‘Red flags’ rule delayed

On July 29, the Federal Trade Commission agreed to delay enforcement of the new “Red Flags Rule” to Nov. 1, 2009, to give “small business[es] and other entities more time to develop and implement written identity theft prevention programs.”

In 2003, the Fair and Accurate Credit Transactions Act directed the FTC to promulgate rules requiring “creditors” with “covered accounts” to implement identity theft programs to identify, detect and mitigate identity theft. The regulations, known as the Red Flags Rule, were issued on Nov. 9, 2007, with a Nov. 1, 2008, deadline for compliance. Because of confusion surrounding which businesses are covered by the rule, including discussions with the American Medical Association and the American Bar Association, the FTC postponed compliance a number of times, most recently to Nov. 1.

The Red Flags Rule defines a creditor as any entity that regularly accepts deferred payments for its goods or services. The FTC has indicated that health-care providers and lawyers, as well as “most businesses and organizations that provide products and services to their customers and then bill them later are covered by the rule.” The FTC has published general guidelines for businesses and has listed other entities that may be subject to the Red Flags Rule, including utility companies, telecommunications companies, finance companies, mortgage brokers, real estate agents, automobile dealers and retailers.

The FTC has announced that it will “redouble its efforts” to educate small businesses and other entities about compliance with the Red Flags Rule. This is a result of the House Appropriations Committee’s request that the FTC defer enforcement for small businesses that have a low risk of identity theft problems.

The Red Flags Rule requires entities to develop and implement a written program of policies and procedures to detect, prevent, and mitigate identity theft, including:

• Identifying relevant “red flags” and incorporating those red flags into their program

• Detecting red flags that have been incorporated into the program

• Responding appropriately to any red flags that are detected, to prevent and mitigate identity theft

• Ensuring the program is updated at least annually

Best practice

To ensure compliance and success, a Red Flags Rule program must be approved by the board of directors or other governing body; it should be overseen, implemented and administered by a member of the board or senior-level management; and employees should be trained on the applicable red flags and how to respond to them.

Non-compliance with the rule may subject a business to civil action and fines of up to $2,500 per violation — therefore it is important for businesses to be in compliance with the rule.

Further, since identity theft was the number one complaint received by the FTC in 2008, and with the appointment of a new director of the FTC’s Bureau of Consumer Protection, it is anticipated that enforcement efforts will be more proactive than in the past. The new director, David Vladeck, spent 10 years as director of Public Citizen Litigation Group and has publicly stated that the FTC will focus on data security, identity theft and fraud.

It should be a business’s top priority to keep its customers’ personal information (including name, address, date of birth, credit card information, driver’s license number and Social Security number) secure and to have security measures in place to ensure that the information is protected. This has a bottom-line impact on the business by ensuring regulatory and legal compliance, increasing customer trust and loyalty, and maintaining a positive reputation and brand image in the marketplace.

In addition, a good data protection program, including a Red Flags Rule program, reduces or mitigates the risk of data loss or theft, which has an adverse impact on reputation and brand. Responding to a data loss or theft can also be extremely costly to a business, including the cost of complying with breach notification laws and of direct claims from customers as a result of the loss or theft.

The business case justifies security measures and compliance programs, and it is best practice for customer relations.

James Hood, a corporate transactions partner, is based at Nixon Peabody’s Manchester, N.H., office. Linn Freedman, a health services partner and chair of the firm’s Health Information Technology team, is based in Providence, R.I.