On May 28, 2010, the Federal Trade Commission (FTC) issued a press release stating that enforcement of the Red Flags Rule has been further delayed, from June 1, 2010 to December 31, 2010. The delay was requested by several members of Congress, and allows additional time to consider legislation limiting the scope of entities covered by the Rule.
The FTC is urging Congress to act quickly to avoid any more delays, and it may be possible that enforcement will occur sooner than the December date. According to the FTC press release, “If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”
A bill to amend the Fair Credit Reporting Act, providing an exclusion from the Red Flags Rule for certain businesses with fewer than 20 employees (HR3763), had passed the House of Representatives as of this past October and was sent to Senate committee. A separate bill (S. 3416) was introduced in the Senate on May 25, 2010. It also includes exclusions to the Red Flags Rule for certain businesses (health care, accounting and legal) with fewer than 20 employees, and other businesses that:
- Know all of their customers or clients individually, OR
- Only perform services in or around the residences of their customers, OR
- Have not experienced incidents of identity theft AND identity theft is rare for businesses of that type.
The Bill also includes the following definitions:
- Health care practice: a business, the primary service of which is providing health care through health care professionals employed by the business;
- Health care professional: for purposes of the above clause, means an individual engaged in providing health care and licensed under state law, including a physician; dentist; podiatrist; chiropractor; physical therapist; occupational therapist; marriage or family therapist; optometrist; speech, language or hearing therapist; and a veterinarian.
It is not known at this time whether the Bill will be passed, or if changes will be made to the Bill before passage. We will continue to monitor developments and will notify you as the Bill moves forward.
Although mandatory compliance with the Rule has been delayed, keep in mind that the intent of the law is the prevention of identity theft. Each individual organization bears some responsibility for keeping personal financial information safe. Depending upon your degree of risk, you are not only protecting your customers, but also protecting your business from incurring costs associated with service charges that may go unpaid. Your business practices should be reviewed and a determination made as to whether an identity theft program has potential benefits for both you and your customers. Each organization is unique.
Consider reviewing:
- The methods you use when obtaining and accessing financial information (including courier services),
- How those records are stored or transported (hard copy and electronic),
- How the records are discarded (both hard copy and electronic),
- How you will detect and respond to a security incident or possible breach,
- How you will train employees to recognize security threats.