The Florida Bar
The Florida Bar News
June 1, 2009
Lawyers may have to comply with new FTC ‘Red Flag Rules’

Attorneys would be required to implement written identity theft prevention programs
By Mark D. Killian
Managing Editor

The Federal Trade Commission has agreed to delay enforcement of its new “Red Flags Rule” until August 1, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.

That’s good news for the legal profession as only a week before the original implementation date the American Bar Association learned the FTC intends to apply the rule to lawyers in private practice.

Once lawyers were added to the mix, the ABA sought the enforcement delay saying it needed more time to assess the impact and implications of the rule and confer with ABA members and state and major local bar associations concerning the rule.

ABA President H. Thomas Wells, Jr., told the FTC: “Some believe that the conclusion that the rule must be applied to lawyers providing legal services cannot be justified by either the law (based on at least one federal circuit court’s conclusion that lawyers are not ‘creditors’ under the relevant underlying statute) or the facts (the absence of a single example of identity theft related to or arising out of provision of legal services).”

Wells also said the FTC staff has indicated that the compliance requirements on low-risk creditors — which likely would include lawyers and law firms — would be minimal, although a model template illustrating those minimum requirements has not yet been completed.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chair Jon Leibowitz said.

The Fair and Accurate Credit Transactions Act of 2003 directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

Judith Equels, director of The Florida Bar’s Law Office Management Assistance Service, said in her conversations with FTC representatives, they were not able to provide her with any examples of procedural due diligence that a lawyer should implement to comply with the rule.

Nonetheless, Equels said now would be a good time for lawyers to review the security measures they have in place to safeguard sensitive information in client files that may be at risk for identity theft.

“Are they adequate to preserve the confidentiality of the files?” Equels asked. “Security measures can be problematic for lawyers who share space, or lawyers in office buildings where the lawyer has no control over maintenance and janitorial staff. Just as with measures we must take to comply with HIPAA privacy rules, so should law firms take extra measures to prevent identity theft. How up-to-date is your firm’s client confidentiality policy?”

Equels has put together some “tried and true tips” for preserving client/matter confidentiality and file security, including:

• No one should have access to personal information in a client/matter file except those assigned to work on the file. Who has access to your client files?

• Visitors, guests, clients, maintenance staff, janitorial staff, repairmen, and vendors should not be allowed to roam the office without being accompanied by a firm employee.

• Consider making offers of employment contingent on a clean criminal background check.

• Grant weekend and after-hours access to the firm’s offices to only those who must have 24-7 access. Keep an accurate record of those with access privileges, and review it regularly.

• No files should ever be removed from the firm’s premises without specific written authorization from an owner of the law firm. If a file must be taken out of the office, must it be the whole file?

• It is important to verify the identity of new clients. Also, during the course of the work, it is often necessary to verify and/or hold clients’ personal information. Use a checklist to confirm that sensitive, personal client information has been collected/verified. Redact the working copy for the file, and lock up the originals, or the firm’s unredacted copy if the original source document was returned to the client. This would include birthdates, Social Security numbers, driver’s license numbers, birth certificates, passports, medical files, banking information, tax returns, and the like.

• No one enjoys putting up files at the end of the day, even though we know we’re supposed to. Just do it! This may mean installing a lock on the lawyer’s private office door.

• Buy a shredder/shredders with enough capacity to handle the job for your firm’s needs.

• Imaged files are more easily protected, but then how secure is the firm’s file server? Are sensitive drives password protected? Does the firm change the password frequently? Is access to the backup media adequately protected?

• Many lawyers and law firm employees have remote access to the firm’s information. Are there limits and boundaries in place to prohibit access to sensitive client/matter information? What is an employee capable of downloading on a laptop, from his/her PC?

• Never send a client’s personal information to be copied at a commercial copy service center.

• Never release the original file, or a copy of the file, to another lawyer without obtaining the client’s written permission.

• And, finally, here’s a really old policy, but it works: If an employee’s workspace is in the common area of the law firm, papers are turned face down when not actively working on same, and these papers/files are secured at the end of the day.

“There are good reasons for these policies in law firms that go beyond FACTA Red Flags and HIPAA requirements,” Equels said. “Preserving confidentiality over a client’s information and legal matters means just that.”

To contact Equels e-mail or visit LOMAS on the Web at

[Revised: 09-19-2016]