The U.S. Circuit Court of Appeals for the District of Columbia Circuit today issued its opinion and judgment in the matter of American Bar Association v. FTC. The Court held that, in light of the recent amendments to the Fair Credit Reporting Act, the ABA’s challenge to the FTC Red Flags Rule is moot. The court of appeals vacated the district court’s ruling, and remanded with instructions that the case be dismissed.
“Congress made a very good fix to a very badly written law,” FTC Chairman Jon Leibowitz said. “Not surprisingly, the DC Circuit vindicated the FTC’s position that the ABA’s case should be dismissed. The Commission will continue to carry out Congress’ directive to protect the American people from ID theft. We look forward to working with business and professional organizations to minimize compliance costs while safeguarding the public.”
Congress passed legislation resolving the uncertainty it created when it directed the federal financial institution regulatory agencies and the Federal Trade Commission to develop the Identity Theft Red Flags Rule, which requires many businesses and organizations to have a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. The legislation clarifies which entities must comply with the Rule.
The Rule doesn’t require any specific practice or procedures. It gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program – for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.