Welcome to “A Moment of Privacy,” a newsletter brought to you by the Privacy and Data Security Practice Group at Proskauer Rose LLP.
“A Moment of Privacy” addresses one legal development each month in the area of privacy and data security law. We answer the questions our clients are asking, in a way that we hope gives practical information to our readers. If you send us your question, you may find your answer in an upcoming newsletter.
And now for this month’s question:
Q: Last month's Moment of Privacy addressed whether the Red Flag Rules apply to medical care providers. Now I am hearing that they may apply to retailers. Is that true?
A: The Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a retailer that processes credit applications, this would mean, as an example, detecting situations in which a customer may be attempting to apply for credit using another person’s identity.
The FTC has reiterated that a covered entity’s Red Flag program should be “risk-based,” so if there is a relatively low risk of identity theft given the way the retailer processes credit applications, the Red Flag program can be simple. That said, there still needs to be a program in place.
As an example, where a retailer does nothing more than receive credit applications from customers and pass them on to a partner bank, the retailer could implement a program that includes, among other things:
- Checking customers’ photo IDs when they apply for credit
- Requesting multiple forms of ID
- Training employees to know how to spot a fake ID
- Following the guidelines for authenticating applicants provided by its partner bank
- Documenting these procedures in writing, and training employees accordingly
The more involvement a retailer has in the processing of a credit application, the more robust its Red Flags program ought to be.
Have a question? E-mail Kristen J. Mathews at kmathews@proskauer.com.