Friday, April 3, 2009

Compliance with new Identity Theft legislation

This isn’t the first time I have written about the new Red Flags rule legislation, nor will it be the last apparently. It seems that a lot of business people want to weigh in on their own to declare proudly that they and their business are not covered by that law and to stop bugging them about it.

Here’s the rub with that. Unless you collect cash up front from all of your clients before rendering a service or product, and, have no employees, and do not have any financial relationships with individuals, your business, non-profit or local government agency is considered by the Federal Trade Commission to be covered. Now, my business is completely in step with this and other privacy laws so I really don’t care if your business is compliant or not. I do have the right however to refrain from doing business with you. I’m going to ask you to show me your policy program to prevent identity theft specifically in your company. If you can’t produce that document I will move on to another business. And I will advise everyone to do the same.
Its after May 1st and your business suffered a breach of information. You are required to notify everyone affected that you lost their information, and the federal auditors who will visit your firm are going to ask you to show them your identity theft plan. For your sake and that of your business I hope you can produce it.

Every few days in the last month or so I got an article or legal opinion from a different industry group advising their member businesses that they should be compliant prior to May 1st. Today it was the American Veterinary Medical Association. Last week it was the AM News, the news source for the AMA, the American Dental Association, and a state BAR. The legal profession is among the worst. I’m convinced that you can find General Counsel who will say almost anything the boss wants to hear. I can’t tell you how many GCs have told me outright that their companies don’t have to be concerned with these laws only to find out by actually reading the Act and seeking opinion from privacy specialists that they were wrong. Not to impugn the legal business but why do so many practicing attorneys take the automatic position that someone else is wrong on a subject they themselves know very little about? Pride is a dangerous thing when it is applied to business.

I don't mean to single out lawyers, they are not alone by a long shot. I had a nationally prominent accountancy and investment wealth advisory tell me outright that the FTC had absolutely no oversight of his industry! This finger pointing to the other guy, half-cocked opinions, and squirming leaves me to wonder. “What are these guys all afraid of?”

Now, this might not seem like the most pressing issue of the day to a lot of folks, but to the millions of victims of identity theft it is. And after looking at the penalties that have already been imposed on businesses that have suffered breaches, along with court actions on the part of victims no business wants that kind of liability. I have yet to find a business owner who has been victimized or knows someone who has that is reluctant to initiate an identity theft program for his or her business.
Its April 3rd, 27 days isn’t very long to get your act together

No comments: