|
Under the Federal Trade Commission's "Red Flags Rule," financial institutions and creditors must develop protocols to detect and prevent identity theft. The new deadline for complying with this Rule is November 1, 2009. Originally, the deadline for complying with the Rule was November 1, 2008 but it was postponed several times. See the FTC announcement at http://www.ftc.gov/os/2009/07/P095406redflagspolicy.pdf.
The Red Flags Rule (16 CFR §681.2) was issued under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) (Pub L 108-159, 117 Stat 1952) to combat identity theft by mandating that financial institutions and creditors implement procedures to detect and respond to specific activities or patterns (known as "red flags") that could indicate identity theft. The Rule is broadly written and appears to apply to attorneys who bill for services. See 16 CFR §681.1(b)(5); 15 USC 1681a(r)(5); 15 USC 1691a(e) ("creditor" defined as "any person who regularly extends, renews, or continues credit"). For that reason, the ABA along with state bar associations from Arkansas, Colorado, Illinois, New York, Ohio, and Virginia have objected to the FTC on the grounds that the Rule requires lawyers to become involved in preventing identity theft and is thus destructive of the attorney-client relationship. See Wise, FTC Rule on Identity Theft Draws Strong Criticism From Bar Groups, New York Law Journal, July 1, 2009.
For guidance from CEB, see detailed discussion of the Red Flags Rule in Privacy Compliance and Litigation in California §10.28 (Cal CEB 2008).
|
