This is a post by guest blogger Jonathan Ezor.
The Federal Trade Commission recently announced that it was postponing the implementation of the Red Flags Rule from August 1, 2009 to November 1, 2009. In doing so, the FTC also announced a new business education initiative designed to help companies understand what the Red Flags Rule is and how and why they need to comply with it. This is probably a very good move by the FTC, considering that most firms have not even heard of the Red Flags Rule, let alone realize that they will now be subject to it as of November 1.
In case you haven’t heard of it, the Red Flags Rule was drafted by the FTC in response to the growing number of identity theft and data breach incidents, many involving thousands or even millions of consumer records. Rather than simply issuing guidance on what to do when a data breach occurs, the FTC now requires companies that may be at risk of data breaches and identity theft to proactively examine, identify and deal with the risk factors they face. The rule itself obligates financial institutions and any other creditor that holds a consumer account to “develop and implement an Identity Theft Prevention Program” with policies and procedures to help reduce identity theft. What makes this rule so challenging, however, is that unlike other rules relating to financial institutions (such as the Gramm-Leach-Bliley privacy rules), the Red Flags Rule applies to any firm that maintains an ongoing account through which a consumer is charged. As the FTC itself says:
The Rule applies to creditors and financial institutions. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that defer payment for goods or services. Financial institutions include entities that offer accounts that enable consumers to write checks or to make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
The rule was actually published back on October 31, 2007 and became effective on January 1, 2008, but its implementation date (after which companies would be responsible for complying) has been repeatedly delayed, from November 1, 2008 to May 1, 2009, then August 1, and now November 1. At this point, one cannot assume that the FTC will further delay implementation, meaning that if your business or organization may be subject to the rule, you need to begin working on compliance now if you have not already done so.
The best place to start for information on the Red Flags Rule is the FTC’s own Web site, http://www.ftc.gov/redflagsrule. There, you will find a guide for businesses discussing the Red Flags Rule, including how to determine if your business or organization is subject to it. You may also want to seek out others in your industry, whether through trade associations or publications, in order to share information and best practices. Ultimately, though, whether the Red Flags Rule begins on November 1 or later, it is coming, and many firms and organizations will find themselves out of compliance if they don’t begin working on it now.
Jonathan I. Ezor is the director of the Touro Law Center Institute for Business, Law and Technology, and an assistant professor of law and technology. He also serves as special counsel to The Lustigman Firm, a marketing and advertising law firm based in Manhattan. A technology attorney for more than 15 years, Ezor has represented advertising agencies, software developers, banks, retailers, and Internet service providers, and has been in-house counsel to an online retailer, an Internet-based document printing firm, and a multinational Web and software development company.