By: Stephen D. R. Taylor
Kohner, Mann & Kailas, S.C
The Federal Trade Commission (FTC) Red Flag Rule, which would have required a large number of businesses to adopt identity theft protection and mitigation policies and procedures, was scheduled to come into effect on November 1st. However, at the 11th hour, the FTC delayed enforcement until June 1, 2010.
This delay was in part the result of an October 29th federal court order which concluded that the FTC had only been authorized by Congress to address credit industry transactions and that merely because an entity or individual is capable of providing credit does not support it being included within the Rule, even if there is a period of time between provision of goods or services and payment.
Although the court seemingly restricts the range of businesses and transactions that the FTC can reach, caution is necessary. First, one of the starting points for the analysis was the long history of state regulation of lawyers and the particular significance of attorneys fiduciary and professional obligations. Second, it is not clear what businesses and practices fall within the scope of the credit industry as conceived by the court. The financial sector is clearly encompassed, but it is too early to tell what other business sectors or forms of credit the FTC may regulate.
Subject to an appeal, the courts decision effectively forces the FTC to reconsider the number of businesses and types of transactions reached by the Rule. As things stand, it is hard to see the Rule going into effect without significant redefinition of the types of business and transaction that are covered (unless the recent ruling is overturned). In the meantime, Congress is currently considering exempting all small businesses (a threshold of 20 employees has been mooted).
However, even businesses that eventually do escape coverage may still benefit considerably from following the letter of the Rule. This is particularly true for clients which, due to the last-minute nature of the delay in implementation, have already put policies and procedures in place. The Rule requires creation of policies and procedures based upon an internal evaluation of the risk of identity theft posed to actual or potential account holders who are offered goods or services on credit. Following such voluntary best practice is potentially powerful evidence of good-faith efforts to protect customers (or those of your clients) and, as a result, is likely to mitigate legal, client relations and public relations risks.