Wednesday, March 25, 2009

Compliance? Fugeddaboutit!

In my work of helping businesses meet the compliance standards of FACTA and GLB, I constantly run into lazy attitudes toward encryption and toward basic steps like not recycling photocopies with sensitive data on them, locking files away, and so forth. For example, I was in a bank recently giving a talk on how data is stolen, and in the office area where I was speaking the Chief Loan Officer had his computer monitor facing the street through a huge picture window only 5 feet away, in plain view of the public walking by!

The bottom line for me is pretty simple. Given the attitude on the part of businesses of all types and sizes, and the massive holes in the PCI DSS and state notification legislation, why is everyone wringing their hands wondering what to do? Get a real (read: professional) identity theft service that will actually help you when you need it, and largely put the issue to rest. This is not to say that we can stop pursuing compliance on the part of business. That is going to take a lot longer than necessary due to the reluctance of business to comply with some simple procedures. The problem for us is that identity thieves aren't going to wait. This set of crimes is increasing every year and shows no signs of slowing down. I am addressing what we as individuals can do right now to protect ourselves proactively.

In 2001 I was a victim of identity theft that cost me over $26,000 to solve (is it really solved? I don't know), and 2+ years of agony. I can say without reservation that if I had had the service I have now, it wouldn't have cost me one dime more than my service. Not so incidentally, $26,000 is over 18 years of my identity theft service, and it protects both my wife and me. Is that a cost-effective service? I think so.

Now we are facing the Electronic Records Initiative as part of the economic recovery package. This is designed to compile all of our medical records on "cloud" servers available to, well, almost everyone. While this can be a massive cost savings to the health care industry, and potentially a great advantage for the individual when we seek medical help or prescriptions, it also opens a whole new set of security problems to solve. Medical identity theft is the fastest growing category of identity theft, and potentially the most dangerous: it can cost you your life. When will Americans wake up and realize that identity theft is a vast subject and a simple fraud alert or monitoring service will not help? Waiting to be a victim so your employer will buy you a year of free monitoring is not very smart either. We all need to take the initiative ourselves and stop our victim mentality.

How long did it take business to install ramps for people who needed them? The ADA has been around for decades and we are still fighting that one. What makes anyone think this will be any different? Surely there are laws with very stiff penalties, but mere laws won't stop a good old American business from ignoring the facts. Even when this is presented as the right thing to do, appealing to a business owner's sense of right and wrong, a lot of them still don't get it. Legislation is seen as an invasion by a business owner regardless of the nature of the law and its intention. It's an automatic reaction. The brain reels at the idea of compliance, a signal is sent throughout the body and, voila! Knee jerk! They see this as something they have to do for someone else that just gets in the way. I have often said that when you protect the information you keep on others, you are protecting them; when someone else does it, they are protecting you. Any business owner who has been a victim of identity theft does not have to be convinced that these laws are worthwhile. In fact, in my experience they are eager to develop a plan to protect information, and are looking for guidance on implementing such a plan.

Until such time as all businesses and users of personal information take data security seriously, we as the public need to take the initiative to safeguard ourselves. Don't wait for them; it is a dangerous game with very high stakes for you. And without a good restorative service to be your advocate, you will be left largely alone to suffer the misery of trying to fight the system in clearing your name and records.

Red Flag rules Deadline May 1st

This morning William Morriss, co-author of the blog Ephemeralaw, made the following post, written by his colleagues Jane Shea and Gretchen Ackerman (see links).
I cannot find a way to improve on the research and work they have done, so I have obtained permission to post the article as published. As the controversy swirls about like a hot potato, the May 1st deadline is fast approaching. I think one of the saddest aspects of this is that the individual is lost in the argument, and it is the individual that is supposed to be protected by these new rules. Compliance doesn't have to hurt, and for almost every business it need not be a financial burden. In the words of Kirk Nahra, a noted expert in privacy law: "It's the right thing to do." Once again, here is a solid article written by professionals and aimed at businesses in America as a wake-up call. For more from Ephemeralaw, there is a link to their writings in my links below.

Thank you William, Jane, and Gretchen

Red Flag Rules - Deadline May 1

My colleagues Jane Shea and Gretchen Ackerman have published a new business advisory on the FTC red flag rules. I am posting it here with permission.

The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA. The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.

Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:

- identify relevant Red Flags, and then incorporate those Red Flags into the Program;
- detect such Red Flags;
- respond appropriately to any Red Flags to prevent and mitigate identity theft; and
- ensure that the Program is updated periodically to reflect changes in risks to customers.

What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate.

They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules. Thus, the Guidelines provide with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. Examples include:

- a fraud or active duty alert is included with a consumer report;
- a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
- a consumer reporting agency provides a notice of address discrepancy;
- identification documents appear to be forged;
- inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient;
- inconsistencies between personally identifying information provided and that obtained from external information sources;
- a new revolving credit account is used in a manner commonly associated with known patterns of fraud.

Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf. This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required. Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available will depend on whether the violations are "negligent" or "willful." For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.

Monday, March 23, 2009

A New Link

I am proud to add a new link to this blog site. John Gardner has been a professional friend and consultant for several years. John, or perhaps his wife and partner Elizabeth, once coined a phrase: "It's hard being right... early," when in 2005 they predicted, against all odds (and some ridicule), that medical identity theft was going to be a major problem. Less than 3 years later, medical identity theft has indeed become a very serious problem with millions of victims... so far.

John co-authored a very comprehensive new book on identity theft from the perspectives of both individuals and business owners, titled "If You Are Me Then Who Am I? The Personal and Business Reality of Identity Theft." This book goes much further into the subject of identity theft and data loss than any previous book available to the public.
Additionally, John has begun his own website and commentary. For his opinions and positions, please go to his site listed in my links.