The Federal Trade Commission (FTC) requires that financial institutions and creditors develop and implement identity theft prevention programs by November 1, 2008, pursuant to regulations (see 16 C.F.R. Part 681) promulgated under the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. No. 108-159, 117 Stat. 1952).
The new regulations, sometimes referred to as the FACTA Red Flag Rules, define the terms “financial institution” and “creditor” very broadly, covering many different types of entities, thus creating the need for all entities to assess whether, and to what extent, they are subject to the regulations. “Financial institutions” include not only banks, savings and loan associations and credit unions, but also any person or entity that holds a “transaction account” belonging to an individual, where a “transaction account” is “a deposit or account on which the depositor or account holder is permitted to make withdrawals … for the purpose of making payments or transfers to third persons or others.” The definition of a “creditor” extends beyond finance companies, mortgage brokers and other lenders to include “any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” This definition could potentially encompass any entity that allows deferred payment for its products or services, including, for example, utility companies, automobile dealers, telecommunications companies, law firms, hospitals and educational institutions.
All financial institutions and creditors that are subject to the regulations are required to periodically determine whether they maintain or offer any “covered accounts,” a term defined to include two different types of accounts: essentially, (1) certain consumer accounts, and (2) non-consumer accounts for which there is a reasonably foreseeable risk of identity theft. Consumer accounts that are “primarily for personal, family or household purposes” and that involve “multiple payments or transactions” automatically constitute covered accounts, regardless of the risk involved with such accounts. If a financial institution or creditor has no qualifying consumer accounts but maintains other types of accounts (i.e., non-consumer accounts), it must conduct a risk assessment to determine whether there is a reasonably foreseeable risk of identity theft with respect to such other accounts. If a foreseeable risk exists, such other accounts constitute covered accounts.
Each financial institution and creditor that maintains one or more covered accounts is required to establish, implement and maintain an identity theft prevention program, approved by the entity’s board of directors, with regard to such accounts. The program must be appropriate to the size and complexity of the entity and the nature and scope of its activities. The program must also include policies and procedures to identify, detect and respond to “Red Flags,” which are patterns, practices or specific activities regarding the covered accounts that indicate the possible existence of identity theft. Guidelines included as an appendix to the regulations provide factors to consider in identifying Red Flags, sources and categories of Red Flags, and suggestions for updating and administering the program.
In addition to the FACTA Red Flag Rules issued by the FTC, there has been considerable legislation at the state level imposing security and privacy obligations on companies that maintain or collect information about residents of the respective states. For example, a new Connecticut law that becomes effective October 1, 2008 imposes duties upon “any person in possession of personal information of another person” to safeguard and properly destroy the information. The law also requires “any person who collects Social Security numbers in the course of business” to create and publicly display a privacy protection policy in accordance with the law’s requirements. (CT Public Act No. 08-167.) Entities that maintain personal information of individuals should keep abreast of the rapidly changing laws and requirements with regard to the protection of such information.