Identity Theft Red Flag Rules - May 1, 2009 Compliance Deadline

by:  Paul A. Gilman

What are the Red Flag Rules?
The Federal Trade Commission (“FTC”) recently enacted regulations known as the “Red Flag Rules” which may require your business to adopt a written Identity Theft Prevention Program. These rules were adopted pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. The Rules are designed to identify and respond to possible Identity Theft “Red Flags.” Examples of these Red Flags include a credit card customer changing their address and then requesting a new card, or a possible security breach in customer information your business may keep on file.

Who Must Comply?
The Red Flag Rules apply to any business that regularly extends, renews or continues credit to its customers for products or services, or that engages a third party to provide credit to its customers. This includes traditional lenders such as banks and financial companies, but also includes automobile dealers, utility and telecommunications companies. If your business regularly provides services or products for which it does not require payment in full at the time of delivery, you may be covered by these Red Flag Rules.

How do the Red Flag Rules Apply to Health Care Providers?
Although the rules appear to focus primarily on financial activities, as currently drafted the Red Flag Rules do apply to health care providers.  Identity theft in the health care context occurs when a patient uses the name and/or other parts of a person’s identity to obtain medical services.  The American Medical Association and other organizations have asked the FTC to exempt physicians from the Red Flag Rules.  Notwithstanding, as of February 2009, the FTC has announced that physicians and other health care providers are covered by the Red Flag Rules.

What is Required?
Under the Red Flag Rules, a business must adopt a written Identity Theft Prevention Program which meets the following four requirements:

          1. Identifies the relevant red flags for the type of business involved (i.e. presence of suspicious personal identifiers, alerts, notifications and other warnings for the consumer);
          2. Detects those red flags identified;
          3. Responds appropriately to red flags when detected; and
          4. Updates the Identity Theft Prevention Program regularly to reflect changes in identity theft risks and changes to its business procedures.

In establishing the Identity Theft Prevention Program, your business should train appropriate staff to implement the Identity Theft Prevention Program.

When do the Red Flag Rules Apply?
The Identity Theft Prevention Program must be in place by May 1, 2009.

What are the Penalties for Non-Compliance?
The FTC is charged with enforcing the Red Flag Rules.  Non-compliance can result in penalties of up to $2,500 for each individual violation, as well as civil liability to the consumer (or patient) for violations.

What to Do?
Contact us to determine if the Red Flag Rules apply to your organization, and for our assistance in developing a written Identity Theft Prevention Program.

The above material is intended for general information purposes and should not be relied on or construed as professional advice. Under the applicable Illinois Rules of Professional Conduct, the contents of this e-mail may be considered to be advertising material.
Copyright © 2009 Aronberg Goldgehn Davis & Garmisa. All rights reserved.



330 N. Wabash AvenueSuite 1700Chicago, Illinois 60611