Custom Search

Wednesday, July 29, 2009

FTC delays enforcement of the Red Flag Rules ... again!

The Red Flag Rules, which require certain types of businesses, including some small businesses, to come up with and implement procedures to prevent identity theft, was supposed to go into effect on August 1. Key words being "supposed to". It was also supposed to go into effect on May 1 and even on November 1 of last year.

Its now delayed to November 1, 2009, one year to the day from when it was "supposed to" go into effect. Joe Campana at the Identity Theft Examiner sums up what this latest delay means:

"Further delay in enforcement may mean that many businesses will sit on the sidelines again to wait and see what happens when November 1st comes around. For most businesses, enforcement does not mean an audit, inspection or test. It simply means that if an identity theft incident occurs within a business, and there was a violation of the Red Flags Rule, then the law can be enforced by the FTC, the state attorney general or through a private right of action.

In the press release, the FTC suggests it would not enforce the law against to small low-risk businesses that are likely to 'know their customers.' Reviewing FTC enforcement of other laws over the last few years, shows that the FTC in general does not enforce laws against small businesses, and that it brings few enforcement actions, which some consumer advocates have already criticized.

This delay a compliance date may suggest that small low-risk businesses do nothing. Many already do not comply with other laws such as the FACT Act Disposal Rule, the Gramm-Leach Bliley Act and state breach notification laws. However, once an enforcement date is finalized, private citizens can sue businesses under the law if they can show harm resulting from the negligent authentication of a thief using their identity. Even today, small businesses are at risk of such lawsuits brought under common law."

As I have said before, the threat of FTC enforcement of any law is virtually meaningless. I am glad that the Red Flags Rule includes a private cause of action, thereby giving it enough teeth to actually give someone pause enough to at least attempt to comply with it. That is, if it ever actually goes into effect.

No comments:

Post a Comment