FTC’s NEW “Red Flags Rule” -- Is Your Business Prepared?
May 1, 2009

The Federal Trade Commission’s new “Red Flags Rule” (issued pursuant to the Fair and Accurate Credit Transactions Act of 2003) went into effect on November 1, 2008. The FTC delayed actual enforcement of the Rule until no earlier than May 1, 2009 to give affected companies sufficient time to implement their compliance. Under the Rule, if you are a business or organization (including a nonprofit) that regularly provides consumers goods or services in exchange for subsequent payments -- i.e., a “creditor” -- you should have by now developed and implemented a written identity theft prevention program designed to:
The Rule represents the federal government wading with both feet into the growing maze of state and federal laws relating to data privacy, breach, and security. It steps in where the data breach notification laws of many states leave off, leaving such existing notification requirements unchanged. Specifically, the Rule is intended to have the creditor (1) detect a thief’s attempt to use previously stolen data to, for example, open credit card accounts using personal identifying information of the person whose identity has been stolen, and (2) respond to the attempt in order to mitigate damage.

What is my business required to do by May 1?

The requirements for the specific details of an identity theft prevention program are flexible, but the program must include reasonable policies and procedures appropriate to the size and complexity of the creditor and the nature and scope of its activities. Thus there is no canned set of policies and procedures for a creditor to use. Instead, the Rule contains guidelines and suggestions offered by the FTC to creditors developing a program.

The creditor’s initial identity theft prevention program must be approved by its board of directors or a committee of the board. The board, a board committee, or someone from senior management must also be involved in the implementation, administration, and oversight of the program. The creditor must train staff as necessary to effectively implement the program and must exercise appropriate and effective oversight of its arrangements with service providers so that they act in accordance with the program. The latter may be particularly challenging when the service provider is overseas.

Why is this important?
If you have questions about compliance with the new Red Flags Rule or preventing or responding to a data security breach, please contact:

Joel Riff – Co-Chair, Intellectual Property Group
Stephanie Sparks – Co-Chair, Intellectual Property Group

Online resources regarding the Red Flags Rule:

Red Flags Rule, Federal Register, November 9, 2007
Fair and Accurate Credit Transactions Act of 2003, December 4, 2003
Definition of “creditor”, 15 U.S.C. 1691a(e)
Federal Trade Commission’s Fighting Fraud with the Red Flags Rule – A How-To Guide for Business, March 2009

This Legal Update is provided as an educational service by Hoge Fenton for clients and friends of the firm. This newsletter is an overview only, and should not be construed as legal advice or advice to take any specific action.