Wednesday, June 17, 2009

FTC Issues Consent Order Against Nutter & Co.

The Federal Trade Commission (FTC) yesterday issued a consent order against James B. Nutter & Company for violations of the Gramm-Leach-Bliley Act privacy and safeguards rules. The commission found that the mortgage lender failed to: maintain a written information security program; adequately protect information stored on its network; institute appropriate security measures for personal information on its network; and provide adequate privacy notices, among other violations. The notice sets out actions the company must take as a result, including an order requiring biennial third-party assessments for the next 10 years. Privacy expert Rebecca Herold, CIPP, says: "This case demonstrates the long-term consequences of not implementing a strong information security program."Full Story

Now as we prepare to enter the enforcement phase of Red Flags Rule compliance it is important to note that enforcement of GLB and other privacy-based laws is ongoing. GLB has very similar recommendations as FACTA regarding compliance.
  • The adoption of an identity theft response and prevention plan specific to the business
  • The training of all employees on the specific plan
  • The oversight of the policies of all contractor businesses and 3rd parties that might have access to NPI.
  • A full documentation of the above
  • Optionally offering a mitigating identity theft service to all employees for their individual protection.

All of the above combined with other procedures specific to each business comprise a proactive response to the threat of data breaches. That is precisely what the FTC is asking every business to do, establish a proactive program to mitigate the risk of breach and train all employees on their roles to protect the data. If you include in the training a general awareness of identity theft as it affects the individual you create the "culture of security" that is essential in todays' world.

The guidelines set out in GLB and again in FACTA affect almost virtually every business in America either directly as a requirement, or as a service provider for a business that is directly covered. The regulations under a new HIPAA (HITECH), initiative along with new states and federal breach reporting laws will soon make it mandatory for virtually all businesses to adopt such a plan.

While August 1st is set as the enforcement phase date for the Red Flags Rule now is the time for businesses, non-profits, municipalities, school districts, etc, to put such plans in place and get the staff up to speed. In the programs I help my clients initiate, the staff training meeting lasts from 45 minutes to an hour to complete. That along with a short meeting with management and the framework can be in place. It can be much simpler to accomplish than it seems at first.

3 comments:

Sean D. Fleming said...

HIPPA and GLB compliance does not ask for a company to do anything with ID Theft. Not Sure where your getting your information from.

Sean D. Fleming said...

GLBA are laws to make companies secure personal and corporate data by having IT security, Audits of the security in place, training about security and more. The GLBA itself does not set a guideline for financial institutions and neither does HIPPA or HITECH instruct health care providers and facilities to adopt any ID Theft Plan at all. Furthermore, It is the RedFlag Rule itself that states creditors and financial institutions to The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of red flags.

The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.

It is important to note that all businesses not under the redflag rules. There are some business that are only under the FTC disposal rule that covers companies that use consumer reports. This is still not all businesses.

AMIT said...

Good article written.Nice post.

Finance Bookmark