After a year or more of confusion on the part of businesses and their counsel, the Federal Trade Commission (FTC) has launched a Web site to help businesses and non-profits come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. The site offers articles and guides for helping create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. The FTC has also published a very good guide for businesses that must determine if they have “covered accounts” and how to go forward with their program. I have added a permanent link to the FTC Red Flags site to my links for your convenience.
Coming on the heels of the latest Health Information Technology for Economic and Clinical Health Act (HITECH), which has sweeping new notification requirements and was signed into law by the President Feb 17th as part of the American Recovery and Reinvestment Act, it is now very clear that the government is not only going ahead with FACTA enforcement on May 1st but is also addressing the varying discrepancies in state notification and reporting laws. The new federal notification law has a much lower threshold for reporting and will often constitute the rule for reporting breaches and notifying all affected parties. Go to Ephemeralaw (link below) for a good overview of this new legislation.
Businesses need to take heed of these changes in the law and take the appropriate actions. Not doing so can result in serious penalties.
In spite of confusion and even resistance on the part of some companies, it should be very clear that the paradigm has shifted regarding the protection of sensitive personal information. It is no longer possible to simply get by; every covered business must by law follow specific guidelines or face very serious consequences.
For any entity that identifies itself as needing to be in step with the FACTA Red Flags Rule, Taylor and Associates provides a great deal of the framework for such a plan and policy, including the employee training, documentation, and contractor/service provider oversight, as well as an outline for an actual policy itself for identifying the red flags and a response plan. Any business that wishes more information about that program can contact me by way of my business website in the links portion of this column.