Friday, April 3, 2009

Compliance with new Identity Theft legislation

This isn’t the first time I have written about the new Red Flags rule legislation, nor will it be the last apparently. It seems that a lot of business people want to weigh in on their own to declare proudly that they and their business are not covered by that law and to stop bugging them about it.

Here’s the rub with that. Unless you collect cash up front from all of your clients before rendering a service or product, and, have no employees, and do not have any financial relationships with individuals, your business, non-profit or local government agency is considered by the Federal Trade Commission to be covered. Now, my business is completely in step with this and other privacy laws so I really don’t care if your business is compliant or not. I do have the right however to refrain from doing business with you. I’m going to ask you to show me your policy program to prevent identity theft specifically in your company. If you can’t produce that document I will move on to another business. And I will advise everyone to do the same.
Its after May 1st and your business suffered a breach of information. You are required to notify everyone affected that you lost their information, and the federal auditors who will visit your firm are going to ask you to show them your identity theft plan. For your sake and that of your business I hope you can produce it.

Every few days in the last month or so I got an article or legal opinion from a different industry group advising their member businesses that they should be compliant prior to May 1st. Today it was the American Veterinary Medical Association. Last week it was the AM News, the news source for the AMA, the American Dental Association, and a state BAR. The legal profession is among the worst. I’m convinced that you can find General Counsel who will say almost anything the boss wants to hear. I can’t tell you how many GCs have told me outright that their companies don’t have to be concerned with these laws only to find out by actually reading the Act and seeking opinion from privacy specialists that they were wrong. Not to impugn the legal business but why do so many practicing attorneys take the automatic position that someone else is wrong on a subject they themselves know very little about? Pride is a dangerous thing when it is applied to business.

I don't mean to single out lawyers, they are not alone by a long shot. I had a nationally prominent accountancy and investment wealth advisory tell me outright that the FTC had absolutely no oversight of his industry! This finger pointing to the other guy, half-cocked opinions, and squirming leaves me to wonder. “What are these guys all afraid of?”

Now, this might not seem like the most pressing issue of the day to a lot of folks, but to the millions of victims of identity theft it is. And after looking at the penalties that have already been imposed on businesses that have suffered breaches, along with court actions on the part of victims no business wants that kind of liability. I have yet to find a business owner who has been victimized or knows someone who has that is reluctant to initiate an identity theft program for his or her business.
Its April 3rd, 27 days isn’t very long to get your act together

Monday, March 30, 2009

If You Are Me Then Who Am I?

If You Are Me Then Who Am I? The personal and business reality of identity theft

I know I posted a recommendation for this book recently but it bears mentioning again. This book does a good job explaining just where we are with identity theft legislation, what we can do as individuals to protect ourselves, the steps most victims usually encounter when they are trying to go it alone to set the records straight, how the law works (or doesn’t work), and how smart businesses can fight the bleeding of sensitive information from their companies. There is an intersection where privacy law, privacy rights, and identity theft merge. This is really at the crux of what identity theft has become and how it affects us as individuals in more ways than we thought. If You Are Me delves into that rather sticky subject with the same objectivity that they treat the other topics they cover. Seeing the scenarios as they might play themselves out helps you to understand just how critical records accuracy is.

I chose early on to concentrate this column to business related topics. The subject is simply too vast for most mortals to tackle, but not the authors of this book. I recommend it to any privacy professional simply because it will shake up some preconceived notions we all have when our work is focused and rather narrow.The authors of this book have laid out in plain terms what the state of identity theft is right now, and where we have come in the past several years. No one can claim to know what will happen in the future of fighting identity theft so this book takes the intelligent approach of trying to prepare us with information and other tools.

Besides privacy specialists, anyone who thinks they know about identity theft and data loss should read it too.

Bravo to the authors!

Remember, “When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.”