Wednesday, March 24, 2010

ABC's Of Red Flags Rule


On June 1, 2010, the Red Flags Rule goes into effect. If you are a small business owner and this is the first you’ve heard of it, you are not alone. Most small business owners either have no idea that there are compliance issues they need to be aware of, or they have taken to hiding their heads in the sand, believing it has nothing to do with them because they are too small, or that their CPA/lawyer/exorcist would have told them something about it if it were true, or the dog ate their homework…whatever.

But this new law will affect most businesses regardless of size.

These businesses (especially small and mid-sized ones) are targeted for their sensitive customer and employee information: names, SS#, driver’s license numbers, medical info, bank info, 401k plans, etc. All the goodies that identity thieves sell in their now thriving criminal enterprises. Last year’s identity theft losses to businesses and financial institutions totaled $47.6 billion, and consumer victims reported $5 billion in out-of-pocket expenses.

So What Is The Red Flags Rule?

In a nutshell, it applies to any entity that extends credit by granting loans or arranging for loans, like car dealerships, finance companies, mortgage brokers, real estate agents, and any other retailer that offers financing or provides help to consumers in getting financing by processing credit applications. This includes utility companies, health care providers and telecommunication companies. The Rule requires a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

The Rule also applies to businesses that defer payments, offer installment plans, or provide goods and/or services and bill/invoice the customer/client/patient later; a business that issues a store credit card is likewise a creditor under the Rule.

However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule. The Payment Card Industry (PCI) regulates itself with regard to credit card fraud and has regulations for merchants completely separate from the FTC Red Flags Rule.

The “Red Flags” Rule is a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft. The FTC published the Rule on October 31, 2007, and it became effective January 1, 2008, but its implementation date (after which companies would be responsible for complying) has been repeatedly delayed: from November 1, 2008 to May 1, 2009, to August 1, 2009, to November 1, 2009, and finally to June 1, 2010, when enforcement will commence.

At this point, one cannot assume that the FTC will further delay implementation, meaning that businesses and organizations need to begin working on compliance now if they have not already done so.


The Red Flags Rule Mandates Include:

1. Administrative Safeguards: Appointing an administrator to put together a written plan showing how the business will detect “Red Flags” (suspicious documents, changes of address, warnings from credit agencies, or notices from victims or law enforcement) and respond reasonably when any are detected. Reasonable responses include monitoring or closing accounts, declining to open an account, or notifying potential victims of a problem.

The administrator is also responsible for implementing an ongoing training program for employees on how to recognize and act upon these “red flags.” These trainings must be documented by the administrator and signed by the employees when they finish to show they participated in the training and understand the rule.

2. Physical Safeguards: Securing the physical business premises to protect, and properly dispose of, information stored in hard copy files (or on disks), and ensuring that a company laptop doesn’t go “missing.” You would be amazed at how much information is stolen or lost because a business owner or employee left it out in the open, such as medical files, loan applications or a business laptop.

3. Technical Safeguards: Finally, there are technical safeguards that need to be implemented to lock down data on computers and keep it out of reach of hackers: professional-grade antivirus and antispyware software and a bi-directional firewall on every computer in your business. Other safeguards include encryption of both stored and transmitted files and records, regular vulnerability assessments to identify any security holes in your computer network, and permanent deletion of individual electronic records, files, and hard drive contents before a computer or hard drive is disposed of.

4. Living Law: There is no one-time implementation after which “you’re set” with regard to Red Flags Rule compliance. Sorry, the rule is a living law and subject to change as the trends in identity theft change. Every program must be evaluated and updated regularly, and ignorance of the changes as they occur will not be seen as a valid excuse for not being in compliance.

How Will The Rule Be Enforced?

The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule.

The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company’s practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action.

There is no private consumer right of action; only certain federal and state government agencies can enforce the Rule. However, businesses should know that consumers may be encouraged to file complaints with the FTC about a company’s identity theft Program, or lack thereof, and that the FTC uses these complaints (filed at https://www.ftccomplaintassistant.gov/) to target its law enforcement efforts.

The Fines And Other Spankings For Non Compliance:

These trying economic times are difficult enough for a business owner just going about the business of doing business. Now having to deal with the epidemic of business data breaches, which put every business and its customers and employees in peril of identity theft, adds yet another burden on their precious time and resources. But non-compliance can be far more costly than you think.

Federal: The penalty per single identity lost or stolen is $3,500.

State: Up to $1,000 per individual violation (plus attorney fees).

Warned: If a business is warned by a regulatory agency of non-compliance and is then found to remain in non-compliance during a follow-up, the fine jumps to $11,000 per individual incident.

Lawsuits: There are also allowances for individuals who’ve been victimized to seek damages from the businesses.

Any one of these can cripple or even kill a business, all of them together and you may as well say adios to all your hard work and sacrifices…bye bye business!

Examples Of Entities That Must Comply:

Health Care Practices – Because most bill later or defer payment through insurance.

Retail Stores – The only exception is if a store deals exclusively in credit cards and/or cash.

Services/Utilities – Phone companies, cell phones, power companies etc.

Auto Dealerships – This includes motorcycles, boats, RVs, etc.

Financial institutions – Banks, credit unions, credit card companies and mortgage brokers.

Non-Profits – Entities that defer payment for goods or services.

Schools – Any school, college or university that provides or accepts financial aid.

A Few Helpful Definitions:

Red Flags Rule: The Red Flags Rule is a law that will be enforced on June 1, 2010 that requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or “red flags” of identity theft in their day-to-day operations.

FTC: The Federal Trade Commission (FTC) was established as an independent administrative agency pursuant to the Federal Trade Commission Act of 1914. The purpose of the FTC is to enforce the provisions of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in commerce,” and serves an important function as a protector of both consumer and business rights.

FACTA: The Fair and Accurate Credit Transactions Act of 2003. This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose, and it requires businesses to develop and implement a written privacy and security program.

Financial Institution: A State or national bank, a State or federal savings and loan association, a mutual savings bank, a State or federal credit union, or any entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

Creditor: An entity that regularly extends, renews, or continues credit or regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Non-profit and government entities that defer payment for goods or services are also considered creditors.

Covered Account: An account used mostly for personal, family, or household purposes that involves multiple payments or transactions. These accounts include credit cards, mortgage loans, automobile loans, margin accounts, cell phone, utility, checking and savings accounts.

For more information go to: www.ftc.gov/redflagsrule
