
Identity Theft Red Flags Rule for Business


This presentation covers the FACTA Identity Theft Red Flags Rule and other legislation that businesses must comply with in preventing and reducing identity theft in the workplace.

Published in: Business

  1. Identity Theft Red Flags Rule: “Reducing Identity Theft in the Workplace”
     1-877-288-9230 toll free, 704-307-2127 local
  2. What We Will Cover
     • The Problem of Identity Theft
       • What ID Theft is in reality
       • Laws related to ID Theft that punish your business
       • Best Answer to Problem
       • Layered Protection
       • ID Theft Program and Training
       • Implementing reasonable steps that will lower your risk and minimize your exposure
  3.
     • BLR: Business and Legal Reports
     • By: Douglas, Hottle, Meyer, Unkovic & Scott
     • “A rise in identity theft is presenting businesses with a major headache.” Employers are being held liable for identity theft that occurs in the workplace.
     • Identity theft is the misuse or fraudulent use of an individual’s non-public information (NPI). Unfortunately for employers, personal data such as birthdates, Social Security, driver’s license, credit card, and bank account numbers is precisely what is contained in HR and customer files, which are a goldmine for ID thieves.
  4. ID Thefts Prevalent at Work
     • With the workplace being the site of more than half of all identity thefts, ... executives must "stop thinking about data protection as solely an IT responsibility". More education is necessary. (Human Resource Executive, May 2007)
     • Data Breaches: As of Jan. 21, 2009, over 251 million data records of U.S. residents have been exposed due to security breaches since Jan 05.
     • Note: As of 2007, the U.S. population is a little over 300 million.
  5. Utility Companies In the News
     • April 1, 2006: Con Edison (New York). Con Edison shipped 2 cartridge tapes to JP Morgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees’ W-2 data, including names, addresses, SSNs, taxes paid and salaries. Number affected: 15,000 Con Edison employees.
     • May 4, 2006: Idaho Power Co. (Boise, ID). Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company’s CEO. Number affected: unknown.
     • June 16, 2006: Union Pacific (Omaha, NE). On April 29th, an employee’s laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers. Number affected: 30,000.
     • Aug. 25, 2006: Dominion Resources (Richmond, VA). Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Number affected: unknown.
     • Aug. 2, 2007: E.On U.S. (energy services) (Louisville, KY). A laptop with names, SSNs and birth dates of most E.On U.S. employees and some retirees was stolen last month. Number affected: unknown.
     • Dec. 4, 2007: Indianapolis Power and Light (Indianapolis, IN). The private information of thousands of customers was inadvertently posted online for up to four years. Data included names, addresses and Social Security numbers. Number affected: 3,000.
  6. Seven Largest Security Breaches
     • TJ Maxx and Marshalls: over 94 million card numbers stolen between 2004 and 2007.
     • Hannaford Brothers and Sweetbay Grocery Stores: data thieves snagged 4.2 million credit card numbers from the chain between Dec. 2007 and Feb. 2008. Close to 2,000 cases of fraud were reported.
     • Western Express International was found to be harvesting a powerful credit card operation, responsible for trafficking 95,000 stolen card numbers. Seventeen employees were indicted!
     • According to the research firm Data Loss DB, more than 4.07 million individuals had their healthcare records compromised last year. Two of them were Britney Spears and Farrah Fawcett, and the records were sold by a California hospital worker.
     • Data thieves snuck past the security systems of CardSystems Solutions, compromising over 40 million card accounts in 2005.
     • An international ring of hackers stole an untold number of credit card numbers from the Dave & Buster’s restaurant chain by installing software on the company’s national servers. Reported losses were in excess of $600,000.
  7. Five Common Types of Identity Theft
     • Driver’s License
     • Social Security
     • Medical
     • Character/Criminal
     • Financial
     Identity Theft is not just about Credit Cards! It is a Legal Issue! ID Theft is an international crime and access to an attorney may be critical.
