FTC's Identity Theft "Red Flag" Obligations: Is Your Organization Required to Comply?

The Federal Trade Commission's (FTC's) identity theft "Red Flag" Rules, which become mandatory on May 1, 2009, have a surprisingly wide application to businesses. For example, the Rules apply to most hospitals, physician practices and other health care organizations. Even though many health care organizations don't think of themselves as "creditors," the FTC issued a letter in February 2009, confirming that they are, at least for purposes of having to comply with the Red Flag Rules. In fact, the FTC has confirmed that any business that provides goods or services to ongoing customers - individuals or businesses - and allows those customers to (1) make multiple payments over time, or (2) defer payment until after the goods or services have been provided, is likely to be a "creditor." As such, a wide array of American businesses, such as product and service suppliers, colleges and universities (if they allow students to defer tuition), and even many consulting organizations, are required to comply with the Red Flag Rules. Many remain unaware of this obligation, largely because they do not think of themselves as "creditors."

What Are the Red Flag Rules?

The Red Flag Rules require organizations that fall within its scope to implement a comprehensive program to identify, detect and respond to potential indicators of identity theft that may occur in connection with customer accounts. Failure to comply with the Red Flag Rules can result in FTC enforcement activity, including fines of up to $2,500 for each independent violation of the Rules, state enforcement of up to $1,000 per violation plus attorney's fees and litigation (including class action lawsuits) by individuals who can demonstrate damages from an organization's failure to comply. This could add up quickly if an organization were to suffer a modest security breach of say, 10,000 customers, and the FTC or State Attorneys General determined that an organization had not complied with the requirements of the Rules.

Why Were the Red Flag Rules Enacted?

The Red Flag Rules were designed to help address the very serious problem of identity theft. Because identity thieves tend to follow certain identifiable patterns and practices of behavior, the Rules contain a list of five general categories of "Red Flags" - or potentially suspicious signals - that covered organizations must watch for and report to authorities. Within those general categories, the FTC also provided 26 examples of suspicious activities. The FTC's goal is to reduce identity theft and catch and prosecute more identity thieves.

Currently, a U.S. resident becomes a victim of identity theft at least every two minutes. Some studies report that the thieves amass $90,000 in unauthorized charges per victim before the fraud is identified and blocked. Usually, the victim is only required to pay a small percentage of that, but may spend much more time and money trying to restore their credit. Organizations, including credit card companies and retailers, get saddled with the bulk of the fraudulent charges. Regrettably, only a small percentage of the identity thieves are caught and prosecuted, with some studies reporting the number to be one in 700.

Who Must Comply?

The Red Flag Rules apply to "financial institutions" and "creditors" that maintain "covered accounts." A "creditor" is essentially any entity that provides goods or services for personal, family or household purposes with the expectation of subsequent payment or allows multiple payments for services rendered for goods or services previously provided. A "covered account" is essentially an account that has been established for an ongoing customer - an individual or a business - who will either make payments over time or defer payment until after goods or services have been provided. An extension of credit may be made even if there are no finance charges and irrespective of the number of installments for repayment. Indeed, credit may be extended even if a customer does not defer payment, as long as the customer had the right to defer payment. A "covered account" is essentially an account that is established for a customer who does repeat business or makes staggered payments over time. This would include, for example, businesses that allow customers to carry a balance and those that bill on a monthly or periodic basis.

Although the Rules provides examples of "creditors," including finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies, the FTC has advised that the definition includes many more types of organizations - including, for example, health care organizations and government entities that maintain covered accounts. They justify this position on the basis that most heath care providers allow patients to defer payment (or agree to wait for insurance reimbursement) and establish patient accounts. (However, it is not entirely clear whether the FTC has jurisdiction over nonprofit organizations or government entities.)

What Must Be Done to Comply?

The Red Flag Rules require covered organizations to adopt a written identity theft prevention program. The program must contain reasonable written policies and procedures and a training program designed to identify, detect and respond to red flags. The program must also contain provisions to ensure that it is updated periodically, to ensure ongoing reasonable prevention, detection and response to identity theft. The initial written program must be approved by the board of directors (or if the entity does not have a board of directors, a member of senior management). After initial approval, the administration of the program may be delegated by the board of directors to a member of senior management. In addition, the personnel responsible for administering the Red Flags Rule program must provide a compliance report at least annually to the entity's board of directors or designated senior management.

What Are the "Red Flags" for Which Organizations Must Watch?

For purposes of the Rule, a "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of identity theft. Every covered organization should include relevant Red Flags from the five general categories in the Rules, and, as may be appropriate, from the non-exclusive list of 26 examples of suspicious activities.

What Are the Next Steps for Organizations?

In conclusion, given the rapidly approaching deadline for compliance, organizations that have not yet determined whether they are subject to the Red Flag Rules should take immediate steps to evaluate whether they must do so. If so, they should assemble a team to address implementation. Among other things, the team will need to evaluate covered accounts as well as the third parties who assist the organization with managing them. They will also need to prepare written policies and procedures, as well as a training program, and seek board of director's approval. They should also put in place an approach for monitoring compliance and for periodic reassessment, such that new threats and new covered accounts are incorporated. If companies are unsure of their obligations, they should consult with counsel.

Although some of the aspects of the Red Flags Rules are onerous and time-consuming, the overall impact, including the new compliance measures, may reduce your organization's risk of having a reportable security breach or other security issue that could significantly impact your business and reputation. It might also help foster customer trust, which is the name of the game for most organizations.

Baker & Daniels has created "Red Flag Rules Compliance Kits," which include board resolutions adopting a Red Flag Rules program, policies and procedures, and other documentation a covered organization can adapt to fit its Red Flag Rules compliance program.