The Federal Trade Commission (FTC) will "delay enforcement" until November 1, 2009, of the Red Flags Rule, previously scheduled to begin in August 2009. The delay reflects FTC recognition that some businesses may need more time to develop and implement written identity theft prevention programs.

The Red Flags Rule may apply to companies that bill consumers in arrears (i.e., payment is not due at the time of service but at a later point). Even telecom companies, which are generally exempt from FTC jurisdiction, are likely subject to the Red Flags Rule, because they bill in arrears. Such companies are "creditors" subject to the consumer protections of the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act. The Red Flags Rule, adopted under these statutes, requires a "creditor" with "covered accounts" to establish a written program for the identification, detection and response to "Red Flags"-patterns or specific activities that could indicate identity theft.

The FTC's Red Flags Rule requires no particular practice or procedure. Rather, businesses must tailor their identity-theft-prevention programs to their particular risks. For example, "Red Flags" that probably require a response include alerts from consumer reporting agencies, law enforcement agencies or consumers themselves. Accounts should be monitored for unusual activity to the extent they are susceptible to fraudulent use. Businesses should verify new customer information, authenticate existing account holders and verify the validity of address change requests. (For more on the Red Flags Rule, see May 2009 Privacy In Focus.

Companies should ensure that their identity-theft-prevention programs are up and running by November 1, as the FTC is unlikely to extend the enforcement deadline again.