While the Red Flags Clarification Act may have exempted a number of very specific types of small businesses, it didn't exempt them all.
For this reason, the Federal Trade Commission's (FTC's) much-discussed, oft-delayed "Red Flags" Rules went into effect with the New Year, meaning many entities need to be in compliance with the amended statute. As described by the FTC, the new law "gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces. Businesses with a high risk for identity theft may need more robust procedures—like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program—for example, simply having a plan for how they'll respond if they find out there has been an incident of identity theft involving their business."