This document summarizes various laws related to identity theft and data privacy, including the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Gramm-Leach-Bliley Act (GLBA), and state privacy laws. It notes that businesses can be held liable for identity theft that occurs in the workplace or when employee data is compromised. The document recommends implementing an identity theft protection program, appointing a compliance officer, developing security policies and training employees to help establish an "affirmative defense" in the event of data breaches or lawsuits.

1. Affirmative Defense Response System (ADRS) MINIMIZE YOUR RISK

3. “ A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.” Douglas Hottle, Meyer, Unkovic & Scott, “ Workplace Identity Theft: How to Curb an HR Headache” BLR: Business and Legal Reports , September 19, 2006 Who Is Being Held Responsible

6. Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data. Where the Law Becomes Logical “ Once the credit systems accept bad data it can be next to impossible to clear.” USAToday June 5, 2007 “ Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.” Wall Street Journal October 11, 2007 TM

8. Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about identity theft, FACTA-Red Flag Rules, GLB Safeguard Rules, and state legislation? Answer: Liability, both civil and criminal. Ask Yourself This Question

13. If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the employer is subject to FCRA requirements. www.ftc.gov/os/statutes/031224fcra.pdf Fair Credit Reporting Act (FCRA) Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

19. ABA Journal March 2006

21. Law Firms Are Looking for Victims “ Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.” “ Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”

24. 1. Appointment of Security Compliance Officer

25. 2. Sensitive Information Policy and Program

26. 3. Privacy and Security Letter

28. If a number of your employees are notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach which could further reduce your losses. 5. Potential Early Warning System

29. BLR says this “Provides an Affirmative Defense for the company.” 6. May Provide an Affirmative Defense “ One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit . The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal." Business and Legal Reports January 19, 2006

30. 7 . Provide Proof You Offered A Mitigation Plan to Your Employees – Check Off Sheet

32. 8. Continued – This form or one similar to it is required by the FTC for all employees* * FTC – Protecting Personal Information A Guide For Business pg 15

34. The Advisory Council was established to provide quality counsel and advice. Legal Advisory Council Duke R. Ligon Advisory Council Member Former Senior V.P. & General Counsel Devon Energy Corp Grant Woods Advisory Council Member Former Arizona Attorney General Andrew P. Miller Advisory Council Member Former Virginia Attorney General Mike Moore Advisory Council Member Former Mississippi Attorney General

35. Just like other State and Federal laws, privacy and security laws are not optional. We can assist your company in starting the compliance process before a data breach, loss, or theft affects your employees or customers! Take Charge We can help provide a solution! When would you like to schedule your employee training?