Thursday, December 16, 2010

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission has extended the deadline for compliance with the Red Flags Law, which deals with identity theft, to December 31, 2010. If you bill out or extend credit for products and services, and are not paid when products or services are rendered, your dealership is subject to this law. 

Ask yourself these questions:
1. Do you offer products and services to consumers or other businesses?
2. Do you bill out or extend credit for products and services?

Answering YES to these questions means that you must:
·      Perform a risk assessment.
·      Identify all covered accounts.
·      Identify relevant red flags that may signal identity theft.
·      Implement appropriate detection and response procedures.
·      Develop a written Identity Theft Prevention Program.
·      Obtain board of directors approval for the Program.
·      Appoint in writing a Security Compliance Officer to oversee the program.
·      Train and educate staff on Identity Theft.
·      Have a plan in place to mitigate damages in case of a breach.
·      Oversee that “shared information” with vendors or suppliers is protected as well.

       Not only are credit card companies and financial institutions subject to these rules, but any company that regularly extends or merely arranges for the extension of credit is also subject to the Red Flags rule. 
If your company extends or arranges for the extension of credit, then you are considered a “creditor” and the Red Flags Rule require you to have an identity theft prevention program in place.

       The Federal Trade Commission has acknowledged the fact that they have learned that many companies have been unaware that they fall under these rules.  Therefore they have extended the previous deadlines of November 1, 2008, then May 1, 2009, October 2009, June 1, 2010, and now to December 31, 2010. 

       There are also Red Flags Rule Penalties for Non-Compliance:

  • Federal: $2,500 per individual incident (customer / transaction)

  • State: $1,000 per individual incident (customer / transaction, plus attorney’s fees)

  • After Regulatory Warning: $11,000 per individual incident.

For more information on this urgent matter, Here is the link to the FTC's Red Flag Enforcement page