Friday, April 3, 2009

Compliance with new Identity Theft legislation

This isn’t the first time I have written about the new Red Flags rule legislation, nor will it be the last apparently. It seems that a lot of business people want to weigh in on their own to declare proudly that they and their business are not covered by that law and to stop bugging them about it.

Here’s the rub with that. Unless you collect cash up front from all of your clients before rendering a service or product, have no employees, and do not have any financial relationships with individuals, your business, non-profit or local government agency is considered by the Federal Trade Commission to be covered. Now, my business is completely in step with this and other privacy laws, so I really don’t care if your business is compliant or not. I do have the right, however, to refrain from doing business with you. I’m going to ask you to show me your written policy program to prevent identity theft in your company. If you can’t produce that document I will move on to another business. And I will advise everyone to do the same.

It’s after May 1st and your business has suffered a breach of information. You are required to notify everyone affected that you lost their information, and the federal auditors who will visit your firm are going to ask you to show them your identity theft plan. For your sake and that of your business I hope you can produce it.

Every few days in the last month or so I got an article or legal opinion from a different industry group advising their member businesses that they should be compliant prior to May 1st. Today it was the American Veterinary Medical Association. Last week it was the AM News, the news source for the AMA, the American Dental Association, and a state BAR. The legal profession is among the worst. I’m convinced that you can find General Counsel who will say almost anything the boss wants to hear. I can’t tell you how many GCs have told me outright that their companies don’t have to be concerned with these laws only to find out by actually reading the Act and seeking opinion from privacy specialists that they were wrong. Not to impugn the legal business but why do so many practicing attorneys take the automatic position that someone else is wrong on a subject they themselves know very little about? Pride is a dangerous thing when it is applied to business.

I don't mean to single out lawyers, they are not alone by a long shot. I had a nationally prominent accountancy and investment wealth advisory tell me outright that the FTC had absolutely no oversight of his industry! This finger pointing to the other guy, half-cocked opinions, and squirming leaves me to wonder. “What are these guys all afraid of?”

Now, this might not seem like the most pressing issue of the day to a lot of folks, but to the millions of victims of identity theft it is. And after looking at the penalties that have already been imposed on businesses that have suffered breaches, along with court actions on the part of victims, no business wants that kind of liability. I have yet to find a business owner who has been victimized, or knows someone who has, that is reluctant to initiate an identity theft program for his or her business.

It’s April 3rd; 27 days isn’t very long to get your act together.

Monday, March 30, 2009

If You Are Me Then Who Am I?

If You Are Me Then Who Am I? The personal and business reality of identity theft

I know I posted a recommendation for this book recently, but it bears mentioning again. This book does a good job explaining just where we are with identity theft legislation, what we can do as individuals to protect ourselves, the steps most victims usually encounter when they are trying to go it alone to set the records straight, how the law works (or doesn’t work), and how smart businesses can fight the bleeding of sensitive information from their companies. There is an intersection where privacy law, privacy rights, and identity theft merge. This is really at the crux of what identity theft has become and how it affects us as individuals in more ways than we thought. If You Are Me delves into that rather sticky subject with the same objectivity with which the authors treat the other topics they cover. Seeing the scenarios as they might play themselves out helps you to understand just how critical records accuracy is.

I chose early on to concentrate this column on business-related topics. The subject is simply too vast for most mortals to tackle, but not for the authors of this book. I recommend it to any privacy professional simply because it will shake up some preconceived notions we all have when our work is focused and rather narrow. The authors of this book have laid out in plain terms what the state of identity theft is right now, and where we have come in the past several years. No one can claim to know what will happen in the future of fighting identity theft, so this book takes the intelligent approach of trying to prepare us with information and other tools.

Besides privacy specialists, anyone who thinks they know about identity theft and data loss should read it too.

Bravo to the authors!

Remember, “When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.”

Wednesday, March 25, 2009

Compliance? Fugeddaboutit!

In my work of helping businesses to meet standards of compliance with FACTA and GLB requirements I constantly run into lazy attitudes regarding encryption, and basic steps like not recycling photocopies with sensitive data on them, locking files away, and so forth. For example, I was in a bank recently giving a talk on how data is stolen, and in the office area where I was speaking the Chief Loan Officer had his computer monitor facing the street by way of a huge picture window only 5 feet away. And in plain view of the public walking by!

The bottom line for me is pretty simple. Given the attitude on the part of businesses of all types and sizes, and the massive holes in the PCI DSS and state notification legislation, why is everyone wringing their hands wondering what to do? Get a real (read: professional) identity theft service that will actually help you when you need it, and largely put the issue to rest. This is not to say that we can stop pursuing compliance on the part of business. That is going to take a lot longer than necessary due to the reluctance of business to comply with some simple procedures. The problem for us is that identity thieves aren't going to wait. This set of crimes is increasing every year, and shows no signs of slowing down. I am addressing what we as individuals can do right now to protect ourselves proactively.

In 2001 I was a victim of identity theft that cost me over $26,000 to solve (is it really solved? I don't know) and 2+ years of agony. I can say without reservation that if I had the service I have now it wouldn't have cost me one dime more than my service. Not so incidentally, $26,000 is over 18 years of my identity theft service, and it protects both my wife and me. Is that a cost-effective service? I think so.

Now we are facing the Electronic Records Initiative as part of the economic recovery package. This is designed to compile all of our medical records in "cloud" servers available to, well, almost everyone. While this can be a massive cost savings to the health care industry, and potentially a great advantage for the individual when we seek medical help or prescriptions, it also opens a whole new set of security problems to solve. Medical identity theft is the fastest growing category of identity theft, and potentially the most dangerous. It can cost you your life. When will Americans wake up and realize that identity theft is a vast subject and a simple fraud alert or monitoring service will not help? And waiting to be a victim so your employer will buy you a year of free monitoring is not very smart either. We all need to take the initiative ourselves and stop our victim mentality.

How long did it take business to install ramps for people who needed them? The ADA has been around for decades and we are still fighting that one. What makes anyone think this will be any different? Surely there are laws with very stiff penalties, but mere laws won’t stop a good old American business from ignoring the facts. Even when this is presented as the right thing to do, appealing to a business owner’s sense of right and wrong, a lot of them still don’t get it. Legislation is seen as an invasion by a business owner regardless of the nature of the law and its intention. It's an automatic reaction. The brain reels at the idea of compliance, a signal is sent throughout the body and, voila! Knee jerk! They see this as something they have to do for someone else that just gets in the way. I have often said that when you protect the information you keep on others you are protecting them. When someone else does it they are protecting you. Any business owner who has been a victim of identity theft does not have to be convinced that these laws are worthwhile. In fact, in my experience they are eager to develop a plan to protect information, and are looking for guidance on implementing such a plan.

Until such a time when all business and users of personal information take data security seriously we as the public need to take the initiative to safeguard ourselves. Don’t wait for them; it is a dangerous game with very high stakes for you. And without a good restorative service to be your advocate you will be left largely alone to suffer the misery of trying to fight the system in clearing your name and records.

Red Flag rules Deadline May 1st

This morning William Morriss, who is co-author of the blog Ephemeralaw, made the following post, written by his colleagues Jane Shea and Gretchen Ackerman (see links).

I cannot find a way to improve on the research and work they have done, so I have obtained permission to post the article as published. As the controversy swirls about like a hot potato, the May 1st deadline is fast approaching. I think one of the saddest aspects of this is that the individual is lost in the argument. And it is the individual that is supposed to be protected by these new rules. Compliance doesn’t have to hurt, and for most every business it need not be a financial burden. In the words of Kirk Nahra, a noted expert in privacy law: “It’s the right thing to do.” Once again, here is a solid article written by professionals, and aimed at businesses in America as a wake-up call. For more from Ephemeralaw there is a link to their writings in my links below.

Thank you William, Jane, and Gretchen

Red Flag Rules - Deadline May 1

My colleagues Jane Shea and Gretchen Ackerman have published a new business advisory on the FTC red flag rules. I am posting it here with permission.

The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA. The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.
Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:

- identify relevant Red Flags, and then incorporate those Red Flags into the Program;
- detect such Red Flags;
- respond appropriately to any Red Flags to prevent and mitigate identity theft; and
- ensure that the Program is updated periodically to reflect changes in risks to customers.

What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate.

They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules. Thus, the Guidelines provide, with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. Examples include:

- a fraud or active duty alert is included with a consumer report;
- a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
- a consumer reporting agency provides a notice of address discrepancy;
- identification documents appear to be forged;
- inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient;
- inconsistencies between personally identifying information provided and that obtained from external information sources;
- a new revolving credit account is used in a manner commonly associated with known patterns of fraud.

Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf.
This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required. Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available will depend on whether the violations are "negligent" or "willful." For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.
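As an added example (not part of the advisory or this blog), here is a small Python screen that applies the Red Flag categories listed above to constructed account-opening records and maps the result to a response decision; the field names, alert codes and the response policy are assumptions for illustration, not anything the Rules themselves prescribe.

```python
# Added example: a minimal Red Flag screen for new covered-account applications.
# Field names, alert codes and the response policy below are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Consumer-reporting-agency notices named in the advisory's examples (category 1).
CRA_ALERTS = {"fraud_alert", "active_duty_alert", "credit_freeze", "address_discrepancy"}


@dataclass
class Application:
    """One new-account application plus what an external check returned."""
    name: str
    address: str
    ssn_last4: str
    report_alerts: list = field(default_factory=list)   # codes from the consumer report
    external_address: Optional[str] = None              # address from an outside source
    external_ssn_last4: Optional[str] = None            # SSN digits from an outside source
    id_document_ok: bool = True                         # False = document looks forged/altered
    appearance_matches_id: bool = True                  # in-person check against photo ID


def _norm(s: str) -> str:
    """Normalise an address so 'St.' vs 'St,' and spacing do not cause false flags."""
    return " ".join(s.lower().replace(",", " ").replace(".", " ").split())


def screen(app: Application) -> list:
    """Detect step: return (category, detail) pairs for every Red Flag found."""
    flags = []
    for code in app.report_alerts:                       # category 1: CRA alerts
        if code in CRA_ALERTS:
            flags.append(("cra_alert", code))
    if not app.id_document_ok:                           # category 2: suspicious documents
        flags.append(("suspicious_document", "identification appears forged"))
    if not app.appearance_matches_id:
        flags.append(("suspicious_document", "appearance inconsistent with identification"))
    if app.external_address and _norm(app.external_address) != _norm(app.address):
        flags.append(("suspicious_pii", "address differs from external source"))   # category 3
    if app.external_ssn_last4 and app.external_ssn_last4 != app.ssn_last4:
        flags.append(("suspicious_pii", "SSN differs from external source"))
    return flags


def respond(flags: list) -> str:
    """Respond step under an assumed policy: never open an account while flags are unresolved."""
    if not flags:
        return "open"
    if any(d in ("fraud_alert", "active_duty_alert", "credit_freeze") for _, d in flags):
        return "hold: contact applicant via consumer report details before opening"
    return "hold: manual identity verification required"


if __name__ == "__main__":
    # Constructed sample records, not real applicants.
    clean = Application("Ann Example", "12 Elm St, Springfield", "1234",
                        external_address="12 Elm St., Springfield", external_ssn_last4="1234")
    risky = Application("Bob Example", "9 Oak Ave, Springfield", "9999",
                        report_alerts=["fraud_alert", "address_discrepancy"],
                        external_address="400 Pine Rd, Capital City", id_document_ok=False)
    for app in (clean, risky):
        found = screen(app)
        print(app.name, "->", respond(found), found)
```

The screen only covers the document- and report-based categories; unusual account activity (category 4) and third-party notices (category 5) need transaction history and an intake channel that this example does not model.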

Monday, March 23, 2009

A New Link

I am proud to add a new link to this blog site. John Gardner has been a professional friend and consultant for several years. John, or perhaps his wife and partner Elizabeth, once coined a phrase, "It's hard being right... early," when in 2005 they predicted against all odds (and some ridicule) that medical identity theft was going to be a major problem. Less than 3 years later medical identity theft has indeed become a very serious problem with millions of victims... so far.

John co-authored a very comprehensive new book on identity theft from the perspectives of both individuals and business owners, titled "If You Are Me Then Who Am I? The personal and business reality of identity theft." This book goes much further into the subject of identity theft and data loss than any previous book available to the public.

Additionally, John has begun his own website and commentary. For his opinions and positions please go to his site listed in my links.

Friday, March 20, 2009

Identity Theft Policy and Your Rights.

I imagine that by now you have heard a great deal about steps all of us can take to prevent identity theft. Indeed there are things we can and should do to reduce our exposure to information theft. Shred credit card offers and bill statements before tossing them out in the trash. Check your bank and credit card statements as soon as they arrive in the mail, and report any suspicious items to the bank immediately. Don’t carry your Social Security card in your wallet or purse. Check your credit report often, or better yet have an identity theft monitoring service so you will know your credit report status at all times. If you use a computer then you face another set of privacy issues. You need sturdy firewall software protection. Never open suspicious emails, especially ones containing attachments. These are just a few of the measures we all need to take, and they are a critical part of our culture of personal security. The sooner these kinds of activities become part of our routine, the better off we are.

But when was the last time anyone spoke to you about your legal rights to have your personal information protected by someone like your Alma Mater or your County clerk?

It has been a while since I wrote about all of the databases and lists where your personal information is kept. The bank comes to mind as a perfect example. Certainly they have some pretty personal stuff about your financial status and probably your SSN, home address, phone number, etc. How would you feel if they lost it to thieves? Well, there are literally thousands of places where your personal information is held: your high school, college, medical records, property deeds, Human Resources files at your work, the federal government, your county records. The list is almost endless. So-called specialty databases like the Casualty and Loss databases kept by Choicepoint track every insurance claim made in your name. What if those entries are the result of identity theft? These and many other databases are kept on all of us, and the accuracy of those records is absolutely crucial. The problem is that databases are hacked and stolen constantly. The businesses that hold your information are supposed to have procedures in place to protect that data from being lost, published, corrupted, or stolen. The problem is that a lot of them are not adhering to the government guidelines. A promise, a wink, and a really good IT guy are no longer sufficient. There are no excuses for poor or even non-existent identity theft policies and practices on the part of any company. The government, by way of the FTC and other agencies, has the power to prosecute the companies who have shirked their responsibilities.

Back in 2008 a new law went into effect that required all banks, S&Ls and Credit Unions in the United States to adopt written policy guidelines and response plans regarding data loss and identity theft. It outlines very specific procedures to be on the lookout for that might indicate possible identity theft. It is hard to say whether all banks have successfully completed that compliance or not. But we have the right to ask the bank to show us that policy, and the bank is obligated to produce it. It would certainly be among the first questions I would ask when shopping for a new bank. I would strongly advise everyone to exercise that right before doing business with any financial institution. Your personal data is at risk and you have the right to see that they are taking appropriate steps to protect it. Make them prove it to you.

As of May 1st of 2009 most every other business in the US will also have to adopt a similar identity theft prevention plan as called for in the 2007 FACTA red flags rule amendment. This would pertain to utility companies, accountants, real estate agencies, doctors’ and dentists’ offices, attorneys, universities, private and public school districts, local government authorities, department stores, medical clinics, any company that maintains a payroll, and anywhere you might have any sort of payment plan. Again, I strongly urge everyone to ask for that policy before entrusting your personal information to that business if at all possible. It is your right, and it is their obligation to produce the documents after May 1st.

Identity theft is now the most reported white-collar crime in the world. In the US alone we see an estimated 8 to 10 million victims each year. The great majority of identity thefts are the result of data taken from databases, and to a lesser degree of personal theft. So it is incumbent on all business to comply with the government’s mandated guidelines for the safekeeping of all personal information held on clients and employees alike.

The next time you consider any new business relationship, or check on the businesses that you currently have relationships with, please exercise that right to know how your personal information is being treated. Ask to see the policy document; they must show it to you. And for business owners, it is equally important for you to examine the identity theft prevention policy of any other business with whom you share data, such as HR or payroll services, accountancies, or even office cleaning services.

Only by participation in such compliance on the part of every business can we begin to turn the tide of this rampant theft and sale of personal information. The formula is very simple: there is very little cost for most businesses, and it can only result in a decrease in crime and a lowered risk for businesses and their executives.

Wednesday, March 18, 2009

Google?

The Electronic Privacy Information Center epic.org yesterday asked the U.S. Federal Trade Commission to investigate the privacy and security safeguards of Google's cloud computing services, reports the New York Times. The formal complaint requests that the commission look into Google Docs, Gmail and other cloud services offered by the company. The filing cites a breach earlier this month involving Google Docs. "We think the time is right for the FTC to look more closely at cloud computing services," said EPIC executive director Marc Rotenberg. A Google spokesperson said: "We are highly aware of how important our users' data is to them and take our responsibility very seriously."