Date: Aug 11, 2009
The Federal Trade Commission ("FTC") recently announced that it will further defer enforcement of its Red Flags Rule until November 1, 2009. Under the Rule, entities that qualify as "financial institutions" and "creditors" with "covered accounts" must have identity theft prevention programs in place that identify and detect relevant red flags, prevent and mitigate identify theft, and provide for updates as new risks arise. The Rule is significant because it applies not only to traditional "financial institutions," but also to "creditors," broadly defined to include entities that regularly defer payment for goods or services or provide goods or services and bill customers later. Furthermore, the term "covered account" includes not only consumer accounts, but also small business and sole proprietorship accounts.
Does the Rule Apply to Non-Profit Organizations and Governmental Agencies?
The terms "financial institution" and "creditor" are not limited to for-profit entities. Non-profit organizations and governmental agencies could also be covered. For example, non-profits that allow members to pay dues or trade show fees on an installment plan would be covered.
What are Some Common Types of Covered Accounts?
The Rule applies to any entity that offers credit card accounts, mortgage loans, automobile loans, telephone accounts, utility accounts, checking and/or savings accounts. However, it also includes firms offering a "bill me" option, installment plan, or similar plan where payment is deferred. Merely accepting credit cards as a form of payment is not enough. The Rule also identifies another category of "covered accounts," which includes small business accounts, sole proprietorship accounts, and single transaction consumer accounts that may be vulnerable to identity theft, but only if the risk of identity theft associated with such accounts is reasonably foreseeable. Under the Rule, covered entities must periodically determine whether they offer or maintain covered accounts, considering the methods for opening and accessing accounts and previous experiences with identity theft.
What Measures Must be Implemented to Comply with the Rule?
The Red Flags Rule does not specify in detail how covered entities should develop and implement identity theft prevention programs. Compliance programs should be tailored to the size, complexity and nature of the covered entity's operations, as red flags that are relevant for one entity might not be relevant for another. An entity with a history of identity theft incidents will likely need to implement a more detailed program. In addition, the nature of the accounts (e.g., consumer or business) and method by which covered accounts can be accessed (e.g., remotely via the Internet or telephone) may impact the risk of identity theft, and hence the measures in place. The FTC has provided separate guidance for entities that are deemed low risk.
If a Covered Entity Already Has a Data Security Program in Place is that Enough?
Internal programs already in place to address data security may satisfy the requirements of the Rule and could be quickly put in place, but such programs should be reviewed to ensure full compliance. In addition to a written program, entities should provide appropriate training to employees and service providers whose job functions may expose them to red flags.
What are Some Typical Red Flags to be Identified?
The Rule provides that in identifying red flags, entities should consider the types of covered accounts, the methods for opening and accessing accounts, and previous experiences with identity theft. Typical red flags could include: alerts, notifications or warnings from a credit reporting agency; suspicious documents; suspicious personal identifying information; suspicious account activity; and notice from other sources, such as a customer, identity theft victim, or law enforcement.
How Can an Entity Detect Red Flags?
Red flags can be detected by several means, including by obtaining information about, or verifying the identity of, a person opening a covered account, authenticating customers, monitoring transactions, and verifying the validity of change of address requests. The means of verification or authentication may vary depending on how it is being conducted (i.e., in person or via telephone, mail, or Internet).
What are Appropriate Measures to Take in Response to a Red Flag?
In general, the response to be taken when a red flag is detected will depend on the nature of the incident and the degree of risk imposed. Nevertheless, the FTC has offered the following examples of appropriate responses: monitoring a covered account, contacting the customer, changing passwords or security codes, closing an account and/or reopening an account with a new number, and notifying law enforcement.
How Should Programs be Updated to Comply with the Rule?
All programs that are implemented should be reviewed periodically. Relevant factors that may influence program updates include identity theft incidents, technology changes or changes to identity theft methods, changes in the number and type of accounts that an entity offers, and changes to the entity's business or operations or to an entity's service providers.
What are the Penalties for Failure to Comply with the Rule?
Any covered entity that fails to comply with the Red Flag Rule may be subject to civil monetary penalties. Civil monetary penalties for noncompliance with the Fair Credit Reporting Act, including the Red Flag Rule, were recently increased based on the Consumer Price Index to $3,500 per violation.