In a May 28, 2010 press release, the U.S. Federal Trade Commission (FTC) announced another date change for enforcement of "Red Flag" rules. The prevailing reason for the delay has been that businesses, especially small businesses, need time to adjust to the new regulations.
The enforcement date has changed so many times that I have difficulty keeping up. The original enforcement date was November 1, 2008. Then it was August 2009. In November 2009, the FTC moved the enforcement date to June 1, 2010. The new enforcement date is December 31, 2010, which might as well be sometime in 2011.
The Fair and Accurate Credit Transactions Act (often called FACTA) passed by the U.S. Congress in 2003 required the FTC to develop regulations mandating that companies that are "creditors" and/or maintain "covered accounts" address the risks from identity theft by developing a written plan to identify, detect, and respond to patterns, practices or activities -- known as "Red Flags" -- that typically indicate identity theft; and then implement that plan by the enforcement date set by the FTC. The benefit for consumers is that companies, in theory, will better protect our sensitive personal and financial information.
In theory, a consumer should be able to walk into a firm subject to the law and ask to see a copy of that company's Red Flag data security plan. The U.S. Congress is still debating which firms and industries are subject to the Red Flag regulations, and which aren't. Several industries, such as accountants, lawyers, and doctors, have petitioned Congress for exclusion.
In my opinion, the reason for the multiple date changes is based more on politics as various industries petition Congress for exclusion. Everyone wants stronger data security laws, but only for them to apply to everyone else.
Since the FACTA law was passed, some states, like Massachusetts, have enacted stronger identity theft prevention laws on their own.