"Red Flags" Policy Does Not Apply to Accounting Firms

December 2010


After considerable debate in the courts and elsewhere, Congress has now clarified that the Federal Trade Commission's "red flags" rule requiring a comprehensive plan and policy to protect the personal information of consumers does not apply to accounting firms and their clients. The Red Flag Program Clarification Act, passed December 8, 2010, clarifies the definition of "creditors" who are subject to the "red flags" rule. Accountants will not be categorized as creditors, and thus not be required to implement expensive procedures in their daily operations to detect the "red flags" of identity theft. However, firms should consider voluntary implementation of data protection protocols as a matter of best practices.

The Changing Application of the "Red Flags" Rule

The "red flags" rule stems from a 2003 law that requires creditors to use identity-theft prevention programs. The FTC had deemed accountants who bill their clients to be creditors; thus they would have been required to set up identity-theft prevention systems. The new legislation states that CPAs in public practice are not "creditors" under the rule, because they do not "offer or maintain accounts that pose a reasonably foreseeable risk of identity theft."

Data Protection Best Practices

While removing the legal obligation to implement a program that complies with the law, this development in no way means that accounting firms should ignore the risks associated with data breaches and the loss of their clients' personal information. In fact, experience in the real world proves that accounting firms do possess personally identifiable information that could lead to identity theft if it falls into the wrong hands. A data breach resulting in the theft of confidential client information can be costly not only from a financial perspective, but it also can severely damage or destroy client confidence. For the time being there may be no legal requirement to adopt a formal policy addressing the protection of this information, but sound risk management dictates that data protection be considered on a voluntary basis by all firms.

For further information, please contact Thomas R. Manisero via e-mail at or by phone in our White Plains, NY, office at 914.872.7229, or Peter J. Larkin at or in our White Plains office at 914.872.7847.

View more Insights