FTC, Other Agencies Issue FAQ Guidance On Red Flag Rules

June 12, 2009 at 3:30 pm

The broadly reaching Red Flag Rules require “financial institutions” and “creditors” to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address.  The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.  

The sweeping reach of the definitions of “creditor” and “financial institution” in the Red Flag Rules, together with other confusion about the rules, has prompted the agencies to delay the compliance deadline several times.  The most recent delay, which extended the compliance deadline from May 1 to August 1, 2009, was announced by the FTC on April 30, 2009.  When it announced that delay, the FTC promised to issue additional guidance to promote better understanding of the rules.

Fulfilling this promise, the FAQs discuss numerous aspects of the Red Flag Rules, including:

  • Types of entities and accounts covered;
  • Establishment and administration of an Identity Theft Prevention Program;
  • Address validation requirements applicable to card issuers; and
  • Obligations of users of consumer reports upon receiving a notice of address discrepancy.

FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

FACTA is only one of a growing list of evolving privacy and data security mandates that organizations must address under federal and state law.  In addition to FACTA, most businesses also face other specific data security and data breach requirements under a tapestry of federal and state laws that are constantly evolving.  Beyond FACTA and these generally applicable data security and breach rules, many organizations face evolving industry-specific mandates. For example, health care providers, health plans, and their business associates are also required to update their privacy and data security practices to comply with recent amendments to the Health Insurance Portability & Accountability Act Privacy & Security Standards signed into law February 17, 2009.

Many of these federal laws provide for both civil and criminal penalties, bringing violations of these regulations under the Federal Sentencing Guidelines.  As a consequence, most organizations need to implement and administer compliance programs to manage these Federal Sentencing Guideline risks.  Even where criminal sanctions are not triggered, noncompliance with these and other data security mandates can trigger substantial judgment awards, administrative penalties, or both.

For More Information

We hope that this information is useful to you. For assistance in reviewing and updating your privacy and data security practices in light of the Red Flag Rules or addressing other compliance and risk management policies, practices or programs, assessing the strength of your controls in addressing these and other laws and regulations, or addressing other privacy, data security or compliance concerns, please contact Cynthia Marcotte Stamer at cstamer@CTTLegal.com or (214) 270-2402.

You can find more information about the Red Flag Rules and other privacy and identity theft matters here.
