Identity theft: New rule casts too wide of a net

By Eric Johnson | Phillips Murrah P.C. | The Journal Record

[ OCTOBER 8, 2009 - OKLAHOMA CITY, OK ] - Though years have passed, I can still feel that rush of dread when I think of the unlucky phone call I received that day. It was a phone call that revealed the ill-fated fellowship I shared with a group of Americans—a group growing by approximately 10,000,000 members each year.

The voice on the other end of the line said, innocently enough, "Mr. Johnson, this is Miss Jones from MegaBank calling about your Wal-Mart credit card." The caller wanted to know when I might get around to making payments on my seriously delinquent account. Fair enough; except for one thing: I didn't have a Wal-Mart credit card.

My attempt to explain to Miss Jones that the account wasn't mine—that they had the wrong guy—was met with the news that, indeed, it was my name, social security number and previous address tied to the account. It was in precisely that moment when dread rushed over me and my stomach set to churning. This admittedly anal-retentive guy who obsessively pays his bills on time knew the sinking feeling could mean only one thing: someone had stolen my identity and embarked upon a Wal-Mart shopping spree.

That is how the name Eric Johnson landed on 2002's list of 10,000,000 million new victims of identity theft—a crime that robs Americans of an estimated $50 billion each year. And of the aftermath? Let's just say that what it took to finally clear my credit after the identity theft should also have been classified as criminal.

Enter the politicians. A few years ago, a well-intended Congress directed the Feds to create laws to combat identity theft. The new federal regulations—collectively coined 'Red Flags Rule'—require creditors, as defined by the Feds, to implement a written program to detect, prevent and respond to red flags that may indicate identity theft. The Federal Trade Commission is set to begin enforcement on November 1, with penalties of $3,500 per violation.

The hidden threat of the Red Flags Rule lies not in its intended purpose but in its broad definition of the creditors over which it has dominion. It covers any business that extends, renews or arranges credit—including those that provide goods or services first and allow customers to pay later. Just a few examples of creditors under the new rule include automobile dealers, finance companies, health care providers, mortgage brokers, real estate agents, retailers, telecommunications and utility companies and (gasp) attorneys. The guys who drop by to spray your lawn for weeds and leave the bill on your door; you guessed it, they're covered, too.

The written program that is required must be approved by the board of directors, a board committee or senior management. Once in place, periodic risk assessments must be conducted, and the Feds expect creditors to update their programs as technology changes and as identity thieves alter their tactics.

Whether or not the Red Flags Rule would have kept me from becoming a victim of identity theft is uncertain. One thing, however, is certain: Come November 1, businesses not in compliance with the Red Flags Rule face penalties of $3,500 per violation—even if they never considered themselves as creditors.