Thursday, April 30, 2009

This Just In!

Red Flags Rule on Enforcement Eve

The FTC's Red Flags Rule goes into effect tomorrow. The rule intends to help prevent identity theft, reports InternetNews.com. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," said Tiffany George, an attorney for the FTC's division of privacy and identity protection. Prepping for compliance involves businesses' identifying their "red flags"--early indicators of suspicious or fraudulent activity. Compliance has come easily for some organizations affected by the rule, but for others the task has been more daunting. Some businesses have been surprised to find they fall under the rule's definition of "creditor." Full Story

FACTA Red Flags Rule enforcement begins

Tomorrow, May 1st, the Federal Trade Commission will begin the enforcement phase of the Red Flags Rule (FACTA). The FTC estimates that an additional 11 million U.S. businesses must be compliant as of this date. These 11 million businesses are in addition to the savings and banking institutions that were to be compliant prior to November 1st of 2008. The FDIC and NCUA have jurisdiction over the banking industry’s practices and will enforce compliance and perform compliance audits within that group.

I have found that a lot of businesses don't understand that they are under the jurisdiction of the FTC. For example, mortgage brokers, investment advisors, law groups, and others cite various regulatory agencies that cover their businesses. What they fail to understand is that the FTC has sweeping jurisdiction over the business “practices”, not necessarily the business “functions”, of these types of businesses. When it comes to billing, maintaining accounts, ethical transactional practices, and commerce in general, the FTC is the federal authority. That can explain some of the confusion on the part of companies who are used to regulations surrounding the professional services they perform. Agencies and bodies such as the SEC, the Departments of Justice and Commerce, the BLM, etc., and state and national bar associations have authority to regulate certain industry practices, but the FTC is concerned mainly in this case with the “sale of goods or services” to the public and the personal information businesses collect. The Commission is concerned with the protection of the public's rights to fair treatment and protection from (sic) predatory or irresponsible actions on the part of business. That also extends to the safekeeping of the personal information companies maintain on their clients or customers, and adopting practices to identify, isolate, and report possible identity fraud.

The FACT Act (1999) and subsequently the Red Flags Rule (2007) were designed in part to protect the personally identifiable information businesses collect in the course of doing business. The rule outlines recommended methods for collecting this type of information, identifying possibly fraudulent information, safekeeping it once it is collected, and disposing of the data once it is no longer of practical use to the business. Other aspects of the rule concern the adoption of a company identity theft policy, the education of employees, and the identity theft policies of contractors and service providers.

Other laws also cover these kinds of practices. The Gramm-Leach-Bliley Safety Rule (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) are examples; they regulate these practices for specific types of organizations. With the enactment of the Red Flags Rule, some of these compliance regulations now overlap, which in my opinion is taking us toward a more universal set of compliance guidelines for all businesses, non-profits, and state and local government agencies to follow. As more data is collected from forensic studies following breaches and identity theft episodes, predictable practices emerge that all entities should follow regardless of industry. We are also closer to a more universal reporting and notification regulation that will hopefully provide simple bright-line criteria for any affected organization to inform the public when their information is at risk of misuse due to a breach or loss.

It is incumbent on any business or other entity that acts as a “creditor” or “financial institution”, as defined by the FTC, to assess that entity's risk of data loss or of accepting information that may indicate identity fraud. As I wrote in a previous column, businesses are finding that this kind of assessment is helpful to the company because it brings the issue into focus. Having a plan is essential for a business, whether it is about data loss, identity fraud, or increasing revenue. And no business can afford the fallout from such an episode without a plan.

As to enforcement, Betsy Broder, Assistant Director for Privacy and Identity Protection at the FTC, made it clear last week that enforcement will begin immediately and will start with the highest-risk businesses that have done nothing to date toward an identity theft program.

Taylor and Associates can assist any organization with their program, and provide the essential training and documentation required.

Thursday, April 23, 2009

Study: Lost Laptops = Big Bucks

From today's IAPP bulletin:

The Mercury News reports on the results of an Intel-commissioned study on business costs associated with lost or stolen laptops. Over five months, researchers from the Ponemon Institute examined 138 lost-laptop incidents across 29 business and government organizations. The typical cost per laptop to employers was $49,246. Much of the expense derives from the valuable sensitive data contained on the missing machines. "With each lost laptop there is the risk that sensitive data about customers, employees and business operations will end up in the wrong hands," according to the Ponemon report. Full Story

Monday, April 20, 2009

HEALTHCARE PRIVACY IN THE U.S.

As the American Recovery and Reinvestment Act of 2009 (ARRA) unfolds, businesses are going to have to pay attention. This legislation will affect everyone in some way, and knowledge of the law and how it pertains to business will be the responsibility of each business's board of directors or owner.

The Department of Health and Human Services (HHS) on Friday published guidance aimed at helping entities secure and protect health information. "Protecting patient privacy is a top priority and this guidance specifies proactive steps organizations can take to limit the potential harm a breach can cause," said HHS spokesperson Nick Papas. The guidance stems from requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act. It covers the standards for what makes PHI "secured," and a request for information related to the security breach notification requirements. Full Story

Just as the Red Flags Rule (FACTA) affects most businesses, including those not accustomed to FTC oversight, the HITECH Act will also change the way businesses collect and use personal medical information.

Tuesday, April 14, 2009

ID Theft Red Flags Rule: Are You Ready for May 1? Part 2

In yesterday’s column I wrote about the very positive benefits that can result from an organization initiating an identity theft policy. There is one more important benefit I didn't mention. The very fact that a business has gone through this process shows a commitment to increased awareness and a proactive stance on data theft, and it should be made known to the public at large. Do you think people will tend to choose businesses that have an identity theft program over those that do not? Of course they will, but only if they are aware that the program has been established.

