Privacy and Data Security Alert

New Deadline For Red Flags Rules: FTC Gives Businesses Until June 1, 2010 To Develop Compliant Identity Theft Prevention Programs

November 2, 2009

On Friday, October 30, 2009, just two days before the Federal Trade Commission (FTC) was set to begin enforcement of federal Red Flags Rules, the FTC announced that it was giving businesses seven additional months, until June 1, 2010, to comply with the new identity theft regulations. The announcement came just hours after a federal judge in the District of Columbia, in a lawsuit filed by the American Bar Association (ABA), ruled that the Red Flags Rules do not apply to attorneys.

The FTC, FDIC and other federal regulatory authorities adopted the Red Flags Rules in January 2008 in response to the enactment of the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). The Rules have been in effect for banks, credit card companies and traditional financial institutions for about a year, since November 1, 2008. However, the FTC has delayed enforcement of the broadest of the Red Flags Rules, as set forth in 16 C.F.R. Part 681, which apply to “creditors.” In 2008, the FTC caused considerable controversy by construing the term “creditor” to apply to any business that sells goods or services now and bills its customers later, including doctors, lawyers and many other businesses. As a result of this broad interpretation, confusion about who should be complying with the Red Flags Rules has been pervasive across many industries. It also led to the ABA’s suit in federal court.

In response to the confusion, the FTC has attempted to provide guidance to entities it claims are within its jurisdiction, through its website and through public outreach, seminars and conferences. It also published a compliance guide for businesses, and created a template that enables low-risk entities to create an identity theft program with an online form. Despite these efforts, confusion over who is affected and how to comply has continued, and the FTC has repeatedly delayed enforcement to give entities more time to develop programs that comply with the Rules. For those businesses in the process of developing a compliant program, the new deadline provides a helpful extension of time to develop and implement reasonable security measures.

For more news and analysis of the FTC Red Flags Regulations, please visit the forum developed by Foley Hoag’s Security & Privacy Practice Group and the FTC’s Red Flags Rules website. Foley Hoag is advising clients developing information security programs in compliance with the Red Flags Rules, Massachusetts identity theft regulations, as well as other federal, state and international laws regarding information security and identity theft.

Co-Author: Gabriel M. Helmer