Trade Law Daily is a service of Warren Communications News.

The duty to prevent identity theft is partly shifting to companie...

The duty to prevent identity theft is partly shifting to companies, such as telecom firms and ISPs, that aren’t typically thought of as “creditors” but must comply with new credit transaction rules. Panelists on a USTelecom-hosted webinar said companies that let customers pay after receiving services -- such as ISPs, telephone or cable providers that bill at the end of the month -- and even companies that bill in advance but continue providing service if the customer doesn’t pay on time -- are considered creditors for the purposes of the Fair and Accurate Credit Transactions Act of 2003. They were to have Red Flag policies and procedures in place by Nov. 1, but the FTC granted a six-month reprieve Wednesday because so many companies said that they were unsure how the rules applied to them or that they were unaware of the rules because they usually aren’t covered by FTC regulations and so hadn’t followed the rulemaking.

During the webinar, John Kuykendall, director of regulatory affairs at John Staurulakis, Inc., said his company searched in vain for a template or guidebook to help its small clients develop policies. “We concluded there is not [a template]. Because each one of the programs must be specific to each company… those rules are indeed company-specific,” he said. JSI developed a questionnaire to help companies determine which red flags are most likely to pop up in their line of work and how best to handle them, he said. Companies must think about how customers open accounts -- in person, online, on the phone -- and what personal information they collect from customers.

Tom Oscherwitz, vice president for government affairs and chief privacy officer at ID Analytics, said companies must also prepare for what happens after the deadline. Developing a policy isn’t enough, he said. They must update policies and procedures periodically, and also think about how to put the rules into practice. ID Analytics performed a study of red flag hit rates and found 33 percent of 700,000 applications received in a 30-day period had an identity theft red flag. There will be lots of false positives, he said, and businesses must handle the red flag hits without slowing down operations to the point of alienating customers. Handling the flags identified in its study could cost between $347,000 and $1.5 million monthly, depending on whether they're handled interactively or manually, he said. When one in six Americans moves each year, there are sure to be address discrepancies, he said. ID Analytics looked at three data aggregators and found that only 14 percent of the time was a valid address consistent across all three aggregators.

In a separate interview, Ed Goodman, general counsel and chief privacy officer for Identity Theft 911, said larger organizations appear to be more prepared for the new rules, because they generally already have fraud detection systems in place. Smaller, rural ISPs and cable providers might not be ready, he said. Goodman said companies scrambling to meet the deadline should make sure to at least have something in place. “Your initial program can be pretty thin, to some degree,” he said. The FTC expects that companies will refine and build Red Flag programs over time, he said. Goodman agreed there will be false positives but said the costs from identity theft probably outweigh the costs of even a robust Red Flag program.