
Affirmative Defense Response System


Is your business protected and in compliance with Federal Laws governing protection of clients' data?

Published in: Technology

  1. Affirmative Defense Response System (ADRS): MINIMIZE MY RISK
  2. Today’s Topics
     • The Problem of Identity Theft
        • What identity theft is in reality
        • Laws related to identity theft affecting employers, executives and business owners
     • Better Answers to Solve The Problem
        • Layered protection
        • Identity theft program and training
        • Implementing reasonable steps at little or no cost lowering my risk and minimizing my exposure
  3. Who Is Being Held Responsible?
     “A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”
     Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006
  4. Identity Theft Prevalent at Work
     “With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”
     “ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007
  5. Five Common Types of Identity Theft
     • Drivers License Identity Theft
     • Medical Identity Theft
     • Financial Identity Theft
     • Social Security Identity Theft
     • Character/Criminal Identity Theft
     Figure label: 28%
     Identity Theft is not just about Credit Cards!
     ID Theft is an international crime and Access to an Attorney may be critical!
  6. Why I Am At Risk: The DataBased You™
     • Your Name: 1000’s of aggregators
     • Fingerprints, DNA: FBI, State, Local DBS
     • Insurance Claims: C.L.U.E. DBS, etc
     • Military Record: DOD DBS
     • Criminal History: NCIC DBS
     • Real Estate Deeds: Clerks of Court DBS
     • Legal History: State, Fed. Court DBS
     • Credit History: Credit Repositories’ DBS
     • Birth Certificate: Choice Pt. DBS, State, etc
     • Phone Number & Tracking Info: 1000’s of aggregators
     • Social Security: SSA DBS
     • Address: 1000’s of DBS
     • Driver’s License, Record: DMV DBS
     • Medical Records: MIB DBS, etc
     • Car Registration & Info: DMV, Local Treasurer, OnStar, etc
  7. Where the Law Becomes Logical
     Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data.
     • “Once the credit systems accept bad data it can be next to impossible to clear.” USAToday, June 5, 2007
     • “Medical identity theft can impair your health and finances . . . and detecting this isn’t easy . . . and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007
  8. The Cost to Businesses
     • Employees can take up to 600 hours, mainly during business hours, to restore their identities
     • “If you experience a security breach, 20% of your affected customer base will no longer do business with you, 40% will consider ending the relationship, and 5% will be hiring lawyers!”*
     • “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
     *CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
  9. Ask Myself This Question
     Why should ALL businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about . . .
     • Identity Theft,
     • FACTA-Red Flag Rules,
     • GLB Safeguard Rules,
     • and State Legislation?
     Answer: Liability, both civil and criminal
  10. Important Legislation
     • FACTA and FACTA Red Flag Rules
     • Fair Credit Reporting Act
     • Gramm, Leach, Bliley Safeguard Rules
     • Individual State Laws
     Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
  11. Fair & Accurate Transaction Act (FACTA)
     Applies to every business and individual who maintains, or otherwise possesses, consumer information for a business purpose* and requires businesses to develop and implement a written privacy and security program.
     Employee or Customer information lost under the wrong set of circumstances may cost my company:
     • Federal and State Fines of $2500 per occurrence
     • Civil Liability of $1000 per occurrence
     • Class action Lawsuits with no statutory limitation
     • Responsible for actual losses of Individual ($92,893 Avg.)
  12. Red Flag Rules (FACTA)
     Red Flag Rules became effective in January 2008; compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:
     • Must develop & implement a written privacy & security program.
     • Must obtain approval of the initial written program from either its board of directors or an appropriate committee of the board.
     • A business with no board of directors must have a designated employee at senior management level. Small businesses are not exempt.
     • The oversight, development, implementation & administration of the program must be performed by a senior management level employee.
  13. Red Flag Rules (FACTA)
     Covered accounts, creditors & businesses must ensure their service providers & subcontractors comply & have reasonable policies & procedures in place . . . rules state:
     • Liability follows the data.
     • A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
     • Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
     • Contractors with whom the covered accounts exchange PII (Personal Identity Information) are required to comply and have reasonable policies and procedures in place to protect the information.
