Privacy & Information Security Law Blog

On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.”  The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

If passed, H.R. 6420 would add a more narrow definition of “creditor” to Section 615(e) of the FCRA, which currently defines creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”  In response to concerns that the current FCRA definition improperly extends the Red Flag’s scope to implicate certain entities, including attorneys, law firms and health providers, the proposed definition would exclude those “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  The amended definition also would apply to other creditors if their regulating authority promulgates a rule pursuant to “a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  H.R. 6420 was introduced in response to the FTC’s call for Congress to clarify the scope of the Red Flags Rule.  The FTC delayed enforcement of the Red Flags Rule until December 31, 2010, to provide Congress an opportunity to legislate on the issue.

For more information on the debate, read our June post regarding the FTC’s intent to temporarily exempt health care providers from the Red Flags Rule.  In February, we reported on the FTC’s appeal of a D.C. District Court judgment in favor of the American Bar Association, which held that the Red Flags Rule does not apply to attorneys or law firms.