Controlling the Identity Theft “Pandemic”

Millions of small businesses now are subject to the U.S. Federal Trade Commission’s “Red Flag” identity theft regulations, and they should not delay in acting to authenticate the people they do business with.

The deadline for compliance was extended first from Nov. 1, 2008 to May 1, 2009, so there no longer are excuses for inaction.

These rules require creditors to develop (and periodically update) a program to prevent, detect, and mitigate identity theft, which affects an estimated nine million Americans each year. The regulations include the identification of more than 20 activities – phishing, suspicious documents, and other electronic fraud – that are “Red Flags” of possible identity theft.

The regulations are not just for financial institutions and other creditors, but for any business that extends credit with a covered account, meaning pure credit relationships and any relationship involving deferred payments for obtaining products and services.

Based on clarifications issued in February, Joe Campana, a local identity theft risk management specialist, said the Red Flag Rules affect about 13 million small businesses and organizations nationwide. In a letter that month to the American Medical Association, the FTC identified creditors as any business that “bills or delays payments” with a client, Campana said.

“It seems to me that they are going to stand firm on that definition,” he added.

The law is risk-based, he added, meaning there are different expectations for corporations and financial firms, for example, than there are for small businesses. Nevertheless, compliance is not an option. One would think that federal fines for non-compliance ($16,000 per FTC violation) would be enough of a motivating factor. If not, the possibility of a public relations nightmare if your business be comes involved in an identity theft case should be.

While various information technology companies have developed Red Flag compliance products, they key will be internal processes and practices. The vendors, Campana noted, don’t sell the policies, procedures, and education that businesses must have in order to comply. These things can only be developed internally.

Campana said the law is long overdue and that people would be surprised to learn how easy it is to commit identity theft. “The good thing about it is that it increases awareness,” he said, “which could help get the identity theft pandemic under control.”