The Federal Trade Commission (FTC) promulgated regulations to help reduce consumer identity theft back in 2007, with implementation of these rules for “creditors” and national banks to begin in 2008 (and then 2009, now November 1, 2009 for certain kinds of creditors). (See the Red Flags Rule here)
Identity theft is a real problem for people of all sorts (approximately 10 million people fall victim to this kind of fraud at a loss of around $50 billion each year). As a result, the FTC has interpreted the term “creditor” more broadly than the kinds of businesses we tend to think of, like credit card companies. (See FTC FAQ) According to the FTC, a creditor includes anyone that provides a service now and accepts payment later. Lawyers routinely do that, as do health care providers, department stores with lay-away plans, and other service professionals (except maybe your mechanic who won’t give you your car until you pay for the service). Because of the broad application of the rule by the FTC, the lawyers decided to sue the FTC to force an interpretation of the Red Flags Rule to exclude, you guessed it, lawyers. (See the ABA Release here)
As a practical matter, federal courts generally will defer to administrative agency interpretations of their own regulations under the Chevron doctrine. Every so often, courts will overturn an administrative agency’s interpretation, but the odds are low. (See Massachusetts v. E.P.A., 549 U.S. 497 (2007)). The ABA’s odds of getting a decision in its favor are probably about average, but even a win won’t help other kinds of professionals that accept payments from customers over time. And for lawyers, since no decision is expected before the latest compliance deadline of November 1, 2009, we find ourselves all in the same boat of needing to comply with the Rules.
Section 681.2 requires that covered organizations (a) periodically identify accounts that may be covered accounts within the rules, (b) develop a program for identifying accounts that “is designed to detect, prevent, and mitigate identity theft,” and (c) administer the program by seeking Board approval of the policy, training staff, and monitoring the program over time to ensure that it is overseen properly. 16 C.F.R. § 681.2(c)-(e). The program must be in writing, and must be reasonable in relation to the size of the organization implementing it.
The Appendix to section 681 provides some guidelines for covered organizations in formulating their Red Flags Program.
The Red Flag Rules also require that creditors establish a written policy that outlines how the organization will comply with the rules. For health care providers looking for a sample policy for compliance, the AMA has published one on its web site here. The FTC has also published a document for creditors who are probably at low risk for identity theft here, which may likely include many solo and small law firms.
Once you have appropriately assessed your risks and written a plan, the plan must be approved by the ownership of your organization. For solo and small firm attorneys who are already chief cook and bottle washer, that means you. Larger corporations that have a board of directors will need to take board action to approve and be involved in the organization’s compliance with its program.
The guidelines emphasize that a creditor should exercise reasonable care to protect its covered consumer accounts from theft or unauthorized access. Implicitly, this means that a covered organization should have appropriate data security systems in place that protect the organization’s data from loss, unauthorized access, or theft. Health care providers should already be compliant, as they have been required to comply with the HIPAA security regulations since 2003. These regulations require regular technical risk assessments, mitigation plans, access control mechanisms, and data backup plans (among other requirements in the rules – See 45 C.F.R. § 164 et seq.).
Lawyers, however, may not have had the pleasure of complying with these rules (unless of course you are a business associate to a covered entity and are now, under the ARRA, required to fully comply with the HIPAA security regulations next year that already apply to covered entities). For example, if an attorney accepts payments for services through a web site, the attorney should evaluate the risk of identity theft from the site and take appropriate steps to mitigate those risks, such as ensuring she is using a current SSL certificate to encrypt communications with the client, not storing credit card numbers in a database that can be accessed from the internet, and appropriately maintaining the server that houses the web site to ensure it is patched for known security risks and has appropriate anti-virus software.
From there, staff will need to be trained to recognize that a consumer’s identity has been stolen, and to take appropriate actions to protect the consumer from further loss. The FTC form also indicates that outside agencies such as a billing agency may also need to be trained (or you need to verify that the organization has its own acceptable policy for complying with the rules). After that, the program requires an internal annual report on activities, and updating the program to address evolving threats to consumer identities. Now that wasn’t so bad, was it?