Thank you for viewing this Illinois Bar Journal article. Please join the ISBA to access all of our IBJ articles and archives.
A court has enjoined application of the rule against lawyers, the House has voted to exempt lawyers and others, and the FTC has pushed back enforcement yet again.
The red Flags rule remains a moving target.
As reported previously in LawPulse, the Federal Trade Commission and several other executive agencies jointly issued the Identity Theft red Flags rule, found at 16 CFr Part 681, on November 9, 2007. The rule requires covered entities, including financial institutions, creditors, and other businesses who use consumer credit reports or bill customers periodically for services rendered, to develop programs and procedures to identify and respond to the "red Flags" of possible identity theft with respect to their customers or accountholders.
Enforcement delay - fourth time's a charm
The FTC has taken the position that lawyers, like physicians and other businesses, are "creditors" within the meaning of the enabling statute. The American Bar Association as well as many state and local bar associations, including ISBA, registered objections to the FTC's interpretation.
In August, the ABA filed a three-count suit in the federal district court for the District of Columbia seeking an injunction to block the FTC's application of the red Flags rule to lawyers. On October 29, 2009, three days before the FTC was set to begin enforcement of the rule, the court granted the ABA's motion for summary judgment.
In its two-page order, the court stated that it would issue a memorandum opinion setting forth its reasoning within 30 days. According to the Blog of LegalTimes, which reported the development at http://legaltimes.typepad.com/blt/2009/10/judge-ftc-cannot-make-lawyers-comply-with-identity-theft-laws.html, the judge orally stated that he had difficulty accepting the breadth of the FTC's interpretation of the statutory term "creditor."
Shortly before the court's ruling, on October 20, 2009, the U.S. House of representatives moved to curtail red Flags coverage by passing Hr 3763. The bill would exempt legal, health care, and accounting practices with 20 or fewer employees from the red Flags rule's coverage.
It would also permit businesses to apply to the FTC for exclusion from the rule's coverage if they know all of their customers or clients individually, if they only perform services in or around the residences of their customers, or if they have not experienced incidents of identity theft and identity theft is rare for businesses of that type. At press time, the bill was pending before the Senate Committee on Banking, Housing, and Urban Affairs.
As a third late breaking development, the day after the district court granted the ABA's motion for summary judgment the FTC announced that it would delay enforcement of the red Flags rule until June 1, 2010, at the request of several members of Congress. This announcement, available at http://www.ftc.gov/opa/2009/10/redflags.shtm, marks the fourth extension of the rule's enforcement date, which was originally set for January 1, 2008.
Finally, taking its cue from the ABA, the American Institute of Certified Public Accountants filed suit November 10, 2009, in federal district court for the District of Columbia seeking the same exemption from the red Flags rule for the accounting profession as the court granted to lawyers.
A "good start"
Rockford lawyer J. Joseph McCoy published an explanation and analysis of the red Flags rule, "FACTA's 'red Flags' rule May Apply To Law Firms," in the June 2009 issue of the ABA's GP/ Solo Technology eReport, available at http://www.abanet.org/genpractice/ere-port/2009/vol8/num2/redflags.html.
In his article, McCoy compared the FTC's position that the red Flags rule applies to lawyers with the agency's stance 10 years ago that lawyers were "financial institutions" within the meaning of the Gramm-Leach-Bliley Act and therefore subject to that statute's requirements. While litigation at that time also resulted in an order determining that lawyers were not subject to the statute's coverage, McCoy pointed out significant differences between that statute and the red Flags rule and cautioned that lawyers should not assume that the ABA's success in that litigation would necessarily presage success in litigation over the red Flags rule's coverage.
Though recognizing that the district court's ruling is a "good start" for the ABA, McCoy notes that the reported comments of the FTC's general counsel, Willard Tom, show that the agency still believes that the rule should apply to lawyers and suggest that an appeal may be forthcoming. McCoy says he'll be interested in reading the court's memorandum opinion once it's issued to compare its reasoning with that of the court in the Gramm-Leach-Bliley litigation.
McCoy believes the recent red Flags developments indicate that the FTC, the court, and Congress are "all operating in tandem to ensure that the red Flags rule is properly interpreted and en forced where the risk of identity theft is the greatest." He comments that with the passage of Hr 3763, the House appears to have expressed its view that the scope of the rule as interpreted by the FTC is overly broad. "The entities that the bill would exclude from red Flags coverage are some of those who would be the most financially burdened by having to implement an identity theft prevention policy."
The ABA's red Flags homepage contains links to the district court's order and many other documents at http://www.abanet.org/poladv/priorities/redflagrule/home.shtml. you can read the text and track the progress of Hr 3763 at http://www.govtrack.us/congress/bill. xpd?bill=h111-3763. As always, keep your browser pointed toward the ISBA's Illinois Lawyer Now (www.Illinoislawyernow.com) for breaking red Flags rule news and other developments.