Should Red Flags Rule Exempt Small Businesses?

Will small businesses be exempt from the “Red Flags Rule” set forth by the Federal Trade Commission? It’s a question that needs to be answered at some point, by the Senate. As TheStreet.com points out in an article this week, the House has voted unanimously to exclude health care, legal and accounting businesses with 20 or fewer employees from having to adhere to the regulation; so far the bill “has stalled” in the Senate, the site reports.

The Red Flags Rule, which was supposed to go into effect Nov. 1 but which was extended, for a fourth time, to June 1, 2010, arises from the Fair and Accurate Credit Transactions Act of 2003, which mandated that the FTC develop regulations requiring financial institutions to address the risk of identity theft. It requires that banks and creditors implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities— known as "red flags"—that could indicate identity theft. Failure to comply could result in fines up to $3,500 per violation, reports the Orlando Business Journal.

Congressman Mike Simpson (R-Idaho), who co-sponsored the exemption legislation in the House, argues that physicians and dentists “should not be forced to spend hundreds of dollars to comply with this needless regulation,” the Orlando Business Journal reports. But Identity Theft 911 Chief Privacy Officer Eduard Goodman tells TheStreet.com that for many small businesses, adherence to the Red Flags Rule could be prudent. “If they put a few practices in place, in the end they're saving themselves money," the paper quotes Goodman. "When you think of identity theft, you typically think of the victim as the person whose identity was misused. But then there are the businesses that are touched. And once the victim is proven, the business is left holding the bag."