Red Flags Rule Enforcement Delayed to August 1, 2009; FTC Providing a Compliance “Template”

The FTC has once more announced a delayed enforcement of the Red Flags Rule to August 1, 2009

To assist the huge numbers of entities with limited to no information security resources to implement the Red Flags Rule requirements, and those small entities that know most of their customers personally, the FTC will soon be providing a compliance template to help entities with a “low risk of identity theft” with compliance.
Any organization with personally identifiable information (PII) is vulnerable to incidents.
Knowing customers personally DOES remove some of the risks, but hopefully organizations will not use the fact they know their customers personally to NOT implement appropriate safeguards for PII.
There are so many ways in which information security incidents and privacy breaches, including identity theft, can occur without proper safeguards, training and awareness.
It will be interesting to see the details provided within the template.
Now that the template is being provided, I don’t anticipate that there will be any more compliance date delays. We shall see.
Here’s the announcement:

“The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.
“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements,, and a Web site with more resources to help covered entities design and implement identity theft prevention programs, The compliance template will be available on this Web site.”

Tags: , , , , , , , , , ,

Leave a Reply