Friday, October 9, 2009

So Much for Red Flags?


A Maryland Bank Tosses Personal Records in the Trash.


I am shocked but frankly not surprised to see this story. Even though Banks were among the businesses that were supposed to be Red Flags compliant prior to Nov of 2008 I can guarantee that many are not. it is just as obvious that they do not take the intention of training seriously as is outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as to toss out personal records so haphazardly. The reason is that you are aware of the risks. Prepare the bank employees with the same sensitivity and this story would not have needed to be written. Its not as much about signing off on a compliance document as it is to understand why compliance needs to be done. Since it is the rank and file employee who handles personal information on the job it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.

A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach Full Story

Wednesday, October 7, 2009

What is a Financial Institution or Creditor?

When I speak to business owners about the new Red Flags Rule, (FACTA), I am often confronted by a common response. "We are not a financial institution." I hear that from law firms, accountancys, stock brokerages, and many other types of businesses that by the definitions below are financial institutions.

In an attempt to clarify once and for all what the Federal Trade Commission considers to be a “creditor” or a “financial institution” the links below will hopefully provide a definitive explanation.

The FTC recently clarified that “creditors” covered under the Red Flags Rule are as defined by the Equal Credit Opportunity Act (ECOA). This broad ECOA definition of creditor includes any business that bills or invoices customers after products are delivered or services are rendered.

The ECOA definition includes many small businesses and professionals such as contractors, consultants, lawyers, doctors, retailers and a spectrum of clinics and practices in the health care industry including those that submit medical insurance claims on behalf of patients.

From my business experience, the ECOA definition covers most every business and many public and volunteer sector organizations too, because at least on occasion, most of them bill or invoice for goods or services after they are delivered. An FTC staff attorney said that if a business bills more than once every two years, they should consider the business covered.

Congress Seeks Repeal of HHS Breach Rule

Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the HITECH Act may have been undermined by a Health and Human Services rule, known as the "harm threshold," which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach.Full Story

I was heartened to see this news item. As I have said before harm thresholds give too much discretionary power to the breached entity in determining who and if to notify of a breach of NPI. The point of notification laws is twofold. To put teeth in the data protection legislation so that private and public enterprises will take heed, and also to give potential victims the advantage of an early warning when a breach does occur giving them the opportunity to respond and protect themselves.

While there needs to be a modicum of discretion on the part of investigators of data breaches to not reveal information that might compromise the discovery of evidence, it is the responsibility of the company or agency to make certain the victims are aware of the breach(es).

No business can really afford the fallout from a data breach, both in public confidence and the direct financial losses and fines. A proactive approach to information protection is essential including the identity theft awareness training of all staff regardless of job title.