The Federal Trade Commission ("FTC") this morning granted a third delay in enforcement of the Identity Theft Red Flags Rule until November 1, 2009. Therefore, the compliance date set forth in the July 28, 2009 Alert on this subject should be changed from August 1, 2009 to November 1, 2009.
In a news release issued on July 29, 2009, the FTC said it will "redouble" its efforts to educate small businesses and other entities about compliance with the Red Flags Rule and will provide additional resources and guidance to clarify whether businesses are covered by the rule. For these reasons, the FTC said it was delaying enforcement to give more time to "creditors" and "financial institutions" to review guidance and develop and implement written Identity Theft Prevention Programs.
The FTC noted that many covered entities have already developed and implemented appropriate programs, but others remain uncertain about their obligations. The additional compliance guidance the FTC intends to provide is designed to help entities resolve whether they are covered by the rule and what they must do to comply with it.
The U.S. House of Representatives' Appropriations Committee had requested that the FTC further delay enforcement of the Red Flags Rule to enable the Commission to provide additional guidance on efforts to minimize the burdens of the rule on health care providers and small businesses with a low risk of identity theft problems. The FTC's grant of a further delay is consistent with that request.