FTC Extends Deadline for Compliance with ID Theft Red Flag Rules
On Friday, October 30, 2009, the FTC announced a further extension of the deadline for compliance with the Identity Theft Red Flag Rules. The Rules require businesses that offer "covered accounts" to create and implement an Identity Theft Protection and Prevention Program, and the deadline for compliance has now been extended to June 1, 2010. Businesses subject to the Identity Theft Red Flag Rules were originally required to comply by November 1, 2009, but an eleventh-hour appeal to the FTC by members of Congress resulted in the FTC's agreement to delay enforcement of the Rules for companies under the FTC's jurisdiction.
The Rules apply to all organizations that maintain accounts permitting multiple payments where the purpose of the account is primarily personal, family or household. They also apply to non-consumer accounts of customers, such as sole proprietorships, where there is a foreseeable risk of identity theft.
The most obvious types of covered businesses are retail establishments, utilities, local governments, and car dealers, to the extent such organizations carry consumer accounts permitting multiple payments. Less obviously, many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program ("Program") to identify, detect and respond to the possible existence of identity theft with respect to these accounts.
The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and include detailed guidelines intended to assist in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.
Federal regulators were required by the FACT Act of 2003 to issue regulations implementing Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors that maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts.
The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:
- identify relevant Red Flags, and then incorporate those Red Flags into the Program;
- detect such Red Flags;
- respond appropriately to any Red Flags to prevent and mitigate identity theft; and
- ensure that the Program is updated periodically to reflect changes in risks to customers.
Detecting and Mitigating Red Flags
What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. The regulations include a section explaining the relationship of the Rules to the Guidelines: each financial institution or creditor must consider the Guidelines in developing its Program, and must include those Guidelines that are appropriate. The Guidelines provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules.
The Guidelines identify risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags that may be incorporated into a Program, broken down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. Examples include:
- a fraud or active duty alert is included with a consumer report;
- a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
- a consumer reporting agency provides a notice of address discrepancy;
- identification documents appear to be forged;
- inconsistencies between the identification provided and the consumer's appearance, or between the identification and the information actually provided by the consumer;
- inconsistencies between personally identifying information provided and that obtained from external information sources; and
- a new revolving credit account is used in a manner commonly associated with known patterns of fraud.
Once the Program has been established, the organization must administer the Program, not simply place it on a shelf. This requires that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Training of relevant staff and effective oversight of third-party service providers with respect to the Program are also required.
Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators; for creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available depend on whether the violations are "negligent" or "willful." For a claim of negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. For a claim of willful violation, most courts require proof of actual knowledge and intentional violation of the relevant statute by the organization.
For additional information, please contact Jane Hils Shea (513.651.6961) or any other attorney in Frost Brown Todd's Privacy and Information Security Law Group.