The Red Flags Rule

“Business throws credit card receipts,
unshredded, into dumpster.”

“Computer system is hacked into;
credit information stolen.”

These headlines are part of a recurring theme on the evening news – data breaches. The federal government has taken notice and is now instituting regulations requiring businesses, including certain franchise systems, to take measures to protect private and confidential information.

Along with other federal agencies, the Federal Trade Commission has issued a Red Flags Rule requiring “financial institutions” and “creditors” to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.¹

The Red Flags Rule may apply to businesses that do not typically think of themselves as “creditors” (much less as “financial institutions”), so every business should review the definitions of these terms to see if it is subject to the Rule. Federal agencies have clarified that the term “creditor” should be interpreted broadly to include all entities that defer payments, even in the normal course of a traditional billing process, even if there is no finance charge or agreement for installment payments.

A franchisor may be subject to the Red Flags Rule if it uses consumer credit reports in evaluating prospective franchise candidates. As a user of these reports, the franchisor must develop reasonable policies and procedures when it receives a notice from a consumer reporting agency of an address discrepancy or other information that indicates an identity theft may be occurring. In addition, if the franchised business offers extended credit terms to consumers, franchisees may be “creditors” engaging in consumer transactions that come under the definition.

The Red Flags Rule is designed to allow the business flexibility to design and implement a program that is appropriate to its size and complexity, as well as to the nature of its operations. At a minimum, however, the program must provide for identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. Once identified, the program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by senior-level employees who receive appropriate staff training and provide for oversight of any service providers. And finally, the program cannot simply be announced and then placed on the shelf. The Rule requires that programs be evaluated and updated regularly.

While the FTC has delayed the effective date of the Red Flags Rule three times (now to November 1, 2009), it is essential for businesses to develop and implement compliance plans now, if they haven't already, both for legal compliance and to minimize the intense business pressure that accompanies a data breach. According to public sources, over 263,000,000 records containing sensitive personal information have been involved in breaches in the U.S. since January 2005. Watchdog websites keep tallies on businesses who fail to properly maintain consumer information, and the public scrutiny that accompanies such breaches can result in a major consumer backlash. The overwhelming number of breaches that have occurred recently suggest if a franchise system has not already suffered a data breach, chances are it will in the future. For all of these reasons, it is critical to conduct a careful analysis and implement an effective security plan before a breach occurs.

¹ For more detailed information on the Red Flags Rule and data breaches, see the paper “Protecting Personal Data – Strategies for Dealing with a Data Breach,” Donna Christopherson, Kirk Nahra, Michaele Weatherbie, and Steven Toporoff (presented at the 2009 IFA Legal Symposium).