Red Flag FACTA Rules Take Effect August 1

Important new identity theft rules take effect on August 1, 2009. The problem, however, is that many entities subject to the rules aren’t even aware of them.

The rules were finalized in October 2007 under the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Several federal agencies were involved in drafting the rules, including the Federal Trade Commission (FTC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision, and the National Credit Union Administration.

FACTA itself amended the Fair Credit Reporting Act in certain areas and made other changes, such as requiring the proper destruction of records that contain personal information, including Social Security numbers. The new rules, called the “red flag” rules, represent the next stage in requiring entities to do more to safeguard personal information. In light of recent data breaches, it is hard to disagree that something needs to be done.

The “red flag” rules were originally set to take effect January 1, 2008, with mandatory compliance delayed until November 1, 2008. By the November 1 date, however, most entities subject to the rules other than financial institutions were still not aware of their existence. So the rules took effect for financial institutions, but enforcement was delayed until May 1, 2009 for other creditors. The FTC then announced that it would not begin enforcing the new rules until August 1, 2009, giving organizations even more time to prepare.

The word “creditor” is the key to understanding whether the red flag rules apply. The way the term is defined in the rules, any entity that regularly extends credit to customers, including by allowing them to defer payment, could qualify for coverage. For example, if your organization sells goods to customers or members and bills them for the goods afterward, your organization is a “creditor” subject to the new rules. The FTC has concluded that health care providers also are covered.

One additional type of entity that may be covered, but it is not yet entirely clear, is the employee benefit plan that makes loans to plan participants. For example, an entity with a 401(k) plan in which employees borrow from the plan, would appear to be a “creditor” for purposes of the new rules.

So, what does it mean if your entity is covered? The red flag rules require covered entities to develop written identity theft prevention programs for their covered accounts and to identify the relevant patterns, practices, and specific activities that are red flags of possible identity theft. The program must also describe how the entity will detect those red flags, how it will respond to them, and how it will keep the program current as threats change. As such, a covered entity should perform a risk assessment of its identity theft vulnerabilities, using the FTC’s rules as a guideline.

The FTC has stated that it does not anticipate any further delays in the effective date of the red flag rules. Therefore, all entities should determine whether they qualify as a “creditor” under the rules and, if they do, perform risk assessments and develop appropriately tailored policies and procedures for protecting personally identifying information.