Red Flags Rule – Delayed Again

On July 29, 2009, the FTC deferred its enforcement of the Identity Theft Red Flags Rules for an additional three month period.  Organizations, labeled as “creditors” by the FTC, will have until November 1, 2009 to implement their Identity Theft Prevention Policies.  Creditors required to comply with the Red Flags Rule include businesses that regularly defer payments or extend credit to personal or household accounts or establish customer accounts in which there is a reasonably foreseeable risk of identity theft.  The FTC broadly interprets its definition of “creditor” examples of which include healthcare providers, car dealerships, utilities, cable companies, and colleges.  Red Flags are indicators of the possible existence of identity theft.  Creditors must create a program that detect Red Flags which may suggest the occurrence of identity theft as well as appropriate methods for mitigating identity theft, preventing identity theft and responding to the Red Flags.  Failure to create a program may result in civil liability and fines from the FTC.  A “Red Flag” itself is a pattern, practice, or specific activity that indicates the possible existence of identity theft.  For example a Red Flag may be the failure of a customer or patient to provide valid identification or notification by a customer that his/her identity has been stolen. 

As a preliminary step a creditor will need to identify if it has covered accounts, which is defined to include an account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”  As a practical matter all patient accounts are considered covered accounts.  This determination includes a risk assessment which takes into account: 1) the methods the creditor provides to open its accounts, 2) the methods the creditor provides to access its accounts, and 3) the creditors previous experiences with identity theft.  This determination and risk assessment must occur on a periodic basis.       

The next step is to develop a written Identity Theft Program that is designed to “detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.”  This Program should be appropriate to the size and complexity of the creditor.  The Program must include policies and procedures to:

1)               Identify relevant Red Flags and incorporate those Red Flags into the Program.

                  Specifically for a healthcare organization this includes the assessment of the risk of medical identity theft (i.e. identity theft for the purpose of obtaining medical services).

2)               Detect Red Flags that the creditor has incorporated into its Program.

3)               Respond appropriately to any Red Flags detected to mitigate and prevent Identity Theft.    

4)               Ensure the Program is updated periodically.

A creditor must provide continued administration of the Program.  These administration requirements include:

1)               Obtaining approval of the Program from the organization’s Board of Directors or the appropriate committee of the Board.

2)               Involve either the Board, the appropriate committee, or a senior manager in the oversight, development, implementation and administration of the Program.

3)               Train staff to implement the Program.

4)               Exercise appropriate and effective oversight of service provider arrangements.

Lastly, a creditor must consider the guidelines attached to the Red Flags Rule and implement those guidelines as appropriate.  Each of these guidelines corresponds to a provision of the final rules.  In addition to these guidelines, the FTC released a supplement to help creditors identify Red Flags.  A creditor has the ability to tailor its Program as it deems necessary depending on its size and the type of business conducted   

In addition to the Red Flags Rule, compliance with other provisions of the Fair Credit Reporting Act (FCRA) is required for all users of credit reports. 

We recommend adopting a board level policy which outlines the goals of an Identity Theft Prevention Program and that empowers the management of the organization to adopt a more detailed policy.  We are available to assist you with drafting both policies.  Attached to this memorandum are the Red Flags Rule and the appendices.