
FTC's Red Flags may color some surprised

Definition of 'creditor' expands impact of identity theft rule


WASHINGTON—The Federal Trade Commission next week begins enforcing a data safeguard rule that requires businesses to develop identity theft prevention programs, but observers say many organizations remain unaware the rule applies to them.

Under the FTC's Red Flags Rule, which the commission begins enforcing Aug. 1, financial institutions and creditors are required to implement a written program that identifies and detects warning signs of identity theft. Organizations also must have measures to safeguard data and to respond when an identity theft is detected.

“We are trying to get businesses to do their part,” said Manas Mohapatra, an attorney with the FTC in Washington.

The FTC estimates that some 9 million U.S. residents have their identities stolen each year, and identity theft has been the commission's No. 1 consumer complaint for the past three years.

A number of initiatives and state laws already address data and network security breaches, but the rule targets identity theft at “its point of origin” and “really picks up where data security leaves off,” Mr. Mohapatra said. “We think this is a more comprehensive fraud detection program.”

Under the rule, companies are required to have written procedures that recognize red flags when someone may be using another person's information. It will require employee training in identifying suspicious patterns or activities that point to fraud, Mr. Mohapatra said.

Organizations also must update their plan because the risks of identity theft and the methods of stealing personal information change rapidly, he said.

Since the rule was enacted in January 2008, the FTC said it has extended its enforcement deadline twice to give more preparation time. To help build awareness, it has held outreach programs through a variety of trade associations, yet observers say many organizations remain unprepared.

Part of the confusion is due to the FTC's broad definition of “creditor,” which includes just about any entity that defers payment for goods or services, observers say. The FTC says creditors can be finance companies, car dealers, health care firms, mortgage brokers, utility companies, telecommunications firms and nonprofits involved in financial transactions.

Experts say the rule extends to retailers, universities, real estate brokers and service providers who may not realize they are subject to the rule.

“Obviously, the financial institutions are on board, but other sectors are getting caught off guard,” said Nicholas Economidis, an underwriter with Beazley USA's technology, media and business service team in Philadelphia.

He said retailers that issue private-label credit cards are particularly confused. “They think that because they have a financial institution handling the accounts, that they have outsourced the exposure and therefore are not subject to the rules.” They are incorrect, he said.

Failure to comply with Red Flags could result in civil fines up to $3,500 per incident. “More importantly, the regulation opens up the door to a wave of potential negligence claims, and companies that fail to comply could be exposed,” Mr. Economidis said.

A number of high-profile, costly cases have boosted organizations' concerns about security and data breaches and many have taken risk-mitigation steps. But the new rule should be a wake-up call that companies need to re-evaluate their programs in order to comply, experts say.

To identify red flags, companies should evaluate their potential exposures and examine the types of accounts they offer or maintain, as well as how access to those accounts is provided. In addition, companies should verify the identity of anyone opening a new account, which could include checking the information supplied against a credit reporting company, a data broker or the Social Security Administration's Death Master File, the FTC said.

Some firms already may have procedures in place, such as a “know-your-customer” rule, that can simply be incorporated into the program, Mr. Mohapatra said.

Combating data breaches and identity theft “actually has much more to do with human behavior than it does with technology,” said Mark Pribish, vp and identity theft practice leader with Phoenix-based consulting firm Merchants Information Solutions Inc. Because current or former employees often are involved in such breaches, every business should consider pre-employment screening, he said.

Likewise, outsourcing is a risk, and companies should review all provider contracts and include language that supports their security policies, he said.

Companies increasingly are turning to cyber liability and network liability insurance for additional protection, and observers say the Red Flags Rule likely will boost the market.

“We are seeing a huge uptick in both—people looking for coverage and people buying coverage,” said Bob Parisi, national leader for the Tech/Telecom E&O and Network Risk practice at Marsh Inc. in New York.

Data security breaches can be costly. Last year, companies that experienced a data breach paid an average $202 per record compromised, according to the Traverse City, Mich.-based Ponemon Institute L.L.C.

FTC guidance on the Red Flags Rule is at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf.