The latest in the ongoing saga/delay with regard to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flag Rules is that the FTC has announced that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009. This is the third extension of the compliance deadline, for which the “mandatory compliance” date was originally November 1, 2008. It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules applies and how to comply with them. This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.
When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply. With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying. Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well. With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.
This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.” In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns. However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad? This may well be an area Congress should consider revisiting, and sooner, rather than later.