November 1, 2008 is the deadline for compliance with the “Red Flags Rule” of the U.S. Fair and Accurate Credit Transaction Act of 2003 (FACTA). The purpose of the FACTA is placement of an identity theft identification and response requirement on U.S. businesses. Although most of the Red Flag requirements apply to hiring and credit processing practices as well as those related to health facility admissions, PII and ePHI protection are also included. So what does this mean to security managers? It depends.