How to prepare for new federal rules on identity theft


In January 2008, the Federal Trade Commission and other federal regulatory agencies published their final rules and guidelines for the regulation of fraudulent attempts to use private information without authority. The new regulation's "Red Flag Guidelines" are part of the federal Fair and Accurate Credit Transactions Act (FACTA). These guidelines speak to 26 non-industry-specific "red flags," or warnings, which must be included and addressed in an organization's written Identity Theft Prevention Program (ITPP); this count does not include industry-specific "red flags," which may affect your type of business and must also be incorporated in your ITPP.

The new rules and guidelines require any institution which extends lines of credit, such as credit card companies, new and used auto dealerships, landlords and mortgage brokers, financial institutions (including payday loan stores), telecommunications, utilities, rental centers and the like, to develop and implement a written Identity Theft Prevention Program (ITPP) for combating identity theft.

The final rules became effective on Jan. 1, 2008, and require mandatory compliance, including reporting, by Nov. 1, 2008.

Your business's Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The "red flag" regulations require an institution to have an established, written ITPP approved by the owner or board of directors. These policies and procedures must:

* Identify relevant patterns, practices, and activities that signal possible identity theft.

* Have the capability to monitor and detect "red flags."

* Have the capability to respond to any red flags including procedures to take appropriate corrective action.

* Have the capability to verify address changes.

* Provide initial risk assessment.

* Provide regular compliance reporting.

* Provide oversight of third-party service providers.

* Include mandatory staff training.

* Be reviewed at least annually and updated to reflect any changes.

Although complying with the "red flag" rules is mandatory, implementing a written ITPP can also render positive results for the organization in a number of key areas, including the following:

* Prevention of information exposure.

* Implementation of identity theft controls that will help identify attempted criminal activity and reduce both its probability of success and the resulting loss to your organization.

* Prevention of damage to image and reputation.

Should criminals or employees illegally access account information, the cost of correcting fraudulent activities may be minimal and can often be recouped. However, the damage to an organization's image and reputation is costly and may never be repaired. A new survey released by the Ponemon Institute shows that 31 percent of all respondents stated they have cut off all ties with businesses involved in information security breaches. If you apply the 20/80 rule (20 percent of your customers provide 80 percent of your sales), what would the effect on your bottom line be if you lost 31 percent of your best customers?

Organizations that do not comply with the requirements face the risk of severe fines and penalties and civil litigation. Additionally, principals of the organization could face criminal charges resulting in prison time. While there are no current plans to actively audit organizations, a single negative event would drive an investigation.

Historically, negative events and consumer reports of non-compliance (whistleblowers) have been the main causes for launching an investigation. Once an investigation has been conducted and proof of non-compliance has been identified, fines, future audits, and civil action usually follow: penalties for non-compliance can be as much as $2,500 for each violation, and civil actions allow each consumer to recover actual damages sustained from a violation. This could be very large, and consumers may be able to bring a class-action suit, increasing damage awards. In addition, successful plaintiffs may recover reasonable attorneys' fees.

Businesses faced with this compliance requirement need to be proactive and initiate a plan to build a written ITPP. The program needs to be board-approved. Therefore, an allotment of time will be necessary for the board's review and final approval.

The objective of the "red flag" rules is to establish, implement, and document a prevention program to achieve a common minimum security level that protects account information. To achieve compliance you must conduct the following steps:

1. Data flow analysis

2. Preliminary gap analysis

3. Risk assessment survey

4. Policies and procedures development

5. Identity Theft Prevention Program implementation including employee training

Meeting these requirements could also require a business to set aside significant resources and time to reach this end. However, compliance will lead to a distinctly controlled environment yielding the addition of several security controls within an organization, enhancing the company's overall security position and reducing the likelihood of unauthorized individuals gaining access to sensitive personal information, account data or even proprietary information.

Tom Considine, a retired chief of naval security forces and legal officer, is the founder and chief privacy officer of Tom Considine & Associates, Information Privacy Professionals, headquartered in Fallon. Contact him at 877-747-3383 or through www.TCIPP.com.