
New ID theft rules may not pertain to small businesses

The U.S. House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.

The rules, developed in accordance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require financial institutions and other organizations classified as “creditors” to develop programs to identify, detect and respond to indications of identity theft. A bill passed this week would amend FACTA and exclude health care, accounting and legal practices with 20 or fewer employees from having to comply with the regulations, set to be enforced starting next month.

Also, the bill would create a provision to enable other businesses to apply for exemption. To be exempt from complying with the regulation, the bill stipulates that a business would have to meet one of the following guidelines: It must know all of its customers or clients individually; it must only perform services in or around the residences of its customers; or it must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.

The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.

Rep. John Adler, D-N.J., introduced the bill to “help protect small businesses from overreaching federal regulations during these tough economic times,” he said during a hearing on Tuesday, according to the Congressional Record.

He said that complying with the Red Flags Rules is “necessary for large businesses and corporations with thousands of customers,” but would be burdensome and expensive for small businesses.

“The Federal Trade Commission (FTC), the government body responsible for enforcing these guidelines, has gone too far in defining the intent of the law and has chosen to apply the guidelines to all businesses, large and small,” Adler said.

A spokesperson for the FTC, scheduled to begin enforcing the rules Nov. 1, did not respond immediately on Thursday to a request for comment about the new bill.

In June, Betsy Broder, assistant director at the FTC, told that a major misconception about the regulation is that it imposes hardships on entities that are at a low risk for identity theft.

“We have heard a lot of questions from low-risk entities, where the burden should be quite minimal,” Broder said.

Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told on Thursday that he believes exempting small businesses from creating identity theft prevention programs is the wrong move because they, too, can experience fraud.

Even small medical practices and law firms often take on too many patients and clients to know each one personally, so they are not at a lower risk of suffering fraud related to identity theft, Goodman said. Creating a prevention program might be somewhat burdensome at first, but is ultimately beneficial to businesses and consumers, he added.
