The Federal Trade Commission (FTC) has delayed by three more months the compliance deadline for its Red Flag (identity theft prevention) rules. The new deadline is November 1, 2009. These rules require many businesses to implement written identity theft prevention policies and programs designed to identify warning signs of actual or potential identity theft (i.e., “red flags”), detect those red flags, prevent identity theft and mitigate its consequences, and regularly update the policy and program.
As we discussed in more detail in the Ulmer & Berne LLP Client Alert distributed on April 24, 2009, the Red Flag rules apply to “financial institutions” and “creditors,” both of which the rules define broadly. The rules apply to many businesses that do not categorize themselves as “financial institutions” because the rules deem any business, organization or entity (including a sole proprietorship) that provides goods or services to its customers and then bills the customers later to be a “creditor.” If your business falls within the definition of financial institution or creditor, you need to determine whether it has “covered accounts.” In addition to typical customer accounts, the definition of “covered accounts” includes any relationship (including business-to-business) where there is a “reasonably foreseeable” risk of identity theft, either to the customer or to the entity.
The FTC has delayed enforcement twice already. In conjunction with this third enforcement delay, the FTC has released additional guidance relating to compliance, particularly by small and low-risk businesses and entities, and has indicated that it will release more explanatory materials before the new deadline. However, because the FTC has provided no definitive rules or safe harbors, every business or entity maintaining customer accounts must promptly conduct a risk assessment to determine what it needs to do to combat identity theft. The rules require financial institutions or creditors with traditional “covered accounts” to adopt and implement written identity theft prevention programs. However, the FTC’s new guidance provides a template for compliance for businesses where the risk of identity theft is low.
Note that the FTC’s action did not delay enforcement of the Red Flag rules by other federal agencies (including federal bank regulatory agencies and the National Credit Union Administration) for institutions they oversee. Likewise, the FTC did not delay enforcement of the “address discrepancy” rules, which were issued in conjunction with the Red Flag rules and govern users of consumer reports and card issuers. If your business falls into any of these categories, please contact us, because enforcement for both areas began last year.
The FTC will base penalties under the Red Flag rules on the number of accounts a business has. Because of the unprecedented breadth of these rules and potentially high penalties, you should conduct a careful analysis to determine if and how these rules apply to your entity.
This Alert is only a brief summary of the updated Red Flag rules. As such, it is not intended to be an exhaustive recitation of the rules or a complete description of the requirements for compliance under the rules. Whether a business must comply with the Red Flag rules requires a fact-intensive analysis specific to the particular business. Further, Red Flag rule compliant policies and procedures must be tailored to the specific facts and circumstances applicable to a particular business.
For questions pertaining to the Red Flag rules, feel free to contact one of the attorneys listed on this Alert.