Today I want to focus once again on what makes a business covered, compared to those the FTC does not consider covered by this particular law. The Red Flags Rule was written as an addendum to FACTA to define the circumstances that affected businesses need to focus on when opening new relationships with clients or when revisiting existing ones.
The Commission has identified a number of "red flags" that are indicators of possible identity fraud. Among other steps, anyone handling such information has the responsibility to use a method of verifying it that has been spelled out in a company identity theft policy. Does this mean that other businesses can ignore this legislation? Absolutely not. And verification is not all that covered businesses need to do. There is a host of daily office practices that should be addressed. The critical issue of determining the practices of each service provider or contractor a company uses also cannot be overlooked; you share responsibility with each of them. Whether or not a business is considered covered by these rules, it is good business practice to incorporate some of these steps to reduce the risk to the company and to instill that culture of security within it. That is simply good risk management policy.

Since last fall, the FTC has mounted an extensive outreach effort to explain the rule in greater detail, speaking at many business conferences, hosting seminars, and maintaining a dedicated website on ID Theft Red Flags compliance. According to Betsy Broder, Assistant Director, Division of Privacy and Identity Protection for the Federal Trade Commission, many companies that didn't think of themselves as creditors now realize they are covered entities under this rule.
Broder says covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but on whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," Broder says.

Under the ID Theft Red Flags Rule a creditor is:
· Any entity that regularly extends, renews or continues credit;
· Any entity that regularly arranges for the extension, renewal or continuation of credit;
· Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. But creditors do include:
· Finance companies;
· Automobile dealers;
· Mortgage brokers;
· Utilities;
· Telecommunications companies.

Even healthcare providers who defer payment (provide credit) for patients fall under creditor status, according to the rule. Any interaction where a consumer does not pay up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," Broder says.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC's jurisdiction.
With May 1 only a few weeks away, Broder pauses when asked which specific areas the FTC will focus on when enforcing the Red Flags Rule. "It is hard to say when we get to enforcement stage what areas or industries we'll be looking at," she says. "But as in past enforcement activities, high-risk entities that have taken virtually no steps to mitigate risk or build a program will be on top of the list."

Taylor and Associates is ready to assist any company, regardless of size or industry, with its identity theft program. We can provide everything from a framework for a working policy to staff training and documentation, including help in reaching out to contractors and vendors to ascertain their policies.

Remember, “When you protect the information you keep on others you are protecting them. When others do it they are protecting you.”

Monday, April 13, 2009

ID Theft Red Flags Rule: Are You Ready for May 1? Part 1

Are businesses profiting from the process of establishing their identity theft response programs? With the May 1st deadline fast approaching, I found an article today that bears noting.

At a recent conference, an executive from a large creditor company told Betsy Broder, Assistant Director, Division of Privacy and Identity Protection at the Federal Trade Commission, that "this Red Flags rule was one of the best business exercises that his company had been through in years." The entire program's development forced the creditor to approach this issue in a much more logical, structured way, so that it now has one document that captures all of the company's fraud detection and response programs. "It made them approach it in a more holistic fashion," Broder says. "For that reason alone, they thought it was a beneficial exercise for them to go through."

I have written numerous pieces here and in other publications about the various benefits of having such a program. Companies can benefit in a number of ways from a culture shift, as mentioned above, but also from training. At Taylor and Associates we focus on the benefit to the staff by providing a solid education in identity theft so they can better understand what we mean by the term: not only what we see on television and in the newspaper, but also the less understood and potentially more dangerous aspects of the crime. With this increased understanding, employees are more apt to be proactive and protective with the files and information they handle on the job. Once armed with the knowledge of how identity theft can affect them and their families, they are more effective in joining the solution to combat identity theft.

These programs should be individually designed to bring each company into compliance with the law, but also to create the “culture of security” the FTC is trying to establish. This is most effective when management is committed to making the program work and all staff have been thoroughly oriented on their roles in implementing the program. Add the component of vendor oversight and you will have a healthy approach and response to the threat of data loss.

Tomorrow I will visit more of this article as we prepare to meet that May 1st deadline.

Monday, April 6, 2009

FTC Launches Red Flags Website

After a year or more of confusion on the part of businesses and their counsel, the Federal Trade Commission (FTC) has launched a Web site to help businesses and non-profits come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. The site offers articles and guides to help create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. The FTC has also published a very good guide for businesses that must determine whether they have “covered accounts” and how to go forward with their program. I have added a permanent link to the FTC Red Flags site to my links for your convenience.

Coming on the heels of the Health Information Technology for Economic and Clinical Health Act (HITECH), which has sweeping new notification requirements and was signed into law by the President on Feb 17th as part of the American Recovery and Reinvestment Act, it is now very clear that the government is not only going ahead with FACTA enforcement on May 1st but is also addressing the discrepancies among state notification and reporting laws. The new federal notification law has a much lower threshold for reporting and will often set the rule for reporting breaches and notifying all affected parties. Go to Ephemeralaw (link below) for a good overview of this new legislation.

Businesses need to take heed of these changes in the law and take the appropriate actions. Not doing so can result in serious penalties.

In spite of confusion and even resistance on the part of some companies, it should be very clear that the paradigm has shifted regarding the protection of sensitive personal information. It is no longer possible to simply get by; every covered business must by law follow specific guidelines or face very serious consequences.

For any entity that identifies itself as needing to comply with the FACTA Red Flags Rule, Taylor and Associates provides a great deal of the framework for such a plan and policy, including employee training, documentation, and contractor/service provider oversight, as well as an outline for the policy itself for identifying the red flags and a response plan. Any business that wishes more information about that program can contact me through my business website in the links portion of this column.