A how-to guide has been published by the Federal Trade Commission to help businesses comply with rules requiring a written policy and procedures to prevent and respond to identity theft.
The guide, “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business,” goes a long way toward clarifying which types of businesses are covered and how to comply.
“It’s a tremendous improvement over the original definitions,” said Margaret E.M. Utterback, a partner at Madison-based Quarles & Brady, who advises businesses on identity theft and security breaches. “Businesses can be much more confident that they either need to be compliant or that they are not covered.”
The so-called “red flags” identity theft rule has been a source of ongoing confusion and litigation because the original definition of “creditors” was so broad that it caught virtually any business that billed clients for payment, including doctors and lawyers.
Congress stepped in and exempted lawyers and other professionals from the rules.
The new guide makes clear that the rules apply only to businesses that “regularly and in the ordinary course of business” use credit reports or make reports to a credit agency in connection with a credit transaction.
The FAQs section offers several examples of businesses that would not be covered, such as an employer who reviews credit reports to screen job applicants, a professional who allows clients to pay later by billing monthly, or a lawyer who advances filing fees or other costs for clients.
The guide also gives concrete examples of some common red flags that might be a tip-off to identity theft, such as documents that look altered or torn up and reassembled, or sudden changes in otherwise regular account activity.