Monday, May 4, 2009

Adopting a Written Identity Theft Policy

In light of the recent extension by the FTC of the compliance phase of the new Red Flags Rule (FACTA) I began to wonder what business execs must be thinking. Are they simply in the dark as to whether their business is considered to be covered under this legislation? Are they unclear about being within the jurisdiction of the FTC? Are businesses confused about what compliance entails? Are they concerned about the costs, or a disruption in business? Are they fearful that compliance might expose serious flaws in their current practices? Or is the hubris such that they don't believe this is real and won't affect them? After all, some believe that if they have never had a problem so far, why should they think it might happen now? One question I might ask is: how do you know for certain that it hasn't happened yet? One very reliable national statistic out recently noted the results of interviewing thousands of small business owners. Only 6% of the small business owners surveyed could positively state that their business had not been the source of stolen data or identity fraud. It only takes a disgruntled or recently downsized employee a few minutes to download files onto a CD or flash drive and walk out. That can set into motion a very nasty series of events, starting with identity theft episodes and lawsuits, and, because of state notification rules, a possible loss of clients due to a lack of confidence. That is before the federal government steps in. The FTC has the authority to levy fines, prosecute, and require extensive audits. And the business may never discover the source of the loss. As more people lose their jobs in the economic downturn, cases like these are happening more often at businesses, medical facilities, local government agencies, and schools throughout the country.
Another relevant question is simply to ask what is the downside of a compliance program? After all, businesses comply with regulations all the time. They comply because the risk is such that non-compliance can be too costly, and of course because it is the right thing to do for reasons of safety or fairness.

I have studied the identity theft laws and regulations on both the state and federal levels sufficiently to know that they are fairly written and do attempt to stem the tide of data theft and fraud. Let's take the Red Flags Rule for example. Assessing risk and adopting an appropriate program is a very flexible part of the law. Companies are the best estimators of their own risk if they are willing to accept that the risk does exist and that there is always room for improvement. Training everybody on staff is the single most powerful part of the compliance procedure. After all, it is the employees of a business who handle the data that is to be safeguarded and tested for accuracy. If everyone on staff knows what to do and how to respond to problems, you put a serious dent in the risk to the company. Now, what company does not want to lower risk?

This should not be a topic for debate. It is the right thing to do for reasons of fairness and safety, and for most entities it can be done at very little or no cost. Every business, whether covered or not, should implement a reasonable program for its business. Where now is the downside?

If I ran a business that shared sensitive personal information on my employees with the business next door to mine, which happens to be my payroll service, and I adopted a program such as described in the Red Flags Rule, would I want that company next door to do the same? Yes! Is it because if I went through it so should he? After all, it is only fair. No. It is because legally we share the responsibility and the risk. Only by both of us adopting a plan do we, both businesses, lower our shared risk even more. That is the idea here. That is the reason for this law: for businesses to adopt a plan and see to it that the companies they share such information with do the same. The net result should be lower risk to all of our businesses. Who are the winners? All of us as individuals are the winners. Our personal information is safeguarded and properly vetted as accurate, meaning that identity thieves have less of a chance to co-opt our accounts, open new ones, and take over our good name. Shouldn't that be the goal of a good identity theft law? In 2008 there were an estimated 10 million U.S. victims of financial and non-financial identity theft combined. In 2008 businesses directly lost nearly $50 billion to identity theft. Could a well written identity theft law, if applied, have an effect on those numbers? I think so. Let's try it and see. What is the downside?

Taylor and Associates is prepared to assist any business with its program. Concerned about the sheer cost of using counsel to write a relevant plan for the board to adopt? We have taken care of that. We offer a framework for such a policy that any business can use and adapt to its individual needs. This policy framework was written by specialists in privacy law to be consistent with the law, with former Attorneys General as our panel of consultants. So now we have nearly or completely eliminated that cost. Next we train the staff. Do you need to hire expensive training consultants to perform that function? No. We are specially qualified as identity theft specialists to handle that as well. The cost? How about an hour of their time. That is your cost for the training. We gather the staff together in as many meetings as it will take to eventually see everyone and give them a solid hour of orientation on the company policy as adopted by the board, and include awareness of the realities of identity theft for themselves and their families. After all, identity theft can occur anywhere to anyone, no exceptions. Next we have to identify the person(s) responsible for administering the program for the business. Lastly, in this case, we make notifications and communicate with the other businesses about your program and inquire about theirs. In any compliance program, documentation is necessary to prove that compliance steps were taken and when. We provide all of the necessary documentation for everything mentioned above. After the program is begun we follow up as needed to update the program for all of our client businesses.

Now, let's add up the costs for these compliance services:
1. Written policy $0
2. Employee training $0 (one hour of time in mandatory company meetings)
3. Letters and documentation $0
4. Notification letters and follow up with 3rd party and contractor businesses $0

No one can estimate the savings of a reduction in risk and potential liability. It cannot be done. Significantly lowering the risk of lawsuits and of a loss of public confidence that results in losing customers could make the difference between whether a business survives or fails in the most extreme cases, and at the least it can prevent identity theft. There is no downside to establishing an identity theft prevention program.
When can we start?
