First it was the lawyers. Now it's the accountants. Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute for Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants. According to the AICPA's press release, the suit was filed on November 10. For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.
The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level. The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers. As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.
It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers. It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits. As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear. Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule require that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.