Gunster – Banking and Financial Services, April 2009
The “Red Flags Rule” of the Fair and Accurate Credit Transactions Act of 2003 (the “Regulations”) requires all businesses which sell goods or services on covered accounts to complete an identity theft riskassessment and adopt and implement acomprehensive Identity Theft Program by May 1, 2009. The Federal Trade Commission (“FTC”) recently announced that the Regulations apply to EVERY business which sells goods or services on account for personal, family or household purposes or other accounts for which there is a reasonably foreseeable risk of identity theft. The FTC included a long list of businesses which may be subject to compliance with the Regulations, including physicians, lawyers, merchants, repair persons and even “a local store where a customer rings up a tab.” Essentially, if you are wondering whether the Regulations apply to your business, they probably do.
Identity Theft Programs must be specifically tailored to the size of a business and the nature of its operations. The rules mandate that Identity Theft Programs include reasonable policies and procedures for detecting, preventing and mitigating identity theft by enabling the business to:
§ Identify “red flags”, such as relevant patterns, practices andspecific forms of activity that maysignal identity theft;
§ Detect “red flags” that have been incorporated into the Identity Theft Program; and
§ Respond to “red flags” that aredetected to prevent and mitigateidentity theft.
The Regulations set forth specific steps that businesses must take to administer their Identity Theft Program, such as ensuring oversight by senior management of the development, implementation and administration of the Identity Theft Program, overseeing service provider arrangements and training staff.
Every business subject to the Regulations is required to continually update their Identity Theft Program to reflect changes in risks from identity theft,prepare and review annual reports andobtain approval of the Identity Theft Program by the board of directors or a committee of the board.
This publication is for general information only. It is not legal advice, and legal counsel should becontacted before any action is taken which might be influenced by this publication.
