May 26, 2010
The filing of a lawsuit on May 21, 2010, by the American Medical Association
(AMA) against the Federal Trade Commission (FTC) could signal yet another delay
of the enforcement deadline of the Red Flags Rule.
The Red Flags Rule requires many businesses to develop, implement and
administer an Identity Theft Prevention Program designed to detect the warning
signs or red flags of identity theft, as well as prevent and mitigate them. The
FTC is scheduled to begin enforcement for non-bank businesses on June 1, 2010.
Federal regulatory banking agencies have already begun enforcing the rule.
AMA’s lawsuit, filed on behalf of physicians, follows on the heels of
successful lawsuits brought by the American Bar Association (ABA) on behalf of
lawyers and the American Institute of Certified Public Accountants (AICPA) on
behalf of accountants. In those cases, a federal court granted summary judgment
for the ABA, and enjoined the FTC from enforcing the Red Flags Rule against
accountants for 90 days after a decision has been rendered by the court of
appeals in the ABA case.
As we discussed in an
article, Congress is also considering legislation that would provide
exemptions from the Red Flags Rule for certain professions, including lawyers,
accountants and physicians. Despite passing in the House of Representatives by a
400-0 vote on Oct. 21, 2009, H.R. 3763 has yet to be considered by the Senate,
and no related bills have been introduced in the Senate.
In light of the federal court’s injunction in the AICPA case with respect to
the FTC’s enforcement of the Red Flags Rule against accountants, it is probable
that, in the coming days, the court will similarly enjoin the FTC from enforcing
the Red Flags Rule against physicians. That is, the court may decide it is in
the best interests of justice for the FTC to delay its enforcement of the Red
Flags Rule against physicians, as it has already been ordered with respect to
accountants, until the court of appeals has rendered a decision in the ABA case.
In the meantime, we recommend that physicians’ offices, and other businesses
that may be subject to the Red Flags Rule, become knowledgeable about the rule’s
requirements and prepared to have an Identity Theft Prevention Program in place
in the event the enforcement deadline is not delayed past June 1, 2010.
We will update this alert, if and when enforcement of the Red Flags Rule is
deferred again (either by the FTC or via court order).