The Federal Trade Commission has delayed enforcement of the “red flag” rule that requires certain businesses to implement identity-theft policies from May 1 to Aug. 1.
The rule has slipped under the radar because many businesses — including some law firms — are still unaware that they are likely to fall under the rule’s broad definition of “creditor.”
The three-month extension will give businesses more time to comply and make use of a model policy, said Betsy Broder, assistant director in the FTC’s Division of Privacy and Identity Protection.
“We realize a lot of companies are not in compliance, and we want to work with them to get them where they need to be by providing the resources and time,” Broder said.
She said that the model policy would allow entities at low risk of identity theft to “fill in the blanks” on the template in order to comply with the rule.
Experts warn that many businesses are still unprepared.
“Quite frankly, a lot of businesses are still just now realizing it applies to them because of the expansive definition of creditor. Retailers, health care providers and even law firms have been caught off-guard,” said Misty Speake, a lawyer in Atlanta.
The FTC has created a website where it has published how-to guidance on the rule.
This is the second time enforcement has been delayed in order to give businesses more time to comply. The original deadline was November 2008.
Some law firms covered
The confusion over the rule comes from its broad definition of “creditor.”
The definition of “creditor” includes businesses or organizations that regularly accept deferred payment, or provide goods or services and bill clients later.
In order to be subject to the rule, a creditor must also have “covered accounts” that include those provided to clients for personal, family or household purposes on a continuing basis, or other accounts that have a reasonably foreseeable risk of identity theft.
“Most people, including doctors and lawyers, don’t think of themselves as creditors,” said Pamela Devata, a management-side employment attorney at Seyfarth Shaw in Chicago.
Broder confirmed that certain law firms with individual clients, such as matrimonial and trust and estates clients, who bill at the end of a period rather than through a retainer up front, will be subject to the rule as “creditors” with “covered accounts.”
The American Medical Association argued that physicians should not be covered by the rule because they are already covered by HIPAA, but the Federal Trade Commission rejected that argument.
Model policy
Under the rule, creditors with covered accounts must implement a written policy on detecting and responding to the “red flags” of identity theft, such as inconsistent personal information.
Each business may have different red flags depending on the industry and the size of the organization.
This can be a time-consuming process, especially for smaller businesses that do not regularly track how often and in what ways identity theft may have occurred in their organization.
“In terms of companies trying to [come into compliance], one thing to take into account is the time commitment in analyzing historical incidents of identity theft. If companies wait until the last minute to put together a policy, it might be a shell without any substance,” said Speake.
She said that even small businesses may need to spend at least several days to a couple of weeks to gather information from employees on where identity theft may have occurred and how it could have been prevented.
But Broder said that for companies with a low risk of identity theft, such as a lawyer in a small town who knows all of his or her clients, “compliance should be very straightforward and a very low burden.”
The model policy that the FTC will issue is approximately six pages and will allow low-risk entities to fill in a PDF template that asks them questions, such as why they think they are at low risk of identity theft, what red flags they have identified in their operation, how they will detect them and how they plan to respond if a red flag is detected.
The company will then sign to certify that it has completed the program and the training of employees.
Training required
The rule requires that once a written policy is in place, companies train their employees on how to recognize red flags and then respond to possible identity theft.
Such responses could include requiring additional identification from a client, limiting employee access to the client’s account or conducting further investigation.
“The bottom line is that training needs to be sufficient in all areas of the organization, not just in one department,” said Speake.
Speake said that early feedback from agencies implementing other parts of the rule shows that some companies are creating red-flag policies but forgetting to train employees on following them.
Failure to comply with the red-flag rule can lead to civil penalties, such as monetary sanctions and enforcement action by the FTC.