The New FTC Red Flag Rules

In short, it requires businesses to develop and implement a program that will identify potential identity theft through suspicious activities. These patterns of suspicious activities are called “red flags.” Every business must create a compliance program to identify and respond to red flags. Once developed, employees must be trained on the program.

The Red Flag Rule is enforced by the Federal Trade Commission (FTC). However, as with other recent privacy legislation, there are allowances for individuals to seek damages from businesses. After August 1st, 2009, if an employee fails to recognize an identity theft red flag and report it, the penalty could be a financially crippling lawsuit.

The rule applies to any business that offers or connects customers to credit. Almost every business qualifies including:

  • Medical Practices – Because payment is made via an insurance company the FTC has ruled that medical offices must comply. The AMA has been unsuccessful in getting relief from the rule with an argument that practices are already covered by HIPAA.
  • Retail Stores – The only exception is if a store deals exclusively in credit cards and cash. If a store allows purchases via credit, internal or external, they must comply. This is everyone who sends out invoices.
  • Services – Phone companies, cell phones, power companies or anyone else that extends credit.
  • Car Dealerships – This includes boat sales, RVs, motorcycles and power sports.
  • Banks and Financial institutions – Everything from the local bank to credit cards to mortgage brokers.
  • Schools – Any school, college or university who provides or accepts financial aid.

There are numerous methods to get in compliance. At the high end is bringing in a law firm to go over all of your business practices and design a custom program. This is very expensive but is the most thorough and you are all but certain of compliance. At the bottom end is an off the shelf solution. They are not very expensive but may require a great deal of customization and have no assurance that your business will be in compliance.

Any solution you choose needs to have some basic components. The FTC mandates these four parts:

  • Identity relevant red flags – Identify the warning signs of identity theft that are specific to your business. Some common ones are suspicious documents, changes of address, warnings from credit agencies, and notices from victims or law enforcement.
  • Detect red flags – Put in procedures that will detect the red flags in day-to-day business practices.
  • Prevent and mitigate identity theft – Put in reasonable responses when red flags are detected. This includes monitoring or closing accounts, not opening an account or notifying potential victims of a problem.
  • Update your program periodically – Every program should be evaluated and updated for business practice changes and identity theft trends.

Once you have created a compliance program you will need to educate your employees. This means more than just handing out a document but actively working with them to protect all the private information in your care. All training should be documented for compliance records.

While NORTHEAST RECORD RETENTION is not subject to the Red Flag Rule directly, we have provisions within our operations and Confidential Destruction Agreement to help our clients comply with their Red Flag Rule obligations:

NORTHEAST RECORD RETENTION is a NAID Certified® provider. NAID Certification criteria identify all areas of our operation where information transferred to our custody for processing is put at risk of unauthorized access. Our company’s compliance with security measures specifically designed to mitigate these risks is verified through periodic announced and unannounced audits by accredited, authorized third-party security professionals. NAID Certification security specifications, as well as verification of our NAID Certified® status, are included as addendums to these policies and procedures.

As a condition of employment, all NORTHEAST RECORD RETENTION employees are required to notify management of any actual or potential unauthorized access to information transferred to our custody for processing. If such information is verified by management to constitute unauthorized access to information transferred to our custody, it is our policy to fully disclose to clients all relevant details in a timely manner and to reasonably cooperate in any subsequent investigation.

The acceptance, transfer and processing of information transferred to our custody shall be documented and verified in writing and such documentation made available to the customer in the course of business upon request.

Data security plays an essential role in keeping people’s sensitive information from falling into the wrong hands. Protect what you have a legitimate business reason to keep and securely dispose of what you no longer need. Our service provides you with consistent, reliable, and cost-effective shredding and ensures sensitive information is safeguarded and properly destroyed:

  • We provide your offices with free lockable document disposal containers that prevent unauthorized access to sensitive information
  • On a schedule that suits your needs, our bonded and insured shredding specialist securely shreds your information
  • With every service visit, we provide you with a numbered Accountability Receipt documenting a chain of custody and a chronological history of your shredding practices – a shredding “log” for your records
  • We provide you with a Certificate of Destruction: third-party verification that your information was completely and confidentially destroyed in accordance with NAID Certified® specifications and Federal Regulations

With NORTHEAST RECORD RETENTION compliance with the Red Flag Rule could not be easier!

For more information on The New FTC Red Flag Rule, visit:

< Back to Compliances
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.

© Northeast Record Retention.
New England's leading provider of record storage and data shredding services.

Ph: 1-877-603-3100
Fax: 1-603-792-8693