Changes to the "Red Flag" Rules may be coming -- and so is the November 1 compliance deadline

By an overwhelming vote of 400-0, the U.S. House yesterday approved legislation that will exempt certain businesses from the Federal Trade Commission’s Red Flag Rules. As we have reported, the Red Flag Rules require a broadly-defined class of “creditors” to implement identity theft prevention programs by November 1st. Under H.R. 3763, health care, accounting, and legal practices with 20 or fewer employees will be excluded from the definition of “creditor.” The measure also requires the FTC to issue new regulations allowing any business -- regardless of size -- to apply for an exemption.

New Exemption Provision
Under the exemption provision, the bill allows any business to be exempted if the FTC determines that the organization knows all of its customers or clients individually, only performs services in or around the residences of its customers, or has not experienced incidents of identity theft and is part of an industry that rarely experiences the problem. The FTC will be required to issue regulations setting out the exemption process.

ABA Still Not Happy
The American Bar Association says the legislation does not go far enough and is demanding a full exemption for law firms. The ABA also continues to ask a federal court to bar the FTC from enforcing the rules against attorneys. Besides the ABA, the FTC's broad interpretation of the creditor category has prompted objections from the American Medical Association and the AICPA.
It is unlikely that this legislation will be finalized by the current November 1st enforcement deadline, and it remains to be seen whether this will cause the FTC to announce another delay.

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.