Affirmative Defense Response System (ADRS)

Mitigating damages and reducing risk before, during and after a data breach occurs is what ADRS is all about. A system that shows "every good faith effort" at protecting the NonPublic Personal Information (NPI) of your customers, employees, and vendors as mandated by the FTC.

Transcript

  • 1. Affirmative Defense Response System (ADRS) MINIMIZE YOUR RISK
  • 2. Today’s Topics
    • The Problem of Identity Theft
      • What identity theft is in reality
      • Laws related to identity theft that affect employers, executives and business owners
    • Best Answer to Problem
      • Layered protection
      • Identity theft program and training
      • Implementing reasonable steps at little or no cost that will lower your risk and minimize your exposure
  • 3. Who Is Being Held Responsible
    • “A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”
      • Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006
  • 4. Identity Theft Prevalent at Work
    • “With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”
      • “ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007
  • 5. Five Common Types of Identity Theft: Drivers License, Medical, Financial, Social Security, Character/Criminal
    • Identity theft is not just about credit cards.
    • It is a legal issue!
    • It is an international crime and access to an attorney may be critical.
  • 6. Where the Law Becomes Logical
    • Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data.
    • “Once the credit systems accept bad data it can be next to impossible to clear.” USAToday, June 5, 2007
    • “Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007
  • 7. The Cost to Businesses
    • Employees can take up to 600 hours, mainly during business hours, to restore their identities
    • “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*
    • “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
    *CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
  • 8. Ask Yourself This Question
    • Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about identity theft, FACTA-Red Flag Rules, GLB Safeguard Rules, and state legislation?
    • Answer: Liability, both civil and criminal.
  • 9. Important Legislation
    • FACTA and FACTA Red Flag Rules
    • Fair Credit Reporting Act
    • Gramm-Leach-Bliley Safeguard Rules
    • Individual State Laws
    Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You
  • 10. Fair and Accurate Credit Transactions Act (FACTA)
    • This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.
    • Employee or customer information lost under the wrong set of circumstances may cost your company:
      • Federal and State fines of $2500 per occurrence
      • Civil liability of $1000 per occurrence
      • Class action lawsuits with no statutory limitation
      • Responsible for actual losses of an individual ($92,893 Avg.)
    Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  • 11. FACTA Red Flag Rules
    • Red Flag Rules recently became effective in January 2008, and compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:
      • Must develop and implement a written privacy and security program.
      • Must obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors. Or if the business does not have a board of directors it must have a designated employee at the level of senior management. Small businesses are not exempt.
      • The oversight, development, implementation and administration of the program must be performed by an employee at the level of senior management.
    Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  • 12. FACTA Red Flag Rules
    • These rules also provide that covered accounts, creditors and businesses must also ensure their service providers and subcontractors comply and have reasonable policies and procedures in place. The rules state:
      • Liability follows the data.
      • A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
      • Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
      • Contractors with whom the covered accounts exchange personally identifiable information (PII) are required to comply and have reasonable policies and procedures in place to protect information.
    Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  • 13. Fair Credit Reporting Act (FCRA)
    • If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the employer is subject to FCRA requirements.
    • www.ftc.gov/os/statutes/031224fcra.pdf
    Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  • 14. Gramm-Leach-Bliley Safeguard Rules
    • Eight Federal Agencies and any State can enforce this law
    • This law applies to organizations that maintain personal financial information regarding their clients or customers.
    • Non-Public Information (NPI) lost under the wrong set of circumstances may result in:
      • Fines up to $1,000,000 per occurrence
      • Up to 10 Years Jail Time for Executives
      • Removal of management
      • Executives within an organization can be held accountable for non-compliance both civilly and criminally
    Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  • 15. Privacy and Security Laws
    These laws apply to any organization including:
    • Financial Institutions (FI)*
    • Schools
    • Credit Card Firms
    • Insurance Companies
    • Lenders
    • Brokers
