CONTACT: Melissa Sharp, (202) 314-2068
Washington, April 24, 2009 — The article below by Elizabeth Milito, senior executive counsel, National Federation of Independent Business Small Business Legal Center, may be used as an op-ed for your news organization or may be cited in articles about small business and employment law.
To schedule an interview with Elizabeth Milito, contact Melissa Sharp at 202-314-2068.
NOTE: The implementation of the Red Flags rules has been delayed until November 1, 2009.
Red Flags Rules Effective August 1, 2009
Require Businesses to Develop Identity Theft Prevention Plans
By Elizabeth Milito
FACT Act and Red Flags Rules
The Fair and Accurate Credit Transactions Act (FACTA) was passed in December 2003 and is designed to prevent identity theft by protecting consumer information. The Federal Trade Commission (FTC) is charged with enforcing the act.
Small businesses that provide credit to customers should be aware of new FACTA rules from the FTC that go into effect August 1, 2009. On that date, the FTC will begin enforcing its Red Flags Rules, which require creditors to have in place programs to recognize and prevent identity theft.
What small businesses will be affected?
Virtually every small business that extends credit to customers or uses credit reports to make credit decisions about its customers will be affected. However, if your business simply accepts credit cards, without extending your own form of credit to customers, the rules are unlikely to apply to you.
What are the requirements of the Red Flags rules?
The rules require creditors to implement a written Identity Theft Prevention Program designed to detect the warning signs—or red flags—of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.
There are four main components of a complying plan:
- The plan must identify potential red flags your business is likely to come across. This includes receiving written notices from credit reporting agencies and suspicious account activity.
- The plan must establish procedures to detect the red flags you have identified in the first step.
- The third step is to act appropriately when a red flag is detected. This could mean notifying a customer, contacting law enforcement, closing an account, etc.
- The plan must be reviewed periodically to identify new potential sources of risk.
What are the penalties if I fail to comply?
Failing to comply with the new rules can lead to civil penalties under the Fair Credit Reporting Act.
Currently, fines for single violations can be up to $3,500. However, repeat violators may face a suit from the FTC and significantly higher fines.
Where can I learn more?
For questions or comments regarding FACTA, please contact the FTC at 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580, (877) 382-4357 or online at www.ftc.gov.
The FTC has published a helpful guide for businesses to learn more, including how to figure out if you’re covered and how to develop your plan.
This NFIB alert does not constitute legal advice, and you should consider consulting an attorney about any laws and regulations that are applicable in your state, locality or particular type of business.
The NFIB Small Business Legal Center is a 501(c)(3) organization created to protect the rights of America's small business owners by providing advisory material on legal issues and by ensuring that the voice of small business is heard in the nation's courts. The National Federation of Independent Business is the nation’s leading small business association, with offices in Washington, D.C. and all 50 state capitals.