  8. Where the law becomes logical
     • Once the credit systems accept bad data it can be next to impossible to clear. (USA Today, June 5, 2007)
     • Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult. (WSJ, Oct 11, 2007)
     Because it is so overwhelming to correct the victims’ records, it is imperative for businesses to protect the data.
  9. The Cost to Businesses
     • Employees can take up to 600 hours, mainly during business hours, to restore their identities.
     • “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*
     • “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
     *CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
  10. Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about Identity Theft, FACTA Red Flag Rules, GLB Safeguard Rules, HIPAA, and State Legislation?
     Answer: Liability, both civil and criminal. Plus, unlimited class action lawsuits!
     Creditors and Financial Institutions: Are You in Compliance with the FTC?
  11. Other Important Legislation to Watch Out For Compliance
     • Fair Credit Reporting Act
     • Gramm-Leach-Bliley Safeguard Rules
     • HIPAA Security Rule
     • Individual State Laws (i.e. NCITPA & Texas Whistle Blower Statute)
     Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You
  12. Fair and Accurate Credit Transactions Act (FACTA)
     • Applies To Every Business And Individual Who Maintains, Or Otherwise Possesses, Consumer Information For A Business Purpose.
     • Employee or Customer information lost under the wrong set of circumstances may cost your company:
       • Federal and State Fines of $2500 per occurrence
       • Civil Liability of $1000 per occurrence
       • Class action Lawsuits with no statutory limitation
       • Responsibility for actual losses of the Individual ($92,893 Avg.)
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  13. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by May 1, 2009)
     • ESTABLISHMENT OF AN IDENTITY THEFT PREVENTION PROGRAM
     • Must develop and implement a written Identity Theft Prevention Program (Program).
     • Must obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors.
     • Or, if the business does not have a board of directors, it must have a designated employee at the level of senior management. Small Businesses are not exempt.
     • The oversight, development, implementation and administration of the Program must be performed by an employee at the level of senior management.
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  14. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by May 1, 2009)
     • TRAINING OF STAFF TO EFFECTIVELY IMPLEMENT THE PROGRAM
     • A Culture of Security must be established at all businesses.
     • Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, etc., must be protected as if it were loose cash, because the loss of PII can be more devastating than the loss of cash, since cash can be replaced.
     • All staff who could possibly have access to PII within or without the business must be trained so that they understand why the information needs to be protected and that there are legal consequences for not doing it. This is necessary to effectively implement an identity theft prevention program.
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  15. FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by May 1, 2009)
     • SERVICE PROVIDERS AND SUBCONTRACTORS
     • Liability follows the data.
     • A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
     • Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
     • Additionally, contractors with whom you exchange PII are required to comply and have reasonable policies and procedures in place to protect information.
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  16. Fair Credit Reporting Act (FCRA)
     • If an Employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the Employer is subject to FCRA requirements.
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  17. Gramm-Leach-Bliley Safeguard Rules
     • Eight Federal Agencies and any State can enforce this law
     • Applies To Any Organization That Maintains Personal Financial Information Regarding Its Clients Or Customers
     • Non Public Information (NPI) lost under the wrong set of circumstances may result in:
       • Fines up to $1,000,000 per occurrence
       • Up to 10 Years Jail Time for Executives
       • Removal of management
       • Executives within an organization can be held accountable for non-compliance both civilly and criminally
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  18. HIPAA Security Rule
     • April 21, 2005 - Scope broadened on April 21, 2006
     • Applies To Any Organization Or Individuals Who Retain Or Collect Health Information Or Employee Health Benefits.
     • Medical information lost under the wrong set of circumstances may result in:
       • Fines up to $250,000 per occurrence
       • Up to 10 Years Jail Time for Executives
     Please Consult Your Attorney On How the Law Applies Specifically To You
  19. FACTA Red Flags Rule, the GLB Safeguard Rules, and HIPAA Security Rule
     • Require businesses to do the following:
       • Appoint in writing an Information Security Officer or Committee by the Board of Directors.