  14. Fair Credit Reporting Act (FCRA)
     If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes and/or background screening, then the employer is subject to FCRA requirements.
     www.ftc.gov/os/statutes/031224fcra.pdf
  15. Gramm, Leach, Bliley Safeguard Rules
     Eight Federal Agencies & any State can enforce this law
     Applies to Any Organization that Maintains Personal Financial Information Regarding Its Clients or Customers
     Non Public Information (NPI) lost under the wrong set of circumstances may result in:
     • Fines up to $1,000,000 per occurrence
     • Up to 10 Years Jail Time for Executives
     • Removal of management
     • Executives within an organization can be held accountable for non-compliance both civilly & criminally
  16. Privacy and Security Laws
     These laws apply to any organization including:
     • Financial Institutions*
     • Schools
     • Credit Card Firms
     • Insurance Companies
     • Lenders
     • Brokers
     • Car Dealers
     • Accountants
     • Financial Planners
     • Real Estate Agents
     *The FTC categorizes an impressive list of businesses as “FI” and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
  17. Privacy and Security Laws
     Require businesses to:
     • Appoint an Information Security Officer
     • Develop a written policy to protect NPI
     • Hold Mandatory Training for all employees
     • Oversee service provider arrangements
  18. Protecting Personal Information: A Guide For Business
     FTC publication emphasizes that companies should:
     • “Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)
     • “Ask every employee to sign an agreement to follow company’s confidentiality and security standards for handling sensitive data” (pg 16)
     • “Create a culture of security implementing a regular schedule of employee training” (pg 17)
  19. Protecting Personal Information: A Guide For Business
     • “Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . . ” (pg 19)
     • Your liability follows your data . . .
  20. ABA Journal March 2006
  21. Betsy Broder: “The FTC will act against companies that don’t protect customers’ data.”
     “Stolen Lives”, ABA Journal, March 2006
  22. “Broder says she understands that most small businesses cannot . . . hire a full-time . . . specialist, but . . . all businesses must be able to show they have a security plan in place. ‘We’re not looking for a perfect system . . . but we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
     “Stolen Lives”, ABA Journal, March 2006
  23. Law Firms Are Looking for Victims
  24. Law Firms Are Looking for Victims
     “Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”
  25. Law Firms Are Looking for Victims
     “Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
  26. How Pre-Paid Legal Helps Me . . .
     • Sets up reasonable steps to protect non-public information (NPI) & personally identifiable information (PII)
     • Helps create a “Culture of Security”
     • Sets up a potential Affirmative Defense
     • Helps protect employees and customers while potentially decreasing my company exposure
  27. Affirmative Defense Response System
     • PPL starts the compliance process for my Company by providing templates for the appointment of the security officer & written ID Theft security plan.
     • To assist my company with compliance issues an authorized ADRS specialist will conduct a training required by law for my employees. They’ll explain the different types of ID Theft and show my employees how they can protect themselves if they become a victim and why their and my customers’ personal information needs to be protected.
     • PPL does all this at no direct cost to my company.
  28. 1. Appointment of Security Compliance Officer
     Stays in Company Files . . .
     May 1, 2008
     [insert employee designee]
     RE: Appointment of Security Compliance Officer
     Dear [employee]:
     As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer.
     ...].
     Sincerely,
     [Company]
     Chief Executive Officer
  29. 2. ID Theft Plan and Sensitive and Non-Public Information Policy
     Every Employee Gets a Copy
     SENSITIVE INFORMATION POLICY & IDENTITY THEFT PREVENTION PROGRAM
     1. BACKGROUND
     The risk to the company, its employees and customers from data loss and identity
     1. Purpose
     The company adopts this policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:
     • Define sensitive information
     • Describe the physical security of data when it is
     • Describe the electronic security of data when s
  30. 3. Privacy and Security Letter To All Employees/Agents
     Mailed to All Employees, With a Copy in File . . .
     [Company Name]
     RE: MANDATORY EMPLOYEE MEETING: PRIVACY & SECURITY COMPLIANCE PROGRAM & IDENTITY THEFT TRAINING
     May 10, 2008
     On , in the Conference Room, [Company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product. As you know, [Company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee
     Sincerely,
     [Name]
     [Company] Owner
  31. 4. May Reduce Company Losses
     PPL will train on privacy and security laws and offer my employees a payroll deduction benefit that includes:
     • Identity Monitoring Services
     • Life Events Legal Plan & Legal Shield
     • Identity Restoration Services
     In the event of a data breach, this may help mitigate potential losses for my company. PPL’s program may reduce my exposure to litigation, potential fines, fees and lawsuits.
