The Federal Trade Commission (FTC) has recently published the following on its website: (1) a do-it-yourself evaluation that businesses can use to determine if they are at low-risk for identity theft; and (2) a template such low-risk businesses can use to develop an Identity Theft Prevention Program (Program) that complies with the FTC's “Red Flags Rule.” Previously, on April 30, 2009, the FTC announced that it would delay the enforcement of its new "Red Flags Rule" until August 1, 2009 (see Bricker & Eckler's E-mail Alert on this delay). One of the reasons for this delay was so the FTC could develop a template Program for use by "businesses and organizations at low risk for identity theft."

While the FTC cautions that each business must evaluate its own unique circumstances, the FTC's online diagnostic tool lists the following as factors which might indicate you are a low-risk business:

  • You know all of your clients personally, making it difficult for anyone to impersonate your clients.
  • You usually provide services at your customer's homes.
  • You have been in business for some time and have received no complaints regarding identity theft involving your business.
  • Your type of business is not commonly associated with identity theft; there are no reports in the news media or talk among others in your type of business about identity theft.

If you judge your business to be at a low risk for identity theft using the FTC's diagnostic tool, the FTC offers an online template you can use to create a Program for your business. The FTC's self-assessment and template Program are available at:

More information about the FTC Red Flags Rule is available on our Red Flags Rule Resource Center. The Ohio Hospital Association and Bricker & Eckler have also developed a Red Flags Rule Hospital Compliance Guide, available for subscription, which offers assistance to hospitals with these rules.