Heck, take the rest of the year.
At Congress’s request, the FTC has once again extended the deadline to comply with the Red Flags Rule, which requires certain business entities to “develop and implement written identity theft prevention programs” that could detect the red flags that signal identity theft.
The new deadline is Dec. 31, 2010.
It’s the latest in a series of extensions the FTC has approved while Congress debates which entities should be affected by the rule.
It also follows an order from the U.S. District Court for the District of Columbia that enforcement of the rule be delayed by 90 days for AICPA members in public practice, pending a ruling on a lawsuit brought by the American Bar Association against the FTC. The ABA sued the FTC in 2009 over enforcement of the rule for attorneys and won its case. The FTC appealed that decision in March and is awaiting the appeals court’s ruling.
It’s getting hard to follow all the extensions and court orders, but we’ll keep you posted on what happens next. In the meantime, check out these related resources:
- FTC “Red Flag Rule” resources
- AICPA guide for creating an identity theft prevention program
- Protect your data … or pay the price (an MACPA podcast featuring Marilyn Prosch, an associate professor in the Department of Information Systems Management at Arizona State University)
- Preventing identity theft throughout the data life cycle, a JofA article written by Prosch
- Outsourcing and privacy: 10 critical questions top management should ask, a Statement article written by Prosch