Red Flags Rule Enforcement Delayed Until December 31, 2010

June 4, 2010

The Federal Trade Commission ("FTC") has announced that it will delay enforcement of the Red Flags Rule until December 31, 2010. The Red Flags Rule requires creditors to implement identity theft prevention programs to detect, prevent, and mitigate identity theft. The current definition of "creditors" under the Red Flags Rule encompasses healthcare providers, attorneys, and other businesses not typically thought of as creditors.

The FTC's recent delay in enforcement gives Congress time to consider whether to adopt legislation to limit the scope of the Red Flags Rule. This legislation, passed in the House of Representatives on October 20, 2009 and introduced to the Senate on March 25, 2010, would exclude any healthcare, accounting, or legal practices with 20 or fewer employees from the definition of "creditor." In effect, these businesses would be exempt from the Red Flags Rule requirements.

Other businesses that know all of their customers or clients individually, only perform services in or around their customers' residences, have not experienced incidents of identity theft, or that are a type of business that rarely encounters identity theft, would also be able to apply for an exclusion under the bill. The FTC stated that, if the legislation is passed by Congress with an effective date prior to December 31, 2010, it will begin enforcing the Red Flags Rule as of that effective date.

For more information regarding the Red Flags Rule, please see Frost Brown Todd's March 24, 2009 Legal Update.  If you are a health care provider and need assistance with your Identity Theft Prevention Program, please contact Billy Mabry, Kristen Holt, Gretchen Tromp or any other attorney in Frost Brown Todd's Health Law Practice Group.  Otherwise, please contact an attorney in the Privacy and Information Security Practice Group for assistance.