Adrs Presentation March 2008

1. Affirmative Defense Response System (ADRS): Minimize Your Risk
2. Today’s Topics
   - The Problem of Identity Theft
     - What identity theft is in reality
     - Laws related to identity theft that affect employers, executives and business owners
   - Best Answer to the Problem
     - Layered protection
     - Identity theft program and training
     - Implementing reasonable steps at little or no cost that will lower your risk and minimize your exposure
3. Who Is Being Held Responsible
   “A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”
   Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006
4. Identity Theft Prevalent at Work
   - “With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”
     - “ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007
5. Five Common Types of Identity Theft
   Driver’s License, Medical, Financial, Social Security, Character/Criminal
   - Identity theft is not just about credit cards.
   - It is a legal issue!
   - It is an international crime and access to an attorney may be critical.
6. Where the Law Becomes Logical
   Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data.
   “Once the credit systems accept bad data it can be next to impossible to clear.” USA Today, June 5, 2007
   “Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007
7. The Cost to Businesses
   - Employees can take up to 600 hours, mainly during business hours, to restore their identities
   - “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*
   - “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
   * CIO Magazine, “The Coming Pandemic”, Michael Friedenberg, May 15th, 2006
8. Ask Yourself This Question
   Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about identity theft, FACTA Red Flag Rules, GLB Safeguard Rules, and state legislation?
   Answer: Liability, both civil and criminal.
9. Important Legislation
   - FACTA and FACTA Red Flag Rules
   - Fair Credit Reporting Act
   - Gramm-Leach-Bliley Safeguard Rules
   - Individual State Laws
   Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
10. Fair and Accurate Credit Transactions Act (FACTA)
   - This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.
   - Employee or customer information lost under the wrong set of circumstances may cost your company:
     - Federal and State fines of $2,500 per occurrence
     - Civil liability of $1,000 per occurrence
     - Class action lawsuits with no statutory limitation
     - Responsibility for the actual losses of an individual ($92,893 avg.)
11. FACTA Red Flag Rules
   - The Red Flag Rules recently became effective in January 2008, and compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:
   - Must develop and implement a written privacy and security program.
   - Must obtain approval of the initial written program from either the board of directors or an appropriate committee of the board of directors, or, if the business does not have a board of directors, from a designated employee at the level of senior management. Small businesses are not exempt.
   - The oversight, development, implementation and administration of the program must be performed by an employee at the level of senior management.
12. FACTA Red Flag Rules
   - These rules also provide that covered accounts, creditors and businesses must ensure their service providers and subcontractors comply and have reasonable policies and procedures in place. The rules state:
   - Liability follows the data.
   - A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
   - Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
   - Contractors with whom the covered accounts exchange PII are required to comply and have reasonable policies and procedures in place to protect information.
13. Fair Credit Reporting Act (FCRA)
   If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the employer is subject to FCRA requirements.
14. Gramm-Leach-Bliley Safeguard Rules
   - Eight Federal agencies and any State can enforce this law
   - This law applies to organizations that maintain personal financial information regarding their clients or customers
   - Non-Public Information (NPI) lost under the wrong set of circumstances may result in:
     - Fines up to $1,000,000 per occurrence
     - Up to 10 years jail time for executives
     - Removal of management
     - Executives within an organization can be held accountable for non-compliance both civilly and criminally
15. Privacy and Security Laws
   These laws apply to any organization including:
   - Financial Institutions*
   - Schools
   - Credit Card Firms
   - Insurance Companies
   - Lenders
   - Brokers
   - Car Dealers
   - Accountants
   - Financial Planners
   - Real Estate Agents
   * The FTC categorizes an impressive list of businesses as financial institutions, and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
16. Privacy and Security Laws
   - These laws require businesses to:
     - Appoint, in writing, an Information Security Officer
     - Develop a written plan and policy to protect non-public information for employees and customers
     - Hold training for all employees
     - Oversee service provider arrangements
17. Protecting Personal Information: A Guide For Business
   This FTC publication suggests that companies should:
   - “Create a culture of security by implementing a regular schedule of employee training” (pg 17)
   - “Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)
   - “Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)
18. Protecting Personal Information: A Guide For Business
   - “Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . . ” (pg 19)
   - Your liability follows your data . . .
