Opinion: Red Flags Rule deadline delayed again, now June 1

CSO -

Companies scrambling to meet a Nov. 1 enforcement deadline for the Federal Trade Commission's Red Flags Rule have gotten another reprieve. Bowing to pressure from some members of Congress, the commission pushed the deadline to June 1, 2010, according to a message on the FTC website.

The FTC made the announcement Friday, the same day the U.S. District Court for the District of Columbia ruled that the commission can't apply the rule to attorneys. But the FTC said its latest enforcement delay will not affect the separate timeline of that proceeding and any possible appeals, nor will it affect other federal agencies' ongoing enforcement for financial institutions and creditors subject to their oversight, the FTC statement said.

See also: Red Flag Rules and Vendor Relationships

The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions Act, where Congress ordered the FTC and other agencies to make regulations forcing creditors and financial institutions to address security holes that could lead to identity theft. The rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as red flags -- that could indicate identity theft.

See also: Five Ways to Fight ID Theft

The rule hasn't received much media attention in recent months, mostly because of the infosec community's anxiety over another often-delayed law -- Mass. 201 CMR 17. But last week, before the latest deadline extension, CSOonline conducted an informal poll of IT security practitioners and industry analysts, asking what their specific challenges have been in relation to the Red Flags Rule. What follows are some of the responses that arrived via the likes of e-mail and LinkedIn.

Ed Moyle, founding partner at Security Curve, former VP of information security at Merrill Lynch
Truthfully, in the field, a lot of the folks I've come across are pretty much where they need to be from a regulatory standpoint (i.e. they've hit the bar required by the regulation). But just hitting that bar doesn't mean a company is all the way there in terms of protecting customers from identity theft.

My recommendation to folks that think they have everything in hand on this is two-fold: First, make sure all the i's are dotted and t's crossed before the deadline to make sure they're compliant with the reg. (i.e., make sure that they have the defined identity theft processes and that their staff are trained on what to do if someone calls in to report identity theft). Second, while the iron's hot, look to see if there's something that they can do to address identity theft proactively for example, maybe can they change the business processes to reduce the likelihood of identity theft? This isn't always possible, but why not use compliance with the law as an opportunity to go over and above?