There is pervasive fear of identity theft. Victims spend an extraordinary amount of time and money recovering from it. The government is doing something about it, but businesses may not be pleased to hear that the government's latest action is another unfunded mandate.

New rules concerning identity theft prevention at financial companies go into effect on Friday May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as simple as writing down rules and procedures already in place and having them certified by the Board.


The rules are about procedures, not about data security, said Tiffany George, attorney for the division of privacy and identity protection at the FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of Fordham University in New York City. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," she said.

As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time staff, the Red Flags Rule can likely be handled by legal or compliance staff already in place.

It merely requires that companies have reasonable written policies in place, that they be certified by the Board, and that they be reviewed regularly.

Few changes are required because the law is so flexible. It requires "creditors" to monitor suspicious activity on "covered accounts."

"Creditors" are any company that has accounts that can be accessed repeatedly -- a phone company is a creditor but a magazine subscriber with a term-limited subscription is not.

"Covered accounts" are those designed to permit multiple transactions.