Identity Theft Prevention Program Required Under Red Flags Rules

Do you know you may need to develop and implement an identity theft prevention program for your firm?  Yes, it’s not just something important to do.  And it’s not just something important for you to inform some of your clients (Financial Institutions and Creditors) that they have to do.  It’s something you may be required to do under the new “Red Flags Rules”. 


The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.  Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.


Until recently, many entities, including health care institutions, telecommunications companies and educational institutions, did not realize they were considered “creditors” under the rules and complained they could not come into compliance in time for the November 1 deadline.  As a result, the Federal Trade Commission has extended the deadline to May 1, 2009.


In an informative article entitled “Lawyers rush to advise on new identity theft rules,” which appeared in LawyersUSA, Columbus, OH attorney Jack Gravelle opines that law firms themselves may be covered by these rules.  “To the extent that firms extend credit by billing clients rather than accepting payment at the time of service, they appear to fall under the definition [of creditor],” he states.


Some states have already issued ethics opinions regarding an appropriate law firm response and client communication when the security of confidential client information has been breached.  Whether these same opinions will be applied to potential or actual identity theft remains to be seen.  Certainly some states will issue opinions specifically on this matter to better clarify the attorney’s responsibilities.


I personally know of one case of identity theft perpetrated upon a PA law firm.  The plaintiff who received a settlement check was actually impersonating the actual plaintiff.  The check was long cashed and the thief had disappeared by the time the real plaintiff appeared asking for his award.


There is a wealth of information available on the FTC site in the section on Identity Theft regarding the regulations, guidance on how to deal with a data breach, and even sample recommended notification correspondence.