    • Car Dealers
    • Accountants
    • Financial Planners
    • Real Estate Agents
    * The FTC categorizes an impressive list of businesses as FI and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
    Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You
  • 16. Privacy and Security Laws
    • These laws require businesses to:
      • Appoint, in writing, an Information Security Officer
      • Develop a written plan and policy to protect non-public information for employees and customers
      • Hold training for all employees
      • Oversee service provider arrangements
    Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You
  • 17. Protecting Personal Information: A Guide For Business
    • This FTC publication suggests that companies should:
      • “Create a culture of security by implementing a regular schedule of employee training” (pg 17)
      • “Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)
      • “Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)
  • 18. Protecting Personal Information: A Guide For Business
    • “Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . .” (pg 19)
    • Your liability follows your data . . .
  • 19. ABA Journal March 2006
  • 20.
    • “‘We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
      • “Stolen Lives”, ABA Journal, March 2006
  • 21. Law Firms Are Looking for Victims
    • “Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
    • “Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”
  • 22. Why and How We Help You…
    • Set up reasonable steps to protect non-public information (NPI)/personally identifiable information (PII)
    • Help create a “Culture of Security”
    • Set up a potential Affirmative Defense
    • Help protect employees and customers while potentially decreasing your company exposure
  • 23. Affirmative Defense Response System
    • We start the compliance process for your Company by providing templates for the appointment of the security officer and the written ID Theft security plan.
    • To assist your company with compliance issues we will conduct a training required by law for your employees. We will also explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim and why their and your customers’ personal information needs to be protected.
    • We do all of this at no direct cost to your company.
  • 24. 1. Appointment of Security Compliance Officer
  • 25. 2. Sensitive Information Policy and Program
  • 26. 3. Privacy and Security Letter
  • 27. 4. May Reduce Company Losses* (*Subject To Terms And Conditions)
    • In the event of a data breach, this may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train on privacy and security laws and offer your employees a payroll deduction benefit that includes:
      • Credit Monitoring
      • Full Restoration
      • Access to Legal Counsel
    • This means employees who participate in this program may reduce your company’s exposure. The majority of the time in restoring an employee’s identity is covered by the memberships and not done on company time and/or company expense. Also, use of our Life Events Legal Plan provides help* that addresses related issues.
    Life Events Legal Plan & Legal Shield Monitoring Services Restoration Services
  • 28. 5. Potential Early Warning System
    • If a number of your employees are notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach which could further reduce your losses.
  • 29. 6. May Provide an Affirmative Defense
    • BLR says this “Provides an Affirmative Defense for the company.”
    • “One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."”
      • Business and Legal Reports, January 19, 2006
  • 30. 7. Provide Proof You Offered A Mitigation Plan to Your Employees – Check Off Sheet
  • 31. 8. Mitigating Damages: Use of Confidential Information by Employee
    • It makes Employees aware of their legal responsibilities to protect NPI
    • It serves as proof that handlers of NPI have completed the training required by law
    To potentially protect yourself, you should have all employees sign this document…
    Be Sure To Check With Your Attorney Before Using A Form Such As This
  • 32. 8. Continued – This form or one similar to it is required by the FTC for all employees*
    * FTC – Protecting Personal Information: A Guide For Business, pg 15
  • 33. Disclaimer
    • The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
    • The associate is not an attorney, and the information provided is not to be taken as legal advice.
    • Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.
    • Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.
  • 34. Legal Advisory Council
    • The Advisory Council was established to provide quality counsel and advice.
    • Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp
    • Grant Woods, Advisory Council Member, Former Arizona Attorney General
    • Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General
    • Mike Moore, Advisory Council Member, Former Mississippi Attorney General
  • 35. Take Charge
    • Just like other State and Federal laws, privacy and security laws are not optional. We can assist your company in starting the compliance process before a data breach, loss, or theft affects your employees or customers!
    • We can help provide a solution! When would you like to schedule your employee training?