The rules have been delayed three times already and were originally set to become practice Nov. 1, 2008.

NetworkWorld Extra: 12 mad science projects that could shake the world

Under the Red Flags rules all companies or services that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.

The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said.

The FTC stated that some industries and entities within the agency's jurisdiction were uncertain about their coverage under the Red Flags Rule. Many entities also argue that, because they generally are not required to comply with FTC rules in other contexts, they have not had enough time to develop compliance plans. Others have raised a stink about complying with the rules.