FTC Pushes Back Identity Theft Rules Deadline -- for Fifth Time
The Federal Trade Commission (FTC) has once again pushed back its enforcement deadline for an identity theft --lated regulation called the Red Flags Rule.
The rule requires financial institutions and other organizations that extend consumer credit to develop and implement written policies for detecting and preventing identity theft.
Before this latest deadline change, the FTC was to have started enforcing the rule on June 1. Under the new deadline, it will now start doing so only after Jan. 1, 2011.
The FTC noted in a statement that the delay was prompted by requests from "several members of Congress" who are working on limiting the scope of the Red Flags Rule.
In the statement, the FTC expressed hope that Congress would work quickly on addressing certain "unintended consequences" of the legislation.
The FTC has previously delayed enforcement of the rule on four different occasions, the most recent being in October 2009, when it pushed the deadline back from Nov. 1 to June 1 of this year.
Today's extension comes just days after the American Medical Association (AMA), along with the American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC), filed a lawsuit against the FTC, demanding that physicians be excluded from the requirements of the Red Flags Rule.
The lawsuit alleged that the Red Flags Rule was meant primarily for the banking sector, but was written so broadly that it now unintentionally covers physicians as well.
The suit follows almost two years of efforts by the AMA and the other two organizations to get the FTC to exclude physicians from the law. In January this year, the AMA, the AOA and two other groups formally petitioned the FTC to exempt physicians from the rule.
The recent lawsuit was filed after the FTC rejected the request.
"For two years, the AMA has made the case to the FTC that physicians are not creditors like banks and lenders, and the misguided red flags rule should not apply to them," a statement announcing the lawsuit noted.
The FTC's decision to apply the rule to physicians regardless of such complaints is 'arbitrary, capricious and contrary to the law', the lawsuit alleged.
The Red Flags Rule was developed as part of the Fair and Accurate Credit Transactions Act (FACTA) and went into effect in January 2008. The original compliance deadline for the rules was Nov. 2008, but it has been pushed back repeatedly largely as a result of concerns in Congress about the applicability of the rules to organizations other than financial institutions.
The FTC has argued that unless the rule is tweaked by Congress, it applies equally to any entity that extends credit to consumers in any form -- like a physician would, for example, when waiting for an insurance company to make payments for services rendered earlier.
According to the FTC, entities that are covered under the Red Flags Rule include finance companies, auto dealers, mortgage brokers, health providers and telecommunications companies.
It's a position that has been challenged before. Last October, a federal court in Washington D.C ruled that the regulations could not be applied to lawyers and other legal professionals as the FTC had argued it did. The ruling was in response to a lawsuit brought by the American Bar Association against the FTC.
The AMA lawsuit argues that physicians who do not require or collect immediate payment from patients cannot be considered to be creditors, under Red Flags rules.
It also noted that requiring physicians to collect and investigate each patients identity would impose too high of an administrative burden on them and erode a lot of the patient-physician trust relationship.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com .
Read more about privacy in Computerworld's Privacy Topic Center.