The FTC and Red Flags: Another Extension - What Gives?
Then came the announcement from the FTC that it's going to extend the deadline. Again.
Come Nov. 1, we're talking a one-year extension for smaller entities to get up to speed on a federal regulation that they've known about for nearly two years. What's it take?
Remember, this is a deadline that's already been extended from last Nov. 1 to this May 1, and then from May 1 to Aug. 1. And now ...
I truly don't get it. I saw it coming (like a nasty thunder storm), but I still don't get it.
OK, I get that the Red Flags Rule applies to a lot of smaller businesses - dentists, doctor's offices, auto dealers, etc. - that don't deal with identity theft issues as much as do banks, credit unions and other major financial institutions. I get that virtually any small business that extends credit is now beholden to the regulation and might be intimidated by, say, the requirement to establish a documented ID theft prevention program.
But, c'mon, we aren't talking about the FTC knocking on doors and examining small businesses for Red Flags compliance. The FTC is there to enforce the law, not test for it.
And come Nov. 1, we're talking about having seen a one-year extension for smaller entities to get up to speed on a federal regulation that they've known about for nearly two years.
What's it take?
I can understand some initial confusion on behalf of smaller businesses trying to understand whether they're a covered entity, and what does that really entail? I can understand the FTC having to beef up its education efforts through workshops, webinars, speaking engagements and even a dedicated website.
But, again, what's it take? The FTC had all of 2008 to conduct this awareness campaign. Now we're looking ahead to what will essentially be a one-year enforcement extension, and the covered entities still aren't getting it?
Or is it a matter of they're getting it, but resisting compliance?
Either way, this latest extension is an embarrassment. It doesn't reflect well on the covered entities that can't or won't comply, and it doesn't reflect well on the FTC, which somehow is failing to reach its targeted audience.
I mean, we're talking identity theft here, folks. One of the greatest information security threats we face today. And yet a significant number of businesses are either failing to comprehend or comply with a fundamental regulation - and the agency charged with enforcing the rule can't seem to get its message across.
If that's not an outrage, then what is?