19. ABA Journal, March 2006
20. “‘We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
   - “Stolen Lives”, ABA Journal, March 2006
21. Law Firms Are Looking for Victims
   “Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
   “Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”
22. Why and How We Help You…
   - Set up reasonable steps to protect non-public information (NPI)/personally identifiable information (PII)
   - Help create a “Culture of Security”
   - Set up a potential Affirmative Defense
   - Help protect employees and customers while potentially decreasing your company’s exposure
23. Affirmative Defense Response System
   - We start the compliance process for your company by providing templates for the appointment of the security officer and the written ID Theft security plan.
   - To assist your company with compliance issues, we will conduct the training required by law for your employees. We will also explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim, and why their and your customers’ personal information needs to be protected.
   - We do all of this at no direct cost to your company.
24. 1. Appointment of Security Compliance Officer
   February 1, 2008
   [insert employee designee]
   RE: Appointment of Security Compliance Officer
   Dear [employee]:
   As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible for designing, implementing and monitoring a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors.
   As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuously monitor the program and procedures.
   [Company] will provide you, as Security Officer, with access to training courses and materials on a continuing basis.
   Thank you for your commitment to [Company].
   Sincerely,
   [Company]
   Chief Executive Officer
25. 2. ID Theft Plan and Sensitive and Non-Public Information Policy
26. 3. Privacy and Security Letter
27. 4. May Reduce Company Losses (* Subject To Terms And Conditions)
   - In the event of a data breach, this may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train on privacy and security laws and offer your employees a payroll deduction benefit that includes:
     - Credit Monitoring
     - Full Restoration
     - Access to Legal Counsel
   - This means employees who participate in this program may reduce your company’s exposures. The majority of the time spent restoring an employee’s identity is covered by the memberships and is not done on company time and/or at company expense. Also, use of our Life Events Legal Plan provides help* that addresses related issues.
   Life Events Legal Plan & Legal Shield; Monitoring Services; Restoration Services
28. 5. Potential Early Warning System
   If a number of your employees are notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach, which could further reduce your losses.
29. 6. May Provide an Affirmative Defense
   BLR says this “Provides an Affirmative Defense for the company.”
   “One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."” Business and Legal Reports, January 19, 2006
30. 7. Provide Proof You Offered A Mitigation Plan to Your Employees – Check Off Sheet
31. 8. Mitigating Damages: Use of Confidential Information by Employee
   - It makes employees aware of their legal responsibilities to protect NPI
   - It serves as proof that handlers of NPI have completed the training required by law
   To potentially protect yourself, you should have all employees sign this document…
   Be Sure To Check With Your Attorney Before Using A Form Such As This
32. 8. Continued – This form or one similar to it is required by the FTC for all employees*
   * FTC – Protecting Personal Information: A Guide For Business, pg 15
   Use of Confidential Information By Employee
   I _______________, as an employee of _________________, do hereby acknowledge that I must comply with a number of state and federal laws which regulate the handling of confidential and personal information regarding both customers/clients of the company and its other employees. These laws may include but are not limited to FACTA, HIPAA, the Privacy Act, Gramm-Leach-Bliley, and ID Theft Laws (where applicable).
   I understand that I must maintain the confidentiality of ALL documents, credit card information, and personnel information of any type and that such information may only be used for the intended business purpose. Any other use of said information is strictly prohibited. Additionally, should I misuse or breach any personal information of said clients and/or employees, I understand I will be held fully accountable both civilly and criminally, which may include, but is not limited to, Federal and State fines, criminal terms, and real or implied financial damage incurred by the client, employee or the company.
   I have received a copy of the company’s Sensitive and Non-Public Information Policy. I understand and will fully comply with its provisions along with all other rules and regulations the company has in place regarding the handling of confidential information so as to protect the privacy of all parties involved.
   I also acknowledge that I have participated in a company sponsored Privacy and Security Identity Theft Training Program.
   ________________________________________ __________________
   Employee Signature                        Date
   ________________________________________
   Witness Signature
33. Disclaimer
   - The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
   - The associate is not an attorney, and the information provided is not to be taken as legal advice.
   - Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.
   - Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.
34. Legal Advisory Council
   The Advisory Council was established to provide quality counsel and advice.
   - Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp
   - Grant Woods, Advisory Council Member, Former Arizona Attorney General
   - Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General
   - Mike Moore, Advisory Council Member, Former Mississippi Attorney General
35. Take Charge
   Just like other State and Federal laws, privacy and security laws are not optional. We can assist your company in starting the compliance process before a data breach, loss, or theft affects your employees or customers!
   We can help provide a solution! When would you like to schedule your employee training?
