On May 13, 2009, the Federal Trade Commission (“FTC” or “Commission”) released a tool designed to help businesses with a low risk of identity theft comply with the Red Flags Rule. Pursuant to the Fair and Accurate Credit Transactions Act of 2003, the Red Flags Rule requires many businesses to develop and implement a written Identity Theft Prevention Program to detect warning signs of identity theft and detect persons attempting to fraudulently use the identities of others to gain access to products and services. The FTC guidance explains that the Red Flags Rule provides businesses with flexibility to design programs tailored to the size of the business and the potential risk for identity theft given the nature of the business. For instance, streamlined programs may be sufficient for businesses at low risk for identity theft to comply with the Red Flags Rule.
The FTC’s compliance tool contains two parts: the first part helps businesses determine whether they are at low risk for identity theft, and the second part helps businesses falling into the low-risk category to develop their required Identity Theft Prevention Program. Factors to consider when ascertaining whether a business is at low risk include the following:
- Does the business personally know its clients?
- Does the business provide services at its customers’ homes?
- Has the business ever experienced an incident of identity theft?
- Is the business in an industry where identity theft is uncommon?
Once a business determines that it is at low risk for identity theft, the compliance tool provides businesses with the following four basic steps to develop an Identity Theft Prevention Program: (1) identify relevant red flags; (2) detect red flags; (3) respond to red flags; and (4) administer the program.