     * Subject To Terms And Conditions
  32. 4. May Reduce Company Losses
     • Identity Monitoring Services
     • Life Events Legal Plan & Legal Shield
     • Identity Restoration Services
     Credit Monitoring, Access to Legal Counsel and Full Restoration
     * Subject To Terms And Conditions
  33. 4. May Reduce Company Losses
     • Identity Monitoring Services
     • Life Events Legal Plan & Legal Shield
     • Identity Restoration Services
     This means employees who participate in this program may reduce my company’s exposures. The majority of the time restoring an employee’s identity is covered by the memberships and not done on company time &/or company expense. Also, use of PPL’s Life Events Legal Plan provides help* that addresses related issues.
     * Subject To Terms And Conditions
  34. 5. Potential Early Warning System
     If a number of my employees are notified of improper usage of their identities, this may act as an early warning system to my company of a possible internal breach which could further reduce my losses.
  35. 6. May Provide an Affirmative Defense
     BLR says this “Provides an Affirmative Defense for the company.”
     “One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance . . . Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."
     Business and Legal Reports, January 19, 2006
  36. 7. Provides Proof I Offered A Mitigation Plan to My Employees
     Opt-in/out Sheet in Employees’ File
     Identity Theft Protection and Legal Service (Proof of offer of a Mitigation Plan)
     As an employee of _______________________ located in ____________________, acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.
     Identity Theft Shield:
     • Initial credit report and guide on how to read the report
     • Continuous credit monitoring
     • Identity restoration in the event of a theft
     Life Events Legal Plan:
     • Preventive legal services provided through a network of independent provider attorney law firms in each state and province
     • Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding identity theft including concerns regarding my: 1) drivers license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information esentation
  37. 8. Mitigating Damages
     To potentially protect myself, I should have all employees sign this document . . .
     Be Sure To Check With Your Attorney Before Using A Form Such As This
     Use of Confidential Information by Employee
     I, ___________________, as an Employee or Independent Contractor of _________________ , in the City of , State of , do hereby acknowledge that I must comply with a number of State and Federal Laws which regulate the handling of, HIPAA, The Economic Espionage Act, The Privacy Act, Gramm/Leach/Bliley, ID Theft Laws (where applicable), Trade Secrets Protections, and Implied Contract Breach. I understand that I to, Federal and State fines, criminal terms, real as regards to the handling of confidential information so as to protect the privacy of all involved.
     _______________ Employee Name    ____________________ Employee Signature
     ______________ Witness Name    ________________ Witness Signature
     ________________ Date
     • It makes Employees aware of their legal responsibilities to protect NPI
     • It serves as proof that handlers of NPI have completed the training required by law
  38. 8. Mitigating Damages
     Use of Confidential Information by Employee
     I, ___________________, as an Employee or Independent Contractor of _________________ , in the City of , State of , do hereby acknowledge that I must comply with a number of State and Federal Laws which regulate the handling of, HIPAA, The Economic Espionage Act, The Privacy Act, Gramm/Leach/Bliley, ID Theft Laws (where applicable), Trade Secrets Protections, and Implied Contract Breach.
     _______________ Employee Name    ____________________ Employee Signature
     ______________ Witness Name    ________________ Witness Signature
     ________________ Date
     This form or one similar to it is required by the FTC for all employees*
     Be Sure To Check With Your Attorney Before Using A Form Such As This
  39. Disclaimer
     • The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
     • The associate is not an attorney, and the information provided is not to be taken as legal advice.
     • Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.
     • Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.
  40. Legal Advisory Council
     Advisory Council was established to provide quality counsel and advice.
     • Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp
     • Grant Woods, Advisory Council Member, Former Arizona Attorney General
     • Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General
     • Mike Moore, Advisory Council Member, Former Mississippi Attorney General
  41. Take Charge
     • Just like other State and Federal laws, privacy and security laws are not optional.
     • PPL can assist my company in starting the compliance process before a data breach, loss, or theft affects my employees or customers!
     • PPL can help provide me a solution!
     • When am I able to schedule my employee’s training?
