Tuesday, September 23, 2008

FTC requires towns to add identity theft programs

The article was recently run in a small North Carolina newspaper. I've gone on record on the subject of identity theft policy and training more times than I can count. With all the flap about Internet privacy, discussion forums, and a lot of heady talk about personal privacy, the identity theft victims are all but forgotten. Here is an excerpt from the article by Sarah Jane Rosser.

September 15, 2008
"The Federal Trade Commission (FTC) has issued new requirements for municipalities on the adoption of identity theft programs. A release was distributed to all municipalities by the North Carolina League of Municipalities (NCLM) on Sept. 4, asking all managers, administrators, clerks, attorneys and finance officers to have written procedures in place to help protect consumer identity and fight theft of customer account information. The release stated that all municipalities with utility accounts must participate. According to the Tennessee Valley Public Power Association (TVPPA), utilities rank No. 3 as a place for identity thieves to gain information. Credit card companies and cell phone companies are the top two. The objective of the program is to identify, detect and respond to red flags, meaning a pattern or practice of specific activity that indicates the possible existence of identity theft. Examples included in the memo were events such as the receipt of warnings from consumer reporting agencies, the presentation to the creditor of suspicious documents, the presentation to a creditor of suspicious personal identifying information and the unusual use of a covered account."

The public, that's you and me, needs to learn as much as possible about what identity theft is (the reality, not the stuff you are fed on TV) and what we can do to avoid becoming a victim and minimize our risk. Education is the single most important part. That is why training on the job is critical. People who have access to personal information, either as part of their job or because sensitive info falls into their laps accidentally, need to know how to handle it and make certain it doesn't get lost or end up in the wrong hands.

The FTC is listening to the professionals and making policy suggestions that are extremely important for all businesses to follow. There is a great booklet, "Protecting Personal Information, a guide for business," available at www.ftc.gov/infosecurity.
Everything any business entity needs to know about setting up a training and breach response plan is in the booklet. As a result of the adoption of the Red Flag Rules, Sec. 114 of FACTA, the entire retail banking and savings industry is compelled to comply with these practices. If local government and private industry continue to resist these steps, a similar law will soon make it mandatory for all employers, as is suggested in the article here.

Business has a choice: a voluntary plan to reduce risk and put training and policy in place, or a law forcing these and other steps with stiff penalties for non-compliance. As I wrote in a previous column, compliance is a process. While it isn't mandatory for all, it is a matter of choosing the right course of action. Every entity that maintains personal information has an obligation and moral responsibility to protect that information from loss or theft and, when the data is no longer needed, to dispose of it responsibly. Remember, it isn't someone else's information at stake; it is yours and mine.
