May 25, 2012

Update on Federal Trade Commission Red Flag Rules Relating to Identity Theft

The Red Flag Rules, issued by the Federal Trade Commission (“FTC”) and other regulatory bodies, become effective November 1, 2009, and require certain entities to establish programs that facilitate the detection, prevention and mitigation of identity theft.

What entities are subject to the Red Flag Rules?

The Red Flag Rules apply to financial institutions and creditors that create and maintain covered accounts (defined below). At first blush, an entity may think that it is not subject to the Red Flag Rules because it is not a credit card company or financial institution. However, although the Red Flag Rules certainly apply to financial institutions, they also apply to any “creditor.” The definition of “creditor” is broad. It includes any entity that regularly (1) extends or renews credit (or arranges for others to do so); and (2) provides goods and services to others and allows the consumer to defer payment. The ultimate consumer need not be an individual.

The FTC has provided a list of entities to which it believes the Red Flag Rules apply; however, the FTC cautions that its list is not exhaustive. Briefly, the FTC considers the following groups as prime candidates for Red Flag Rule compliance:

  • Doctors, dentists, and other health care providers;
  • Accountants and lawyers;
  • Utilities;
  • Telecommunications companies;
  • Debt collectors;
  • Retailers; and
  • Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.

Entities falling into these categories will need to evaluate their obligation to comply with the Red Flag Rules. As described below, the determination will be based in part upon the risk of identity theft among the accounts the entity holds.

The formal obligation to comply with the Red Flag Rules applies to entities with covered accounts. Therefore, all entities should, as an initial matter, examine their internal operations to determine whether they create or maintain covered accounts. The definition of a covered account, like the definition of creditor, is also broad. A covered account can be (1) a consumer account designed to permit multiple payments or transactions; or (2) any other account that presents a reasonably foreseeable risk from identity theft. However, even businesses that have determined they do not have covered accounts still must conduct periodic risk assessments to ascertain whether any changes to that determination have occurred.

Summary of Guidelines for Compliance

The regulations provide guidelines for the development of an identity theft plan. These guidelines are summarized below:

1. Identify relevant red flags. The relevant red flags will likely vary from business to business. It is important to identify red flags based on past experiences, especially any past experience with identity theft. It will be important to evaluate the type of consumer credit accounts that the organization holds. If the organization already has an identity theft policy, that policy should be analyzed and incorporated, as appropriate, into the new program. After an internal review, the organization should evaluate the list of red flags identified in the regulations. The regulations list 26 potential red flags, which are organized into the following categories:

  • Alerts, notifications or warnings from a consumer reporting agency;
  • Suspicious documents;
  • Suspicious personal identifying information;
  • Unusual use of, or suspicious activity related to, the covered account; and
  • Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.

2. Detect red flags. The organization should implement the appropriate policies and procedures to ensure that the potential red flags previously identified are indeed detected. Generally, this will consist of requiring appropriate identification when opening new accounts and verifying identification on existing accounts. Change of address requests should be appropriately verified. Further, accounts should be monitored to ensure that suspicious usage patterns are detected. Detection techniques will largely depend upon the types of red flags the organization has identified as potential problems.

3. Prevent and mitigate identity theft. If a red flag is identified, then the organization must take appropriate steps to prevent any loss or breach or, at the least, mitigate any damage. Appropriate responses may include:

  • Monitor an account for evidence of identity theft;
  • Contact the customer;
  • Change passwords, codes or other security devices that permit access to the account;
  • Reopen an account with a new number;
  • Refuse to open a new account;
  • Close an existing account;
  • Refrain from collecting on an account;
  • Notify law enforcement; or
  • After evaluating the situation, determine that no response is warranted.

4. Update your identity theft policy. Methods of identity theft, the technology used in the detection of identity theft, the types of business relationships (for example, the type of accounts maintained) and the experiences of the organization will invariably change over time. Thus, the policy should be updated annually. It is recommended that the board, a committee of the board or a senior, high-level manager be assigned direct oversight of the entity’s identity theft program. This person or group should receive regular reports including an evaluation of the effectiveness of the policy, a description of any significant incidents of identity theft and any recommended changes to the policy.

The contents of this client alert address only the Federal law on Red Flag Rules. Some states have similar laws. For example, in Wisconsin, entities must notify individuals of the disclosure when their personal information has been acquired by an unauthorized party. As such, all entities should take steps to ensure either that the Red Flag Rules (and any complementary state laws) are inapplicable to their operations or that they are compliant.

Please contact one of the authors of this alert should you have any questions regarding compliance with the Red Flag Regulations or if we can provide assistance with drafting an Identity Theft Policy for your organization.

© MICHAEL BEST & FRIEDRICH LLP

About the Author

Dave Hanson is a partner, Chair of the firm’s Health Care Practice Group and a member of the firm’s Business Practice Group. Since joining Michael Best & Friedrich LLP in 1981, Mr. Hanson has been actively engaged in a practice that emphasizes regulated industries, including health care, insurance and public utilities. He has extensive regulatory experience with state and federal agencies, including the U.S. Department of Justice, Federal Trade Commission, Department of Health and Human Services, the Wisconsin Office of the Commissioner of Insurance and the Wisconsin Public...

608-283-2241

Kate Bechen is a member of the Business and Health Care Practice Groups. Kate’s corporate practice focuses primarily on securities, corporate finance and general business matters. She regularly assists companies with ongoing reporting requirements under the Securities Exchange Act of 1934, as well as drafting and filing registration statements. Her health law practice includes transactional work, regulatory compliance (including Stark and Anti-Kickback), medical staff issues and confidentiality (including HIPAA). She is also an active member of the firm’s Renewable...

414-225-4956

Contributors

Kirk Pelikan is a member of the firm’s Labor and Employment Practice Group in the Milwaukee Office. Mr. Pelikan represents and advises clients regarding employee benefits issues related to defined benefit, defined contribution, and welfare benefit plans, including ERISA withdrawal liability, COBRA, HIPAA compliance, and family and medical leave. He represents clients in employment issues including workplace discrimination, worker’s compensation, unemployment insurance, non-competition agreements, OSHA, handbooks and affirmative action matters.

414-223-2529
