August 1, 2009 – FTC’s New Identity Theft Rule Probably Requires You To Comply

July 1, 2009
FDA-regulated businesses are certainly closely regulated by FDA and other federal agencies. However, one area that many of these businesses erroneously believe does not affect them is the federal laws and regulations that apply to identity theft. The federal government is taking the position that companies, lawyers and doctors who send their customers and clients bills, expecting payment within a set period of time (even if they are not trying to extend credit), are governed by a recent rule which took effect in May. Of greater importance to those entities covered by the rule is that the federal government has stated that covered entities are required to establish and implement a Written Identity Theft Prevention program by no later than August 1, 2009.
Several federal agencies, including the FTC, issued the “Red Flags Rule” (“the Rule”) on November 9, 2007. After a few delays, the Rule became effective on May 14, 2009. The Rule was promulgated under the Fair and Accurate Credit Transaction Act of 2003 (“FACT Act”) and applies to any financial institution and/or creditor with “covered accounts.” The federal government believes that the Rule requires most businesses and other entities to implement a written program to prevent identity theft by detecting warning signs (i.e., red flags) and to take actions to prevent, mitigate and resolve incidents of identity theft.
“Creditor” is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit;” or “any person…who participates in the decision to extend, renew or continue credit.” 15 U.S.C. § 1691a. The FTC has stated the term creditor encompasses any business that “regularly defer[s] payment for goods or services or provides goods or services and bill customers later.” This extremely broad definition has been interpreted by the FTC to include utility companies, health care providers, telecommunications companies, and even attorneys. Essentially, according to the federal government, any business that bills customers, rather than collecting full payment at the time of delivery of the goods or services, is deemed a “creditor,” and thus potentially subject to this Rule.
Even if an entity is a creditor, its activities are regulated under the Rule only with regard to “covered accounts.” A “covered account” includes any “account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the … creditor from identity theft […]” 16 C.F.R. § 681.2(b)(3)(i) and (ii). The FTC appears to interpret this provision broadly, essentially determining that any organization that is considered a creditor under the Rule is also very likely to have “covered accounts.”
If a business is a creditor with covered accounts, the Rule mandates that the entity create and implement a written program to prevent and mitigate identity theft. The Rule affords a fair amount of flexibility in designing a program that fits a company’s needs. The FTC has indicated that the Rule also directs covered entities to train staff, exercise oversight and involve the board of directors or senior management.
According to the FTC, these broad definitions of creditor and covered account apply to companies and professions that have never considered themselves creditors in their daily business transactions, such as lawyers and doctors. Given the apparent reluctance of the FTC to create exemptions from this regulation, most companies regulated by FDA must determine if the Rule applies to them. If the answer is yes, there is an August 1, 2009 deadline fast approaching to develop and implement a compliance plan. Failure to comply may subject the entity to administrative enforcement action by FTC as well as civil liability to consumers.