Certain businesses will be required to create and maintain a written identity theft prevention plan in order to be compliant. The FTC has indicated the inclusion of small-business accounts and sole proprietor accounts.
A plan may even include procedures ranging from requiring customers to take their hats off when doing business in banks (so the security cameras can see their faces) to spotting unusual credit card activity anywhere at any time.
1. Identification: It is necessary to understand what leads to identity theft and to identify the patterns, activities, and/or transactions (the red flags) that indicate it.
2. Detection: Develop a comprehensive understanding of any previous red flags, and create a specific plan that calls out the processes and procedures to address them.
3. Response: The plan needs to include a process of responding to red flags as they are detected.
4. Revision: The plan should specify the process the organization will use to periodically update sections 1-3 as the threat landscape changes.
It should be understood that if the plan is outsourced to a third party, it is still the responsibility of the owner of the company to be compliant. In other words, outsourcing does not release you of any responsibility to protect your data.
Should the FTC investigate and find your company non-compliant, it will work with the Department of Justice to sue. Be assured, you do not want to be found non-compliant and subject to the enormous fines that can be assessed, not to mention the mountain of supplementary reports, document retention, and mandatory audits all of which are additional costs.
The costs of being found non-compliant are staggering. An alarming number of organizations are unaware of the liability they face for non-compliance.
The Fair and Accurate Credit Transaction Act and the Federal Trade Commission set the rules regarding Identity Theft (the "Red Flag Rules").
On June 1, 2005, a new provision of the Fair and Accurate Credit Transactions Act (FACTA) took effect. It states that a business whose action, or inaction, results in the loss of employee or customer information can be fined by federal and state government, and sued in civil court.
The determination of whether your business or organization is covered by the Red Flags Rule is not based on your industry or sector, but rather on whether your activities fall within the relevant definitions.
You are subject to the Red Flags Rule if you are a "Creditor".
"Creditor" means a business or organization that regularly defers payment for goods or services or provides goods or services and bills customers later (as opposed to requiring prepayment or contemporaneous payment).
You are a Creditor if you provide any goods or services for a fee and, as a matter of course, extend credit to your customers by offering them the ability to pay for those goods and services after they are provided, as opposed to requiring prepayment or contemporaneous payment.
You can be a creditor with respect to limited areas involving a low risk of identity theft.
You are a Creditor if you allow a debtor to defer payments owed to you.
Discover How To Be Red Flag Compliant