be alert to attempts at phone phishing.
  14. Employees who violate security policy are subjected to discipline, up to, and including, dismissal.
  15. Paper records will be shredded before being placed into the trash.