I believe that commercial accounts are excluded from the ID theft part of the regulation.
No, they aren't. Here is one of the new FAQs from page 5:
2. Under what circumstances are business accounts "covered accounts?"
Business accounts are "accounts" if they establish a continuing relationship between a person and a financial institution or creditor to obtain a product or service for business purposes. The FCRA definition of person, 15 U.S.C. ยง 1681a(b), is not limited to individuals. However, business accounts are not covered by the first part of the definition of "covered account" (set out above under II.B.1) because they are not primarily for personal, family, or household purposes.
Instead, each financial institution or creditor must determine which of its business accounts, if any, present a reasonably foreseeable risk of identity theft under the second part of the definition of a "covered account." For example, the accounts of small businesses or sole proprietorships may be particularly vulnerable to identity theft.