HEAT Security Blog

Don’t Procrastinate on Red Flags Rule Compliance Despite Latest Delay

So, the Federal Trade Commission (FTC) has, for the fourth time (!), delayed enforcement of the so-called “Red Flags” rules, according to a statement posted on the agency’s website. Enforcement is now scheduled for June 1, 2010. In case you’re keeping score at home, the previous dates were 01-Nov-08 (original), 01-May-09 (first delay), 01-Aug-09 (second deferment), and 01-Nov-09 (third postponement). These rules are designed to compel all organizations that offer consumer credit accounts and other “covered accounts” to develop and implement written identity theft prevention programs that identify, detect, and respond to patterns, practices, or specific activities (known as red flags) that could indicate identity theft.

These Red Flags rules and guidelines are part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). They are designed to help consumers monitor their own credit histories and to establish regulations addressing the business process vulnerabilities that make identity theft possible. Specifically, Title 16 of the Code of Federal Regulations (CFR) Part 681 (see here; warning: PDF) requires all financial institutions and creditors to establish a written program to detect, prevent and mitigate identity theft, which is defined as a fraud committed or attempted using the identifying information of another person without authority (see 16 CFR 603.2(a)).

There has been considerable confusion about these Red Flags rules. Most companies outside the financial and healthcare sectors seem unaware that the rules apply very broadly. Although the FTC’s own FAQs on the matter (warning: PDF) concentrate on financial institutions, they do note that the rules apply to all “creditors,” a term that borrows the Equal Credit Opportunity Act definition and so reaches any business that regularly defers payment for goods or services, such as one that bills customers after delivery. In addition, they state that “covered accounts” includes any accounts “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Pretty broad wording, which leads one commentator to note that her law firm …

continue[s] to receive responses indicating surprise and even disbelief that the Red Flags Rule would apply to an operation that is not a financial institution or healthcare organization. Professionals and operations that do not accept credit card payments or do not sell to consumers are particularly surprised by this regulation. … They miss the “punchline” that would inform them that their operation qualifies as a “creditor” as defined in Red Flags Rule.

Since these rules and guidelines were promulgated, several things have changed. First, a bill passed by the House in October would amend FACTA to exclude health care, accounting and legal practices with 20 or fewer employees from having to comply with the regulations. Second, a U.S. District Court in Washington, D.C. just ruled that the Red Flags rules do not apply to attorneys. We can expect this to continue; recently, the American Institute of Certified Public Accountants sued to prevent the rules from applying to accountants. But, assuming you’re not at a financial firm (in which case you probably have little wiggle room), I don’t think hoping that your particular industry will somehow get exempted is a good plan. After all, as they say, hope is not a strategy.

So what should you and your organization do? Well, I see a couple of things to think about …

  • when making sure you’re compliant with these Red Flags rules, don’t forget that compliance does not equate to security and protection of Personally Identifiable Information (PII)
  • move beyond the development of policies and really understand the technologies and procedures that will enforce them
  • remember that the Red Flags rules are focused on preventing the misuse of customer data … and that these data belong to your customers, not you
  • and don’t forget your suppliers and vendors … the rule’s guidelines expect you to oversee service providers that handle your covered accounts, and Michael Overly has some suggestions in that regard for SMBs

Certainly not an exhaustive list, but something to get started with … I plan to revisit this topic (assuming, of course, that it’s not completely gutted in the meantime). Until then, you might want to look at some of these online Red Flags resources from the FTC, in case you’ve not had a chance to do so yet …