Header graphic for print
Privacy Law Blog

FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

Posted in Identity Theft

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.

As we’ve previously written, the Rule requires all “creditors” and “financial institutions” that have “covered accounts” to develop and implement programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The intended (and appropriate) scope of the Rule, however, is anything but clear and the FTC has delayed enforcement of the Rule multiple times in order to address this issue. (Note, however, that the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight. Similarly, the related address discrepancy and card issuer change of address rules are in effect and not delayed.)

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!