A primer on the FTC’s Red Flags Rule

Issue Sept/Oct 2009 By David Harlow, Esq.

After several delays, including the latest last-minute delay at the end of July, the FTC Red Flags Rule is now set to become effective on Nov. 1, 2009.

The FTC has delayed the effective date three times: from November 2008 to May 2009 to August 2009 to November 2009, and affected entities need to develop and implement compliance plans now, if they haven't already. Part of the reason for the delays was to allow for folks who weren't initially aware that they were subject to these regulations - which seemed targeted at the financial sector - to come into compliance.

Both the legal and medical professions, through the American Bar Association and American Medical Association, among other non-financial-sector businesses, have formally objected to the regulation's coverage of their activities, but the FTC has not changed its posture.

This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft. If a red flag is triggered, the creditor must notify the consumer and correct any inappropriate information included in the creditor's records.

The FTC took something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations, because the potential red flags and potential risks vary significantly based on size and type of business.

Affected law firms and other consumer-facing businesses need to understand that the Red Flags Rule requirements overlap with other federal and state law, but will not be satisfied by implementation of existing privacy policies and compliance plans. Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it. The rule calls for regular monitoring of the plan and issues that arise by a senior manager. Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Why comply?

Even if not clearly subject to the Red Flags Rule, law firms and other consumer-facing businesses should undertake to comply, for a couple of interrelated reasons:

• Good PR. Data security is top of mind these days. Much of the effort required under the rule should be expended anyway, simply to respond to market pressures calling for improved data security.

• Potential liability. The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information. The incensed jury will go along. The small business caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account"?

Any entity that accepts payment other than payment in full at the time of service is a creditor. Businesses that take only cash-on-the-barrelhead (or credit cards) from consumers aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows:

• A consumer account you offer your customers that's primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; or

• Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

Any creditor with covered accounts must have a Red Flags Rule compliance plan in place with policies and procedures for dealing with red flags - i.e., signs that personal information may have been compromised. Red flags may include:

• A complaint or question from a client based on the client's receipt of a bill for another individual;

• A complaint or question from a client about the receipt of a collection notice from a bill collector;

• A complaint or question from a client about information added to a credit report;

• A dispute of a bill by a client who claims to be the victim of any type of identity theft; and

• A notice or inquiry from a fraud investigator or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.

There need to be uniform, but appropriately flexible, answers to these questions:

• What do we do when a client claims fraud is in their files?

• What do we do for clients and other affected victims when we uncover a fraudulent operation?

• When we have a real case of identity theft, how can we work with clients to fix the records and limit future damages?

• How do we handle police reports and requests for investigation from victims?

The answers to these questions need to be viewed not just from the business's perspective, but also from the victim's perspective, which can differ substantially.

Additional summary information on the Red Flags Rule is available from CNA, the MBA's professional liability insurance carrier, at

As with any effort of this sort, it is often valuable to have someone outside the organization review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement. Whatever the size or nature of your practice, or your clients' businesses, please take a moment to consider how the Red Flags Rule may apply to their operations, and how it may relate to other regulatory schemes, including state privacy laws.

David Harlow, principal of The Harlow Group LLC, Newton, is a health care lawyer, consultant and blogger. Read his blog at and follow him on Twitter at .