The American Bar Association has filed suit in federal court seeking to prevent the Federal Trade Commission from applying a new anti-identity-theft regulation to practicing attorneys.
The regulation, called the “red flags” rule, requires businesses that possess sensitive identification information about their clients to safeguard that data against ID theft. Such businesses must establish policies and procedures on how to recognize and deal with identity-theft red flags.
Set to go into effect last year, the rule has been delayed three times after groups including the ABA objected, arguing that it was intended for creditors and financial institutions, not attorneys and other professionals.
The FTC has stated that the rule will apply to any business that regularly permits deferred payments for goods or services, including attorneys with deferred payment client fee arrangements. It is now set to go into effect on Nov. 1.
But on Aug. 27, the ABA alleged in its complaint filed in Washington, D.C., that the FTC exceeded its authority in promulgating the rule and that its application to attorneys is “arbitrary, capricious and contrary to law.” The group is seeking declaratory and injunctive relief.
“Congress did not intend to cover lawyers under the rule,” ABA President Carolyn Lamm said in a statement after the lawsuit was filed.
“The FTC’s decision to apply the rule to lawyers is contrary to an unbroken history of state regulation of lawyers and intrudes on traditional state responsibilities … the rule requires extensive reporting and bureaucratic compliance that would unnecessarily increase the cost of legal services. This kind of unauthorized and unjustified federal regulation of law practice threatens the independence of the profession and the lawyer’s role as client confidante and advocate,” she added.
Lawyers not exempt
In the meantime, the FTC is warning lawyers that the first-of-its-kind identity-theft rule absolutely applies to members of the bar.
“There is no question there are a lot of entities out there, including law firms, that aren’t even aware they have to be in compliance,” said Linn F. Freedman of Boston’s Nixon Peabody. “The FTC has taken a strong stance that there needs to be widespread concern about stopping identify theft, and that means lawyers and their practices are going to be impacted.”
Arguing that the risks of such problems in their industries are minimal, organizations representing lawyers, doctors, accountants and other professionals have unsuccessfully lobbied the FTC that the rule should not apply to them.
“The position [the organizations] have been advancing is that these rules are like taking a sledgehammer or using a nuclear bomb for a little fight in the sandbox,” said Freedman, who has been advising her firm and health care clients on how to comply with the rule.
The American Medical Association, she said, put up a “big fight and pretty much lost with the same arguments, so I’m not confident the ABA will be successful in this fight either.”
Mark E. Schreiber, chairman of the privacy group at Edwards, Angell, Palmer & Dodge in Boston, said the ABA took up the cause after his firm reached out to the association in March.
Estimating that 95 percent of the Massachusetts legal community is still in the dark with regard to the FTC rule, Schreiber said Edwards Angell asked the ABA whether it believes the regulation applies to law firms “because there was a lot of debate about what the right answer was.”
He said part of the confusion stems from the rule’s broad definition of “creditor.” That definition includes businesses or organizations that regularly accept deferred payment, or provide goods or services and bill clients at some later date.
To be subject to the rule, a creditor must have “covered accounts,” which include those provided to clients for personal, family or household purposes on a continuing basis. Other accounts that have a reasonably foreseeable risk of identity theft also fall under the rule.
Creditors with covered accounts must implement written policies on detecting and responding to the “red flags” of identity theft, such as inconsistent personal information.
Each business may have different red flags depending on its industry and size. Breaches of the rule, which was adopted under the Fair and Accurate Credit Transactions Act, can lead to civil penalties, such as monetary sanctions and FTC enforcement action.
“It’s not just large firms [that will be impacted],” he said. “It could be any number of offices where Social Security numbers or other data are kept that could create some risk of identity theft.”
When asked how a rule that affects numerous lawyers and clients seemingly could have slipped through the cracks, Schreiber said many attorneys are simply unaware they fall under the FTC’s definition of “creditor.”
“Most firms and most lawyers think in terms of clients and cases and not in terms of data,” he said. “But barring any last-minute injunctions, the directive coming from the FTC is that they are going to be treated like everyone else. Nobody can really determine when or where malicious attacks are going to come from.”
Leave us alone
In a statement published on the ABA’s website, former President J. Thomas Wells Jr. wrote that two U.S. circuit courts have already held that legal fees are not “credit transactions” under the law. In addition, he said, regulations on the practice of law are traditionally left to the states and can be disturbed only by federal law if statutory language expressly says so.
“Nowhere in the FACT Act did Congress even imply that it intended to regulate lawyers with respect to their client relationships,” wrote Wells.
Treating lawyers as creditors, he added, would impose an undue burden. Where compliance with the red flags rule would complicate client arrangements and require a major time commitment, Wells accused the FTC of failing to identify a single case of ID theft in the legal services context.
Betsy Broder, assistant director in the FTC’s Division of Privacy and Identity Protection, said efforts by the ABA to exempt lawyers were unlikely to succeed.
“Legal professional groups have certainly advocated their position that lawyers should not be covered, but Congress directed the FTC to develop rules that cover creditors, and our position is that the definition Congress provided to us says that lawyers can and should be covered,” she said.
Broder said that several appellate decisions have held the definition of creditor includes lawyers and other professional industries “who regularly defer payments from clients.”
But she acknowledged that many attorneys have not even begun the process of determining whether the rule applies to them.
“From an enforcement perspective, we are aware that many entities have been struggling with this,” she said. “All we are looking for at this point is good-faith compliance. We are not going to be on the prowl for technical violations of this rule. Our primary interest is to help covered entities come into compliance.”