On May 1, 2009, the FTC’s “Red Flag Rules” regulations regarding identity theft prevention go into effect.  In general, the Red Flag Rules require certain businesses acting as “creditors” to develop and implement written identity theft prevention programs that identify, detect, and respond to patterns, practices, and activities that might indicate that identity theft has occurred  (i.e., the “Red flags” signaling identify theft). 

The Red Flag rules apply to all “creditors” that offer or maintain one or more “covered accounts.”  A “creditor” is defined as a person that regularly extends credit, which includes businesses that allow deferred payment of debts.  A “covered account” is defined as an account for personal, family, or household purposes that permits multiple payments or transactions and any other account for which there is a reasonably foreseeable risk to the creditor of identity theft.  For those businesses that expressly offer financing or deferred payment plans, the rules clearly apply.  Even for businesses that do not engage in such practices, though, the rules may yet apply.  FTC personnel have indicated that businesses are “creditors” if they do not require full payment up front but rather bill customers after the services are rendered.  This, of course, describes the standard practices of the vast majority of the service industry.  Thus, barring further guidance from the FTC to the contrary, we advise that businesses consult with their attorneys to determine whether they should comply with the Red Flag Rules.

Thankfully, compliance with the Red Flag rules should not be too burdensome for most businesses.  The business should first identify its covered accounts.  For most businesses, covered accounts would be the business’s customer accounts.  Second, the business should identify potential theft Red Flag events.  These may include presentation of photo IDs or other documents that appear to be forged or altered, suspicious changes of address, and customers demanding records containing personal information with unusual urgency or frequency.  Third, the business should have a mechanism to detect the Red Flags.  This should facilitate the business obtaining identifying information about, and verifying the identity of, new customers.  It should also help the business authenticate customers, monitor transactions, and verify the validity of change of address requests.  Complying with this may be as simple as requiring photo IDs for customers (whether new or existing customers) and requiring certain information to verify a customer’s identity over the phone, on the web, or by email before any customer-identifying information is disclosed.  Fourth, the business should respond appropriately to any Red Flags that are detected.  Appropriate response might include monitoring a customer’s account for further evidence of identity theft, contacting the customer, changing passwords or security codes, foregoing collection on a customer account, notifying law enforcement, or taking no further action. 

The rules specifically state that a creditor’s identity theft prevention program must be “appropriate to the size and complexity” of the creditor and to the “nature and scope of its activities.”  Thus, reasonable common sense safeguards are likely enough for most businesses.

A business’s board of directors must sign off on the identity theft prevention program, and the business should train its staff on how to execute the program.  Also, where the business engages third party service providers (e.g., billing agents and management companies), the business should ensure that such third parties cooperate with the business to safeguard against identity theft. 

Feel free to contact Gregory Bee in our Cincinnati office, Kevin Barnes in Cleveland, Hugh Wall in Dayton, David Johnson in Columbus or Jonathan Bryant in Indianapolis or feel free to contact your regular attorney at Taft, if you have questions about whether the new Red Flag rules may apply to your organization and/or if you would like assistance in designing and implementing an identify theft prevention program.