Publications
Compliance with New Laws on Identity Theft and Protecting Personal Information
This advisory provides information about a federal regulation that the Federal Trade Commission (the “FTC”) will begin enforcing on May 1, 2009, and about a recent Connecticut data privacy statute, both of which will likely affect colleges and universities. Both laws require individuals and institutions that handle personal information to adopt certain policies and procedures and impose civil fines for non-compliance.
I. The “Red Flags Rule”
On November 9, 2007, the Federal Trade Commission (the “FTC”), in coordination with several other federal agencies, issued the Red Flags Rule (the “Rule”) in an effort to prompt the adoption of policies and procedures concerning identify theft. While the Rule became effective on November 1, 2008, the FTC has announced that it will not enforce compliance until May 1, 2009. Thus, any institution subject to the Rule will need to adopt appropriate policies and procedures by May 1.
Who Must Comply?
The rule likely applies to colleges and universities, because it applies to any “creditor” that has a “covered account,” and those terms are broadly defined. The FTC has also indicated in informal guidance that it considers those who provide services in exchange for future or deferred payment to be creditors. A college or university must comply with the Rule if it: (1) offers credit or permits deferred payment, (2) for the purpose of selling products or services for personal, family, household, or business use, (3) to a person with which the institution has a continuing relationship. Thus, colleges and universities that extend credit to students through student loan programs or offer tuition payment plans likely must comply with the Rule.
