On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent "Red Flags" regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance. This delay does not apply to users of consumer reports handling notices of address discrepancies, which still has a November 1, 2008, deadline. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC's action.

The "Red Flags" rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 ("FACTA"). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final "Red Flags" regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or "Red Flags" of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC's latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the "Red Flags" regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers "financial institutions" and "creditors" maintaining "covered accounts," the FTC has made clear that the "Red Flags" regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional "financial institutions". In particular, the new regulations expressly apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports.

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participates in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make payments or enter into financial transaction needs to assess whether they are subject to the new "Red Flags" regulations.

If your business is covered by the new "Red Flags" regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in their business — what federal regulators are calling "Red Flags" — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company's Identity Theft Prevention Plan as necessary.

In addition, the new Red Flags regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information.

At present, it is still unclear what form the FTC's enforcement of the "Red Flags" regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.

Foley Hoag has actively advised clients developing information security policies and procedures in compliance with federal, state and international laws and regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.