Skip to main content

Latest Postponements and Exemptions of FTC Enforcement of 'Red Flags' Rule

Written by Kenneth Gantz

At the urging of congressional lawmakers, the Federal Trade Commission has for the fifth time delayed enforcement of the “Red Flags” Rule – this time through December 31, 2010. In the interim, Congress plans to consider legislation that would alter the scope of entities covered under the Rule.

Under the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditors to address the risk of identity theft. The FTC in turn sought to impose the Red Flags Rule, requiring all such entities to develop and implement written identity theft prevention programs.

In a news release issued on the organization’s website, “[the FTC] urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.” The Commission goes on to explain that it will begin enforcement sooner should Congress pass legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010.

Additionally, the FTC agreed on June 25 to temporarily exempt physicians from the Red Flags Rule. Per a joint stipulation with the American Medical Association and other health organizations, the FTC will wait until the U.S. Court of Appeals for the District of Columbia resolves questions concerning the Rule’s scope before it seeks enforcement against physicians. The AMA, American Osteopathic Association, and the Medical Society of the District of Columbia had filed a lawsuit on May 21 to prevent the FTC from applying the rule to physicians (AMA v. FTC, D.D.C., No. 1:10-cv-00843), arguing that the FTC exceeded its statutory powers and acted in a manner that is “arbitrary, capricious, and contrary to the law.”

The District Court previously barred the FTC from applying the Red Flags Rule to attorneys following a similar challenge by the American Bar Association. The FTC appealed that decision, and the health group’s lawsuit will now be put on hold until the Court of Appeals issues its opinion in the ABA case.

Related Links: (AMA’s complaint)

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.