Law Firms Must Comply With Identity Theft Prevention Regulations
August 10, 2009
The New Jersey Law Journal
Over objections from the American Bar Association and other bar groups, the Federal Trade Commission (FTC) has declared that law firms must comply with recent regulations designed to prevent identity theft, implemented under the Fair and Accurate Credit Transaction Act of 2003 (FACTA). The ABA has argued that the Identity Theft Red Flags Rule, 16 C.F.R. Section 681 (2007), which due to a recent extension is scheduled to take effect November 1, places an "undue burden" on legal professionals and should not apply to law firms. Nonetheless, until such time as the FTC changes its position, lawyers and law firms covered by the rule that fail to implement a written identity theft prevention program may be subject to regulatory enforcement action and civil monetary penalties. Is your law firm in compliance?
What Is the Red Flags Rule and Why Does It Cover Law Firms?
The rule requires "creditors" that maintain "covered accounts" to develop and implement a written Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft. The rule, adopting the definition provided in Section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. Section 1681a(r)(5), defines "creditor" as any person who regularly extends, renews or continues credit or who regularly arranges for the extension of credit. 15 U.S.C. Section 1691a(e). "Credit" is defined as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore." 15 U.S.C. Section 1691a(d). According to the FTC, the plain language of the statute defines "creditor" very broadly and includes businesses, including law firms, that regularly permit a customer to defer payment for goods or services, and does not permit the FTC to make industry-based exclusions. Since it is customary for lawyers to charge and collect fees only after legal services have been rendered, under the FTC's broad definition most, if not all, law firms would be considered creditors under the rule.
It is not clear, however, whether the FTC's broad interpretation of the term "creditor" (and, therefore, the application of the rule to law firms) would withstand a legal challenge, particularly in the Third Circuit. In Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002), the Third Circuit held that a law firm was not a creditor subject to the ECOA because it did not grant clients the "right" to defer payment for services. The Third Circuit's holding relied, in part, on the law firm's retainer agreement: although the agreement gave clients 30 days to pay for services rendered (and there was evidence that many of the firm's clients failed to make full payment within that period), the fee agreement fell short of creating a "right" of the client to defer payment. The FTC, however, disagrees, and until a court specifically addresses the applicability of the rule to law firms or the FTC changes its position, it would be prudent for law firms to act as if they are creditors under the rule.
If a law firm is a creditor, the next step is to determine whether the firm maintains "covered accounts." Covered accounts are accounts that (i) are created primarily for personal or family purposes and that can be paid off over multiple payments, or (ii) have a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft. A law firm's engagement relating to personal or family purposes, such as certain tax, estate and trust, domestic relations, or labor and employment matters, could trigger the rule's requirements. Even if the engagement is not personal or family-oriented, client accounts maintained by law firms could be considered "covered accounts" depending on the degree of foreseeable risk of identity theft. Lawyers and law firms should carefully consider the risks posed by their specific practice areas and clients when determining whether they fall within the scope of the rule. While the FTC published an FAQ on its Web site indicating that the FTC would be "unlikely" to bring an enforcement action where the entity knows its clients individually or is involved in a business where identity theft is rare, law firms may find that the costs associated with compliance with the rule are slight when compared with the potential costs of noncompliance, such as monetary penalties, embarrassment and negative publicity for the firm.
Identity Theft Prevention Program Requirements
Businesses or organizations covered under the rule are required to develop and implement a written Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft. Each program must include reasonable policies and procedures to: (i) identify relevant red flags; (ii) detect red flags; (iii) respond to any detected red flags to prevent and mitigate identity theft; and (iv) periodically evaluate and update the program. The FTC has issued several publications to assist businesses and organizations in developing programs and interpreting the rule, including "The Red Flags Rule: Frequently Asked Questions," "Fighting Fraud with the Red Flags Rule: A How-To Guide for Business" and a template designed to assist low-risk entities in developing programs, entitled "Complying with the Red Flags Rule: A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft."
