Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Alerts and Updates

"Red Flag" Rules May Snare Unsuspecting Businesses

September 16, 2008

"Red Flag" Rules May Snare Unsuspecting Businesses

September 16, 2008

Read below

The OCC, FDIC, Federal Reserve, FTC and other federal regulators recently issued a series of rules and guidelines to counter identity theft. These new "red flag" rules and guidelines are not just applicable to financial institutions and traditional creditors. Every business that maintains "covered accounts" must comply with the red flag rules by November 1, 2008. [UPDATE: The FTC pushed back the compliance date for "red flag" rules to May 1, 2009. Additional rules that were published at the same time that apply specifically to credit and debit card issuers and to certain users of consumer reports still require compliance by November 1, 2008.]

The definition of "covered account" is broad and includes all consumer accounts that permit multiple payments or transactions, and any other account posing a reasonably foreseeable risk to a consumer or business from identity theft. In addition to traditional credit extended by financial institutions, the definition also includes all types of trade credit and other payment terms extended by merchants to customers, such as cell phone accounts, utility accounts and used car loans. The rules also suggest that small business or sole proprietorship accounts may also be included in the definition.

Businesses that maintain "covered accounts" must develop and implement programs designed to detect, prevent and mitigate identity theft and particularly focus on "red flags" that should raise suspicion. Failure to comply may result in civil liability to consumers for actual damages, nominal damages when actual damages cannot be proved, punitive damages and attorney's fees, as well as administrative enforcement by the FTC or other relevant regulator.

For Further Information

Please see our Alert dated July 30, 2008.

If you have any questions regarding these regulations, including how they may affect your company, please contact a member of the Information Technologies and Telecom Practice Group or the lawyer in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.