Identity Theft Red Flag Rules
Date Published: 2010-05-27
Author: Christina Harris Schwinn
The Fair and Accurate Credit Transaction Red Flag Rules (“Rules”) were originally slated to go into effect on June 1, 2008. Since that time, the Federal Trade Commission (“FTC”) announced a number of extensions regarding the enforcement date. Unless delayed again, the Rules take effect June 1, 2010 and the FTC will begin enforcing them. In addition to financial institutions and credit card issuers, the Rules also apply to creditors. A creditor is defined as a business that extends credit to a consumer. Put simply, if your business provides a service prior to receiving payment and collects credit card information, your business is considered a creditor. Businesses covered by the Rules are required to implement a written identity theft program or policy (“Program”) to protect consumer information from unauthorized disclosure.
Consumer information includes the names, addresses and phone numbers of the businesses customers, but also includes social security and credit card information.
Red Flag means “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”
Covered businesses are required to develop a Program that first assesses the risk and which is designed to detect, mitigate and prevent identity theft in connection with a covered account. Covered account means “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account and any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.” At a minimum, the Program provides methods to:
1) Identify Red Flags for covered accounts of the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
2) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
4) Ensure that the Program is (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor.
Under the Rules, covered businesses are required to train to staff to ensure the Program is implemented effectively in order to safeguard consumer information.
The Program should include a confidentiality provision putting employees on notice that any consumer information maintained on a covered account is to be maintained in strict confidence. Consumer information maintained in electronic databases should be password protected and only those employees who have a business need for accessing the information should be given access passwords. While businesses store a great deal of information electronically, do not forget that information may also be maintained in paper format.
The Rules also require covered businesses to take certain actions following the discovery of an unauthorized disclosure of consumer information that includes notifying the consumer, the major credit bureaus and law enforcement.
The Rules provides for civil penalties up to $3,500 per violation.
Questions regarding whether your business is a covered business should be referred to competent legal counsel as well as questions relating to what to do in the event of unauthorized disclosure.
Tidbit: On May 24, 2010, the U.S. Department of Labor published a proposed rule in the Federal Register, Vol. 75, No. 99 relating to Walking-Working Surfaces. The rule, if enacted, applies to all general industry workplaces. More information regarding the proposed rule may be obtained at www.osha.com.
 Citation omitted.
A note to the reader: This article is intended to provide general information and is not intended to be a substitute for competent legal advice. This article has been reprinted with the permission of Lee Building Industry Association, www.bia.net. Questions regarding the content of this column or past columns may be e-mailed to Christina Harris Schwinn at firstname.lastname@example.org. To view past columns written by Ms. Schwinn please visit the firm’s website at www.paveselaw.com. Ms. Schwinn is an experienced employment lawyer and a partner with the Pavese Law Firm, 1833 Hendry Street, Fort Myers, FL 33901; Telephone: (239) 336-6228; Telecopier: (239) 332-2243.