Excerpts from a recent Bank Info Security Article -

"ID Theft Red Flags Rule: How to Help Your Business Customers Comply"
September 8, 2008 - Linda McGlasson - Managing Editor

These covered entities, no matter how small, need to design and implement an identity theft prevention program, George adds...

"Entities need to realize this applies to anyone who defers payment for a good or service," George says. "Even mom and pop stores that offer monthly credit to customers would fall under this rule."

Any interaction where a consumer is not paying up front would make the business a creditor,

"So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," George explains.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors.

With the workplace being the site of more than half of all identity thefts,... executives must "stop thinking about data protection as solely an IT responsibility," more education is necessary.

- "ID Thefts Prevalent at work" Human Resource Executive, April 5, 2007


 

"Identity Theft Red Flag Rules"
 - http://www.FTC.gov/os/2007/10/r611019redflagsfrn.pdf

Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 

Background:
The final rule on Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 implements sections 114 and 315 of that Act, an amendment to the Fair Credit Reporting Act. The purpose of the Rule is to minimize incidents of identity theft and fraud in the opening and maintenance of covered accounts by financial institutions and creditors, and to address address discrepancies encountered by users of consumer reports (credit reports and specialty consumer reports) and by debit or credit card issuers.

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts.

It is important to note that, as with the Disposal Rule and Gramm-Leach-Bliley, the Red Flags Rule does NOT automatically apply to every business. Under the final rule, only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program. For example, a restaurant that accepts credit cards as a means of one-time payment in full by a customer who purchases a meal is not impacted; whereas, a utility company that opens and maintains accounts for its customers is impacted.

Summary of Key Requirements:
The Red Flag Rules recently became effective, in January 2008, and compliance is required by May 1, 2009.

The Federal Trade Commission (FTC) and 5 federal agencies have strengthened the FACTA Law with some recorded Identity Theft Red Flag Rules.

 




 - On Page 10, the responsibility of having an Identity Theft Mitigation Program, Training, and
    an Information Security Officer in place falls on the Board of Directors.

 - On Page 15, it further states that if a "Board of Directors" does not exist, responsibility falls
    on "a designated employee at the level of Senior Management".

 - On Page 21, "Identity Theft" is defined as "a fraud Committed or Attempted using the personal
    identifying information (PII) of another person without authority."

 - On Page 22, it designates that the loss of "one single piece" of Personal Identifiable Information (PII)
    constitutes an "Identity Theft" and places the "at fault company" under penalty provisions
    of the FACT Act of 2005 (FACTA).
             

The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers. In addition, the final rules require users of consumer reports (e.g., credit reports and specialty consumer reports) to develop reasonable policies and procedures as well.

If you are a service provider of a "financial institution" or "creditor", it is important to understand that it is not a matter of Federal Law that you must also implement reasonable policies and procedures for detecting, preventing, and mitigating identity theft of your customers, which in some cases are the employees of the "financial institutions" or "creditors", BUT a matter of "Murphy's Law"!



 

To book a free consultation, view a webinar on how we can potentially assist your company in the areas of Identity Theft, or arrange to have one of our staff speak at your next Chamber or Association event:

 

The person that sent you to this website.

 



 

"We're not looking for a perfect system," ...... "But we need to see that you've taken reasonable steps to protect your customers' information."    

- Betsy Broder, Assistant Director of the FTC's newly formed Division of Privacy and Identity Protection

 

March 2006 - ABA Journal