On January 1st 2008 the federal financial institution regulatory agencies and the Federal Trade Commission sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
“The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program.” (Institute of Fraud Risk Management report, January 2008)
There has been a good deal of conversation about what is a covered account, financial institution, and consumer account as defined by the federal authorities. The link above leads to the actual “Final Rules”. As it is currently understood, and without quoting the legislation, a financial institution or creditor is defined as:
- A bank, savings institution, or personal account lender of any type.
- Also a real estate agency, mortgage broker, auto dealership, financial planner, investment broker, or any business that sets up, initiates, or maintains a payment account of any kind with an individual for personal or household purposes.
- Any utility company that establishes an individual payment account with its customers.
- Any municipality or county that provides utilities or services and arranges for regular payment from the users of the services provided.
- Any business that extends ongoing credit or arranges for payment accounts for its customers or clients. Single payments or intermittent payment arrangements do not qualify as covered accounts.
Since the rules took effect on January 1st 2008, all covered entities have until November 1st 2008 to put such a breach response and prevention plan in place.
Compliance is a process, and the intention of these rules is to put procedures in place that will stem the tide of identity theft. Identity theft currently costs American business over $48 billion each year, directly or indirectly. It is in the interest of every business entity to address this runaway cost and the risk of litigation and fines. While not all businesses are considered to be covered under the “rules”, all businesses should adopt the practices and procedures.
With only 30 days to go until compliance, every business and governmental entity in the U.S., whether subject to this legislation or not, should take stock of the risk they are willing to take on this issue. I see a good deal of apathy about this from people who have not yet become victims of identity theft. When a business owner or officer takes an apathetic position, they are not just gambling with their own identity issues but with those of their employees, customers, vendors, constituents, etc. They are also taking a huge risk for the business. Fines and lawsuits resulting from data breaches without a breach response and identity theft prevention plan can devastate a business both financially and from a public relations perspective. Add to that federal audits and, for retailers, the loss of credit card processing accounts, and you have an untenable position that can be entirely avoided with a small investment in time. While we cannot entirely eliminate identity theft, we can mitigate the risk with a few simple steps.