Bar News - September 18, 2009
Red Flags Rules Take Effect Nov. 1: Attorneys Required to Have a Plan
The Federal Trade Commission’s Red Flags Rules take effect on November 1, 2009, meaning that every business – attorneys included – which provides a line of credit to customers and clients will have to have an identity theft protection plan in place. Originally scheduled to go into effect in August of this year, the rule implementation was postponed for six months due to an outcry from businesses.
The medical and legal fields in particular have disputed who falls under the rules, vociferously denying that they can be considered "creditors" under the current definition. The Federal Trade Commission disagrees, and although the American Bar Association has filed a lawsuit against the Federal Trade Commission to exempt attorneys from the rules, law firms would be wise to ensure that a red flags action plan is in place by November 1.
What are the Red Flags Rules?
The Red Flags Rules require public and private utilities, financial institutions and other "creditors" to set up identity theft prevention programs. The definition of who and what is and is not a creditor is intentionally broad and, for now, includes law firms and attorneys.
The rules state that creditors must: 1) have policies for developing identity theft "red flags" or suspicious activities; 2) have procedures in place to identify possible fake or fraudulent documents and identification; 3) have an action plan for when "red flags" are detected; and 4) have a schedule for re-evaluation of the policies.
What do I have to do?
Since client information is already closely guarded in the legal profession, and since many states’ attorneys’ rules already have sections devoted to accepting credit cards and issuing lines of credit, many law firms merely have to put into words current client information protection practices.
Here are a few other ways that your law firm can be ready for the implementation of the rules:
- Don’t allow access to client information to anyone not assigned to the case or assigned to work on the file.
- Make sure that anyone not employed by the firm – janitorial staff, guests, clients, etc. – is accompanied by a firm employee when in the office.
- Offer employment only upon a criminal background check.
- Limit after-hour and weekend access to the firm’s office only to necessary members of the firm and ensure that records are kept so that entry and exit of visitors and employees is documented.
- Don’t allow files out of the office without documentation.
- Verify new client identities by noting social security numbers, valid identification, passports, etc.
- Don’t let non-employees copy files.
- Make sure that files are behind locked doors.
Since law firms are low-risk entities in terms of the rules, they may make use of the Low-Risk Business Compliance template available from the Federal Trade Commission. It is a fill-in-the-blank form which allows managers to establish a streamlined plan.