Attorneys

• Stephanie Cason
• Robert S. Lavet
• Robert M. Portman
• James C. Pyles

Related Practices

• Corporate/Governance
• Ethics/Discipline
• Public Policy & Government Relations
• Tax Exempt Organizations

Federal Trade Commission (FTC) Delays Enforcement of Red Flags Rule until November 1, 2009

In November 2007, the Federal Trade Commission (FTC) issued a set of regulations known as the “Red Flags Rule” (the Rule) requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft.  Due to wide confusion over who must comply with the Rule, the FTC has postponed enforcement of the Rule three separate times, with the most recent postponement issued today.  To give entities more time to review FTC guidance and develop and implement mandated written identity theft prevention programs, the FTC has further delayed enforcement of the Rule until November 1, 2009.

            Under the Rule, “creditors” must develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later.  The FTC has gone on record that health care entities, such as physician practices, are “creditors” subject to the Rule if they defer payment.  Not demanding payment in full at the time of service, including through the billing of insurance, makes practices “creditors.” 

            Drafting and implementing a program to comply with the Red Flags Rule does not have to be an expensive or protracted exercise.  The Rule gives practices a great deal of flexibility to design and implement programs that are appropriate to their size and complexity and the nature of their operations.  The FTC’s Red Flags Website, www.ftc.gov/redflagsrule, offers resources to help entities comply with the Rule.  Additionally, we have provided a guide to drafting and implementing an effective Red Flags program (please click here).    

For more information, contact: Jim Pyles (jim.pyles@ppsv.com) or Stephanie Cason (stephanie.cason@ppsv.com).