ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

* * *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule. Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services. As a result, the FTC has faced backlash from law firms, accounting firms and medical practices. Groups representing these industries have filed lawsuits against the FTC to prevent it from applying the Red Flags Rule to their members.

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities. If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule.

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flags Rule until November 1, 2009. The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations." This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rule and threatened to sue the FTC to stop any enforcement action against the legal industry.

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers. The ABA immediately asked the FTC to extend the May 1, 2009 deadline, and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic). After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule. The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act). More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit this week to block enforcement of the Red Flags Rule, if "we don't get some kind of sign." And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again. Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC, and then today the FTC announced that it had delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rule to lawyers, and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers. State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (17 C.M.R. 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with the Massachusetts identity theft regulations to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.  This delay does not apply to users of consumer reports handling notices of address discrepancies, which still has a November 1, 2008, deadline. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in the business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.