Privacy and Security Alert: FTC Announces Three-Month Delay of Enforcement of "Red Flags" Rule
7/30/2009
Three days before the Federal Trade Commission (FTC) was to begin enforcement of the “Red Flags” Rule, the FTC announced it will delay enforcement until November 1, 2009 to provide creditors and financial institutions additional time to develop and implement the required written identity–theft prevention programs.
The FTC will also be redoubling its efforts to educate small businesses and other entities about compliance with the “Red Flags” Rule. The FTC also intends to ease compliance by providing additional resources and guidance to clarify whether businesses are covered entities and what action entities must take to comply with the “Red Flags” Rule.
The July 29, 2009 announcement by the FTC does not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for other institutions, such as banking institutions.
As discussed in our earlier alerts,1 the “Red Flags” Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the rule, financial institutions and creditors—including any business that accepts deferred payments for services—with covered accounts must have identity-theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, health care providers, and non-profit and government entities.
For businesses struggling to develop and implement a compliant written identity–theft program by August 1, 2009, this action offers a three–month extension to develop a strong program.
Mintz Levin’s Privacy and Security Group has been working with clients on development of “Red Flag” compliance programs. We can help conduct risk assessments and develop or review your “Red Flag” program and policies, including employee training; advise on duties to detect, prevent, and mitigate identity theft; analyze and prepare vendor agreements that comply with your “Red Flag” duties; and advise senior management on responsibilities under the regulations.
Endnotes
“Last Call for ‘Red Flag’ Compliance Planning” (July 23, 2009)
“Stay of Execution of Red Flag Enforcement: FTC Announces Three-Month Delay of Enforcement of ‘Red Flags Rule’” (May 1, 2009)
“Breaking News: FTC ‘Red Flags Rule’ Enforcement Delayed” (October 22, 2008)
For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
Cynthia Larose, CIPP
(617) 348-1732
CLarose@mintz.com
Michele Floyd
(650) 251-7723
MFloyd@mintz.com
Bruce D. Sokler
(202) 434-7303
BDSokler@mintz.com
Elissa Flynn-Poppey
(617) 348-1868
EFlynn-Poppey@mintz.com
Robert G. Kidwell
(202) 661-8752
RGKidwell@mintz.com
Julia M. Siripurapu
(617) 348-3039
JSiripurapu@mintz.com
