The Trusted Adviser August 2009 | Volume 2 - Number 6

IN THE NEWS | Identity Theft

The Red Flags Rule - Professional Practices

by Stuart H. Wolf

EDITOR'S NOTE: This article is the copyright of Stuart H. Wolf, all rights reserved, and is reprinted here with permission.

The Federal Trade Commission (FTC) estimates that nine million Americans have their identities stolen each year. In response to this growing threat of identity theft, Congress passed The Fair and Accurate Credit Transactions Act of 2003 (FACTA). Contained within FACTA is the Red Flags Rule, originally intended to be applicable to the financial industry and businesses regularly extending credit. The FTC, however, is intent on extending the rule to small businesses, professional practices and even not-for- profit organizations.

The Red Flags Rule requires many businesses and professions, including attorneys, to determine whether their practices are covered by the Red Flags Rule and, if so, to develop and adopt a written program to detect, prevent and minimize damage that could result from identity theft. Whether your professional practice is covered by the Red Flags Rule is based upon whether your practice falls within the Rule's definitions of "creditor" and "covered account."

If you bill clients for fees after services are provided, help clients obtain credit from other sources or allow clients to set up payment plans after services are rendered, you are within the definition of Acreditor@ under the Red Flags Rule. If you open and maintain accounts for clients allowing multiple payments, you fall within the Red Flags Rule Acovered accounts@ definition. Fall within both definitions, as most professional practices will, and you need to adopt a written Identity Theft Prevention Program.

The Red Flags Rule contains certain requirements. You should, however, adopt a program that best suits the business operations of your practice. Any Identity Theft Program should complement any fraud prevention or security program already in place, as well as programs that are currently in place or will need to be adopted for privilege, confidentiality, general security, and Privacy Act compliance.

The FTC has provided a sample template for risk determination and plan adoption. The template is, in my opinion, woefully lacking in detail and direction. Various professional trade associations have published sample policies and procedures. While the intent and guidance of these sample policies may be laudable, they too are lacking in external guidance and, unfortunately, apply a "one size fits all" philosophy. A practice specific program developed with key staff input should be developed.

While compliance with still another government required program could be viewed solely as "the pain" that it is, it can also be viewed as a serious opportunity to review and revise overall office security and privacy protection programs. You may also be obligated to advise your business and professional clients of the Red Flags Rule and its possible applicability to them.

This article is for informational purposes only and is not intended to be and should not be considered as, or a substitute for, legal advice. This article is not intended to nor does it create an attorney-client relationship. You should not act (or fail to act) based upon information in this letter without first adequately reviewing the law or consulting with your attorney and receiving guidance from your attorney.






THE TRUSTED ADVISER is published by Attorneys’ Title Guaranty Fund, Inc., P.O. Box 9136, Champaign, IL 61826-9136. Inquiries may be made directly to Mary Beth McCarthy, Corporate Communications Manager. ATG®, ATG® plus logo, are marks of Attorneys’ Title Guaranty Fund, Inc. and are registered in the U.S. Patent and Trademark Office. The contents of the The Trusted Adviser © Attorneys' Title Guaranty Fund, Inc.

[Last update: 7-29-09]