The ‘red flags rule’ and your business

Q. Dan is the sole proprietor of a small engine repair shop that serves a variety of residential and commercial customers. As he sets up his billing system for 2011, is there anything new he should be doing in managing his accounts?

A. As a company that bills customers after its services are provided, Dan must consider whether his company needs an identity theft prevention program. Enforcement of the Federal Trade Commission’s regulation known as the “red flags rule” starts Dec. 31, 2010. The rule requires certain businesses or organizations to implement a written identity theft prevention program designed to detect the warning signs, or “red flags,” of identity theft that may occur in that organization’s daily operations.

The purpose of the rule is to move beyond data security policies and increase demands on businesses, nonprofits and government entities to slow the identity theft epidemic. It applies to “creditors” and “financial institutions” that maintain “covered accounts.”

So is Dan’s company a creditor?

Most “financial institutions” are well aware of the red flags rule, so the definition of “creditor” requires special attention. Your company or nonprofit is a “creditor” if it permits deferred payment of debt. The FTC’s position is that any person that provides a product or service for which the consumer pays after delivery is a creditor. Creditors include entities that defer payment for goods or services or businesses that provide services and bill later.

Common and easily identifiable “creditors” include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. But this list is not exhaustive. The FTC interprets “creditor” broadly, so it would likely include the local hardware store that keeps an account for its customers, the youth sports program that accepts tuition payment in installments, or the one-person small engine repair shop that fixes that snowblower and then sends the corresponding bill to the customer one month later.

Finally, “creditors” also include business-to-business transactions concerning the deferred payment of debt, even when no consumer is involved in the transaction.

Covered accounts

Creditors must develop an identity theft prevention program for any “covered account.” A covered account is an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. If no covered account exists, then there is no need for an identity theft prevention program.

The delays to the FTC’s enforcement of the rule up until now mean that there has been little litigation challenging these definitions or the scope of application, which limits the available guidance on how the rule works in the real world. At this point, sound analysis requires at least two determinations.

First, determine whether the account permits multiple payments and transactions to an individual consumer. If it does, then more likely than not you have a covered account, because it is difficult to come up with a consumer transaction that would not be for a “personal, family or household purpose.”

Second, if the account does not include multiple payments and transactions to an individual consumer, then determine whether the account creates a reasonably foreseeable risk of identity theft to any person. A reasonably foreseeable risk of identity theft would include any situation in which a credit report is obtained or required, or where personal information (dates of birth, Social Security number, financial account numbers, for example) is exchanged during any transaction. In those instances, conclude that the account is a covered account.

As for an identity theft prevention program, at a minimum it must describe appropriate responses that would prevent and mitigate identity theft. As an outline, consider listing examples of red flags of possible identity theft, procedures on how to detect and respond to red flags, and administration of the program. The law requires the company’s board or senior employees to initially approve the program, to include appropriate staff training, to identify the program’s coordinator and to provide for oversight of any service providers.

The FTC has developed helpful resources to assist in compliance with the red flags rule at ftc.gov/redflagsrule.

Noncompliance with the rule could prove costly. Although there are no criminal penalties for failing to comply, FTC enforcement, state government action or common law tort actions could trigger monetary sanctions for failing to have an identity theft prevention program that meets the rule’s standards. The imposition of fines attaches to each individual covered account. For example, an organization with 100 covered accounts and no prevention program could face an FTC fine of $3,500 for each account, or $350,000. The cost of creating and managing an identity theft prevention program really does pale in comparison.

Neil Nicholson, an attorney at the law firm of McLane, Graf, Raulerson & Middleton, can be reached at 603-628-1483 or neil.nicholson@mclane.com.