With data security and identity theft becoming a vital concern for businesses and individuals alike, a new regulation mandating how businesses protect data will come into effect next month. Because the scope of the rule is so sweeping, corporate risk managers need to know whether their organizations are subject to it and, if so, what they must do in order to comply.
Beginning December 31, the Red Flags Rule, which will be enforced by the FTC, the National Credit Union Administration and a host of other federal bank regulators, will require all organizations subject to the Fair and Accurate Credit Transactions Act of 2003 to implement a formal identity theft prevention program. The mandate is directed primarily at banks, savings and loan associations, credit unions and other financial institutions, but according to the rule, "financial institution"-a distinction that includes "creditors"-is defined broadly. Very broadly.
The Red Flags Rule defines a creditor as any entity with covered accounts that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor that is involved in the decision to extend, renew or continue credit.
In plain English, if you sell a product or service "on credit," the rule likely applies to you. That means actual financial institutions, auto dealers, mortgage brokers, utilities and telecommunications companies, just to name a few. Even nonprofits and government entities are not exempt. If a business defers payment for goods or services, it will be treated as a creditor-and must comply with the rule.
(The FTC has argued that law firms are also creditors for purposes of the rule, but the Federal District Court in Washington ruled otherwise in early 2010-a decision that the FTC announced it will appeal. The FTC is also asserting that medical providers fall under the scope of the rule.)
To comply with this new legislation, businesses must develop a written program that identifies and detects the warning signs of identity theft. The program must spell out appropriate actions the company will take when it detects these "red flags," which fall into five general categories: (1) alerts, notifications or other warnings from a consumer reporting agency, (2) suspicious documents, (3) suspicious personally identifying information, such as a suspicious address, (4) unusual use of or suspicious activity relating to a covered account, and (5) notices from customers, victims of identity theft, law-enforcement authorities or other businesses about possible identity theft in connection with covered accounts.
A business can face serious consequences if it does not comply, including agency-imposed sanctions, lawsuits and reputation damage. Do not assume that existing risk policies and procedures will pass muster once the rule goes into effect at the end of the year.
The regulation requires a separate identity theft prevention program, although it can reference other policies and procedures already in place to avoid unnecessary duplication. That program must meet certain criteria, including gaining approval by the board of directors (or a board committee) and stating who is responsible for program implementation and administration. Companies must also provide appropriate staff training that needs to be reviewed at least annually. If the company uses outside service providers-something most do-the program must also provide for oversight of them as well.
If the FTC or other governing agency finds an organization to be in violation of the rule, it will have an opportunity to show that it made a "reasonable effort" to comply.