Does the FTC's 'red flags rule' override the Oklahoma Open Records Act?

(Question raised today at open records training for municipal clerks and treasurers.)

No. The rule does not keep confidential any information made public by the state Open Records Act.

"The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or 'red flags' of identity theft in their day-to-day operations," explains the
Federal Trade Commission.

The FTC issued the Red Flags Rule as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.

Even though municipal utilities are not financial institutions, they can be subject to the Red Flags Rule. The
FTC says a "creditor" is any "businesses or organizations that regularly provide goods or services first and allow customers to pay later."

"For example, cities that operate utilities that regularly bill customers after they've received services....,"
explains the FTC.

Red flag does not mean information that should not be disclosed to the public. This term is used to describe the warning signs of patterns, practices or specific activities that indicate the possible existence of identity theft.

Oklahoma Municipal League has told municipal attorneys:
Nothing in the Red Flag Rule or FACTA itself requires confidentiality of data, i.e., personal identifying information, in an account. Nothing in these federal mandates absolves your client from complying with state and local requirements pertaining to disclosure of public records.

It added:

How does the Red Flag Rule interact with local Sunshine Laws?

Not all data requests will trigger the Red Flag Rule, which only applies to personal identifying information in a 'covered account.' Therefore, it will be necessary for your client to consider an Open Records Assessment:
  • What records made open to the public under a sunshine law are also data in a 'covered account'?
  • What open records requests will constitute a 'red flag'?
  • How will your client respond to such a red flag?
  • Does your client really need all the 'personal identifying information' it collects?

The OML is not saying that open records requests can be denied because of the Red Flags Rule. It is saying that a records request could raise a red flag indicating the possibility of identity theft.

a 2008 training document, the OML told municipalities:

The Oklahoma Open Records Act still creates duties to make most of your records open.

Your records will include much 'personal identifying information' that
you will have to provide to any person requesting the record without inquiring why the requester wants the record or what the person will do with the information. 

What about Open Policy Act – does personal information not apply?

Answer: Nothing in the Red Flag Rule changes your duty to provide personal information contained in a record to a person who requests it. The Open Records Act itself has some exemptions but most personal information will be open. You will need to consider what kind of 'red flag' – risk of identity theft – might arise when you have to provide the information. 

What records must be made available to the public?

Answer: All records regardless of physical form or characteristic must be available to the public unless the Open Records Act itself provides an exception. Please note that the Open Records Act states that, if any other law requires a record to be confidential, it will be confidential for purposes of the Act. 

Are the Social Security Number and other personal information from job applicants, open records?
Our council voted to make application of persons not hired to be open record. Would the Social Security Number be open or blacked out? It states on the paper in our handouts that it is open record?

Answer: The Open Records Act allows you to keep confidential the applications of job applicants who are not hired. This would include all information in the job application.

If your council has decided to open up these records without creating exceptions for some personal information, all information on the records will be open unless some other exception to openness applies to some of the data.

There is no blanket protection in the Open Records Act for social security numbers.

The Act only protects the numbers of present or former employees and utility customers. 

Name removed from Record that must be opened. Not placed in list of what may be confidential? Open Records Act is now silent?

Answer: Effective November 1st, an amendment to the Open Records Act removes the requirement that the name of your utility customer does not have to be made public.

Unfortunately, another part of the statute listing the information about utility customers that may be kept confidential was not amended to add the name of the customer. The section pertaining to utility customers is now silent. You should ask your city attorney for advice on the confidentiality of names of utility customers. 

When a person calls and 'says' they are with Recovery Systems and looking for a customer and wants their physical address and says according to the 'Freedom Act' we must give out that information what should we do?

Answer: The Open Records Act does not require you to give information on the telephone but it does require you to make your records available to any person who requests to inspect them. Therefore, you may provide the same information on the telephone if that is your municipality’s policy.

The FTC itself states, “The Rule doesn’t require any specific practice or procedures.”

FTC’s FAQs on the regulation indicate that it is not intended to override state open records laws.

How do my obligations under other laws affect the implementation of my Identity Theft Prevention Program?

Your Program under the Red Flags Rule should be consistent with other relevant legal, professional, and ethical obligations.

The FTC’s site on the Red Flags Rule does not mention keeping confidential information required to be public under individual states’ open records laws.

The FTC has delayed implementation of the regulation
until June 1.

Joey Senat, Ph.D.
Associate Professor
OSU School of Journalism

The opinions expressed in this blog are those of the commentators and do not necessarily represent the position of FOI Oklahoma Inc., its staff, or its board of directors. Differing interpretations of open government law and policy are welcome.