Last month, we summarized the new federal rules regarding identity theft, commonly called Red Flag Rules, that the Federal Trade Commission (FTC), federal bank regulatory agencies, and the National Credit Union Administration adopted pursuant to the federal FACT Act. As we noted, the Red Flag Rules provide that an entity – such as a municipality – that falls within the scope of those Red Flag Rules must adopt an identity theft prevention policy that meets the Red Flag Rules’ requirements by November 1, 2008.
Since that summary, the Federal Trade Commission issued a statement announcing that it will delay enforcement of the Red Flag Rules for those entities under the FTC’s jurisdiction by six months. The FTC explained that, although it attempted education and outreach efforts following publication of the Red Flag Rules, there remained a great deal of uncertainty as to which entities were subject to the Red Flag Rules. Indeed, it appears that the Red Flag Rules apply to more entities than many actually anticipated.
The FTC determined that this uncertainty gave cause to suspend enforcement efforts until May 1, 2009. Despite the delay, it still seems clear that municipalities that maintain customer accounts (such as utility accounts) must comply with the Red Flag Rules.