Monday, December 29, 2008

Let's Pretend May 1st is Just Another Day in the Life of a Business.

Now you will never say you didn't know........

Businesses in the U.S. have until May 1st, 2009 to initiate an Identity Theft program.

With the enactment of the 2008 FACTA Red Flags Rule comes a responsibility for all businesses, non-profits, schools and universities, utilities, and local governments to,

  • Adopt a written identity theft policy that will address the responsibilities of employees who can have access to personally identifiable information (PII), and including a response plan in the event of PII breaches,
  • Provide ongoing awareness training for all affected staff.
    It is generally understood that the training of all staff is more effective and serves to further protect the employer from loss.
  • It also requires an oversight of the security practices of all service providers and 3rd party contractors who might have access to the non-public data you hold on clients, customers, and employees alike.

The Federal Trade Commission extended the original November 1st, 2008 deadline until May 1st to give businesses more time to implement their individual programs. The FTC has oversight of the Fair and Accurate Credit Transactions Act (FACTA). The extension was granted only to non-banking businesses.

Not to be confused with a privacy policy, this legislation requires an Identity Theft specific policy to be implemented and approved by ownership or a Board of Directors as company policy. After the May 1st date breach cases involving non-compliant organizations will result in increased fines, federal audits, and will allow more victims’ lawsuits to go forward. Neither a business’ sector nor its’ size is a factor regarding this legislation.

“Have in place and implement a breach response plan.. Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling sensitive data... Create a culture of security by implementing a regular schedule of employee training. Make sure training includes employees at satellite offices, temporary help, and seasonal workers.
Before you outsource any of your business functions – payroll, web hosting, consumer call center operations, data processing or the like- investigate the company’s data security practices and compare their standards to yours.”
From the FTC publication, Protecting Personal Information, a guide for business.

With only 5 months remaining now is the time to get your identity theft program in place. No organization can afford the fallout from litigation, fines, and the loss of business resulting from a breach and subsequent identity theft episodes.
Happy New Year!

No comments: