Under the Federal Trade Commission’s “Red Flags Rule,” financial institutions and creditors with “covered accounts” must develop protocols to detect and prevent identity theft. The new deadline for complying with this Rule is June 1, 2010. This effective date has been postponed several times, most recently from November 1, 2009, because:
a number of industries and entities within the FTC’s jurisdiction expressed confusion and uncertainty about their coverage by and/or obligations under the rule. See the earlier FTC Statement and the FTC Red Flag website.
The Red Flags Rule (16 CFR §681.2) was issued under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) (Pub L 108-159, 117 Stat 1952). It provides that entities that “regularly permit deferred payment for goods or services” must implement procedures to detect and respond to specific activities or patterns (known as “red flags”) that could indicate identity theft. The Rule is broadly written and the FTC specifically mentioned that it it would apply to attorneys who bill for services. See 16 CFR §681.1(b)(5); 15 USC §1681a(r)(5); 15 USC §1691a(e); FTC Statement.
On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. (American Bar Association v FTC, Civil Action No. 09-1636 (RBW)). The FTC is appealing that ruling. See ABA Statement.
For guidance from CEB, see a detailed discussion of the Red Flags Rule in Privacy Compliance and Litigation in California §10.28 (Cal CEB 2008).
© The Regents of the University of California, 2010. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.