How Long Will Red Flags Rule Enforcement Stay in Its Holding Pattern?
The Federal Trade Commission (FTC) has pushed back the enforcement date for the Red Flags Rule yet again – this time to December 31, 2010. The original compliance date for this rule was November 1, 2008, and it has since been pushed back four other times: May 1, August 1, and November 1 of 2009, and then to June 1, 2010. The reasons for the delays have varied, though mostly they were meant to give businesses that the FTC classified as covered entities the chance to further prepare. However, this latest delay comes at the request of several members of Congress, who are considering legislation that may limit the scope of entities covered under the rule.
To add to this debate, opponents from many different industries have been pushing for exemption – the AMA filed a lawsuit on May 21 that argues for physician exemption, and last November, a federal court blocked the rule from being applied to attorneys. The FTC is appealing that decision. Meanwhile, H.R. 3763 and S. 3416 are making their way through the House and Senate respectively, with basically the same objective – to exempt law firms, accounting firms, and medical practices with 20 or fewer employees from the Rule.
In reviewing H.R. 3763, it seems the thought process is that a small business is more likely to know all of its customers, have a limited area of service, and/or have a very low chance of encountering incidents of identity theft. The funny thing about this is that the FTC has, all along, encouraged businesses to scale their Red Flags plan according to their own level of risk. From the FTC’s How-To Guide for Business: “If identity theft isn’t a big risk in your business, complying with the Rule should be simple and straightforward, with only a few red flags.” Of course, if H.R. 3763 becomes law, small businesses that fit its description won’t have to comply at all.
The Red Flags Rule covers some things businesses should do simply as best practices to lessen fraud and protect their customers. But it is understandable why suddenly changing “best practice” to “rule” and adding in terms like “government enforcement” and “fines” makes this a very scary prospect. Is this rule too much of a burden for small businesses – or for certain industries, for that matter? Let us know your thoughts on this ongoing debate.
By Melissa Sandefur
Research Analyst, Kroll Fraud Solutions