“The new regulation requires each financial institution or creditor – and the rule specifically includes automobile dealers in its definition of ‘creditor’ – to have ‘a written Identity Theft Prevention Program (ITPP) that is designed to detect, prevent, and mitigate identity theft’ in place. … A dealership’s program must accomplish four primary objectives: identify red flags applicable to the dealership’s accounts and incorporate them into its program, detect those identified red flags, respond appropriately to any detected red flags, and ensure the program is periodically updated to reflect changes in identity theft risks.” 
Penalties for non-compliance: “The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. … Currently, the law sets $3,500 as the maximum civil penalty per violation. … Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order.” 
Please note: This is not legal advice and dealers should always seek the assistance of qualified legal counsel.
From "19 Laws, Rules and Regulations That Can Cost You More Than Money" in the September 2010 issue of Auto Dealer Monthly.