Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches

District Court Explains Ruling that Red Flags Rule Doesn’t Apply to Lawyers, Implies Limitation of Applicability to Banking, Lending, & Finance Sectors

On December 1, Judge Reggie Walton of the U.S. District Court for the District of Columbia issued a memorandum opinion in a lawsuit by the American Bar Association against the Federal Trade Commission, explaining his October 29 ruling from the bench that the FTC’s Red Flags Rule does not apply to lawyers.  Holding that "[e]ven a cursory review of the language of [the Fair and Accurate Transactions Act (FACT Act), through which Congress authorized the creation of the Red Flags Rule, and other legislation defining relevant terms] and the purposes underlying their enactment leads the Court to the conclusion that it was not ‘the unambiguously expressed intent of Congress’ to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission’s Red Flags Rule," Judge Walton rejected almost every argument put forth by the FTC and indicated that the court would similarly condemn any FTC attempt to apply the Rule to other professionals outside of the banking, lending, and financial sectors who bill periodically for services previously rendered.

Specifically, Judge Walton rejected the Rule’s applicability to lawyers under both prongs of the Chevron test regarding judicial deference to agency interpretation, finding that no evidence indicated that Congress intended that rules promulgated under the FACT Act would apply to lawyers, but even if Congressional intent could be considered ambiguous, that the FTC’s interpretation of the FACT Act and its resulting application of the Rule to lawyers was unreasonable and therefore undeserving of deference.

In determining that Congress did not intend that the Rule would apply to lawyers, Walton first examined the language and purpose of the FACT Act and concluded that there was nothing in the legislative or administrative record where either Congress or the FTC made any factual findings that there was any problem of identity theft associated with the legal profession to warrant application of the Rule to attorneys.  He found that the terminology in the statute — which authorizes the FTC to implement regulations to protect against identity theft and speaks in terms of "financial institutions," "creditors," "credit applications," "appraisal reports," and theft with respect to "account holders at, or customers of" relevant entities — implied that the FACT Act was created to apply to entities involved in banking, lending, or financial related business, and concluded that the FACT Act was created not to eliminate all types of identity theft, but rather identity theft specific to the credit industry.  He noted that attorneys do not maintain credit or debit accounts, and provide services to "clients" rather than "deposit account holders" or "consumers."

Citing authority that the "hallmark of credit" is the right of one party to make deferred payment, Walton specifically objected to the classification of attorneys as "creditors" given that they do not grant any right to any debtor to incur and defer payment of debts and do not regularly extend, renew, or continue credit (or arrange for the extension, renewal, or continuation of credit).  In passages that will assuredly be cited by other professional organizations contesting the applicability of the Rule, Walton declined to adopt the FTC’s position that "the period of time between when a service is provided to when . . . a client [receives an invoice] for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice."  Instead, he remarked that "[i]nvoicing clients for services previously rendered, instead of demanding payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."

Despite concluding that Congress did not intend lawyers to be governed by rules promulgated under the FACT Act, Walton, "to make it absolutely clear that the Commission . . . acted beyond its authority," held that the FTC’s conclusion of applicability the Red Flags Rule to lawyers was not even a permissible construction of the statute.  Among the deficiencies in the interpretation, Walton noted that it would be "unreasonable" to expect attorneys to bill for services other than periodically, criticized the FTC’s classification of a one-month billing cycle as being determinative of who constitutes a creditor as "completely arbitrary" and "seem[ingly] plucked out of thin air," and stated that the FTC had not provided any legislative, regulatory, or other evidentiary findings that would support a conclusion that identity theft in the attorney-client context was a problem.  He also held that there were procedural deficiencies in the rulemaking process itself, given that the FTC did not provide any indication that the definition of "creditor" was to include attorneys who invoice their clients until almost a year and a half after the final Rule was released.

Finally, Walton cited prudential concerns specific to the legal profession in declining to apply the Rule to lawyers.  He accepted the ABA’s arguments that state-level authorities, and not the federal government, have historically regulated the conduct of attorneys, and he declined to infer the Congress would do so in the absence of specific language indicating its intent to do so.  He also discussed how application of the Rule would create barriers for attorneys to build the level of trust necessary for clients to feel that they can openly communicate with their attorneys, given that questions by an attorney at the onset of the relationship designed to confirm that a client is who he or she purports to be could be construed by as a challenge to the client’s integrity and undercut the ability to develop a relationship of trust.

Overall, this was a resounding defeat in the FTC’s effort to broadly apply the Red Flags Rule to any individual or entity who renders services on a deferred payment basis.  As a result of the ruling, on October 30 the FTC officially delayed enforcement of the Rule for a fourth time, this time until June 1, 2010.  In the meanwhile, it faces a lawsuit from the American Institute of Certified Public Accountants that the Rule does not apply to accountants, and given Walton’s language limiting his interpretation of the Rule as applying only to "banking, lending, or financial related business," it is hard to see how that litigation would not be successful.  In addition, the FTC’s stated scope of applicability of the Rule has been widely decried by other large professional organizations such as the American Medical Association, and this ruling would seem to settle many of those potential conflicts as well.  Still, the FTC has not yet announced its enforcement strategy since this decision, and businesses still unsure regarding whether the Rule will apply to them should contact legal counsel for guidance.