Implementation of a Federal Trade Commission rule that will require certain businesses, such as financial services and health care providers, to take stronger identity-protection measures than they may already have in place has been delayed until August 1. That gives such organizations more time to prepare for the new rules, at the same time causing firms specializing in identity-theft prevention to further ramp up marketing and outreach efforts. It also has them chomping at the bit to cash in on the mandatory investments some businesses will have to make in the products and services they peddle. “Unfortunately, businesses have not stepped up to protect their customers, members or patients,” said Steve Bearak, CEO of Identity Force, a Framingham, Mass. company, with clients in the greater Valley area. The new rules, known collectively as the “Red Flags Rules,” require companies that heavily manage personal information in the course of doing business to identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft. In addition to identifying problems, the new rules require organizations to incorporate those red flags into a formalized identity-theft protection program. Furthermore, they must respond appropriately to any red flags that are detected to prevent and mitigate identity theft, as well as ensure their identity-theft programs are updated periodically to reflect changes in risks from identity theft. Yet, the latest delay in implementing the rules, which were created by Congress as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), comes after a previous six-month reprieve. “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use (a) template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said. In general, according to the FTC, with FACTA, congress directed covered businesses to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Who must comply All businesses that are defined by FACTA as “creditors” must comply with the rules. However, simply accepting credit cards as a form of payment does not mean a company falls under the authority of the Fed Flag Rules regime. Still nearly all financial institutions do. “We want financial institutions and creditors to know that they are covered by the Red Flags Rules and to understand what is required of them,” said Lydia Parnes, Director of the Bureau of Consumer Protection at the Federal Trade Commission. On the healthcare front, local hospitals have been relying on industry associations for guidance on FACTA. The American Hospital Association (AHA), which distributed a sample identity-theft policy for its members last year, has new advice for hospitals and medical associations as the new August deadline approaches. “While it may be appropriate to start with the sample policy, the regulation requires that the program be appropriate for the organization’s size and complexity and the nature and scope of its activities,” said Lawrence Hughes, AHA assistant general counsel. “Each organization must adapt the sample document to address the specific risks they face and to ensure an appropriate and reasonable organizational response to those risks.” But, some hospitals in the region are ahead of the game. For one, Providence Health & Services claims its two local hospitals are in full compliance with the Red Flag Rules. “We have had a strict policy of protecting our patients’ personal information in place for years,” said a spokesperson for Providence. “The Red Flag Rules don’t represent a challenge for us, as our own rules meet and exceed the government’s.”
