The “new” Red Flags Rule—initially issued in October 2007—is scheduled to become effective on June 1, 2010. The Rule applies to “financial institutions” and “creditors” that maintain “covered accounts.” Because the definitions of a “creditor” (an entity that regularly extends credit) and “covered account” (a consumer account that permits multiple transactions or a commercial account where there is a “reasonably foreseeable risk” of identity theft) are so broad, a wide range of businesses must comply (e.g., car dealers, healthcare providers, mortgage brokers, utility companies and telecommunication companies).
To comply with the Rule, a written program designed to identify, detect and respond to patterns of identity theft (Red Flags) must be implemented. The specific elements of identification, detection and response to Red Flags that must be addressed by the program are enumerated in the Rule. The program must also:
The program may incorporate, as appropriate, any existing policies and procedures that are designed to control the risk of identity theft. The Rule also reminds creditors and financial institutions to be mindful of other potentially applicable obligations, such as filing Suspicious Activity Reports or implementing requirements of the Fair Credit Reporting Act.
Groups representing healthcare providers, attorneys and accountants have argued that they should not be covered by the Rule. On October 20, 2009, the U.S. House of Representatives passed a bill that would exempt healthcare, legal and accounting firms with 20 or fewer employees from compliance. The bill would also require the FTC to issue a regulation that would allow other businesses to apply for an exemption. The Senate is currently reviewing this bill. Additionally, the American Bar Association and the American Institute of Certified Public Accountants have filed lawsuits seeking to prevent the Federal Trade Commission from applying the Rule to their members. The ABA obtained a decision from the trial court holding that the Rule does not apply to attorneys because they do not meet the definition of a “creditor.” The FTC appealed that decision, and the case is now before the D.C. Circuit. The trial court in the AICPA case issued an order precluding the FTC from enforcing the Rule against AICPA members in public practice until 90 days after the D.C. Circuit rules on the FTC’s appeal in the ABA case.
Additional information on the Red Flags Rule can be obtained from a Webinar presented by the Baker Hostetler Healthcare Industry Team or by contacting any member of our Privacy and Information Security or Healthcare Industry Teams. We hope you find this information helpful.
Authorship Credit: Craig A. Hoffman
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2010 Baker & Hostetler LLP