July 8, 2009 – With an Aug. 1 enforcement date looming, the State Bar of Wisconsin has joined with the ABA and colleagues in about a dozen other states in objecting to the inclusion of attorneys under the “Red Flags Rule” adopted by the Federal Trade Commission (FTC) to deter identity theft, in compliance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
In a June 29, 2009, letter to FTC Chairman Jonathan D. Leibowitz, Immediate Past President Diane S. Diel explains that most Wisconsin lawyers manage small businesses that already operate under stringent rules safeguarding client information, making compliance with the Red Flags Rule both burdensome and of limited potential benefit in preventing identity theft.
The Rule, originally scheduled to go into effect on May 1, 2009, will be enforced by the FTC beginning on Aug. 1, 2009, unless the agency again agrees to a delay.
FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC has concluded that lawyers, among other professionals, are creditors subject to the Rule, even though the ABA and others have noted that lawyers are not engaged in the type of commercial activities Congress envisioned when it developed FACTA.
The State Bar’s letter stresses that “the typical Wisconsin lawyer is a small business owner. In fact, of the approximately 3,800 law firms in Wisconsin, 92% or about 3,500 are small businesses with five or fewer lawyers. Fully 70% or 2,657 of those law firms are solo practices consisting of only one lawyer. The State Bar of Wisconsin believes that the Red Flags Rule will not benefit clients and will place an unnecessary and duplicative burden on lawyers and law firms who already have existing obligations to safeguard client information under the Rules of Professional Conduct.”
While acknowledging the importance of efforts to protect American consumers from the devastation of identity theft, the ABA has reminded regulators and legislators that FACTA does not include specific language that reflects Congressional intent to include lawyers under the Rule. It also emphasizes that when the FTC previously attempted to regulate lawyers under the Gramm-Leach-Bliley Act, the D.C. Circuit Court found that “the regulation of the practice of law is traditionally the province of the states” and that federal law “may not be interpreted to reach into areas of state sovereignty unless the language of the federal law compels the intrusion.”
Noting that the FTC has been unable to cite any examples of identity theft arising in a law practice context, the ABA argues that the administrative burden of lawyer compliance with the Red Flags Rule far outweighs any perceived benefit a client might receive. ABA President H. Thomas Wells Jr. noted in a statement released on June 22 that “The type of identity theft addressed by the Rule would be present only if an individual pretended to be someone else; a person would have to assume not only another person’s identity, but his or her legal needs as well.”
While the ABA and the State Bar will continue to work with Congress and the FTC to exclude lawyers engaged in the practice of providing legal services to clients from the Red Flags Rule, the outcome of these efforts is uncertain. The FTC has responded to past concerns raised by the ABA and other associations representing professional service providers with how-to guides and other compliance tools, including a template intended to help businesses and organizations determine whether they are at low risk and steps to help design a written Identity Theft Prevention Program if the business is in the low risk category.
The State Bar offered two webcasts on “Privacy & Information Security Compliance” last year that are available OnDemand. Part One covers the various types of identity theft and Part Two surveys best practices for assessing risks, getting documentation into compliance, educating employees on data security and running security audits.
The State Bar has also scheduled an Aug. 21, 2009, CLE webcast that focuses specifically on Red Flags Rule compliance, which will also be available OnDemand after that date.
Tom Solberg is the public relations coordinator for the State Bar of Wisconsin.
Related Articles:
Lawyers required to protect personal information under new federal rule – April 1, 2009
FTC delays enforcement of ‘Red Flags Rule’ requiring creditors and financial institutions to identity theft prevention programs – May 1, 2009