On the heels of recent criticism from the American Bar Association, the American Medical Association, and the National Retail Federation regarding the roll out of its Red Flags Rule, the Federal Trade Commission ("FTC") has once again postponed its enforcement, this time shifting the effective date from Aug. 1, 2009 to Nov. 1, 2009.

On its Web site, the FTC announced an "Expanded Business Education Campaign" to educate "small businesses and other entities" about the Red Flags Rule, which requires covered entities (including creditors and financial institutions) to establish mechanisms for identifying, detecting, and responding to warning signs of identity theft. The FTC Web site already offers guidance on the Red Flags Rule (www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm), but apparent concern over uncertainties regarding the obligations of smaller businesses led to the decision to delay enforcement of the rule for a third time.

In yesterday's announcement of the three-month enforcement delay, the FTC clarified that its staff "would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers' homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft."