Adrs Flip Chart With Red Flags Rev4


Business Identity Theft Training

  • ID Theft is now an Epidemic. NY Times: IDT is Epidemic; Aberdeen Group: IDT at 300% growth ($); Gartner Group: IDT increasing at 79% (#); USPS: Operation IDT Crisis; FTC’s Top Complaint 5 years In A Row; USA Today: Why Is IDT at Epidemic Proportions?; Foundation for Taxpayers & Consumer rights: Epidemic of IDT takes Heavy Toll
  • Employee Confidentiality Document: acts as a good faith step in attempting to comply with FACTA, GLB, HIPAA, etc.
  • This disclaimer is given to protect the instructor and will last about 2 minutes.
  • Adrs Flip Chart With Red Flags Rev4

    1. With Dan Cassin, CITRMS
    2. Identity Theft: The Next Corporate Liability Wave
       “Your phone rings. It’s Special Agent Bret Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered that the personal data appears to have come from your company. The victims are your customers, employees & vendors.
       Your mind begins to spin. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
       You recall reading that each identity theft victim will on average spend $1,495.00, excluding attorney’s fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2,000 per victim. Multiplying that by 10,000 customer-victims equals $20 million. Adding as little as $15 per hour for the victims’ time and you get $11,000 per case or a total of $110 million in total even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales. [ed. And before attorney’s fees!]
       Corporate Counsel, March 30, 2005
    3. Identity Theft: Your Next Corporate Liability?
       The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.”
       ed. large & small
       Corporate Counsel, March 30, 2005
    4. What we will cover the next few minutes
       • The Problem of Identity Theft
         • What ID Theft is in reality
         • Laws related to ID Theft that punish your business
       • Best Answer to Problem
         • Layered Protection
         • ID Theft Program and Training
         • Implementing reasonable steps at little or No Cost that will lower your risk and minimize your exposure
    5. BLR: Business and Legal Reports. By: Douglas, Hottle, Meyer, Unkovic & Scott
       “A rise in identity theft is presenting businesses with a major headache”. Employers are being held liable for identity theft (by employees) that occurs in the workplace. Identity Theft is the misuse or fraudulent use of an individual’s personal information. Unfortunately for employers, personal data such as social security, driver’s license and bank account numbers is precisely what is contained in HR files, a goldmine for ID thieves.
       9/19/2006
    6. ID Thefts Prevalent at Work
       • The workplace is the site of more than half of all identity thefts, ... executives must "stop thinking about data protection as solely an IT responsibility". More education is necessary.
       – Human Resource Executive, May 2007
    7. Five Common Types of Identity Theft
       • Drivers License
       • Medical Info
       • Financial or Credit
       • Social Security
       • Character/Criminal
       Identity Theft is not just about Credit Cards! It is a Legal Issue! ID Theft is an international crime and access to an attorney may be critical.
    8. Where the law becomes logical
       • Once the credit systems accept bad data it can be next to impossible to clear. (USA Today, June 5, 2007)
       • Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult. (WSJ, Oct 11, 2007)
       • Because it is so overwhelming to correct the victims’ records it is imperative for businesses to protect the data.
    9. The Cost to Businesses
       • Employees can take up to 600 hours, mainly during business hours, to restore their identities
       • “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*
       • “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
       *CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
    10. Should I be concerned about ID Theft?
        Why should all Executives/Owners of businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about Identity Theft, Data Security, FACTA-Red Flag Rules, GLB Safeguard Rules, and State Legislation?
        Answer: Liability, both civil and criminal.
    11. Important Legislation
        • FACTA-Red Flag Rules
        • Fair Credit Reporting Act
        • Gramm-Leach-Bliley Safeguard Rules
        • Individual State Laws (e.g. NCITPA & Texas Whistle Blower Statute)
        Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
    12. Fair and Accurate Credit Transactions Act (FACTA)
        • Applies To Every Business And Individual Who Maintains, Or Otherwise Possesses, Consumer Information (including Employee & Vendor info) For A Business Purpose.
        • Employee or Customer information lost under the wrong set of circumstances may cost your company:
          • Federal and State Fines of $2500 per occurrence
          • Civil Liability of $1000 per occurrence
          • Class action Lawsuits with no statutory limitation
          • Responsible for actual losses of Individual ($92,893 Avg.)
        (New rules are substantive and impose additional new requirements effective January 1, 2008)
    13. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
        ESTABLISHMENT OF AN IDENTITY THEFT PREVENTION PROGRAM
        • Must develop and implement a written Identity Theft Prevention Program (Program).
        • Must obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors.
        • Or if the business does not have a board of directors it must have a designated employee at the level of senior management. Small Businesses are not exempt.
        • The oversight, development, implementation and administration of the Program must be performed by an employee at the level of senior management.
    14. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
        TRAINING STAFF TO EFFECTIVELY IMPLEMENT THE PROGRAM
        • A Culture of Security must be established at all businesses.
        • Personally Identifiable Information (PII) and Non-Public Information (NPI) such as Social Security numbers, driver’s license numbers, etc., must be protected as if they were loose cash because the loss of PII can be more devastating than the loss of cash, since cash can be replaced.
        • All staff who could possibly have access to PII/NPI inside or outside the business must be trained so that they understand why the information needs to be protected and that there are legal consequences for not doing it. This is necessary to effectively implement an identity theft prevention program.
    15. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
        SERVICE PROVIDERS AND SUBCONTRACTORS
        • Liability follows the data.
        • A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
        • Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
        • Additionally, contractors with whom you exchange PII are required to comply and have reasonable policies and procedures in place to protect information.
    16. Fair Credit Reporting Act (FCRA)
        If an Employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the Employer is subject to FCRA requirements.
    17. Gramm-Leach-Bliley Safeguard Rules