       • Develop a written ID Theft protection plan & policy to protect Non-Public Information for employees and customers.
       • Hold mandatory training for employees who have access to Non-Public Information.
       • Oversee Service Provider arrangements.
       • So, even if your business is not required to have a Red Flags Rule Program, other legislation may require you to!
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  20. Identity Theft & Security Program Requirements
     • Initial Risk Assessment for Red Flags in organization.
     • Action Plan based on identifying ALL Red Flags to respond to patterns, practices, or specific activities that could indicate the potential for identity theft.
     • Policies and Procedures Manual, i.e. What do we do when a “breach” occurs?, etc.
     • Train Staff on Program Implementation and IDT.
     • New Account Authentication (all consumer accounts).
     • Validate Change of Address Requests.
     • Identity Theft Protection (all consumer & HR records).
     • Update Program to Respond to and Address New Identity Theft Trends.
  21. Who is Responsible to Oversee Based on the Red Flags Rule
     • Your organization’s Compliance Officer / Information Security Officer / Chief Privacy Officer (or designated employee) will complete the comprehensive Initial Risk Assessment and keep it on file as required in the event that your organization is audited or an incident occurs.
     • Note: This is a Senior Level Manager/Executive who should be designated to report to the Board of Directors of the company concerning this implemented program.
  22. FTC Guide: Protecting Personal Information, A Guide For Business
     • Suggests that companies should:
       • “Create a culture of security by implementing a regular schedule of employee training” (pg 17)
       • “Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)
  23. Some Tips that will Help You! Extra Layers of Protection
     • Instant Identity Verification Services
     • Laptop Security and Recovery Products
     • Biometric Security and Data Encryption Products and Services (fingerprint scanning, encryption vaults, and vault sticks)
     • Data Breach/Data Base Insurance
     • Breach Response Programs
     • File Cabinets with Strong Locks
     • Paper Shredders or Service
     • Increasing Security and Regulatory Compliance
  24. Another Tip to Reduce Liabilities, Plus Show That You Care!
     • BLR says this “Provides an Affirmative Defense for the company.”
     “One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."” (Business and Legal Reports, January 19, 2006)
     Offer an Identity Theft Prevention and Restoration Service to all Employees and/or Customers
  25. Identity Theft: The Next Corporate Liability Wave (Corporate Counsel, March 30, 2005)
     “Your phone rings. It’s Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.
     Your mind begins to whirr. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
     You recall reading that each identity theft victim will on average spend $1,495, excluding attorney’s fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2,000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims’ time and you get $11,000 per case or a total of $110 million in total even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales.
     The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.”
  26. Privacy Policies & Procedures (Not Limited to Just these Steps)
     • Your Privacy Policies and Procedures should be written and based on the following:
     • Total Risk Assessment that reveals ALL Red Flags within and outside the organization, i.e. physical (paper) & electronic PII, computers, laptops, outsourcing activities, password management, etc.
     • On-going Training on Identity Theft and the handling & disposal of PII (Privacy).
     • If offering Voluntary Benefits of an Identity Theft Prevention and Restoration service for employees in case of theft or breach, then write this service into your policies and procedures manual.
     • All employees handling PII must be trained and sign a written document on “Handling Confidential Personal Information.”
     • Policies and Procedures should include ALL steps/actions on how the organization will reduce and mitigate thefts/breaches, notify victims (employees and customers), and carry out restoration and correction measures if a theft/breach occurs.
  27. Anthony Herring, FIC, LUTCF, MBA
     Certified Identity Theft Risk Management Specialist
     Business Consultant & Employee Benefits Specialist
     • Available as a Consultant or Speaker
     • 1-877-288-9230
     • 704-307-2127
     • [email_address]
     • For more Information on Identity Theft Red Flags Rules or other services.