FTC Sends up a Red Flag


A day before it was to start to enforce the Red Flag Rules, the Federal Trade Commission (FTC) announced it was extending the enforcement deadline again, until August 1, 2009. The rules went into effect November 1, 2008. The FTC pushed back the enforcement deadline to May 1, 2009. According to FTC officials, the deadline was extended to give associations the ability to best determine how to comply and Congress time to determine if the guidelines are too broad. The Red Flag Rules require financial institutions and creditors to develop programs to identify and respond to identity theft issues.


According to the FTC, nine million Americans have their identities stolen each year. So, with the amount of identity theft that takes place, wouldn't you think the FTC would push to enforce the Red Flag Rules? I feel that the FTC is putting industry needs before the needs of the millions that have their identities stolen each year.


Now, I realize that there is a financial commitment on the part of organizations to implement the Red Flag Rules. Everything has a cost associated with it. I have been involved in mandatory implementation of federal regulations, like HIPAA, as well as non-mandatory standards, like CMMI and ISO9000 certifications. The costs of these programs can be rather high. The FTC guidelines spell out a four-step framework:


  1. Your program must include policies and procedures to identify "Red Flags." Red Flags include patterns that might indicate identity theft.
  2. Your program must be able to detect the Red Flags you identified in step 1.
  3. You must spell out the actions you will take after you detect a Red Flag.
  4. You must spell out how you will evaluate your program on a continual basis.


I personally know people who have had their identities stolen and it was quite a job for them to clear things up. I'll bet that if anyone in Congress or the FTC had their identities stolen, these "Guidelines" would be implemented immediately.


Has your organization taken the steps to implement the Red Flag Rules yet? If not, when will you implement your program?