If an employer obtains, requests or uses consumer reports or investigative consumer reports for employment purposes, such as background screening, then the employer is subject to FCRA requirements.
http://www.ftc.gov/os/statutes/031224fcra.pdf
"Fair and Accurate Credit Transactions Act (FACTA)"
The Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952 (the "FACT Act" or "Act"), was signed into law on December 4, 2003. In part, the Act amends the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. 1681 et seq.
In an effort to help fight what has become the fastest-growing crime in the U.S., identity theft, Congress added new sections to the federal Fair Credit Reporting Act (FCRA) when it passed FACTA, the Fair and Accurate Credit Transactions Act of 2003. Privacy, limits on information sharing, and new consumer rights to disclosure and accuracy are all addressed. However, these new provisions also create serious new responsibilities, and potential liabilities, for businesses nationwide. Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.
Ready or not, it’s time to get familiar with FACTA, and develop a
reasonable plan to reduce and mitigate potential risks as much as
possible.
The Federal Trade Commission (FTC) has created a new Division of Privacy and Identity Protection to focus on aggressive enforcement of identity theft cases. Betsy Broder, the Assistant Director of that FTC division, was quoted in the March 2006 American Bar Association Journal as saying that complying with FACTA means businesses need to have a written plan describing how customer data will be safeguarded, and a staff member or company officer designated to be responsible for implementing that plan. Broder went on to say, “We’re not looking for a perfect system. But we need to see that you’ve taken responsible steps to protect your customers’ information.”
Broder says she understands that small
businesses cannot be expected to hire a full-time privacy
specialist, but added that all businesses must be able to show that
they have a security plan in place.
According to the FTC, a “reasonable” plan to safeguard personal information includes:
- Appoint or re-appoint an "Information Security Officer" (or officers)
- Develop a written "Sensitive Information Policy"
- Train your employees (create a culture of security)
- Create an "Identity Theft Mitigation Program": this mitigation plan should kick in when there is a privacy or security breach and there is a need to “repair it” immediately in the eyes of customers, government regulators, and management.
A sensible and effective program will go a long way towards reducing
the risk of federal government enforcement, even if the security
policy should fail in a particular situation and a security breach
results.