On April 30, 2009, the U.S. Federal Trade Commission (the “FTC”) deferred enforcement of the Red Flags Rule from May 1, 2009 to August 1, 2009 in order “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” As we discussed in an earlier article, the Red Flags Rule will require many businesses to develop, implement, and administer an Identity Theft Prevention Program that is designed to detect the warning signs (or “red flags”) of identity theft, as well as to prevent and mitigate it.
As noted earlier, the rule is very broad, and is not limited to any specific business sector – quite the contrary, it is directed not just at financial companies, but also at many other types of businesses such as telecommunications, utility, auto, retail and healthcare companies – including hospitals and physician practices. The steps for compliance will vary with the size and nature of the business, as well as with its existing data protection policies, but failure to comply may result in civil monetary penalties.
The Rule is Being Deferred Only – Not Revised
It is important to note that the Rule is not being revised or amended in any way. Therefore, the scope of businesses coming within its ambit will be the same on August 1 as would have been affected had the May 1 deadline been implemented. The only action point here is that businesses have been granted three extra months in which to examine the Rule’s application to their specific situations, and to develop a set of policies that will comply with the Rule while addressing their specific risk parameters for identity theft.
However, recognizing the widespread backlash from those businesses deeming themselves “low risk” with respect to the identity theft the Rule is meant to combat, the FTC noted last night that “[f]or entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” That template should be forthcoming, and we will advise our readers when it becomes available.
What to Do Now?
Businesses that are “financial institutions” or “creditors” offering or maintaining one or more “covered accounts,” and that must therefore comply with the Red Flags Rule by August 1, should undertake efforts immediately to properly assess the Rule’s applicability, prepare policies that reflect the identity theft risks addressed by the Rule, and train their employees on the implementation of those policies – thus avoiding last-minute assessments and the difficulties that can arise from them.
As noted earlier, businesses subject to the Red Flags Rule must develop and implement a written Identity Theft Prevention Program (the “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
Every Program must include reasonable policies and procedures related to four elements: (1) the identification of red flags, (2) the detection of red flags, (3) the response to red flags that are detected, and (4) the periodic update of the Program. The FTC and the other federal bank regulatory agencies charged with enforcing the Red Flags Rule have issued guidelines to assist businesses in developing and implementing a Program.
We will be pleased to answer any questions you might have as to the application, implementation or assessment of the Red Flags Rule with respect to your business.