        • Eight Federal Agencies and any State can enforce this law
        • Applies To Any Organization That Maintains Personal Financial Information Regarding Its Clients Or Customers
        • Non Public Information (NPI) lost under the wrong set of circumstances may result in:
          • Fines up to $1,000,000 per occurrence
          • Up to 10 Years Jail Time for Executives
          • Removal of management
          • Executives within an organization can be held accountable for non-compliance both civilly and criminally
    18. FACTA-Red Flag Rule & Gramm-Leach-Bliley Safeguard Rules
        Applies to any Organization Including:
        • Financial Institutions*
        • School Districts
        • Credit Card Firms
        • Insurance Companies
        • Lenders
        • Brokers
        • Car Dealers
        • Accountants
        • Financial Planners
        • Real Estate Agents
        * The FTC categorizes an impressive list of businesses as FI and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
    19. FACTA Red Flag Rules and the GLB Safeguard Rules
        Require businesses to:
        • Appoint in writing an Information Security Officer.
        • Develop a written ID Theft protection plan & policy to protect Non-Public Information for employees and customers.
        • Hold mandatory training for employees who have access to Non-Public Information.
        • Oversee Service Provider compliance arrangements
    20. FTC Guide, Protecting Personal Information: A Guide For Business
        Suggests that companies should:
        • “Create a culture of security by implementing a regular schedule of employee training” (pg 17)
        • “Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)
    21. ABA Journal, March 2006
    22. “We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
        - “Stolen Lives”, ABA Journal, March 2006
    23. Law Firms Are Trolling for Victims
        Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.
        Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.
    24. Why and How We Help You…
        • Set up Reasonable Steps To Protect NPI/PII
        • Help Create a “Culture of Security”
        • Set up a potential Affirmative Defense
        • Help Protect employees and customers while potentially decreasing your company exposure
    25. Affirmative Defense Response System
        • We start the compliance process for your Company by providing templates for the written ID Theft security plan and the appointment of the security officer.
        • To assist your company with compliance issues we will conduct a mandatory training required by law for your employees at no cost to you. We will explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim and why their and your customers’ personal information needs to be protected.
        • We do all of this at no direct cost to your company*.
        *There is a fee for Future Training and Consultation to assist with policies and implementing the program beyond this.
    26. What We Do: 1. Mandatory Meeting Letter
    27. What We Do: 2. Appoint a Security Compliance Officer
        February 1, 2008
        [insert employee designee]
        RE: Appointment of Security Compliance Officer
        Dear [employee]:
        As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible to design, implement and monitor a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors.
        As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuous monitoring of the program and procedures.
        As Security Officer, [Company] will provide you access to training courses and materials on a continuing basis.
        Thank you for your commitment to [Company].
        Sincerely,
        [Company]
        Chief Executive Officer
    28. What We Do: 3. ID Theft Plan & Sensitive & Non Public Information Policy (First of four pages)
    29. What We Do: 4. Reduce Company Losses (* Subject To Terms And Conditions)
        In the event of a data breach, we may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train and offer your employees a payroll deduction benefit that includes:
        • Credit Monitoring,
        • Full Restoration and
        • Access to Legal Counsel
        which means employees who participate in this program may reduce your company’s exposure. The majority of the time in restoring an employee’s identity is covered by the memberships and not done on company time or at company expense. Also, use of our Life Events Legal Plan provides help* that addresses related legal issues.
        Life Events Legal Plan & Legal Shield; Monitoring Services; Restoration Services
    30. What We Do: 5. Potential Early Warning System
        If a number of your employees get notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach which could further reduce your losses.
    31. What We Do: 6. Provide an Affirmative Defense
        BLR: “Provides an Affirmative Defense for the company.”
        “One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer . . . identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."
        Business and Legal Reports, January 19, 2006
    32. What We Do: 7. Provide Proof You Offered A Mitigation Plan – Checklist
    33. What We Do: 8. Mitigation Planning
        Use of Confidential Information by Employee
        To potentially protect yourself, you should have all employees sign this document…
        • It makes Employees aware of their legal responsibilities to protect NPI
        • It serves as proof that handlers of NPI have completed the mandatory training required by law
        Be Sure To Check With Your Attorney Before Using A Form Such As This
    34. What We Do: 8. Mitigation Planning Continued
        This form or one similar to it is required by the FTC for all of your employees*
        * FTC – Protecting Personal Information A Guide For Business pg 15
    35. What You Need To Do Next
        Take Action Today!
        • to protect your business
        • to protect your clients
        • to protect your employees
        • to protect your vendors
    36. What You Need To Do Next
        Take Action Today!
        • Talk with Dan or leave him your card.
        • Set up a time to talk with Dan about ADRS employee training.
        • Schedule a training with your employees ASAP.
        • Set up your ADRS program w/ Dan.
        • Sign up for the ID Theft/Legal Plan benefit for you and your employees.
    37. Legal Advisory Council
        • Mike Moore served as Attorney General of Mississippi from 1988 to 2004.
        • Grant Woods served as Attorney General of Arizona from 1991 to 1999.
        • Andrew Miller served as Attorney General of Virginia from 1970 to 1977.
        • Duke Ligon is Senior VP & General Counsel for Devon Energy Corporation.
        The Advisory Council was established to provide quality counsel and advice regarding the marketing to employee groups.
    38. Disclaimer
        • The laws discussed in this presentation are, like most laws, constantly amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
        • The instructor is not an attorney, and the information provided is not to be taken as legal advice.
        • The Affirmative Defense Response System provides compliance training, but your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.