On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with the federal Red Flags Rules. The FTC template was first announced on May 1, 2009, when the agency postponed enforcement of the general-purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).
The FTC template is divided into two parts. The first section outlines how businesses should evaluate whether they are at low risk for identity theft. Under the FTC’s guidance, low risk businesses include:
- Businesses, such as doctor or lawyer practices, that are personally familiar with their customers and therefore are unlikely to be fooled by impostors.
- Businesses that provide services at customers’ homes.
- Businesses that have never received a complaint or discovered an incident of identity theft.
- Industries in which identity theft is uncommon.
While the template does not discuss this point, those businesses that do not fall into the category of "low risk" presumably are required to undertake a more in-depth review of the risks and to implement a substantially more detailed identity theft prevention program.
The second section of the template is essentially an identity theft prevention program checklist that requires the business to fill in the procedural and administrative blanks. Anyone using the FTC template should recognize that the template is a guide for performing the assessments required by the federal regulations – it does not excuse low risk businesses from compliance. For instance, the template requires that a business identify any red flags it is aware of in addition to a mandatory red flag: receiving a notice from a customer or law enforcement. While the template provides helpful structure to the process of compliance, low risk businesses appear to be subject to the same requirements. In particular, the template program requires a business to identify applicable red flags, identify the procedures it will follow to detect these warning signs, identify a coordinator, develop a training program, identify key service providers who will need to be appropriately vetted, and keep the program up to date. The template does help us understand what level of compliance the FTC will be looking for at many smaller businesses.
- The FTC announcement
- The FTC "template" identity theft prevention program (.pdf), also available from the FTC website here (.pdf)