Editor’s Note: Bridget L. Welborn is a member of the Business and Health Care Practice Groups at Ward and Smith, P.A.

According to statistics published by the Better Business Bureau, nearly 9,000,000 Americans were victims of some form of identity theft in 2007 alone. The cost to repair damage resulting from identity theft affects individuals and businesses alike. As a result, the Federal Trade Commission ("FTC") recently issued regulations requiring financial institutions and business creditors to play an active role in the identification, mitigation, and prevention of identity theft. All creditors with covered accounts and all users of consumer credit reports must implement a written identity theft prevention program addressing the "red flags" of identity theft and the "address discrepancies" found in many consumers’ credit reports. The FTC recently extended the effective date of the Identity Theft Red Flag Rule ("Red Flag Rule") until May 1, 2009. The Address Discrepancy Rule became effective on November 1, 2008.

Red Flag Rule: Are you a "Creditor" and do you have at least one "Covered Account"?

Whether a business must comply with the Red Flag Rule depends on whether it is a "creditor" with "covered accounts." A "creditor" includes any business entity that regularly extends, renews, or continues credit. If a business defers or allows deferral of payment by its customers, it enters into a debt relationship with such customers and is a creditor. Practically speaking, most businesses that offer payment plans to customers, or otherwise allow customers to pay over time or in installments, are creditors.

A "covered account" is a credit account offered or maintained primarily for personal, family, or household purposes and which permits multiple payments or transactions. A covered account includes any account for which there is reasonably foreseeable risk of identity theft to customers or the creditor. The definition of covered account leaves a lot to interpretation. There is no practical guidance as to what constitutes a foreseeable risk of identity theft, leaving open the possibility that all businesses have covered accounts.

Red Flag Rule Compliance: Identify, Detect, Respond, and Update

A business that is a creditor with covered accounts must develop and implement a written Identity Theft Prevention Program ("Program") before May 1, 2009. While a great amount of flexibility exists in designing policies under such a Program, the following requirements must be included in each Program:

• Identify. The Program must include procedures to allow the business to identify warning signs (or "red flags") of identity theft when they occur. The Red Flag Rule lists 26 potential red flags. These red flags include inconsistencies in the identifying information and the credit history of a customer, or the use of a photocopied driver’s license as proof of identification. Each creditor with covered accounts must create a list of potential red flags specific to its business and tailored to its specific practices and patterns. The list may include the 26 items listed in the Red Flag Rule.

• Detect. Once potential red flags are identified, the business’s Program must include procedures for detecting them when they occur. This requires understanding how the business creates and maintains its covered accounts and how these accounts are accessed. For example, a large business with numerous covered accounts will need more oversight of and planning for its detection procedure than a small business that knows all of its customers personally.

• Respond. A Program must specify how the business will respond to prevent or mitigate identity theft once a red flag is detected. All responses should be appropriate to the degree of risk posed by the detected red flag. If a response is required, the Red Flag Rule provides guidance as to acceptable responses, which include routinely monitoring identified covered accounts, follow-up questioning of a customer, closing a covered account, or notifying law enforcement. If the business determines that no response is needed after a red flag has been detected, there must be a reasonable basis for such a conclusion.

• Update. The Program cannot be a one-time assessment. The Red Flag Rule requires periodic updates of each Program to determine what other potential red flags have been identified over time and to assess whether previous policies under the Program are working. Updates should occur systematically to limit or minimize the occurrence of new red flags.

In addition to establishing the required elements of a Program, the Red Flag Rule governs the administration of the Program. Any Program must be approved by the governing body or appropriate committee of the business, and such governing body, appropriate committee, or senior management employees must be involved in the oversight, development, implementation, and administration of the Program. Additionally, the Red Flag Rule requires that all business staff and management be trained, as appropriate, to implement the Program effectively.

Address Discrepancy Rule

The FTC Address Discrepancy Rule requires regular users of consumer credit reports to implement policies and procedures to respond to discrepancies in reported consumer addresses. While this Rule is completely separate from the Red Flag Rule, the FTC will allow creditors with covered accounts who are also users of consumer credit reports to implement one Program addressing both Rules. The Address Discrepancy Rule applies to any business that actively uses nationwide credit reports, and requires such business to have policies to address credit reports it requests for consumers that result in a Notice of Address Discrepancy. A Notice of Address Discrepancy is generated when the address given by the business requesting the report is substantially different from the address on file with the credit bureaus.

The purpose behind the Address Discrepancy Rule is to help ensure that a credit report relates to the consumer about whom the business requested information. Much like the Red Flag Rule, a business subject to the Address Discrepancy Rule has flexibility to develop and implement policies and procedures specific to its business.

Unlike the Red Flag Rule, however, the Address Discrepancy Rule applies to only those businesses that actively use nationwide credit reports, thereby making it less applicable than its Red Flag Rule counterpart. Whatever policies and procedures are implemented by a business subject to the Address Discrepancy Rule, the result must enable such business to (1) form a reasonable belief that it knows the identity of the customer and (2) reconcile the address discrepancy with the credit bureau issuing the Notice of Address Discrepancy. Otherwise, businesses are free to construct policies as they see fit to account for address discrepancies. Time will tell if more guidance is necessary.

The purpose behind the Red Flag and Address Discrepancy Rules is not to create more "red tape," but to prevent and mitigate future threats of identity theft and misidentification, which are becoming more prevalent as businesses and consumers do more business electronically. These Rules do not specify or target any particular industry. Therefore, businesses of all types will have to comply.

© 2008, Ward and Smith, P.A.

Ward and Smith, P.A. provides a multi-specialty approach to the representation of technology companies and their officers, directors, employees, and investors. Bridget L. Welborn practices in the Business and Health Care Practice Groups at Ward and Smith. Comments or questions may be sent to blw@wardandsmith.com.

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.