Medical Groups Challenge June 1 Application of FTC Red Flags Rule

Posted on May 21, 2010 by Colin J. Zick

Earlier today, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a complaint that seeks to block the application of the Federal Trade Commission's Red Flags Rule to their members.  

According to its press release, the AMA filed this suit because it unfairly treats physician practices like "banks, credit card companies and mortgage lenders,” according to AMA President-elect Cecil B. Wilson, M.D. He added, “The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public.”

Given the impending June 1 deadline, it is somewhat curious that these groups have not sought an injunction to stop the FTC from applying the rule to their members (as it is unlikely their complaint will be resolved by June 1).  It would appear that these groups are going to let the American Bar Association and its earlier challenge do the heavy lifting here.

Tags: , , , , , ,

American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants

Posted on November 12, 2009 by Jeff Bone

First it was the lawyers.  Now it's the accountants.  Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute for Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants.  According to the AICPA's press release, the suit was filed on November 10.  For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.

The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers.  It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits.  As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear.  Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule require that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.

 

 

 

 

 

Tags: , , , , ,

ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Posted on October 30, 2009 by Jeff Bone

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010.  In the announcement, the FTC stated that the delay was due to "the request of Members of Congress" and highlighted the efforts it has made to provide guidance to covered entities on how to comply with the Rule.  However, the announcement specifically mentioned the October 30, 2009 ruling by District Judge Reggie B. Walton of the U.S. District Court for the District of Columbia (see our coverage here), in which the Court granted the ABA's motion for summary judgment, finding that the FTC may not apply the Rule to attorneys.  According to the announcement, the delay in enforcement "does not affect the separate timeline" of the ABA's lawsuit "and any possible appeals."  Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court's decision in the ABA suit. 

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

Tags: , , , , , ,

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

Posted on October 30, 2009 by Gabriel M. Helmer

After hearing argument yesterday, Federal District Judge Reggie B. Walton entered an order (.pdf) this morning granting the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC's) controversial Red Flags Rules.  This comes as the legal community steeled itself for the FTC's imminent November 1st enforcement deadline.  The order does not go into detail to explain the Court's decision, but promises a written legal opinion within the next month.

The ABA sued the FTC in August to obtain this relief after lobbying both the FTC and Congress to exempt lawyers from the Red Flags Rules.  News of the judge's ruling spread after the hearing yesterday.  ABA President Carolyn B. Lamm stated "By voiding the FTC’s interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."  No public comment has been posted by the FTC.

Caution may be warranted here, however.  Lawyers, like many other consultants that handle clients' documents and data, will likely be required to take many, if not all of the same security measures demanded of their clients.  The Red Flags Rules require, among many things, that companies oversee how their service providers manage customer information and accounts (16 CFR Part 681.1(e)(4)).  As a result, lawyer may find themselves complying with the Red Flags Rules because they represent companies that must comply with the Rules, which currently includes financial institutions and a range of businesses. 

It should be noted that a range of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records. Many state identity theft regulations, such as the strict Massachusetts regulations promulgated as 201 CMR 17.00, require that companies obtain written certifications that service providers are taking all the same security measures as their clients.  Moreover, financial institutions governed by the Gramm Leach Bliley Act and health care providers covered by HIPAA have similar requirements.  Under these overlapping obligations, lawyers and law firms who represent regulated businesses may have little to celebrate as a result of the ruling in favor of the ABA.

Tags: , , , , ,

Bill to Narrow Red Flags Rules Moves Forward

Posted on October 20, 2009 by Jeff Bone

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill "To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses," directly to the House floor without a markup.  The bill proceeded to the House floor after the Republican side of the Financial Services Committee consented to such a move.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.

Links:

 

Tags: , , , ,

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

Posted on August 27, 2009 by Colin J. Zick

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009. 

The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule.  Interestingly, nowhere does the complaint suggest that lawyers are not just as vulnerable to identify theft as other professionals.  Rather, the complaint argues that lawyers are regulated at the state level, not by the federal government, and that the FTC has not been given the necessary authority by Congress to change this state of affairs.

The FTC had already delayed its planned enforcement of these rules from August 1 to November 1, in response to the ABA's objection (see our prior post on the back and forth between the FTC and ABA).  Whether there will be further delays in the Red Flags Rule implementation date or further talks to discuss carving out lawyers, is not yet known.

Links:

Tags: , , , , ,