Your governing board recently instructed you to look at any and all means to cut costs. In reviewing ways to streamline administrative expenses you discover that the unit can reduce its utility fee collection costs significantly by printing and mailing its water bills in postcard form. Excited to have an action item to report back to the board, you immediately implement the new billing practice. Printed on the front of each postcard is the customer’s name and address, account number (unique number randomly created and assigned to the customer by the local unit), current applicable utility rate, monthly usage, and total amount due. Also printed on the card is a graph of the past twelve month’s water usage at the listed address. Finally, the card instructs the customer where to send payment, and lists the penalty provisions for non-payment.
Shortly after the unit distributes the first series of postcard bills, you receive a call from an irate customer. He is extremely unhappy that his utility billing information was exposed to the public. He further claims that the local unit has violated state and federal law, and he threatens to sue if you do not suspend the new billing practice immediately. Is the customer correct—does state or federal law prohibit a unit from sending utility bills in postcard form?
The answer is no. Neither state nor federal law prohibits a local government from sending utility bills in postcard form. But, there are some restrictions on what information may be printed on the postcard and thereby (at least potentially) exposed to public view.
North Carolina Public Records Law
As detailed in a previous post, under North Carolina public records law, information “compiled and maintained by a city or county or other public entity providing utility services . . . is not a public record . . . .” G.S. 132-1.1(c). Billing information is defined as “any record or information, in whatever form, compiled or maintained with respect to individual customers.” It includes most, if not all, of the information that typically is included on a utility bill. The statutes provides, however, that nothing in its terms is intended to limit a local government entity form releasing billing information if it is “necessary to assist the city, county, State, or public enterprise to maintain the integrity and quality of services it provides.” G.S. 132-1.1(c)(2). Thus, the statute specifically authorizes a local unit or authority to disclose the billing information, in its discretion, under the stated circumstances. And, G.S. 132-1.1(c)(2), is very broad. Although one might quibble over the meaning of the term “necessary,” I believe that if sending utility bills in postcard form is more cost-efficient than other billing methods, the unit may utilize this method in order to preserve limited resources and maintain the integrity and quality of its utility services, even though it potentially exposes billing information to the public.
Furthermore, a unit likely is not prohibited from releasing utility billing information even if does not come within the purview of G.S. 132-1.1(c)(2). The exclusion of utility billing information from the public records in G.S. 132-1.1(c) is permissive, not mandatory. (Compare with the exclusions in G.S. 132-1.2, which are mandatory.) The statutory language does not expressly prohibit a local government from disclosing billing information. That means that although a local unit does not have to provide public access to the utility billing information, but it is not prohibited from disclosing this information. Thus, a local government likely may disclose the billing information under any circumstance, in its discretion. Excluding the billing information from the public records merely protects the information from required disclosure.
But, that does not mean that all utility billing information may be printed on the postcard. There is some information that is protected from public disclosure whether or not it is part of utility billing information. Specifically, a local government is prohibited under state law from intentionally communicating or otherwise making available to the general public a person’s Social Security number. G.S. 132-1.10(b)(5). It also is a felony violation under federal law to disclose any Social Security number or related record that was obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990. 42 U.S.C. § 405(c)(2)(C)(viii) (2009).
A local unit further is prohibited from disclosing certain other identifying information—employer taxpayer identification numbers; driver’s license, state identification card, or passport numbers; checking or savings account numbers; credit or debit card numbers; digital signatures; personal identification codes; biometric data; fingerprints; passwords; and other information that can be used to access a person’s financial resources. G.S. 132-1.10(b)(5). The requirement that the identifying information be kept confidential does not apply if the information is sufficiently redacted. G.S. 132-1.10(c)(4).
It is likely that all of the information listed on the unit’s postcard described above—customer’s name and address, utility account number (randomly assigned by local unit), current rate, monthly usage, total amount due, past water usage, payment information, and penalty provisions—legally may be printed on a postcard bill.
Federal Red Flags Rule
But wait—isn’t there a new federal law that prohibits a local unit from disclosing customer information? There is a relatively new federal regulation, the Red Flags Rule, which is aimed at preventing or mitigating identity theft associated with certain financial transactions, including the opening or maintaining of “customer” accounts that provide for the repayment of loans or the deferred payment for products or services.
In a previous blog post, I summarized the types of local government entities and activities to which the Rule applies. But, assuming that it applies to local government utilities (which it likely does), what does the Rule require? A unit subject to the Rule must develop and maintain a governing board–approved, written Identity Theft Prevention Program (ITP) that is designed to detect, prevent, and mitigate identity theft in connection with the opening and maintaining of its covered accounts. Identity theft is defined as “fraud committed using the identifying information of another person.” Identifying information encompasses “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.” Examples include a name, address, telephone number, Social Security number, date of birth, driver’s license number, alien registration number, government passport number, employer or taxpayer identification number, bank routing code, or computer’s Internet protocol (IP) address.
In its ITP, a local unit must identify certain red flags, defined as patterns, practices, or specific activities that indicate the possible existence of identity theft, in each of five categories. Once the unit identifies red flags and incorporates them into its ITP Program, it must implement sufficient policies and procedures to detect those red flags. For example, it may require personnel to take certain steps to obtain and verify the identity of a person opening a public enterprise utility account. Likewise, it may adopt certain procedural requirements to monitor transactions on open accounts, such as verifying the identity of customers who request information and verifying requested changes to an account. And, the unit must respond appropriately once any flags are raised that might indicate that identity theft has occurred or is occurring.
Thus, the Rule is designed to force covered entities, including local government utilities, to monitor and militate against the use of utility accounts to commit identity theft. Nothing in the federal regulations prohibits a unit from billing for utility services in postcard form. If a unit employs this billing method, however, it does (at least potentially) expose some billing information to the public. And, because of this, the unit may need to take extra steps to verify a customer’s identity before accessing or making changes to a utility account.
(Note that the Red Flags Rule became effective on January 1, 2008. The agency responsible for their enforcement has delayed the enforcement of the regulations until at least January 1, 2011.)