Lawyers are scrambling to advise businesses about new rules that require them to implement procedures to detect and respond to identity theft.
Many law firms have sent out client alerts warning businesses about the so-called “red flag rules” that apply to financial institutions and creditors.
Until recently, many entities, including health care institutions, telecommunications companies and educational institutions, did not realize they were considered “creditors” under the rules and complained that they could not come into compliance in time for the original Nov. 1, 2008, deadline.
As a result, the Federal Trade Commission has extended the deadline to May 1.
“It’s been a mad scramble. There has been a lot of concern and a lot of questions. The six-month extension is a welcome opportunity to work on designing better procedures,” said Brent Eller, a partner in the health law practice group at Davis, Wright & Tremaine in Seattle.
Part of the confusion is that the rules apply not only to traditional financial institutions like banks, but also to “creditors,” a term that has been broadly interpreted by the FTC to include any entity that regularly extends credit or accepts deferred payment for services.
“The definition of creditor is enormous,” said Pamela Devata, an employment defense attorney at Seyfarth Shaw in Chicago.
Law firms themselves may be covered.
To the extent that firms extend credit by billing clients rather than accepting payment at the time of service, they appear to fall under the definition, said Jack Gravelle, an attorney at Porter, Wright, Morris & Arthur in Columbus, Ohio.
On the other hand, he said that other definitions under the rules would arguably exclude law firms, such as the requirement that an account be primarily for “personal, family or household purposes” and involve multiple payments.
“The vast majority of law firms are not [billing] for personal, family or household purposes,” he said.
The deadline extension is limited to the “red flag rules” for financial institutions and creditors.
As of Nov. 1, users of consumer reports, such as finance companies or employers who obtain consumer credit reports, had to comply with new rules for responding to an address change or discrepancy.
Red flag rules
The red flag rules, which can be found on the FTC’s website, www.ftc.gov, are part of the Fair and Accurate Credit Transaction Act of 2003 (FACTA).
The rules require companies to develop policies to find and respond to “red flags” of identity theft.
Some examples of “red flags” include a fraud alert on a credit report or suspicious information supplied by a customer, such as inconsistent Social Security numbers or other mismatched personal information.
In addition to the many entities that fall under the definition of “creditor,” the rules also apply to companies that bill in advance if they continue to provide services despite late payment or non-payment. This would include phone, Internet and cable providers, as well as other utilities.
The regulations apply to “covered accounts,” which include those “used mostly for personal, family or household purposes” that also involve multiple payments.
Accounts that have a “foreseeable risk” of identity theft, such as small business or sole proprietorship accounts, are also covered.
How extensive a written policy is required depends on the size of the entity and how much and what type of credit accounts it maintains.
The policy must have a way of detecting red flags, such as reviewing accounts regularly, and must include “appropriate responses” to prevent and mitigate identity theft once a red flag is found.
“You may just ask a person for more information and it turns out to be nothing. Or, maybe I’m going to stop access to this account, or do further investigation such as a background check, or require more identification the next time someone tries to use the account,” suggested Devata.
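The detect-and-respond structure Devata describes, as an added example that is not from the article or from the FTC's rule text: a small screening routine that compares a customer-supplied update against the account on file, records any red flags it finds, and selects a graduated response. The field names, escalation tiers and sample records are constructed for illustration, not taken from any company's program.

```python
# Added example (not from the article or the FTC rule text): a minimal
# red-flag screen that checks a customer-supplied update against the data
# on file and maps the findings to a graduated response. Field names,
# escalation tiers and sample records are constructed assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AccountEvent:
    """One attempt to use or update a covered account (constructed schema)."""
    account_id: str
    ssn_on_file: str
    ssn_supplied: str
    address_on_file: str
    address_supplied: str
    credit_report_fraud_alert: bool = False


# Responses in order of escalation; the policy picks the highest one warranted.
NO_ACTION = "no_action"
REQUEST_MORE_INFORMATION = "request_more_information"
REQUIRE_ADDITIONAL_ID = "require_additional_id"
SUSPEND_AND_INVESTIGATE = "suspend_access_and_investigate"


def normalize_ssn(value: str) -> str:
    """Keep digits only so '000-12-3456' and '000 12 3456' compare equal."""
    return re.sub(r"\D", "", value)


def normalize_address(value: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    cleaned = re.sub(r"[^\w\s]", "", value.lower())
    return " ".join(cleaned.split())


def detect_red_flags(event: AccountEvent) -> List[str]:
    """Return the red flags raised by this event (empty list if none)."""
    flags = []
    if event.credit_report_fraud_alert:
        flags.append("fraud_alert_on_credit_report")
    if normalize_ssn(event.ssn_supplied) != normalize_ssn(event.ssn_on_file):
        flags.append("ssn_mismatch")
    if normalize_address(event.address_supplied) != normalize_address(event.address_on_file):
        flags.append("address_mismatch")
    return flags


def choose_response(flags: List[str]) -> str:
    """Map detected flags to an escalation tier.

    Tiers are illustrative: a fraud alert, or two or more flags, suspends the
    account pending investigation; an SSN mismatch alone requires extra
    identification; an address mismatch alone triggers a follow-up request.
    """
    if "fraud_alert_on_credit_report" in flags or len(flags) >= 2:
        return SUSPEND_AND_INVESTIGATE
    if "ssn_mismatch" in flags:
        return REQUIRE_ADDITIONAL_ID
    if "address_mismatch" in flags:
        return REQUEST_MORE_INFORMATION
    return NO_ACTION


def screen_event(event: AccountEvent) -> Dict[str, object]:
    """Run detection and response selection, returning an auditable record."""
    flags = detect_red_flags(event)
    return {
        "account_id": event.account_id,
        "red_flags": flags,
        "response": choose_response(flags),
    }


# Constructed sample events; SSNs beginning with 000 are never issued.
SAMPLE_EVENTS = [
    AccountEvent("A-1001", "000-12-3456", "000 12 3456",
                 "12 Main St., Springfield", "12 Main St Springfield"),
    AccountEvent("A-1002", "000-12-3456", "000-12-3456",
                 "12 Main St., Springfield", "98 Elm Ave, Shelbyville"),
    AccountEvent("A-1003", "000-12-3456", "000-98-7654",
                 "12 Main St., Springfield", "12 Main St., Springfield"),
    AccountEvent("A-1004", "000-12-3456", "000-12-3456",
                 "12 Main St., Springfield", "12 Main St., Springfield",
                 credit_report_fraud_alert=True),
]


def screen_all(events: List[AccountEvent]) -> Dict[str, str]:
    """Convenience wrapper: account id -> chosen response."""
    return {rec["account_id"]: rec["response"]
            for rec in (screen_event(e) for e in events)}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(screen_event(event))
```

The normalization step matters: formatting differences in an SSN or street address are not themselves red flags, and a screen that treats them as such buries real discrepancies under noise. Keeping the response tiers in one function also gives the annual policy review a single place to adjust.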
The regulations also require that the policy be approved by the company’s board of directors and updated every year.
‘Not a trivial process’
For many companies that already have a security policy, this change will only require them to update those policies to include red flag rules.
But the new rules put more pressure on businesses, especially smaller companies, that don’t already have a policy in place, said Barry Goheen, a partner in the litigation practice group at King & Spalding in Atlanta.
He has advised clients that although “there is a level of ambiguity, you assume that the statute covers you because there is potential exposure and risk of non-compliance.”
The regulations provide for civil penalties such as monetary sanctions and enforcement action by the FTC.
They also require covered entities to train employees on the written policies.
“This is not a trivial process,” said Eller. “In addition to setting up a written program, another element is training staff so they know what to do when a red flag pops up.”
Some lawyers predict that the new rules will become the standard of care in litigation involving identity theft.
“As the red flag rules become more prevalent and companies adopt them, that will become the standard for what a reasonable company does,” said Gravelle.