November 4, 2009
FTC Delays Enforcement of the Red Flag Rules until June 1, 2010
At the request of Congress, the Federal Trade Commission ("FTC") has delayed enforcement of The Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 ("Red Flag Rules") until June 1, 2010, for entities subject to enforcement by the FTC. This most recent delay comes amid growing pressure on the FTC to exempt certain organizations from compliance with the Red Flag Rules and on-going questions regarding the need for the Red Flag Rules in the health care industry given the safeguards for personal information already established by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the implementing regulations adopted pursuant to HIPAA. H.R. Bill 3763 and the recent decision by the U.S. District Court for the District of Columbia, which are discussed below, are only the most recent attacks on the FTC's enforcement of the Red Flag Rules.
Background
The Red Flag Rules stem from the Fair Credit and Reporting Act, as amended by the Fair and Accurate Credit Transaction Act of 2003 (collectively, the "Acts"). The Red Flag Rules were promulgated pursuant to the Acts and require that certain entities that maintain information that could be used for purposes of identity theft, develop a written Identity Theft Prevention Program and implement policies and procedures designed to detect and mitigate against the harmful impacts of identity theft and medical identify theft.
H.R. Bill 3763 by the 2009-2010 Congress
On October 21, 2009, the House of Representatives unanimously passed H.R. Bill 3763, which excludes certain small businesses from having to comply with the Red Flag Rules. As currently drafted, H.R. Bill 3763 excludes the following from the definition of "creditor" under the Fair Credit Reporting Act and, therefore, these entities would not have to develop an Identity Theft Prevention Program in compliance with the Red Flag Rules:
-
Any other business, if the FTC determines, following an application for exclusion by such business that such business (i) knows all of its customers or clients individually; (ii) only performs services in or around the residences of its customers; or (iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.
H.R. Bill 3763 was received in the Senate on October 21, 2009 and has been referred to the Committee on Banking, Housing and Urban Affairs. It is anticipated that the Senate will take action on the Bill relatively quickly in order to allow the FTC sufficient time to implement any necessary exemption protocols.
American Bar Association v. Federal Trade Commission
On August 27, 2009, the American Bar Association ("ABA") filed a three-count complaint against the FTC alleging, among other things, that the application of the Red Flag Rules to attorneys exceeds the statutory jurisdiction and authority of the FTC. On October 30, 2009, the U.S. District Court for the District of Columbia granted partial summary judgment in favor of the ABA, meaning that, unless the FTC wins on appeal, it may not apply the Red Flag Rules to attorneys. The District Court is set to release its Memorandum Opinion within the next thirty (30) days, which may provide some additional clarification on this issue.
Conclusion
The FTC's most recent delay in the enforcement of the Red Flag Rules may have been granted, in part, to allow the Senate sufficient time to review and analyze H.R. Bill 3763. Given the progress being made with H.R. Bill 3763 and the summary judgment victory for the ABA, we anticipate that the FTC will continue to face opposition to the broad applicability of the Red Flag Rules, as currently drafted, especially from the health care industry.
Should you have any questions regarding the Red Flag Rules or anything contained in this Alert, please contact Monica C. Hocum at 414.721.0454 or Steven C. Hahn at 414.721.0443. |
