Now, as we prepare to enter the enforcement phase of Red Flags Rule compliance, it is important to note that enforcement of the Gramm-Leach-Bliley Act (GLB) and other privacy-based laws is ongoing. GLB sets out compliance recommendations very similar to those of the Fair and Accurate Credit Transactions Act (FACTA):
- The adoption of an identity theft response and prevention plan specific to the business
- The training of all employees on the specific plan
- The oversight of the policies of all contractor businesses and third parties that might have access to nonpublic personal information (NPI).
- A full documentation of the above
- Optionally, offering an identity theft mitigation service to all employees for their individual protection.
All of the above, combined with other procedures specific to each business, comprise a proactive response to the threat of data breaches. That is precisely what the FTC is asking every business to do: establish a proactive program to mitigate the risk of a breach and train all employees on their roles in protecting the data. If you include in the training a general awareness of identity theft as it affects the individual, you create the "culture of security" that is essential in today's world.
The guidelines set out in GLB and again in FACTA affect virtually every business in America, either directly as a covered entity or as a service provider to a business that is directly covered. The new HIPAA regulations under the HITECH Act, along with new state and federal breach reporting laws, will soon make it mandatory for virtually all businesses to adopt such a plan.
While August 1st is set as the enforcement date for the Red Flags Rule, now is the time for businesses, non-profits, municipalities, school districts, etc., to put such plans in place and get their staff up to speed. In the programs I help my clients initiate, the staff training meeting takes 45 minutes to an hour to complete. With that and a short meeting with management, the framework can be in place. It can be much simpler to accomplish than it seems at first.