FTC Delays Enforcement of Red Flags Rule - Client Alert

Date: Nov 10, 2009

The Federal Trade Commission ("FTC") recently announced that, at the request of Members of Congress, it will again delay enforcement of the "Red Flags" Rule until June 1, 2010. The enforcement date was previously extended to November 1, 2009. In a related matter, on October 30, 2009, in response to a suit brought against the FTC by the American Bar Association, the U.S. District Court for the District of Columbia ruled that the FTC may not enforce the Red Flags Rule against attorneys.

Under the Red Flags Rule, entities that qualify as "financial institutions" and "creditors" with "covered accounts" are required to have identity theft prevention programs in place that identify and detect relevant red flags, prevent and mitigate identify theft, and provide for updates as new risks arise. The Rule is significant because it applies not only to traditional "financial institutions," but also "creditors," which is broadly defined to include entities that regularly defer payment for goods or services or provide goods or services and bill customers later. Furthermore, the term "covered account" includes not only consumer accounts, but also small business and sole proprietorship accounts.

The Commonwealth of Massachusetts recently delayed until March 1, 2010 the effective date of its new data security law, pursuant to which businesses that maintain data on Massachusetts residents must implement a written data security program.

For more information please contact Sheila Millar at 202-434-4143 or millar@khlaw.com or Tracy Marshall at 202-434-4234 or marshall@khlaw.com.