The Field Report with Tom Field

The FTC and Red Flags: Another Extension - What Gives?

The FTC and Red Flags: Another Extension - What Gives?

This one was almost predictable.

We were just days away from Aug. 1, the date after which the Federal Trade Commission (FTC) would start enforcing compliance with the Identity Theft Red Flags Rule.

Then came the announcement from the FTC that it's going to extend the deadline. Again.

Remember, this is a deadline that's already been extended from last Nov. 1 to this May 1, and then from May 1 to Aug. 1. And now ...

I truly don't get it. I saw it coming (like a nasty thunder storm), but I still don't get it.

OK, I get that the Red Flags Rule applies to a lot of smaller businesses - dentists, doctor's offices, auto dealers, etc. - that don't deal with identity theft issues as much as do banks, credit unions and other major financial institutions. I get that virtually any small business that extends credit is now beholden to the regulation and might be intimidated by, say, the requirement to establish a documented ID theft prevention program.

But, c'mon, we aren't talking about the FTC knocking on doors and examining small businesses for Red Flags compliance. The FTC is there to enforce the law, not test for it.

And come Nov. 1, we're talking about having seen a one-year extension for smaller entities to get up to speed on a federal regulation that they've known about for nearly two years.

What's it take?

I can understand some initial confusion on behalf of smaller businesses trying to understand whether they're a covered entity, and what does that really entail? I can understand the FTC having to beef up its education efforts through workshops, webinars, speaking engagements and even a dedicated website.

But, again, what's it take? The FTC had all of 2008 to conduct this awareness campaign. Now we're looking ahead to what will essentially be a one-year enforcement extension, and the covered entities still aren't getting it?

Or is it a matter of they're getting it, but resisting compliance?

Either way, this latest extension is an embarrassment. It doesn't reflect well on the covered entities that can't or won't comply, and it doesn't reflect well on the FTC, which somehow is failing to reach its targeted audience.

I mean, we're talking identity theft here, folks. One of the greatest information security threats we face today. And yet a significant number of businesses are either failing to comprehend or comply with a fundamental regulation - and the agency charged with enforcing the rule can't seem to get its message across.

If that's not an outrage, then what is?



About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.