Tomorrow, May 1st, the Federal Trade Commission will begin the enforcement phase of the Red Flags Rule (FACTA). The FTC estimates that an additional 11 million U.S. businesses must be compliant as of this date. Those 11 million businesses are in addition to the savings and banking institutions that were required to be compliant by November 1st, 2008. The FDIC and NCUA have jurisdiction over the banking industry's practices and will enforce compliance and perform compliance audits within that group.
I have found that a lot of businesses don't understand that they fall under the jurisdiction of the FTC. Mortgage brokers, investment advisors, law groups, and others cite various other regulatory agencies that cover their businesses. What they fail to understand is that the FTC has sweeping jurisdiction over a business's "practices," not necessarily its "functions." When it comes to billing, maintaining accounts, ethical transactional practices, and commerce in general, the FTC is the federal authority. That explains some of the confusion on the part of companies that are used to regulations surrounding the professional services they perform. Agencies and bodies such as the SEC, the Departments of Justice and Commerce, the BLM, and state and national bar associations have authority to regulate certain industry practices, but in this case the FTC is concerned mainly with the "sale of goods or services" to the public and the personal information businesses collect in doing so. The Commission is concerned with protecting the public's right to fair treatment and protection from predatory or irresponsible actions on the part of business. That also extends to the safekeeping of the personal information companies maintain on their clients or customers, and to adopting practices to identify, isolate, and report possible identity fraud.
The FACT Act (2003) and the Red Flags Rule that followed it (2007) were designed in part to protect the personally identifiable information businesses collect in the course of doing business. The rule outlines recommended methods for collecting this type of information, identifying possibly fraudulent information, safeguarding the data once it is collected, and disposing of it once it is no longer of practical use to the business. Other aspects of the rule concern the adoption of a company identity theft policy, the education of employees, and the identity theft policies of contractors and service providers.
Other laws already cover these kinds of practices. The Gramm-Leach-Bliley Safeguards Rule (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) are examples that regulate these practices for specific types of organizations. With the enactment of the Red Flags Rule some of these compliance regulations now overlap, which in my opinion is taking us toward a more universal set of compliance guidelines for all businesses, non-profits, and state and local government agencies to follow. As more data is collected from forensic studies following breaches and identity theft incidents, predictable practices emerge that every entity should follow regardless of industry. We are also closer to a more universal reporting and notification regulation that will, I hope, provide simple bright-line criteria for any affected organization to inform the public when their information is at risk of misuse due to a breach or loss.
It is incumbent on any business or other entity that acts as a "creditor" or "financial institution," as the FTC defines those terms, to assess its risk of data loss and of accepting information that may indicate identity fraud. As I wrote in a previous column, businesses are finding that this kind of assessment helps the company by bringing the issue into focus. Having a plan is essential for a business, whether the plan concerns data loss, identity fraud, or increasing revenue. And no business can afford the fallout from such an incident without one.
As to enforcement, Betsy Broder, Assistant Director for Privacy and Identity Protection at the FTC, made it clear last week that enforcement will begin immediately, starting with the riskiest businesses that have done nothing to date about an identity theft program.
Taylor and Associates can assist any organization with their program, and provide the essential training and documentation required.