Business Law Alert: New Compliance Deadline Approaches For FTC Identity Theft “Red Flags” Rule

In late 2007, the Federal Trade Commission ("FTC") issued its "Red Flags" rule, which imposes identity theft regulations on a class of businesses that the FTC defines as "Creditors." Many businesses are not aware, however, that the FTC’s expansive definition of Creditor sweeps into the Red Flags rule a broad array of industries, including professional services providers (for example, accounting and law firms), small businesses, non-profits, and retailers of goods. In fact, the FTC estimates that over 11 million businesses are covered by the new rule. The FTC will enforce its identity theft "Red Flags" rule beginning May 1, 2009.[1]

* * *

The "Red Flags" rule (found at 16 C.F.R. § 681) requires any "Financial Institution" or "Creditor" that offers or maintains "Covered Accounts" to develop written identity theft prevention and detection programs to identify, detect, prevent, and respond appropriately to identity theft Red Flags. "Red Flags" are patterns, practices, or specific activities that indicate possible identity theft; for example, when a customer complains about a bill for goods or services the customer claims never to have received.

A "Creditor" is a person who "regularly extends, renews, or continues credit," including the right to purchase property or services and defer payment. The FTC’s current interpretation of "Creditor" is very broad. According to one FTC attorney, a Creditor includes anyone who regularly provides goods or services without requiring immediate payment. Both for-profit and non-profit entities may be affected. In fact, a company or organization may fall into the category of a Creditor that offers or maintains a Covered Account simply by permitting customers to pay for services by means of payment plans or monthly invoices. Although certain industry groups have challenged the FTC’s broad interpretation of the term "Creditor," to date, the FTC has not issued an exception for any particular industry.

A "Covered Account" is also defined broadly, and includes "(1) [a]n account . . . primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions . . ., or (2) [a]ny other account . . . for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

If a business is a Creditor, it must periodically determine whether it offers or maintains Covered Accounts. Although a "one-time" transaction (such as a typical retail sale) might not constitute a Covered Account, a customer account that provides for multiple transactions or payments and results in debt probably does. If a Creditor determines that it offers or maintains Covered Accounts, the Creditor must institute an identity theft prevention and detection program to address the risks of identity theft. The program must include reasonable policies and procedures to (1) identify Red Flags and incorporate them into the program, (2) detect and respond appropriately to Red Flags, and (3) periodically update the program. In addition, a Creditor must ensure that its third-party service providers have reasonable programs for detecting, preventing, and mitigating the risks of identity theft associated with the Creditor’s Covered Accounts.

Fortunately, the Red Flags rule is risk-based and allows for "flexible implementation." Thus, a Creditor should utilize policies and procedures that are "reasonable" and "appropriate" in light of the Creditor’s activities, the types of Covered Accounts at issue, and the relative risk of identity theft. The FTC has stressed that identity theft programs do not necessarily need to be complex or technology-driven. In fact, a Creditor may incorporate its already-existing policies, procedures, and technology. Some procedures may be as simple as checking a person’s identification before opening a new customer account. The FTC does not expect that the Red Flags rule will present a substantial burden for a Creditor that is not subject to significant identity theft risk, for example, a Creditor that does not maintain sensitive customer information. The FTC also does not expect the rule to present a significant burden for a Creditor that has already instituted policies and procedures to address identity theft risk.

Pending further guidance from the FTC, businesses should carefully consider whether they are subject to the Red Flags rule and, if so, what their compliance obligations will be. It should be understood, however, that in all cases the FTC requires that a Creditor have a written identity theft program that has been initially approved by the Creditor’s board of directors or an appropriate board committee, and that subsequent development and administration of the program take place at a board or senior management level.

Be Mindful of Changing Requirements. With identity theft becoming an increasing concern in virtually all industries, businesses that maintain or process sensitive customer information (such as social security or credit card numbers) should carefully assess their policies and procedures for protecting customer information. In addition, businesses that operate in multiple states should be aware that most states, in addition to the FTC, have statutes and regulations regarding identity theft. For example, over forty states, including Maine, require businesses to take certain steps, such as notification, when a data breach has compromised certain customer information.

Recently, the State of Massachusetts issued even stricter regulations, requiring businesses to develop "comprehensive information security programs" to protect personal information such as social security, driver’s license, and financial account numbers. These regulations, found at 201 C.M.R. § 17.00, are not limited to Massachusetts-based businesses. Rather, they apply broadly to persons "who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts." Massachusetts is requiring compliance with these regulations by January 1, 2010.

Conclusion. Businesses that use or maintain personal information susceptible to identity theft should be mindful of this rapidly evolving area of law, and they should consider seeking assistance from legal counsel to determine how best to comply with state and federal requirements. If you have questions regarding the effect of laws related to identity theft on your business, such as the Red Flags rule, please contact an attorney in the Business Law Group at Verrill Dana, LLP.

For further information please contact the Verrill Dana attorney listed below:
Alistair Y. Raymond
Business Law Group (araymond@verrilldana.com)