On February 11, 2019, a coalition of 31 state attorneys general sent a letter to the FTC urging the Commission to retain its “Identity Theft Rules,” also referred to as the “Red Flag Rules.” Led by Oregon AG Ellen Rosenblum, the letter further requests the FTC update the Rules in light of technological advancements and the increasingly sophisticated tactics of identity thieves. The AGs’ letter comes in response to the FTC’s request for public comment regarding whether any modifications should be made to the Rules.
The FTC’s Identity Theft Rules require covered businesses and organizations to implement a written identity theft prevention program. The program must be designed to detect the early warning signs of identity theft, and to discover theft in the business’s day-to-day operations. Additionally, financial institutions and businesses that grant credit or issue debit or credit cards must mitigate identity theft by implementing reasonable safeguards to protect consumers’ information.
In the letter, AG Rosenblum notes the increasing prevalence of data breaches and need for the Identity Theft Rules to protect consumer information. Rosenblum further states that businesses retaining consumer information are in the best position to protect it. If the FTC were to repeal the Rules, the onus for data protection could be left to the consumer who, in many cases, is unaware of the extent of data retained by a particular company and unable to protect it.
The AGs suggest the Identity Theft Rules should be modified to add a requirement that if an email address or cell phone number associated with a credit card holder’s account is changed, the consumer must be notified by email or cell phone at both old and new numbers. The letter additionally asks that the definition of “suspicious activity” under the Rules be broadened to include account access by new and previously unknown devices and repeated unsuccessful access attempts. The AGs note that the current rules are insufficient to deal with the advanced strategies of modern identity thieves, who are often able to access a consumer’s account through aggregating data from multiple sources without raising suspicion.
The FTC’s request for comment and AGs’ letter come at a critical time in United States privacy law, amidst calls for uniform national data privacy protection legislation and in the wake of well-publicized misuses of data such as the Cambridge Analytica scandal. As the FTC continues to ramp up enforcement in the area, adherence to national and state laws are essential to keeping your business compliant. Retaining experienced counsel to develop a comprehensive privacy program can help businesses identity data breaches before they occur, and ensure they stay abreast of consumer data protection developments.