Accounting firms must comply with FTC "Red Flags" Rule by November 1, 2009

October 2009



The Federal Trade Commission's "Red Flags" Rule is designed to protect personally identifiable information from data thieves.  Among others, the Red Flags Rule applies to any business or individual that provides a product or service for which payment is received after the product or service is delivered.  While many might assume that data protection regulation applies only to hospitals and banks, the broad definition of who is covered by the Red Flags Rule very clearly applies to professional services firms that get paid by their clients after the services are provided, which, of course, includes accounting firms.  Although the compliance deadline has been pushed back in the past, the current deadline for compliance is November 1, 2009, after which date the FTC will begin enforcement of the rule.


Why are accounting firms subject to the rule?


As hospitals and banks have enhanced their protection of data, cyber criminals increasingly are attacking easier targets.  In response, the government has broadly expanded the scope of its efforts to include just about every business from Wall Street to Main Street.  The Red Flags Rule is similarly expansive.


The inclusion of accounting firms among the businesses subject to the Red Flags Rule is quite sensible.  Within the tax preparation files of most accounting firms, one might find taxpayer identification numbers and Social Security numbers, bank and brokerage account information, and many other forms of personally identifiable information.  Similarly, the audit and consulting files of most firms will contain not only the client's sensitive information, but possibly the personally identifiable information of the client's clients as well.  Accounting firms also will have records containing personal information belonging to partners, staff and employees.  All of this information needs to be safeguarded against theft and abuse.


What happens if a business does not comply?


Press reports about data breaches cause serious damage to the hard-earned reputation of any business.  The personal data aggregation company ChoicePoint came under heavy criticism when cyber criminals stole the personally identifiable information of at least 163,000 Americans in 2005.  TJX, the discount retailer, gained international disrepute when it was discovered that 45.6 million credit and debit card numbers stored on its databases had been stolen.


When customers are exposed to data theft because a business did not take simple precautions required by federal regulations, local newspaper and radio coverage of the breach can be harsh.  Word of mouth can be even worse.  Arguing unawareness of the Red Flags Rule most likely would be seen as further proof that the business was careless.  Loss of clients can almost be assured.


Data breaches routinely result in lawsuits, and compliance with the Red Flags Rule is the first step in proving that a business was not negligent.  Failure to comply, on the other hand, may be used as evidence that the business failed to meet established federal regulations for safekeeping personally identifiable data.  Litigation outcomes may be strongly impacted by whether a business is, or is not, in compliance with the Red Flags Rule.


In addition to private lawsuits that may result from a data breach, federal government regulators – including the Federal Trade Commission – are authorized to enforce compliance with the Red Flags Rule.  Monetary penalties of up to $3,500 per violation may be assessed.  Violation of the Red Flags Rule also could result in prosecution for violation of state consumer protection or deceptive trade practices laws.  These state laws often include language permitting private individuals to sue and recover treble damages, attorney's fees and/or litigation costs.


What is required?


Senior management is required to adopt and implement a written Red Flags Rule compliance plan.  The plan must identify indicators of potential data breaches that could occur in the normal course of operations.  In addition to identifying potential data breach indicators – so-called "red flags" – the written plan needs to specify procedures that are to be implemented when a red flag indicates a potential data breach.  In addition to procedures for identifying and handling red flag situations, the written plan also needs to address employee training and specify when and how red flag identification and procedures will be updated.


Compliance with the Red Flags Rule can be fairly straightforward.  Often, a few individuals have enough information about the ways in which the business obtains and keeps personally identifiable information to identify how an attempt at data theft might happen, and what would indicate that a data theft occurred.  For example, laptop computer theft is one of the most frequent causes of data security breaches.  Since many, if not most, accounting firms use laptop computers in the field to capture and work on confidential client information, theft of a laptop would be a definite red flag that identity theft might follow.  If a laptop is stolen, the firm's procedure would be to block the laptop from accessing the company network, and to determine what information was on the laptop when it was stolen.  If personally identifiable information was on the laptop when it was stolen, the firm would then comply with applicable privacy laws, appropriately notifying law enforcement and potentially impacted people of the laptop theft.


A firm also may take other steps, such as working with potentially impacted people and the credit bureaus to protect individuals from damage caused by identity theft.  In addition, the firm could adopt a procedure to annually review its laptop theft red flag rules and train its staff on its laptop theft red flag procedures.  Senior management needs to approve the written plan for laptop computer theft and oversee implementation to comply with the Red Flags Rule.  For each red flag a company identifies, a written procedure must be developed and approved for addressing the red flag, including regular training of staff and periodic updates of the red flags and procedures.


For more information, please contact Thomas R. Manisero at or 212.490.3000, Lori S. Nugent at or 312.704.0550, or Peter J. Larkin at or 914.323.7000.
