Privacy and Safeguards against Identity Theft: FACTA and the Red Flags Rule

As awareness – and occurrences – of identity theft and significant corporate security breaches increase, United States government agencies have enhanced their scrutiny of businesses’ efforts to protect the confidentiality of private information by adopting new regulations with the goal of decreasing the likelihood of identity theft across the board.

Under the newly implemented Identity Theft Red Flags Regulations and Guidelines (the “Red Flags Rule”), financial services businesses that are subject to the Fair Credit Reporting Act (FCRA), which regulates credit reporting agencies and other businesses that deal with or report consumer credit, may be subject to heightened requirements to maintain the accuracy of the consumer data they control. The Red Flags Rule was a joint effort of the Federal Trade Commission (FTC), the federal bank regulatory agencies (the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision), and the National Credit Union Administration. The Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to require financial institutions and other creditors to develop and implement identity theft prevention measures. Although the Red Flags Rule became effective on January 1, 2008, the compliance enforcement deadline was extended by the FTC several times, with enforcement having commenced as of December 31, 2010.

The Rule applies to financial institutions as well as to any “creditor” that controls “covered accounts.” The definition of “creditor” extends to any entity that “regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.” Acceptance of credit cards as a form of payment, or simply advancing funds for expenses on behalf of a client or customer, does not alone make an entity a “creditor” under the Rule. Creditors include banks, credit unions, finance companies, mortgage brokers, utility companies, automobile dealers, and telecommunications providers. The definition of “covered account” includes any account “used mostly for personal, family or household purposes and that involves multiple payments or transactions.” These accounts include credit card accounts, margin accounts, checking and savings accounts, mobile phone accounts, utility accounts, mortgage loans, and automobile loans.

Under the Red Flags Rule, a covered creditor must develop and implement written identity theft prevention programs, which include measures for identifying, detecting, and responding to patterns, practices or specific activities that could indicate identity theft – the “red flags” that inspired the rule’s name. The FTC guidelines list 26 possible types of “red flags,” including: notice of a credit freeze in response to a request for a consumer report; unusual credit activity; information on a provided ID inconsistent with information provided by the person opening the account; lack of correlation between Social Security number range and date of birth; or an account that has been inactive for a lengthy time suddenly exhibiting unusual activity.

Failing to comply with the new rules can lead to civil penalties under FCRA, up to $3,500 for a single violation. Repeat violators may also face additional claims on behalf of the FTC and significantly higher fines. In addition, the State attorney general may be able to file class-action lawsuits on unfair and deceptive practices grounds, which generally permit both actual and punitive damages. A business may also be held responsible for actual losses of a victim of identity theft in the absence of a substantial written Red Flags Rule policy and documented proof of required staff training.

The full text of the Red Flags Rule can be found on the FTC’s website at: http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf.