What is Your Business Doing to Prevent Identity Theft?

What is Your Business Doing to Prevent Identity Theft?

By Shannon Raye Martinez

In 2007, the State of Oregon passed the Oregon Identity Theft Protection Act, requiring businesses to implement procedures and policies to protect the personal and financial information of its employees and customers. Also, in 2007, the Federal Trade Commission (“FTC”) published its “Red Flag Rules,” requiring those companies that qualify as “creditors” to create policies to detect, prevent and mitigate indicators of identity theft or the so-called “Red Flags.” Even if you are in compliance with Oregon law, you may not be in compliance with the Red Flag Rules because the FTC requires additional policies and procedures to safeguard against identity theft.

Even though the FTC rules have been published for almost two years, the FTC has delayed enforcement of the rules several times to provide businesses additional time to implement plans to comply with the Red Flag Rules. Recently, the FTC again decided to delay the effective date of the Red Flag Rules until November 1, 2009. This article will provide a brief overview of the Red Flag Rules, including some key requirements for Red Flag policies, and some tips to get your business in compliance with the Red Flag Rules before they take effect.


The Red Flag Rules apply to financial institutions and creditors. Creditors include any persons who regularly extend, renew or continue credit, or are assigned an outstanding credit. Typically, this includes anyone who provides goods or services, bills the purchaser, and allows payment to be made after delivery of the goods or services.

Even if your business meets the definition of a financial institution or creditor, in order for the Red Flag Rules to apply, the account must be considered a “covered account.” The definition of a covered account is very broad. It includes all consumer accounts designed to permit multiple payments or transactions, and any other accounts for which there is a reasonably foreseeable risk of identity theft. Therefore, even if your business does not have any consumer accounts, you still may be subject to the Red Flag Rules if there is a risk of identity theft relating to your accounts.

Unfortunately, the FTC has provided very little guidance as to what constitutes a “reasonably foreseeable risk of identity theft.” It depends on many factors and the circumstances of your particular business.


Once you determine that your business may be subject to the Red Flag Rules, you must implement a policy in accordance with the FTC requirements set forth in the rules. The Red Flag Rules require a written policy containing procedures addressing the following four main areas:

Identify and incorporate the identified red flags into the policy;
Detect the red flags;
Respond appropriately to the red flags that are detected; and
Ensure the program is updated periodically to address changing risks.
The written policy must be approved by the board or a designated committee and staff must be trained with respect to the procedures and policies adopted by the board or committee.

In addition, the Red Flag Rules require businesses to ensure that its service providers, or any independent contractors that have access to its customers information, have their own policies in place to detect and prevent identity theft.

The Red Flag Rules are intended to prevent identity thieves from obtaining information with respect to an account, or an individual’s personal or financial information tied to such account. Therefore, the Red Flags Policy is intended to supplement an existing identity theft policy, and is not intended to be the sole policy and procedures relating to identity theft for your business. You should have an existing policy in place that addresses additional identity theft issues relating to customers and employees, such as how to protect and store personal and financial information, how to dispose of such information, and how and when to disclose this information.


Red Flags are actions, patterns or practices that may indicate identity theft. The potential red flags that may exist may be different for each business, and depend upon the types of accounts your business has, the level of financial information held by your business, previous experiences with identity theft, and how access to your accounts may be obtained.

In an appendix to the Red Flag Rules, the FTC has published a list of 26 examples of red flags that may apply to your business. However, the red flags applicable to your business depend greatly on the facts and circumstances of your individual case and the accounts you hold.


If your business qualifies as low risk for identity theft, the policy required of you under the Red Flag Rules will be less aggressive and extensive than a policy required for a high risk business. Typically, small businesses often qualify as low risk businesses. The FTC has published the following list of factors to consider in determining the risk level of your business:

  • Do you know your clients personally?;
  • Do you provide services to your customers in person, rather than over the phone or internet?;
  • Have you experienced an incident of identify theft?; and
  • Is identity theft common in your business?
  • If you answered “no” to question 3, and “yes” to the remaining questions, your business may be at low risk for identity theft. However, although the FTC has provided these general guidelines, the rules are currently silent as to what is required in the policies of low risk businesses.


The FTC intended a Red Flags Policy to be tailored to fit what is reasonable under the circumstances for a particular business. Although the FTC provides general guidelines, there are no specific guidelines or policies that will apply to every business. Each business may have very different policies and procedures, depending on the circumstances involved, operation of the business and the types of accounts and information the business maintains. It is important to diligently evaluate all aspects of your operations and create a feasible policy that will address the potential risks of identity theft. Consultants and attorneys are also a source of assistance in evaluating your business and drafting a policy.


There are no criminal penalties for failing to comply with the Red Flag Rules. However, the FTC could bring a civil enforcement action against you, and may assess civil penalties of $3,500 per violation. Each instance where a company has violated the rule is a separate violation. Also, the FTC could file a lawsuit and obtain an order forcing your business to comply with the rules. In addition, you may be subject to civil liability for any damages sustained by a customer as a result of incidents of identity theft involving your business.

If you have questions regarding this article or identity theft rules in general, please contact a member of the firm’s Litigation Group.