FTC Defers Red Flags Rule Yet Again

June 1, 2010

The Federal Trade Commission (FTC) announced on May 28, 2010 that enforcement of the Red Flags Rule will be further delayed until January 1, 2011, unless Congress takes steps to narrow the scope of covered businesses and legislates an earlier enforcement deadline.

This latest deferral comes on the heels of a recent lawsuit filed by the American Medical Association against the FTC, seeking an injunction of the Rule’s enforcement. The AMA’s lawsuit, filed on behalf of physicians, follows successful lawsuits brought by the American Bar Association (ABA) on behalf of lawyers and the American Institute of Certified Public Accountants (AICPA) on behalf of accountants. In those cases, a federal court granted summary judgment for the ABA, and enjoined the FTC from enforcing the Red Flags Rule against accountants for 90 days after a decision has been rendered by the court of appeals in the ABA case.

As we have written in previous alerts, the Red Flags Rule requires many businesses to develop, implement and administer an Identity Theft Prevention Program designed to detect the warning signs or red flags of identity theft, as well as prevent and mitigate them. The FTC was scheduled to begin enforcement for non-bank businesses on June 1, 2010. Federal regulatory banking agencies have already begun enforcing the rule.

Congress is also considering legislation that would provide exemptions from the Red Flags Rule for certain professions, including lawyers, accountants and physicians. That bill, H.R. 3763, was passed by the House of Representatives by a 400-0 vote on Oct. 21, 2009. A nearly identical bill, S. 3416, was introduced in the Senate on May 25, 2010, likewise exempting accounting, law, and medical practices with less than 20 employees from the rule.

We will monitor ongoing Congressional and FTC (as well as judicial) action in this arena, and will provide updates as the situation develops.