After several delays, including the latest last-minute delay at the end of July, the FTC Red Flags Rule (www.ftc.gov/redflagsrule) is now set to become effective on Nov. 1, 2009.
The FTC has delayed the effective date three times: from November 2008 to May 2009 to August 2009 to November 2009, and affected entities need to develop and implement compliance plans now, if they haven't already. Part of the reason for the delays was to allow for folks who weren't initially aware that they were subject to these regulations - which seemed targeted at the financial sector - to come into compliance.
Both the legal and medical professions, through the American Bar Association and American Medical Association, among other non-financial-sector businesses, have formally objected to the regulation's coverage of their activities, but the FTC has not changed its posture.
This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft. If a red flag is triggered, the creditor must notify the consumer and correct any inappropriate information included in the creditor's records.
The FTC took something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations, because the potential red flags and potential risks vary significantly based on size and type of business.
Affected law firms and other consumer-facing businesses need to understand that the Red Flags Rule requirements overlap with other federal and state law, but will not be satisfied by implementation of existing privacy policies and compliance plans. Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.
As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it. The rule calls for regular monitoring of the plan, and of issues that arise, by a senior manager. Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.
Why comply?
Even if not clearly subject to the Red Flags Rule, law firms and other consumer-facing businesses should undertake to comply, for a couple of interrelated reasons:
• Good PR. Data security is top of mind these days. Much of the effort required under the rule should be expended anyway, simply to respond to market pressures calling for improved data security.
• Potential liability. The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information. The incensed jury will go along. The small business caught in the middle between thieves and victims may be the only perceived deep pocket available.
OK, so what is a "creditor" and what is a "covered account"?
Any entity that accepts payment other than payment in full at the time of service is a creditor. Businesses that take only cash-on-the-barrelhead (or credit cards) from consumers aren't creditors; all others are creditors.
The FTC Guide defines covered accounts as follows:
• A consumer account you offer your customers that's primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; or
• Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Any creditor with covered accounts must have a Red Flags Rule compliance plan in place with policies and procedures for dealing with red flags - i.e., signs that personal information may have been compromised. Red flags may include:
• A complaint or question from a client based on the client's receipt of a bill for another individual;
• A complaint or question from a client about the receipt of a collection notice from a bill collector;
• A complaint or question from a client about information added to a credit report;
• A dispute of a bill by a client who claims to be the victim of any type of identity theft; and
• A notice or inquiry from a fraud investigator or a law enforcement agency.
If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.
There need to be uniform, but appropriately flexible, answers to these questions:
• What do we do when a client claims fraud is in their files?
• What do we do for clients and other affected victims when we uncover a fraudulent operation?
• When we have a real case of identity theft, how can we work with clients to fix the records and limit future damages?
• How do we handle police reports and requests for investigation from victims?
The answers to these questions need to be viewed not just from the business's perspective, but also from the victim's perspective, which can differ substantially.
Additional summary information on the Red Flags Rule is available from CNA, the MBA's professional liability insurance carrier, at http://bit.ly/CNAredflags.
As with any effort of this sort, it is often valuable to have someone outside the organization review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement. Whatever the size or nature of your practice, or your clients' businesses, please take a moment to consider how the Red Flags Rule may apply to their operations, and how it may relate to other regulatory schemes, including state privacy laws.
David Harlow, principal of The Harlow Group LLC, Newton, is a health care lawyer, consultant and blogger. Read his blog at http://healthblawg.typepad.com and follow him on Twitter at http://twitter.com/healthblawg.