Sunday, May 16, 2010

Many businesses not yet ready for June 1 deadline

Many small businesses have delayed implementing the identity theft “red flags” rules despite the approaching June 1 deadline — not because they don’t know about them, but because there have been so many extensions to the deadline that companies have put them on the back burner.

The enforcement deadline has been extended several times since the original date of November 2008 to give businesses more time to comply.

“The topic has fallen off the radar. When it got extended last year, people thought ‘OK, there’s no rush.’ I would say there are still a lot of businesses not ready for the deadline,” said Craig Strong, a regional director of human resources for the California Employers Association, a non-profit that advises employers on compliance issues.

Law firms, which the Federal Trade Commission said were covered by the rules, have successfully delayed compliance under a court ruling from a U.S. District Court in Washington, D.C., which is currently on appeal.

All other covered businesses, including accountants and doctors who are hoping to win exemptions, should assume they are covered and delay compliance at their peril, lawyers say.

“I suspect a lot of small businesses were hoping this ultimately wouldn’t happen,” said Tanya Forsheit, an attorney who co-founded InformationLawGroup in Los Angeles, Calif., a firm that advises businesses on privacy and data security compliance.

The rules require a written program for spotting and handling red flags that signal identity theft, training of employees and annual review of the policy.

Initially, many businesses were confused by the broad definition of “creditor,” and it came as a shock that this included not just banks and traditional lenders, but any business that allows customers or clients to defer payment for goods and services.

Although it’s still possible that the deadline will be extended yet again, lawyers are advising businesses to assume the rules will be enforced as of June 1.

“Everything that’s required is a good practice anyway,” said John Seiver, of counsel to Davis Wright Tremaine in Washington, D.C.

Small businesses

All businesses that bill for goods and services, except for those that deal with cash transactions, are covered.

Although most companies already have common sense rules about not leaving customer information lying around, “hardly any of them had a written procedure or policy specifically dealing with identity theft,” said Strong.

Small businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors.

wislawjournal
