Client Alert
FTC Grants Six-Month Delay of Enforcement of Red Flag Rules
Carriers Still Should Work Swiftly Toward Red Flag Compliance
October 31, 2008
The Federal Trade Commission (“FTC”) recently announced that it will suspend enforcement of its "Red Flag Rules" ("Rules") until May 1, 2009, to give entities additional time to develop and implement written identity theft programs. The Rules were implemented under the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) in response to widespread concerns about misuse of personal information of consumers, including identity theft. The FTC initially required entities to comply by November 1, 2008.
The application of the FTC’s rules is extremely broad, and includes telecommunications providers. The Rules apply to creditors and financial institutions. By way of example, the FTC expressly states that these new rules apply to providers of cell phone, telecommunications, or retail utilities services. Determining whether your business or enterprise is covered by the new Red Flag Guidelines requires a careful review of definitions in the FACT Act and the new regulation. Simply stated, the new rule's coverage is based on what you do and not who you are.
The Rules are not about security breaches or loss of data. The FTC established the Rules to prevent identities from being stolen and used to obtain goods or services via covered accounts. A “covered account” is a typical customer account that involves multiple payments or transactions and can include: cell phone accounts, utility accounts, checking accounts, credit card accounts, mortgage loans, or auto loans. If your company is providing service on credit or through a covered account, you need an appropriate identity theft prevention mechanism in place, and it must provide for the identification and detection of, and response to, patterns, practices, or specific activities ("red flags") that could indicate identity theft. Specifically, a program should:
- Identify relevant patterns, practices and specific forms of activity that are "red flags" signaling possible identity theft, and incorporate those red flags into the program;
- Detect red flags when they occur;
- Respond appropriately to any red flags detected to prevent and mitigate identity theft;
- Ensure the program is updated periodically to reflect changes in risks from identity theft as your business model evolves; and
- The program must be managed by your Board of Directors or senior employees and must include appropriate staff training and oversight.
Please contact Jennifer Kashatus at (202) 857-4506, Eric Breisach at (202) 857-4446, or the Womble Carlyle attorney with whom you usually work if you have specific questions regarding the applicability of these rules to your company. Womble Carlyle is happy to assist you in conducting your "red flag" analysis and developing the best compliant program for your business.
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.
