Many employers become anxious when they hear "identity theft." Employer obligations to prevent identity theft include everything from the proper disposal of personnel documents to protecting customers from criminal acts committed by cyber thieves. The fact is there are many different categories of identity theft laws. Therefore, it is easy to see why some employers feel a bit lost when anyone mentions an employer's obligation to prevent "identity theft."
Many "identity theft" laws have not provided direction to employers as to the policies or programs necessary to limit liability. Congress intended through the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), which amended the Fair Credit Reporting Act ("FCRA"), to provide guidance to businesses on how to prevent certain forms of identity theft. FACTA contains two sections (sections 114 and 315) which are intended to help address consumer concerns about identity theft by placing certain obligations on employers. However, these two sections of FACTA did not provide guidance for employers, but instead, merely mandated that federal agencies create regulations to provide further direction.
Employers finally received guidance from the federal agencies tasked with developing the Regulations on November 9, 2007. The Federal Trade Commission, in conjunction with several other federal agencies, issued regulations requiring financial institutions and "creditors" to implement policies and programs that provide for the identification, detection and response to patterns or practices that indicate identity theft. These regulations, known as the Red Flag Regulations, 16 C.F.R. § 681.1, et seq. and Final Rule, finally provided employers with guidance on the policies and programs they must create to combat certain indicators of identity theft or "red flags." The regulations define "red flag" as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." 16 C.F.R. § 681.2(b)(9).
When Must Employers Comply?
The FTC originally set November 1, 2008, as the date for mandatory compliance with both sections 114 and 315. Employers were required to comply with the requirements of section 315 on November 1, 2008. However, on October 22, 2008, the FTC issued a notice stating that due to the confusion and uncertainty about the applicability of the rule, the FTC believed it would be best to delay enforcement of section 114 until May 1, 2009.
What Are the Requirements for Employers?
Many employers may find they are under the obligation to comply with both sections 114 and 315. According to the Regulations, section 315 requires employers that receive notices of address discrepancies as a result of a request for certain consumer reports to have a policy in place to deal with those notices. To comply with section 114, employers that are "financial institutions or creditors" must create an Identity Theft Prevention Program aimed at detecting, preventing, and mitigating against identity theft.
Which Employers Must Comply with Section 315's Requirements?
Section 315 of FACTA established a requirement that any "nationwide consumer reporting agency" ("nationwide CRA") that recognizes a "significant" difference between the address provided by the user of a consumer report and the address in the report must provide the user-employer with notice of the discrepancy. The Red Flag Regulations now provide guidance on what employers must do when they receive these notices of address discrepancies. The Regulations require users of consumer reports (including employers) to attempt to verify addresses and, in some cases, communicate the results of their verification process back to the nationwide CRA. Therefore, employers who must comply with section 315 must create a policy that contains detailed methods that meet the verification and communication requirements of the Regulations.
Section 315's regulations did not alter the existing circumstances under which the user receives a notice of address discrepancy or the nationwide CRA's responsibilities to provide such notices. Therefore, employers who did not receive notices of address discrepancies before November 1, 2008, will not begin to receive notices of address discrepancies. Employers that previously received notices of address discrepancies as a result of their request for a consumer report will continue to receive the same notices they have always received. Section 315 of the Red Flag Regulations merely places obligations on employers who receive the notices to have a policy to deal with the notices they have received since the implementation of section 315 in 2003.
Which Employers Must Comply with Section 114's Requirements?
The Red Flag Regulations state that under section 114 any financial institution or "creditor" that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, must develop and implement an Identity Theft Prevention Program ("Program") for combating identity theft. Under the FTC regulations, the term "creditor" includes "lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies." 16 C.F.R. § 681.2(b)(5). Employers that would not otherwise consider themselves "creditors" fall under the FTC's definition. For example, some employers are included in the definition of "creditor" by virtue of the nature of their customer transactions. Employers that provide a service in advance in exchange for a payment in the future will likely be considered a "creditor" and subject to these regulations. Employers that are "creditors" and under the jurisdiction of the FTC should evaluate the accounts they maintain to determine if they have "covered accounts." A "covered account" is defined as any account that a financial institution or creditor offers or maintains: (i) "that is primarily for personal, family, or household purposes, that involves, or is designed to permit multiple payments or transactions . . .; or (ii) that presents a reasonably foreseeable risk to consumers (including business account customers) or to the safety and soundness of the financial institution or creditor from identity theft."
An employer that is a "creditor" and maintains existing or new "covered accounts" must create an Identity Theft Prevention Program to comply with the Red Flag Regulations. The Regulations do not require the Program to be of a certain size or contain certain language. The FTC permits employers to draft their programs in such a way that the Program meets the size and complexity of the organization. An employer should be able to defend the Program it created by demonstrating that the Program accomplishes the objectives of detecting, preventing and mitigating against "identity theft in connection with the opening of a covered account or any existing covered account." Employers may want to consult the examples of red flags provided by the FTC in a supplement to the Regulations and incorporate those examples into their Program. Practitioners should consult the Regulations for a more thorough discussion of an employer's obligations.
About the Author
Sallie S. Holder is an associate with Ogletree Deakins in its Greenville, South Carolina office, where she practices labor and employment law. Ms. Holder is admitted to practice in South Carolina. She is an active member of the South Carolina Bar Association, the Greenville County Bar Association and the American Bar Association.