By Patrick Romero, CIPP

In case you haven’t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Red Flag and Address Discrepancy rules under the Fair and Accurate Credit Act of 2003, also known as the “Red Flag” rules, are intended to formally detect, prevent and mitigate identity theft.

Are you a creditor?

Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” 15 U.S.C. §1691a(e), 1681a(r)(5); 16 C.F.R. §681.2(b)(4).

What this means is that organizations such as automobile dealers, mortgage brokers, utility companies, non-bank financial services firms that provide money market accounts, and institutions of higher education can also be considered creditors. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a “creditor” with no Red Flag rules in place.

What does compliance entail?

Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since the rule allows for flexibility depending on the creditor’s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on its lower individual level of risk. An initial risk assessment will enable the creditor to identify what information must be protected and to take into account the creditor’s previous experience with issues of identity theft.

The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provide an outline for developing a Program. In a supplement to the guidance, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:
• address discrepancy
• name discrepancy on identification and insurance information
• presentation of suspicious documents
• personal information inconsistent with information already on file
• unusual use or suspicious activity related to a covered account, and/or
• notice from customers, law enforcement or others of unusual activity related to that covered account.
In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must “train staff, as necessary” to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need only train “relevant staff,” and only insofar as necessary to supplement other training programs.

Expect more fines from the FTC

The Red Flag rules are meant to protect consumer information and ensure that personal data in the private sector is handled in compliance with the rule. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be “unfair and deceptive,” the FTC may also use its adjudicatory authority to issue cease and desist orders and take other enforcement actions.

While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high-profile data breach cases indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data-breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give itself oversight of the identity theft and medical identity theft issues faced by millions of Americans.

About the Author Guest Blogger
