Law Firm, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.