You may not even have heard of the federal government's Red Flag Rule, but there's a good chance by June 1 you'll need to comply with it.
The rule requires businesses that are potential targets for identity thieves to develop plans to spot fraud "red flags" and prevent them.
Think the rule only applies to financial institutions? Think again. It requires all "creditors" to comply with the rules, but the definition of creditor is very broad, and includes "businesses or organizations that regularly provide goods and services first and allow customers to pay later," according to a Frequently Asked Questions guide prepared by the Federal Trade Commission, which will enforce the rule. Translation: If you invoice for goods or services, you're a creditor.
You could be forgiven for hoping the government will change the enforcement deadline, considering it's already been extended several times since the original date of November 2008. But of course that won't excuse you from complying. And just having some rules – written or unwritten – about not leaving customer information lying around won't get you off the hook – you have to have a written policy and procedures specifically to handle identity theft.
"I suspect a lot of small businesses were hoping this ultimately wouldn't happen," said Tanya Forsheit, co-founder of InformationaLawGroup, a Los Angeles firm that advises businesses on privacy and data security compliance.
The rules – among them, recommendations for data encryption plus regular reviews, annual updates of your policy, and training of staff – can seem onerous, but the FTC has some online do-it-yourself tools and templates to help.
Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. So what kind of financial activity constitutes a "red flag" under the new rules? For starters, suspicious documents (like a photo ID that doesn't match the person presenting it), unverifiable addresses and Social Security numbers, and questionable account activity from customers, such as sudden spending on goods that can be resold for cash, frequent requests for cash advances, or failures to make payments on balances after making initial payments.
Experts say small businesses likely won't be among the FTC's top enforcement targets.
Forsheit told the Wisconsin Law Journal: 'In the past, on privacy and security issues, the FTC typically focused on the truly egregious — companies that handle a lot of sensitive customer information and have no written program and didn't implement any mechanism for detecting or responding to red flags of identity theft.'
Still, ignore the legislation at your own peril. Besides the threat of punishment from the FTC (which could carry a $3,500 fine for every violation), the law allows individuals to seek damages from businesses that don't comply. After June 1, if an employee fails to recognize an identity theft red flag and report it, you could face a lawsuit, and possibly a class-action one.
Said John Seiver of law firm Davis Wright Tremaine: "Everything that's required is a good practice anyway."