May 1, 2009
Stay of Execution of Red Flag Enforcement: FTC Announces Three-Month Delay of Enforcement of “Red Flags Rule”
Less then one day before the Federal Trade Commission (FTC) was to begin enforcement of the Red Flags Rule, the FTC announced it will delay enforcement until August 1, 2009 to provide creditors and financial institutions additional time to develop and implement the required written identity theft prevention programs.
The FTC will also be releasing, in the future, a compliance template for “entities that have a low risk of identity theft,” such as businesses that know their customers personally. The April 30, 2009 announcement by the FTC does not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for other institutions, such as banking institutions.
The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the rule, financial institutions and creditors—including any business that accepts deferred payments for services—with covered accounts must have identity-theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, healthcare providers, and non-profit and government entities.
During the course of outreach efforts last year, the FTC staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Red Flags Rule. In yesterday’s announcement, FTC Chairman Jon Leibowitz stated that the delay in enforcement will provide Congress, which “wrote this provision too broadly,” time to consider this issue further. The FTC says that the delay in enforcement of the Red Flags Rule will also allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the upcoming FTC template in developing their programs, and provide additional time for entities to establish and implement appropriate identity-theft prevention programs as required by the rule.
For businesses struggling to develop and implement a compliant written identity theft program by May 1, 2009, it is a three-month extension to develop a strong program.
Mintz Levin’s Privacy and Security Group has been working with clients on development of Red Flag compliance programs. We can help conduct risk assessments and develop or review your Red Flag program and policies, including employee training; advise on duties to detect, prevent, and mitigate identity theft; analyze and prepare vendor agreements that comply with your Red Flag duties; and advise senior management on responsibilities under the regulations.
Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
This communication may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. to its clients and friends; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.
list is maintained at Mintz Levin’s main office, located at One Financial
Center, Boston, Massachusetts 02111. If you no longer wish to receive electronic
mailings from the firm, please visit http://
For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
Cynthia Larose, CIPP
Julia M. Siripurapu