Tuesday, April 14, 2009

ID Theft Red Flags Rule: Are You Ready for May 1? Part 2

In yesterday’s column I wrote about the very positive benefits that can result from an organization initiating an identity theft policy. There is one more important benefit I didn't mention. The very fact that a business has gone through this process shows its commitment to increased awareness and a proactive stand on data theft, and should be made known to the public at large. Do you think that people will tend to choose businesses that have an identity theft program over those that do not? Of course they will, but only if they are aware that the program has been established.

Today I want to focus once again on what makes a business covered, as opposed to those the FTC does not consider covered by this particular law. The Red Flags Rule was written as an addendum to FACTA as a means of defining the circumstances that affected businesses need to focus on when opening new relationships with clients or when revisiting existing ones.
The Commission has identified a number of "red flags" which are indicators of possible identity fraud. Among other steps, anyone handling such information has the responsibility to use a method of verifying such information that has been spelled out in a company identity theft policy. Does this mean that other businesses can ignore this legislation? Absolutely not. That's not all that businesses need to do. There are a host of daily office practices that should be addressed. Also, the critical issue of determining the practices of each service provider or contractor a company uses cannot be overlooked. You share responsibility with each of them. Whether or not a business is considered covered by these rules, it is good business practice to incorporate some of these steps to reduce the risk to the company, and to instill that culture of security within the company. That is simply good risk management policy.

Since last fall, the FTC has promoted an extensive outreach effort to explain the rule in greater detail, speaking at many business conferences, hosting seminars, and using the FTC's dedicated website on ID Theft Red Flags compliance. According to Betsy Broder, Assistant Director, Division of Privacy and Identity Protection for the Federal Trade Commission, many companies that didn't think of themselves as creditors now realize they are a covered entity under this rule.
Broder says the covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," Broder says.

Under the ID Theft Red Flags Rule a creditor is:
· Any entity that regularly extends, renews or continues credit;
· Any entity that regularly arranges for the extension, renewal or continuation of credit;
· Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. But creditors do include:
· Finance companies;
· Automobile dealers;
· Mortgage brokers;
· Utilities;
· Telecommunications companies.

Even healthcare providers who defer payment (provide credit) for patients fall under the creditor status, according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," Broder says.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC's jurisdiction.
With May 1 only a few weeks away, Broder pauses when asked for specific areas the FTC will focus on when enforcing the Red Flags rule. "It is hard to say when we get to enforcement stage what areas or industries we'll be looking at," she says. "But as in past enforcement activities, high-risk entities that have taken virtually no steps to mitigate risk or build a program will be on top of the list."

Taylor and Associates is ready to assist any company, regardless of size or industry, with its identity theft program. We can provide everything from a framework for a working policy to staff training and documentation, including help in reaching out to contractors and vendors to ascertain their policies.

Remember, “When you protect the information you keep on others you are protecting them. When others do it they are protecting you.”

Monday, April 13, 2009

ID Theft Red Flags Rule: Are You Ready for May 1? Part 1

Are businesses profiting from the process of establishing their identity theft response program? With the May 1st deadline fast approaching I found an article today that bears noting.

At a recent conference, an executive from a large creditor company told Betsy Broder, Assistant Director, Division of Privacy and Identity Protection at the Federal Trade Commission, "This Red Flags rule was one of the best business exercises that his company had been through in years." The entire program's development forced the creditor to approach this issue in a much more logical, structured way, so that it now has one document that captures all of the company's fraud detection and response programs. "It made them approach it in a more holistic fashion," Broder says. "For that reason alone, they thought it was a beneficial exercise for them to go through."

I have written numerous pieces here and in other publications about the various benefits of having such a program. Companies can benefit in a number of ways from a culture shift as mentioned above, but also from training. At Taylor and Associates we focus on the benefit to the staff by providing a solid education in identity theft so they can better understand what we mean by identity theft: not only what we see on television and in the newspaper, but also the less understood and potentially more dangerous aspects of the crime. With this increased understanding, employees are more apt to be proactive and protective with the files and information they handle on the job. Once armed with the knowledge of how identity theft can affect them and their families, they are more effective in joining the solution to combat identity theft.

These programs should be individually designed to bring each company into compliance with the law, but also to create the “culture of security” the FTC is trying to establish. This is most effective when management is committed to making the program work and when all staff have been thoroughly oriented on their roles in implementing the program. Add to that the component of vendor oversight and you will have a healthy approach and response to the threat of data loss.

Tomorrow I will visit more of this article as we prepare to meet that May 1st deadline.