U.S. is requiring companies to defend against identity theft

With identity fraud on the increase, the federal government is stepping up efforts to make sure businesses are on the alert — especially financial institutions and other companies that issue credit cards.

The government says that businesses have the responsibility of making sure thieves don’t use stolen information to buy goods or open phony accounts. And to that end, the Federal Trade Commission wants businesses that might be targets of identity thieves to develop written plans to spot “red flags” that fraud could be involved and prevent it.

Starting June 1, all businesses that extend credit to customers will have to develop plans to try to prevent identity theft.

“Once the information is in the hands of identity thieves, there’s not much more the consumer can do,” said Naomi Lefkovitz, senior attorney for the FTC, which will oversee enforcement of the rule as it applies to many — though not all — businesses. “Now it’s in the hands of the businesses.”


The new rule will affect larger institutions such as banks, but also smaller companies that provide services first and charge afterward, for example, a doctor who bills patients for exams and procedures after they are performed.

A department store that issues its own credit cards, for example, would qualify as a creditor under the new rule, and would have to develop a plan, according to the FTC.

To comply, a business must develop a written plan for identifying signs of identity theft, catching it and preventing it.

The first step, according to an FTC report that explains how to develop a plan, is to figure out the signs that a potential customer is really a thief. These indications of identity theft, or red flags, vary from business to business.


A red flag could be a customer who tries to pay with a credit card and offers a driver’s license or other identification card that looks fake. Another sign would be dramatic changes in the credit report of a longtime customer, or big swings in somebody’s account.

Businesses should make a list of such signs of possible identity theft and develop a written plan for dealing with them should they occur. Finally, businesses must review the plans periodically to see whether there are new signs of identity theft that should be included.

Plans do not need to be submitted to the federal government, but a business that experiences repeated instances of identity theft might be asked to produce the plan during an investigation.

Lefkovitz said the FTC might also request a copy of the plan if it has received numerous consumer complaints of fraud occurring at a particular business. In some cases, companies that lack written plans could be sued by the agency and ordered to pay $3,500 for every violation of the rule.

The law was passed in 2008, but it has not been enforced because of confusion over how to develop the plans and who would be required to file them, Lefkovitz said.

A small business that meets the law’s definition of a creditor might have to develop only a simple plan, she said, while a large financial institution would need a more complex one.

The agency has suggestions for developing an appropriate plan for individual businesses, as well as templates that companies can use, at its website, The agency has a detailed report on the new red flag rule on the Internet. See it here.