Identity theft is a pervasive and ongoing problem. Unmoored from the burglar's traditional constraints of space and time, identity theft can happen to anyone, anywhere, and at any time.
Recently promulgated federal regulations (the "Red Flags" Rules) seek to help prevent, or at least mitigate, identity theft.
This alert provides a brief overview of the Red Flags Rules, and concludes by noting that compliance with the Red Flags Rules makes good business sense.
Red Flags Rules to Become Fully Enforceable Soon.
As part of the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), [15 U.S.C. § 1681 et seq.; 16 C.F.R. § 602 et seq.], Congress required that certain financial institutions and creditors develop programs that detect and respond to certain activities — "red flags" — that could indicate possible identity theft.
The Federal Trade Commission ("FTC"), along with the National Credit Union Administration and the federal bank regulatory agencies, proposed Red Flags Rules regulations in 2008. The FTC has delayed enforcement until December 31, 2010 in order to: (1) provide covered entities with sufficient time to implement identity theft prevention plans; and (2) permit Congress to address unintended consequences of the legislation.
What Are the Red Flags Rules?
The Red Flags Rules mandate that all financial institutions and creditors who maintain covered accounts develop and implement written programs to identify, detect, and respond to specific activities indicative of identity theft.
Each program contains four basic elements.
Identification of Red Flags: The program must identify the "red flags" of identity theft that may arise in daily business operations.
Detection of Red Flags: Covered financial institutions and creditors must develop procedures for spotting red flags when they do arise.
Responding to Red Flags: The program must detail what actions will be taken when a red flag is detected.
Ensuring Constant Vigilance: Because identity thieves are never complacent, any identity theft program must detail how it will address the latest threats.
Compliance with the Rules.
The Red Flags Rules require that "financial institutions" and "creditors" that offer or maintain "covered accounts" be able to recognize and address signs of identity theft.
The term "financial institutions" includes: (1) all banks, savings associations, and credit unions; and (2) any other person that directly or indirectly holds a transaction account belonging to a consumer. 16 C.F.R. § 681.2(7) (referencing 16 C.F.R. § 603.2(a)).
A "creditor" is "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 16 C.F.R. § 681.2(5) (referencing 15 U.S.C. § 1681a(r)(5)).
The term "covered account" has two parts: (1) A covered account is one used "primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions." 16 C.F.R. § 681.2(3). Such accounts include credit card, mortgage and checking accounts.
(2) Also included is any other account "for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft." Id. This definition seeks to address concerns that certain other accounts — like proprietorship accounts — may be vulnerable to identity theft.
Effect of Complying with the Red Flags Rules.
The Red Flags Rules impose civil penalties and do not provide for a private right of action. Yet failure to comply with them carries far greater costs than simply the risk of governmental sanction.
First, compliance with the Red Flags Rules assures consumers that proactive steps are being taken to fight identity theft. Early and consistent adopters of the Red Flags Rules may well receive a "security premium" from consumers.
Second, the best way to remedy a problem is to avoid it altogether. By adopting, updating, and adhering to its Red Flags program, a financial institution or creditor can address the problem of identity theft when it is easiest to do so — before it arises.
Finally, compliance with the Red Flags Rules may assist financial institutions and creditors in addressing any potential negligence claims that may arise should an instance of identity theft occur.
While the Red Flags Rules do not provide a private cause of action, there is good reason to believe that these Rules will form the baseline standard of care. Like the Red Flags Rules, the Health Insurance Portability and Accountability Act ("HIPAA") does not provide a private cause of action. See Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (collecting cases and noting that "every district court that has considered this issue is in agreement that the statute does not support a private right of action"); see also O'Donnell v. Blue Cross and Blue Shield of Wyo., 173 F. Supp. 2d 1176 (D. Wyo. 2001). Yet a number of courts recently have permitted plaintiffs to bring suit where HIPAA violations have been used to sustain state-law negligence claims and RICO actions. See Acosta v. Byrum, 638 S.E.2d 246, 253 (N.C. App. 2006) (holding that while HIPAA does not create a private right of action, reference to HIPAA may help establish a breach of the appropriate standard of care).
The result is that while the Red Flags Rules do not provide a cause of action, they may serve as a baseline standard of care in proving a claim premised upon another cause of action.
Conclusion.
Identity theft poses a real threat to consumers, financial institutions, and creditors alike.
The Red Flags Rules require that financial institutions and creditors who provide covered accounts develop a program for detecting and responding to potential instances of identity theft. By implementing these Rules, financial institutions and creditors can address consumers' concerns about identity theft, avoid identity theft problems before they arise, and minimize exposure to legal liability.