Court Finds that Lawyers Are Not Subject to the FTC's Identity Theft Red Flags Rule
Time 2 Minute Read
Categories: Enforcement, FCRA, Financial Privacy, Identity Theft, Information Security, U.S. Federal Law

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

In reaching the decision, Judge Reggie Walton is reported to have stated that he was reluctant to conclude that Congress intended to regulate lawyers when it enacted the FACT Act, which the Red Flags Rule implements.  The court also questioned the FTC's broad interpretation of the term "creditor." Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.  Notably, the Judge's comment may leave the door open for other challenges to the Rule by myriad small businesses whom the FTC considers "creditors" subject to the Rule.

It is reported that the court granted an injunction against the enforcement of the Rule and a declaratory judgment finding that lawyers are not subject to the Rule.  The FTC is expected to appeal the decision.

Tags: Congress, District of Columbia, FACTA, Federal Trade Commission, Red Flags Rule
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
FTC Issues COPPA Policy Statement Encouraging Adoption of Age-Verification Technologies

The Federal Trade Commission has issued a new Policy Statement encouraging the adoption of robust age‑verification technologies by pledging not to bring enforcement actions under the COPPA Rule against operators of general‑ or mixed‑audience sites that collect, use or disclose personal information solely to determine users’ ages, so long as long as they follow strict safeguards.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
FTC Issues Second Report to Congress on Cyberattacks

On February 6, 2026, the Federal Trade Commission announced its second report to Congress on its efforts to combat ransomware and other cyber attacks.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
FTC Held Virtual Workshop on Age Verification Technologies

On January 28, 2026, the U.S. Federal Trade Commission held a workshop entitled “Protecting American Children: A Workshop to Explore Age Verification Technologies.”

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
FTC to Hold Age Verification Workshop on January 28, 2026

On January 28, 2026, the Federal Trade Commission will hold a public workshop on age verification technologies.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page