On May 28, 2010, the Federal Trade Commission (the “FTC”) once again extended the enforcement deadline for the Red Flags Rule (the “Rule”) while Congress considers legislation that would affect the scope of the Rule with respect to the types of entities required to comply with the identity theft protection measures the Rule mandates. The new enforcement deadline is December 31, 2010.

The compliance deadline for the Rule has been extended by the FTC multiple times since the original November 1, 2008 deadline because the breadth of the Rule caught many members of the business community by surprise. The scope of the FTC’s Rule has been challenged by the American Bar Association and the American Medical Association, both of which take issue with the FTC’s position that doctors and lawyers are subject to the Rule. At the heart of this debate is the breadth of the interpretation of the types of persons deemed “creditors” who, along with “financial institutions,” are required to implement written identity theft prevention programs to detect identity theft “red flags.” The legislation that Congress is currently considering is aimed at clarifying and narrowing the types of persons deemed “creditors” under the Rule, thereby freeing some businesses from the requirement to implement an identity theft prevention program.

Entities subject to other Federal agencies’ enforcement of the Rule are not impacted by this or any of the previous FTC extensions.

For more information on the latest extension of the compliance deadline, please see the FTC’s Press Release.

Please also see our prior Client Alerts on the Red Flags Rule, “Another Yellow Light for FTC’s Enforcement of Red Flags Rule,” and “The Red Flags Waive for Thee! Extended Red Flags Rule Compliance Deadline is August 1, 2009.”