Businesses that use consumer reports, under the new rules, must adopt a plan to detect, prevent and mitigate identity theft. The plan must be approved by the company’s board of directors or senior management. The rules identify certain signals of actual or attempted identity theft, but each company is left to establish plans based upon a risk assessment of its own operations. Signals identified by the agencies as warranting increased alert include:

Consumer's notation on a credit report such as a fraud alert, active duty alert, or credit freeze. Unusual patterns in the consumer's use of credit, such as a recent increase in inquiries or new credit accounts, changes in the use of credit, or accounts closed. Suspicious documents that appear to be alerted, forged or reassembled. Or documents that include information that is inconsistent with the person applying for credit. Suspicious Social Security number (SSN), for example an SSN that has not been issued or is listed on the Social Security Administration's Death Master File. Another example would be one in which the SSN range does not match the date of birth or is the same SSN as provided by other persons opening an account. Suspicious address or phone number as follows: (a) the address or phone number is known to have been furnished on fraudulent applications; (b) the address either does not exist or is that of a mail drop or prison; (c) the phone number is invalid or associated with a pager or answering service; or (d) the address or phone number is the same or similar to information submitted by other persons opening accounts. Use of an account that has been inactive for a "reasonably lengthy period of time." Mail sent to the account holder is returned while transactions continue. Notice from the account holder or law enforcement that identity theft has occurred.