Lately I have seen a flurry of words attempting to define just what business entity is, and what business entity isn't, affected by the Red Flag Rule (FACTA section 114). The focus has been on what is a "covered account", and seems to try to define this in extremely narrow terms. Too narrow in my opinion. The tendency seems to be to look at terms like affected entity and covered account as though it were a bad thing to be a covered business. The image of costly and expansive compliance programs raises its ugly head. That isn't the intention at all.
I think it is high time to back up a bit and take a fresh view. The Red Flag Rule, like all other consumer protection legislation, is intended to help rather than to penalize. To be sure, there are penalties to business owners for not doing the right thing by taking the responsibility to act. Depending on the type of business experiencing a breach, the federal government via the FTC or the banking authorities can impose substantial fines and mandate risk assessment audits, even call for the removal of officers and criminal charges under certain circumstances.
All of this is very preventable and easy to avoid. If every business and local government agency were to adopt the steps recommended by federal and state authorities, we could reduce the incidents of data loss and breaches from business databases to a great degree. Identity theft could become a smaller problem rather than a growing one. By how much? Only by adopting an educational and proactive program across the board will we find out. Education is a powerful tool.
This does require "buy-in" from management, however. A commitment to address identity theft from the top down is essential.
I ran across the following from the Institute of Fraud Risk Management that sums it up pretty well.
"From a practical risk management standpoint, every business (and government entity) should take appropriate risk management actions and seek to meet the requirements and standards of consumer privacy and data security laws, whether or not it has a statutory obligation to do so. Similarly, businesses and government entities should also not take "the easy way out" and seek to only protect that information which is specifically identified as protected under the strictest interpretations of the law. There is a moral and ethical obligation that attaches to the use and possession of another's information. Many forward-thinking companies have recognized that information security and careful protection of confidential consumer information is not only an investment well worth making, but it can even provide a significant competitive advantage.
Compliance is a choice, and in the Information Age, where confidential information is the currency of thieves, it is a choice that every entity should make - large or small, public or private."
Michael Barnett, CITRMS
CEO The Institute of Fraud Risk Management, Inc.
Copyright 2008 by The Institute of Fraud Risk Management, Inc. All rights reserved.
Now is not the time to mince the language into superfine bits and haggle over the definition of "is". That cannot lead to anything productive. This is the time to do the right thing and provide education and procedures for everyone to follow to ensure that each business is doing what it can to safely handle the personal information it keeps, and to prevent it from falling into the wrong hands.
It is all our information that is at stake, yours and mine, not someone else's.