Enforcement of Red Flag Rules Delayed Until August 1
The Federal Trade Commission announced that it will delay enforcement of its Identity Theft Red Flag Prevention Rules until August 1, 2009. The FTC's broad application of the Red Flag Rules caught many businesses off-guard. Doctors' offices, law firms, and other similar companies only recently became aware that their accounts were covered under the Red Flag Rules. These businesses were scrambling to put Identity Theft Prevention Programs in place by the May 1 deadline.
The FTC remained firm in its broad application of the Red Flag Rules but alleviated pressure on such businesses by delaying enforcement. The FTC will also provide a template Identity Theft Prevention Program for businesses that have personal relationships with their customers and a low risk of identity theft to help them comply with the law. This template is expected to be released in the near future but no specific date has been set.
A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of identity theft. Any business that maintains one or more "covered accounts" must have an Identity Theft Prevention Program in place that complies with the Red Flag Rules. A "covered account" is any account that permits multiple payments or for which there is a reasonable risk of identity theft. Identity Theft Prevention Programs must incorporate reasonable policies and procedures to (1) identify Red Flags relevant to the entity's accounts, (2) detect Red Flags, and (3) respond appropriately to any Red Flags that are detected. The Program must be approved by the company's board of directors or an appropriate committee of the board of directors; be overseen by the board, a committee of the board, or an employee at least at the level of upper management; and be updated at least annually.
For a more detailed explanation of the Red Flag Rules, please see Frost Brown Todd's Legal Update distributed March 24, 2009. For additional information, please contact Jane Hils Shea (513.651.6961), Gretchen Ackerman (502.568.0286) or any other attorney in Frost Brown Todd's Privacy and Information Security Law Group or Health Law Group.