On May 28, 2010, the FTC postponed enforcement of the “Red Flag” rule until December 31, 2010 to allow Congress to consider legislation that would affect the scope of entities covered by the Rule.
As we reported earlier, the FTC developed the rule as required by the Fair and Accurate Credit Transactions Act. Under the Act, “creditors” must implement written identity-theft-prevention programs to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. In the Rule, the FTC has defined “creditor” to include professionals who might allow their patients or clients to pay over time.
Announcing this further delay in enforcement, FTC Chairman Jon Leibowitz said that
Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.
Professional organizations have challenged the scope of the Rule’s definition. The ABA filed suit in U.S. District Court for the District of Columbia, and the judge agreed that the application to lawyers was unreasonable. The FTC has said that it intends to appeal that decision. In May, the American Medical Association also sued the FTC in U.S. District Court, arguing the rule should not apply to physicians either.
If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.
For guidance from CEB, see a detailed discussion of the Red Flags Rule in Privacy Compliance and Litigation in California §10.28 (Cal CEB 2008).
© The Regents of the University of California, 2010. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.