The Federal Trade Commission (FTC) has adopted rules requiring most financial institutions and other businesses which extend credit, including telecom providers such as by a non-prepaid cell phone account, to establish and maintain an “Identity Theft Prevention Program” (16 C.F.R. Section 681.2, “Duties regarding the detecting, prevention, and mitigation of identify theft”.) Such an identify theft program is mainly meant to require that a business will respond to “Red Flags” which would make a reasonable person suspicious of the possibility of identity theft. The FTC’s rules require the Red Flags program to be approved by the provider company’s Board of Directors (or a Board committee), and to be overseen by a designated “senior management” employee, and to use staff training and vendor oversight as needed.
The FTC rules, already delayed to August 1, 2009, have now been deferred one more time by the FTC and will take effect November 1, 2009. The justification for this further delay is an expanded business education campaign that will “give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs.” FTC staff attorneys have prepared an unofficial summary, “What Telecom Companies Need to Know“. The FTC Staff intends to create and post on its website a special link for small and low-risk entities with materials that provide guidance and direction regarding the Red Flags Rule.