SaaS And Ecommerce Sites – Don’t Miss the May 1, 2009 “Red Flags” Deadline

On March 20, 2009, the Federal Trade Commission (FTC) published its latest guidelines for the Red Flags Rule entitled “Fighting Fraud with Red Flags Rule: A How-To Guide for Business”. These guidelines significantly broadened the scope of the applicability of the Red Flags Rule.

Many SaaS and ecommerce websites may now be surprised to learn that they are covered by the Red Flags Rule – and as a result they may face substantial liability for failure to comply.

If your site is covered, you need to comply by the deadline or face civil lawsuits by consumers for actual damages — and if actual damages can’t be proved, nominal damages. Civil litigants may also recover punitive damages and attorney’s fees. In addition, the FTC may initiate administrative proceedings.

What Is The Red Flags Rule?

The idea behind the Red Flags Rule is that by spotting the warning signs of identity theft (the “red flags”) in advance, businesses may prevent suspicious conduct from leading to actual identity theft.

The Red Flags Rule requires covered businesses and organizations to adopt an identity theft prevention policy in written form that is designed to identify the red flags and to take steps to prevent and mitigate identity theft.

Who Is Covered By The Red Flags Rule?

The “Red Flags” Rule has been in effect since January 1, 2008, but it’s enforcement has been delayed until May 1, 2009 due to uncertainty over who is covered.

Financial institutions are covered, including banks, savings and loans, credit unions, and the like. Most SaaS and ecommerce sites clearly do not fall into this category.

The other category of included sites — “creditors” that deal in “covered accounts” — is where many SaaS and ecommerce sites could fall, and the boundaries of this category are sometimes difficult to determine even with the latest guidelines from the FTC.

Creditors That Deal In Covered Accounts

In order to determine whether your site is covered by the Red Flags Rule, follow these two steps:

  • determine if you are a “creditor”, and if you are a creditor, then
  • determine if you deal in “covered accounts”.

First, let’s start with the definition of “creditor” — any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit, or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Obvious examples of businesses classified as creditors which regularly deal in covered accounts are finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

Not-so-obvious examples of creditors would be any site that sells goods or services and allows customers to pay later. While a SaaS site that requires its customers to pay for a single year’s subscription in a single payment at sign-up would probably not be a creditor, if payments are monthly, quarterly, or semi-annually, the site probably would be a creditor. For that matter, any site that allows for invoice billing where immediate payment is not required, would be a creditor, including sites that offer programs that permit customers to make no payments at no interest for a period of time.

The definition of “creditor” also covers anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. Examples include third-party debt collectors that regularly renegotiate the terms of a debt. If you regularly extend credit to other businesses, you also are a creditor.

Second, if you also deal in “covered accounts”, you’re definitely required to comply with the Red Flags Rule. In this analysis, you should consider both existing accounts and potential new ones.

There are two types of covered accounts. The first type is a consumer account that’s primarily for personal, family, or household purposes which involves or is designed to permit multiple payments or transactions. These accounts are always covered by the Red Flag Rule.

The second type of account is a covered account only if it involves a reasonably foreseeable risk of identity theft. This gets really tricky due to the lack of certainty regarding what constitutes a reasonable foreseeable risk of identity theft. For example, according to the recent guidelines, this type could include:

  • small business (non-personal) accounts, and
  • consumer accounts that are single payment accounts (not multiple payment accounts).

Now for the real wake-up call – according to the recent guidelines, you should consider (quoting the FTC) “business accounts that can be accessed remotely – such as through the Internet” as possible accounts that involve reasonably foreseeable risk of identity theft.

What Does This Mean For SaaS And Ecommerce Sites?

If you boil the recent guidelines down, it means that given the FTC’s statement in the recent guidelines that Internet-based accounts may involve a reasonably foreseeable risk of identity theft, all SaaS and ecommerce sites — whether they deal in consumer or small business accounts — should comply with the Red Flags Rule prior to the May 1, 2009 deadline. These sites should adopt a written Red Flags Identity Theft Policy now.

The cost of compliance with the Red Flags Rule is low, but the penalties for non-compliance are high, so the best recommendation is to resolve all doubt in favor of compliance now. We offer an affordable Red Flag Identity Theft Policy in our ContractMaker online drafting service. For more information visit the page entitled Website Red Flag Identity Theft Policy.

Copyright © 2009 Chip Cooper

For additional information, visit our SaaS Legal Resource.

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

WANT TO USE THIS ARTICLE IN YOUR BLOG OR WEBSITE? You may, as long as you reprint the article in its entirety with live links and include this blurb with it:

From SaaS Attorney, Internet Attorney Chip Cooper: “SaaS Startups – You know how frustrating it is to find a top-rated SaaS attorney who can help you set up your business… on a budget? I solve this. I do this with my SaaS Marketer Pro online platform that empowers you to generate your SaaS Agreement and winning strategies by leveraging my experience as a top-rated SaaS Attorney, Internet Attorney. Top-quality results, fast, hassle-free, and on a budget.” ==> https://www.digicontracts.com/