Tuesday, April 14, 2009

ID Theft Red Flags Rule: Are You Ready for May 1? Part 2

In yesterday’s column I wrote about the very positive benefits that can result from an organization initiating an identity theft policy. One more important benefit I didn't mention. The very fact that a business has gone through this process shows the commitment to increased awareness and a proactive stand on data theft, and should be made known to the public at large. Do you think that people will tend to choose businesses that have an identity theft program over those who do not? Of course they will, but only if they are aware that the program has been established.

Today I want to focus once again on the subject of what is a covered business compared to those who are not considered by the FTC to be covered by this particular law. The Red Flags Rule was written as an addendum to FACTA as a means of defining the circumstances that businesses who are affected need to focus on when opening new relationships with clients or when revisiting existing ones.
The Commission has identified a number of "red flags" which are indicators of possible identity fraud. Among other steps, anyone handling such information has the responsiblity to use a method of verification of such information that has been spelled out in a company identity theft policy. Does this mean that other businesses can ignore this legislation? Absolutely not. That's not all that businesses need to do. There are a host of daily office practices that should be addressed. Also the critical issue of determining the practices of each service provider or contractor a company uses cannot be overlooked. You share responsibility with each of them. Whether a business is considered covered by these rules or not it is good business practice to incorporate some of these steps to reduce the risk to the company, and to instill that culture of security within the company. That is simple good risk management policy.

Since last fall, the FTC has promoted an extensive outreach effort to explain the rule in greater detail, speaking at many business conferences, hosting seminars and the FTC's dedicated website on ID Theft Red Flags compliance. According to Betsy Broder, Assistant Director, Division of Privacy and Identity Protection for the Federal Trade Commission, many companies that didn't think of themselves as creditors now realize they are a covered entity under this rule.
Broder says the covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," Broder says.

Under the ID Theft Red Flags Rule a creditor is:
· Any entity that regularly extends, renews or continues credit;
· Any entity that regularly arranges for the extension, renewal or continuation of credit;
· Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. But creditors do include:
· Finance companies;
· Automobile dealers;
· Mortgage brokers;
· Utilities;
· Telecommunications companies.

Even healthcare providers who defer payment (provide credit) for patients also fall under the creditor status, according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," Broder says.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC's jurisdiction.
With May 1 only a few weeks away, Broder pauses when asked for specific areas the FTC will focus on when enforcing the Red Flags rule. "It is hard to say when we get to enforcement stage what areas or industries we'll be looking at," she says. "But as in past enforcement activities, high-risk entities that have taken virtually no steps to mitigate risk or build a program will be on top of the list."

Taylor and Associates is ready to assist any company regardless of size or industry with its’ identity theft program. We can provide everything from a framework for a working policy to staff training and documentation, and including help in reaching out to contractors and vendors to ascertain their policies.

Remember, “When you protect the information you keep on others you are protecting them. When others do it they are protecting you.”

No comments: