Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Financial Privacy, News & Events

ABA’s Lawsuit Challenging Applicability of “Red Flags Rule” to Attorneys is Dismissed as Moot

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" — which was defined broadly to include any business that accepts deferred payment for goods or services — must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.

In October 2009, the district court ruled in favor of the ABA and enjoined the FTC from enforcing the Rule "against lawyers engaged in the practice of law." After the FTC appealed the district court’s ruling, the Red Flag Program Clarification Act of 2010 ("Clarification Act") — which amended the definition of "creditor" as used in the Red Flags Rule and the FACT Act — was signed into law. 

In its March 4 ruling, the Court of Appeals held that the enactment of the Clarification Act served to moot the ABA’s claims. As explained by the Court in its opinion, the Clarification Act narrowed the definition of "creditor" to mean entities that not only accept deferred payments but also (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment. Thus, the Court found, "the FTC’s assertion that the term ‘creditor’ . . . includes ‘all entities that regularly permit deferred payments for goods or services . . . such as lawyers or health care providers’ . . . is no longer viable." In addition, the Court noted that the legislative history of the Clarification Act "confirms Congress’ intention to bar the regulation of lawyers based solely on deferred billing practices."

The Court observed that the FTC could pursue notice-and-comment rulemaking to promulgate new rules pursuant to which it might regulate lawyers and law firms. The Clarification Act left open this possibility by allowing the FTC to determine through rulemaking that a particular type of entity is a creditor under the Rule, based on a finding that the entity offers accounts that are "subject to a reasonably foreseeable risk of identity theft." However, the Court found as "merely hypothetical possibilities" this possibility — as well as the prospect that the FTC would pursue a new enforcement policy against lawyers and law firms. Thus, the Court could not identify any currently-actionable dispute.

For the time being, attorneys who accept deferred payments for their services will remain outside the coverage of the Red Flags Rule (which became effective for non-financial institution creditors on December 31, 2010), provided they do not engage in the specific additional activities listed above. However, attorneys should note that they do not enjoy a blanket exemption from the Rule, and whether the FTC will engage in new rulemaking under the Clarification Act to broaden the scope of the Rule remains to be seen. And, of course, it is incumbent upon attorneys as part of their ethical duties to clients, to safeguard the information provided to them, including information which if released improperly could lead to identity theft.