It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association’s argument that the FTC’s Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers. The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act"). In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly. The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered. For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.
In reaching the decision, Judge Reggie Walton is reported to have stated that he was reluctant to conclude that Congress intended to regulate lawyers when it enacted the FACT Act, which the Red Flags Rule implements. The court also questioned the FTC’s broad interpretation of the term "creditor." Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule. Notably, the Judge’s comment may leave the door open for other challenges to the Rule by myriad small businesses whom the FTC considers "creditors" subject to the Rule.
It is reported that the court granted an injunction against the enforcement of the Rule and a declaratory judgment finding that lawyers are not subject to the Rule. The FTC is expected to appeal the decision.