On July 29, the US Federal Trade Commission (FTC) deferred enforcement of the Red Flags Rule from August 1, 2009 to November 1, 2009 in order “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” The Red Flags Rule will require many businesses to develop, implement, and administer an identity theft prevention programme that is designed to detect the warnings signs (or “red flags”) of identity theft, as well as to prevent and mitigate it, say lawyers at McGuireWoods.

McGuireWoods lawyers note that the rule “is very broad, and is not limited to any specific business sector.” Directed not just to financial companies, it will also affect telecommunications, utility, auto, retail and healthcare companies, including hospitals and physician practices. “The steps for compliance will vary on the size and nature of the business, as well as existing data protection policies, but failure to comply may result in civil monetary penalties,” the firm wrote in an online update.

“It is important to note that the Rule is not being revised or amended in any way,” they said. “Therefore, the scope of businesses coming within its ambit will be the same on November 1 as would have been affected had the August 1 deadline been implemented. The only action point here is that businesses have been granted three extra months in which to examine the Rule's application to their specific situations, and to develop a set of policies that will comply with the Rule while addressing their specific risk parameters for identity theft.”

The postponing of implementation is to address the widespread backlash from those businesses deeming themselves as “low risk” with respect to the occurrence of the identity theft the Rule is meant to combat. The FTC noted “to assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”