Many businesses have until Nov. 1 to take steps to protect their customers' and employees' personal information from being stolen by identity thieves.

Under the new federal "red flag" rules, businesses must implement plans to prevent identify theft, or face fines if information is stolen. The rules apply to financial institutions and businesses that regularly extend credit, but it is a good idea for all businesses to take preventive measures, one identify theft prevention specialist said today.

"It is better to be proactive than reactive," said Laura Millen, a risk management specialist with Peak Performance Group in Chesterfield County. She spoke at a Greater Retail Merchants Association meeting in Richmond today.

Under the regulations, businesses need to adopt a written plan to protect their customers' and employees' personal information such as credit card, social security and driver's license numbers. They also need to provide training to employees on what information is sensitive and how to protect it.

Business could be fined $2,500 if they fail to take preventive steps and information is stolen, but the costs could far exceed the fines, Millen said. One study in 2007 showed that the average cost of a data breach to businesses was $6.3 million. Another study showed that companies that suffer data breaches often lose 20 percent of their customers.