The FTC’s red flags rule: Are you in compliance?

Posted on 01 November 2009 by admin

According to the Federal Trade Commission, as many as 9 million Americans experience identity theft each year. The Red Flags Rule, a law the FTC will enforce Nov. 1, requires certain businesses and organizations to develop a written program to spot the warning signs of identity theft and respond appropriately. The FTC has issued a guidebook for developing a program entitled “Fighting Fraud with the Red Flags Rule: A How-To Guide for Business,” available at www.ftc.gov/redflagsrule.

Importantly, you need not reinvent the wheel to comply with the rule. Many organizations have policies in place for identifying and preventing identity theft. Those policies should be used as the starting point for written programs under the Red Flags Rule.

Creditors with covered accounts

The rule applies to your organization if it falls within both of the law’s two key definitions: creditor and covered accounts. The rule defines a creditor as any company that “regularly defers payment for goods or services (or arranges for the extension of credit) and then bills customers later.” Accepting credit cards does not make your organization a creditor, but if you bill customers after the fact, you are likely a creditor under the rule.

The rule applies to financial institutions and creditors with covered accounts. A covered account is defined as either: 1) a consumer account that allows multiple payments or transactions, or 2) any other account with a reasonably foreseeable risk of identity theft. Given the broad scope of these definitions, many types of organizations will likely need to comply with the rule.

Implementing a program

Implementation begins with making a risk assessment of any covered accounts to determine the possibility for identity theft. If your organization is covered by the rule, you need to adopt a written policy specific to your organization and have it approved by your board of directors or senior management.

The FTC requires that your written policy must: 1) specifically identify red flags, or signs of possible identity theft, relevant to your business; 2) describe your process for detecting them; 3) explain how you’ll respond to red flags to prevent and mitigate identity theft; and 4) comment on how you’ll keep your program current. The program must initially be managed by the board or by your senior employees in the absence of a board.

The rule also requires an annual review of the program, including evaluation of staff training and methods for monitoring any third-party service providers.

Identifying red flags

There is no standard set of red flags that would signal identity theft for a particular organization. The rule sets forth five categories of red flags: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious personal identifying information; unusual use of, or suspicious activity relating to, a covered account; and notices from customers, identity theft victims, law enforcement or other organizations about possible identity theft. Supplement A to the Red Flags Rule sets out some examples and can also be found at www.ftc.gov/redflagsrule.

Enforcement

Based on consumer complaints, outside tips, and other industry information, the FTC will investigate organizations that are potentially non-compliant. Up to a $2,500 federal penalty per knowing violation is possible. The method for calculating violations of the Red Flags Rule is unclear, but it is possible the penalty could be assessed for each covered account held by the organization. State attorneys general also have enforcement authority under the rule. When no federal enforcement action is pending, states may issue up to a $1,000 penalty per willful or negligent violation.

Complying with the rule will help mitigate the risk of identity theft to your customers. The cost of that prevention is small compared with the potential harm to your organization.

Louis E. Ebinger is an attorney with Simmons Perrine Moyer Bergman PLC, Cedar Rapids. He can be reached at (319) 366-7641 or lebinger@simmonsperrine.com.

1 Comment For This Post

  1. SIEGENER PARTYSERVICE Says:

    Such a useful blog…wow !!!!
