Lawmakers have passed legislation that clarifies the type of companies that are subject to a new identity theft rule.
In May, after having already delayed enforcement of the Identity Theft Red Flags Rule three times, the Federal Trade Commission moved the deadline from June 1 until Dec. 31.
At the time, the FTC said it needed more time to enforce the rule “while Congress considers legislation that would affect the scope of entities covered by the rule.” The agency said it was responding to the requests of several lawmakers.
Today, the FTC announced that legislation has been passed that resolves uncertainty. The legislation reportedly clarifies what type of companies are subject to enforcement.
According to the consumer protection agency, the rule “requires many businesses and organizations to have a written identity theft prevention program designed to detect the warning signs — or ‘red flags’ — of identity theft in their day-to-day operations.”
It doesn’t, however, require specific practices or procedures but instead gives businesses the ability to design their own system based on the nature of their operations.
“Businesses with a high risk for identity theft may need more robust procedures — like using other information sources to confirm the identity of new customers or incorporating fraud detection software,” the FTC stated. “Groups with a low risk for identity theft may have a more streamlined program — for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.”