FTC Delays Enforcement of Red Flags Rule Until December 31, 2010

June 3, 2010
Health Care Alert

The Federal Trade Commission (FTC) has announced that it will again delay enforcement of the Red Flags Rule, this time until December 31, 2010. This extension of the enforcement deadline is the fifth such delay, and came at the request of Members of Congress to permit them additional time to consider proposed legislation clarifying the scope of entities covered by the Rule. Enforcement was originally set to commence November 1, 2008, and had been postponed previously to June 1, 2010. 

The Red Flags Rule requires “creditors” and financial institutions to develop and implement written identity theft prevention programs, designed to help identify, detect and respond to patterns, practices or specific activities known as “red flags,” that could signal an incident of identity theft. The Rule’s application to certain professionals, including health care providers and small businesses, has been controversial. For purposes of the Red Flags Rule, a “creditor” is any person or entity who regularly extends, renews or continues credit, or any person or entity who regularly arranges for the extension, renewal or continuation of credit. This includes all persons and entities that regularly permit deferred payments for goods or services, and has been interpreted to apply to health care providers who do not require advanced payment for services.

On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC could not enforce the Red Flags Rule against attorneys, who regularly provide services prior to requiring payment. Last week, the American Medical Association filed a lawsuit in the same federal court, charging that the Rule exceeds the powers delegated to the FTC by Congress, and that its application to physicians is “arbitrary, capricious and contrary to the law.” 

As was the case with the previous postponements, this delay in enforcement applies only to the Red Flags Rule requiring the development and implementation of written identity theft prevention programs. It does not apply to related rules applicable to users of consumer reports and card issuers requiring certain responses to changes of address and address discrepancies. Similarly, the delay in enforcement only applies to entities subject to the FTC’s jurisdiction; it does not affect institutions subject to the oversight of the federal bank regulatory agencies or the National Credit Union Administration.

For more information, please contact your regular Hinshaw attorney.

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.