• Business Litigation
• Personal Injury
• Estate Planning
• Family Law
• Insurance Defense
• Real Estate

Business Law

Under a new federal law, businesses which bill their customers or clients after products or services have been provided are expected to implement a written program guarding against the theft of their employees’, customers’, or clients’ personal information.

The Federal Trade Commission will start enforcing its newly-adopted “red flag rules” on November 1, 2009.  These new rules stem from the Fair and Accurate Credit Transaction Act of 2003 (FACTA).  Identity theft typically involves the assumption of another person’s entire identity or a combination of parts of identities from various victims.  Because more than one-half of identity thefts originate in the workplace, businesses will now be required to implement safeguards.

Professional services firms, such as accountants, doctors, dentists and lawyers who defer payment of a client’s bill following performances of services, will be among those businesses affected by the new FTC requirements.  Other businesses subject to the rules include finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; and non-profit and government entities that defer payment for goods or services.

Expected Impact
Under the new rules, affected businesses must implement written policies specifying how they will detect the warning signs -- the “red flags” -- that indicate an identity theft may be occurring.  Businesses must also show how they will respond to prevent or mitigate identity theft crimes if uncovered.

These written policies are supposed to be tailored to the amount of risk. However, the FTC acknowledges there is no bright-line rule to distinguish between high and low risk.  The rules suggest that affected businesses consider such factors as how easily their accounts are opened or accessed and previous experiences with identity theft.

Recommended Response
Policies should be in proportion to the risk posed.   Affected businesses are advised to consider any “aggravating factors” that may exacerbate the threat. For example “What if we had a security breach?”  Examples of appropriate responses could be alerting law enforcement, monitoring customer or client accounts for evidence of identity theft, changing passwords or other security devices controlling account access, reopening accounts with new account numbers, or closing accounts.  Under certain circumstances, the rule states that a business may determine no response is necessary.

These written policies should be updated periodically to account for changes in risks to customers’ or clients’ information or innovations in detection of identity theft.  A new merger, acquisition, joint venture, service provider arrangement, or other contractual relationship in the future may also prompt the need for an updated written policy.

The rule also requires appointing senior management personnel to implement the program; appropriately educating employees; and overseeing any service provider arrangements. Liability follows a business’ data, so due diligence is necessary to confirm vendor compliance before outsourcing payroll or hiring an office cleaning company.

For more detailed information on how “Red Flag Rules” may affect your business or for help in developing a policy, please call Attorney Bob Duimstra (robert-duimstra @mennlaw.com).   All of our attorneys may be reached by phone at 920-731-6631 to discuss any legal services you may require.

To unsubscribe, please click here.
Menn Law Firm, Ltd., 2501 E. Enterprise Drive, P.O. Box 785, Appleton, WI 54912-0785
920-731-6631