The first step a law firm must take in creating an identity theft prevention program is to evaluate how vulnerable the firm is to identity theft. Among the factors a law firm should consider, set forth in Appendix A to the rule, are: (i) the types of covered accounts it offers or maintains; (ii) the methods for opening a covered account; (iii) the methods for accessing covered accounts; and (iv) its previous experiences with identity theft. Law firms generally face little risk of identity theft. In most cases, clients are personally known to the law firm or lawyer providing the services, making client impersonation highly unlikely. Furthermore, lawyers are bound by common-law fiduciary duties and statutory codes of conduct and ethics governing the legal profession, including the proper safeguarding and use of client information and funds. However, not all practices are similarly situated. Some attorneys, particularly those with a large number of clients or a high-volume practice, do not personally know their clients prior to the engagement and may take few, if any, steps to confirm the identity of clients prior to providing legal services. Law firm programs must address the specific risks faced by the firm; for example, the program implemented by a small firm or solo practitioner with a high-volume municipal court practice would differ from a program implemented by a firm whose only clients are insurance companies.
Since program requirements are based on a company-specific risk evaluation, low-risk entities, including most law firms, will have simpler programs that identify fewer red flags and include more limited prevention and mitigation responses when compared to programs for higher-risk entities such as banks and credit card companies. Potential red flags under law firm programs may include: (i) inconsistent or otherwise questionable identification provided by a client; (ii) inconsistent or questionable information included in a client's consumer or business credit report; (iii) notification from a client, a victim of identity theft or a government agency that identity theft has occurred; (iv) notification from a client that it received a bill for services the client did not receive; (v) notification from a client that it is not receiving legal bills in the mail; and (vi) learning that a firm laptop, flash drive or client file has been lost or misplaced.
The rule also requires each company's program to include policies and procedures designed to prevent and mitigate identity theft once red flags are detected. Appendix A to the rule states that responses to detected red flags should be commensurate with the degree of risk posed and provides examples of various responses. Appropriate responses to the red flags identified under law firm programs may include: (i) reporting observed red flags to a supervisor or designated employee responsible for supervision of the program; (ii) conducting an internal investigation to determine whether identity theft has occurred; (iii) notifying the client, the victim of identity theft or a government agency in the case of identity theft; (iv) encouraging the victim to complete the ID Theft Affidavit developed by the FTC; (v) terminating the client relationship, if warranted; and (vi) cooperating with any law enforcement investigation relating to the identity theft.
The rule requires that the program be initially approved by the "board of directors" or an appropriate committee thereof, which, for law firms, could include the management committee, managing partner, or a similar group or individual with management authority. A lawyer, administrator or other employee of the law firm must be appointed to administer the program. The program administrator will be responsible for receiving reports of observed red flags from employees and conducting investigations into the circumstances of each case. The program administrator should also create an identity theft investigation database; each allegation of identity theft or reported observance of red flags, and the resolution thereof, must be described and entered in the database. The rule requires that firm employees receive training on the program to ensure its effective implementation. Finally, the program must be periodically reviewed and updated as needed.
While the applicability of the rule to law firms is uncertain, and perhaps even unlikely should a court have the opportunity to examine the issue, until a court exempts law firms or the FTC changes its position, law firms that fail to comply will be exposed to potential regulatory enforcement actions and monetary penalties. While this article provides general guidance to law firms on implementing an identity theft prevention program in accordance with the rule, the information provided in this article does not constitute, and is no substitute for, legal or other professional advice. Lawyers and law firms should seek advice from knowledgeable legal professionals for individualized guidance regarding the application of the law to the firm's particular situation.
Israel is a member of and Simon is an associate with Wolff & Samson in West Orange.
Reprinted with permission from the August 10, 2009 edition of New Jersey Law Journal. © 2009 Incisive Media US Properties, LLC. All rights reserved. Further duplication without permission is prohibited.