If you have been hustling to establish a "Red Flags" identity theft prevention program by the May 1, 2009 deadline, take a deep breath. The Federal Trade Commission ("FTC") has decided to grant entities that are not already subject to compliance an additional three months to implement appropriate procedures.
The "Red Flags Rule" requires financial institutions and other "creditors" to establish programs to identify and react to instances and circumstances that indicate an instance of identity theft. Strange account usage, identifying information that seems mismatched, and sudden account activity might all be indicators (or "red flags") that identity theft has occurred or is occurring. Business that note these occurrences are in a good position to stop the identity theft before it goes too far, and the Red Flags Rule enlists them (perhaps unwillingly) in that effort. To read our previous e-Alert on this topic, click here.
Financial institutions are already subject to compliance with the Red Flags Rule. Other entities that meet the broad and vague definition of "creditor" were originally required to come into compliance by November 1, 2008. However, the FTC realized the great amount of confusion regarding which entities are required to comply and how they must comply, and granted an extension to "creditors" until May 1, 2009.
Several groups that sought further clarification from the FTC, particularly physicians and other healthcare providers, were distressed when the FTC determined that any healthcare provider who bills after the services have been provided is considered by the FTC to be a creditor, and therefore subject to the Red Flags Rule. This ruling by the FTC resulted in a flurry of activity, including letters from the American Medical Association and other groups of physicians objecting to the FTC's conclusions. The FTC did not respond to those further inquiries, and as the May 1, 2009 deadline approached, many providers bit the bullet and adopted Red Flag policies.
Of particular interest in the FTC press release announcing the delay (which may be seen here) is the statement that the FTC will provide a specific template for entities that have a low risk of identity theft. This could be an olive branch to the AMA and others who complained; however, the press release reiterates the FTC's position that "businesses that provide services and bill later, including many lawyers, doctors, and other professionals," are still covered by the Red Flags Rule.
To learn more about the Red Flags Rule and to obtain information on identity theft protection programs, please contact Jeff Drummond at 214.953.5781 or jdrummond@jw.com.
If you wish to be added to this e-Alert listing, please
CLICK HERE
to sign up. If you wish to be removed, please reply to this e-mail with REMOVE in the subject line and include your first and last name.
