Many small businesses have delayed implementing the identity theft “red flags” rules despite the approaching June 1 deadline — not because they do not know about them, but because there have been so many extensions to the deadline that companies have put them on the back burner.
The enforcement deadline has been extended several times since the original date of November 2008 to give businesses more time to comply.
“The topic has fallen off the radar. When it got extended last year, people thought, ‘OK, there’s no rush.’ I would say there are still a lot of businesses not ready for the deadline,” said Craig Strong, a regional director of human resources for the California Employers Association, a non-profit that advises employers on compliance issues.
Law firms, which the Federal Trade Commission said were covered by the rules, have successfully delayed compliance under a court ruling from a U.S. District Court in Washington, D.C., which is currently on appeal.
All other covered businesses, including accountants and doctors who are hoping to win exemptions, should assume they are covered and delay compliance at their peril, lawyers say.
“I suspect a lot of small businesses were hoping this ultimately wouldn’t happen,” said Tanya Forsheit, an attorney who co-founded InformationLawGroup in Los Angeles, a firm that advises businesses on privacy and data security compliance.
The rules require a written program for spotting and handling red flags that signal identity theft, training of employees and annual review of the policy.
Initially, many businesses were confused by the broad definition of “creditor,” and it came as a shock that it included not just banks and traditional lenders, but any business that allows customers or clients to defer payment for goods and services.
Although it is still possible that the deadline will be extended yet again, lawyers are advising businesses to assume the rules will be enforced as of June 1.
“Everything that’s required is a good practice anyway,” said John Seiver, of counsel to Davis Wright Tremaine in Washington, D.C.
Small businesses
All businesses that bill for goods and services, except for those that deal with cash transactions, are covered.
Although most companies already have common sense rules about not leaving customer information lying around, “hardly any of them had a written procedure or policy specifically dealing with identity theft,” Strong said.
Small businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors.
However, Forsheit noted that there are user-friendly, do-it-yourself online tools available for small businesses, especially those that only occasionally sell on credit.
For example, the FTC created a sample red flags policy for businesses at a low risk of identity theft.
While the rules ensnare many small businesses, those businesses may not be targeted for enforcement.
“In the past, on privacy and security issues, the FTC typically focused on the truly egregious — companies that handle a lot of sensitive customer information and have no written program and didn’t implement any mechanism for detecting or responding to red flags of identity theft,” said Forsheit, who predicts it will be several months before enforcement of the red flags rules kicks into high gear.
Lawyers and doctors
Law firms are not formally adopting red flags policies because of a successful court challenge.
A U.S. District Court ruled in favor of the American Bar Association’s challenge to the rules as applied to law firms.
The FTC has appealed the case to the D.C. Circuit.
“All of us protect our accounts, both financial and records of clients already. It’s part of a good business strategy,” Seiver said.
Accountants also filed a lawsuit in November 2009 in federal court in Washington, D.C., but the court has not ruled yet, Forsheit said.
Many doctors and dentists, on the other hand, are delaying compliance in the hope that their bid for an exemption will be successful.
The FTC has rejected a request by the American Medical Association for an exemption for medical providers.
A bill in Congress, H.R.3763, that would carve out an exemption for medical providers passed the House, but has since been added to various other bills, said Strong, who is following the legislation.
“We’re advising dentists and medical offices to prepare for the exemption not to go through,” he added.
Although the rules put a significant burden on small medical practices, medical professionals are already used to complying with the notoriously unwieldy HIPAA privacy regulations.
“In a lot of ways, that’s more complicated,” Forsheit said.