The filing of a lawsuit on May 21, 2010, by the American Medical Association (AMA) against the Federal Trade Commission (FTC) could signal yet another delay of the enforcement deadline of the Red Flags Rule.
The Red Flags Rule requires many businesses to develop, implement and administer an Identity Theft Prevention Program designed to detect the warning signs or red flags of identity theft, as well as prevent and mitigate them. The FTC is scheduled to begin enforcement for non-bank businesses on June 1, 2010. Federal regulatory banking agencies have already begun enforcing the rule.
The AMA’s lawsuit, filed on behalf of physicians, follows on the heels of successful lawsuits brought by the American Bar Association (ABA) on behalf of lawyers and the American Institute of Certified Public Accountants (AICPA) on behalf of accountants. In those cases, a federal court granted summary judgment for the ABA, and enjoined the FTC from enforcing the Red Flags Rule against accountants for 90 days after a decision has been rendered by the court of appeals in the ABA case.
As we discussed in an earlier article, Congress is also considering legislation that would provide exemptions from the Red Flags Rule for certain professions, including lawyers, accountants and physicians. Despite passing in the House of Representatives by a 400-0 vote on Oct. 21, 2009, H.R. 3763 has yet to be considered by the Senate, and no related bills have been introduced in the Senate.
In light of the federal court’s injunction in the AICPA case with respect to the FTC’s enforcement of the Red Flags Rule against accountants, it is probable that, in the coming days, the court will similarly enjoin the FTC from enforcing the Red Flags Rule against physicians. That is, the court may decide it is in the best interests of justice for the FTC to delay its enforcement of the Red Flags Rule against physicians, as it has already been ordered with respect to accountants, until the court of appeals has rendered a decision in the ABA case.
In the meantime, we recommend that physicians’ offices, and other businesses that may be subject to the Red Flags Rule, become knowledgeable about the rule’s requirements and prepared to have an Identity Theft Prevention Program in place in the event the enforcement deadline is not delayed past June 1, 2010.
We will update this alert, if and when enforcement of the Red Flags Rule is deferred again (either by the FTC or via court order).