The Federal Trade Commission (FTC) has adopted rules requiring most financial institutions and other businesses that extend credit, including telecom providers that do so through, for example, a non-prepaid cell phone account, to establish and maintain an “Identity Theft Prevention Program” (16 C.F.R. Section 681.2, “Duties regarding the detecting, prevention, and mitigation of identity theft”). Such an identity theft program is mainly meant to require that a business respond to “Red Flags” that would make a reasonable person suspicious of the possibility of identity theft. The FTC’s rules require the Red Flags program to be approved by the provider company’s Board of Directors (or a Board committee), to be overseen by a designated “senior management” employee, and to use staff training and vendor oversight as needed.

The FTC rules, already delayed to May 1, 2009, have now been deferred one more time by the FTC and will take effect August 1, 2009. While the stated requirements for a Red Flags Program are not extensive, administration may not be as easy as the government makes it sound. Given the unusual requirement for Board of Directors approval, now is a good time to prepare for the extended August 1, 2009 deadline. FTC staff attorneys have prepared an unofficial summary, “What Telecom Companies Need to Know”.
