Red Flags Rule Deadline Quickly Approaching: The FTC Will Begin Enforcing the New Identity Theft Rule on November 1, 2009

The Federal Trade Commission (FTC) is slated to begin enforcement of the Red Flags Rule on November 1, 2009. The Red Flags Rule (“Rule”), requires businesses and other organizations to implement effective, new policies to detect, prevent and mitigate identity theft.

According to the FTC, the scope of the Rule is broad: any company that provides goods or services on a deferred payment basis (e.g., net-30 days billing) may be required to comply with the Rule. The FTC has further indicated that nonprofit organizations and government entities may also be subject to the Rule.

For a more detailed discussion about the Red Flags Rule, please see the Holland & Knight Red Flags Alert published on July 22, 2009.

Congress Mulls Exceptions to the Rule

The scope of the Rule has been the subject of ongoing discussion, as numerous organizations have lobbied the FTC and Congress for a variety of exemptions. On October 20, 2009, the U.S. House of Representatives passed a bill that would exempt healthcare, accounting and legal practices from the Rule if the practice has 20 or fewer employees. The bill – H.R. 3763 – also requires the FTC to create a process allowing other businesses to request a similar exemption from the Rule. The U.S. Senate has yet to consider the proposed legislation.

There Is Still Time to Comply

The FTC has delayed enforcement three times to provide businesses more time to implement compliance programs. It has not, however, indicated plans to offer any further extensions.

To assist businesses and other organizations, Holland & Knight has developed a baseline, fixed-fee Red Flag Rule compliance package which is designed to help organizations and government entities determine if they are subject to the Rule, and if so, to implement a compliance program.