FTC delays enforcement of identity-theft rules

For the third time, the Federal Trade Commission has put off the enforcement date for so-called "red flag" rules that require businesses to adopt plans to prevent identify theft.

The agency had been scheduled to begin enforcing the rules starting tomorrow, but it announced Wednesday that it would delay the effective date until Nov. 1 in order to better educate businesses about the rules.

The red-flag rules, part of a federal law that was passed in 2003, require businesses and other organizations to have a written plan approved by top management to prevent identity theft in their operations. Employees must be trained how to detect and respond to the warning signs or "red flags" of identity theft, such as attempts to use false identification.

The FTC could impose fines of up to $16,000 on businesses that have an identity-theft incident because they failed to take steps to prevent the use of stolen information. The agency was first scheduled to start enforcing the rules last Nov. 1, but the enforcement date has been delayed twice, and the FTC says it is now ramping up an education campaign.

A phone message yesterday seeking comment from the FTC's office of public affairs was not returned.

"This is something that companies should know about, but it seems that for whatever reason the news has not sunk in as completely as the FTC would like it to," said Greg Wallig, mid-Atlantic advisory principal for Grant Thornton LLP, an accounting firm that also provides compliance consulting services.

Many businesses seem to be either unaware of the rules or uncertain whether they are obligated to comply, Wallig said.

The law does not specify all the businesses that are covered. For those that are covered, the law leaves many details of the compliance plans at their discretion.

Financial institutions, for example, are covered by the law, as are businesses and organizations that regularly grant loans, or extend credit. Simply accepting credit-card payments from customers does not, by itself, mean a business must comply, according to the FTC.

However, businesses such as automobile dealers and retailers that offer financing or help consumers get financing are covered, as are nonprofits that defer payment for goods or services.

The FTC's decision to delay the enforcement date gives businesses more time to develop a plan, Wallig said. Whether they are covered by the law or not, "hopefully, companies are doing it anyway," he said. "It's just good business practice."

Among the things businesses should think about, he said, is the type of training needed for personnel "to identify those red flags as they occur, not after they have occurred."

Contact John Reid Blackwell at (804) 775-8123 or .