The Federal Trade Commission (FTC) announced on May 28, 2010 that it would again postpone enforcement of the “Red Flags Rule,” this time until December 31, 2010.  This announcement marks the FTC’s fifth decision to delay enforcement of the Rule, a response to a number of lawsuits and pressure by Congress and trade organizations to limit the Rule’s applicability.  Critics of the Rule argue that it will impose expensive and unnecessary compliance costs on virtually all businesses that handle any sort of financial information and, in many cases, replicate existing privacy laws.

The Red Flags Rule, promulgated by the FTC pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, currently requires “creditors” with “covered accounts” to take steps to help prevent identity theft.  Specifically, entities covered by the Red Flags Rule must develop and implement written programs to identify, detect and respond to warning signs that may indicate identity theft.  Enforcement is currently slated to begin January 1, 2011; however, the FTC indicated that if Congress passes legislation to amend the scope of the Red Flags Rule before the new enforcement deadline, the FTC will begin enforcement on the effective date of the legislation.

Recent legislative activity suggests that the Red Flags Rule may be significantly revised before being implemented.  For example, H.R. 3763, which passed unanimously in the House of Representatives on October 20, 2009, would exempt legal, accounting and health care practices with fewer than twenty employees from all Red Flags Rule requirements.  Further, the bill would allow businesses to seek an exemption if they (1) have not experienced prior incidents of identity theft and are at low risk for identity theft, (2) are individually acquainted with their customers or (3) only perform services in and around customer residences.  This legislation is currently pending in the Senate Committee on Banking, Housing and Urban Affairs.

The Red Flags Rule faces opposition from several trade organizations that have filed lawsuits contesting the application of the Rule to their members.  For example, the American Medical Association, the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit in May 2010 objecting to the FTC’s position that physicians are “creditors” that are subject to the Red Flags Rule requirements, arguing that physicians must already comply with rigorous privacy protection requirements of the Health Insurance Portability and Accountability Act (HIPAA), and claiming that the Red Flags Rule would interfere with the physician-patient relationship. 

In a similar suit filed by the American Bar Association in November 2009, the U.S. District Court for the District of Columbia held that the FTC exceeded its jurisdiction in including attorneys under the Red Flags Rule; this decision, however, is currently under appeal.  Likewise, the American Institute of Certified Public Accountants filed a lawsuit in November 2009 contesting application of the Rule to its member accountants, and the U.S. District Court for the District of Columbia issued an order in March 2010 instructing the FTC to continue delaying enforcement of the Rule against accountants until the appellate court reached a decision in the American Bar Association’s case.

Meanwhile, the FTC continues to publish on its Web site guidance to help clarify the Rule’s requirements, including a how-to guide for businesses in which the FTC responds to frequently asked questions, a streamlined do-it-yourself compliance template for “low-risk” entities and various industry-specific guidance materials (including guidance for the health care sector).  The FTC has promised to continue working with trade organizations and Congress toward resolving concerns with the Red Flags Rule.