May I Have Your Attention Please?
Ahem, down here guys...OK, here we go.
Identity theft is a monolithic problem in the world today. Everyone from the savviest business CEOs to the youngest babes in our society is at risk, and so is any entity such as a government or non-profit agency. Not even the deceased are safe (so to speak) from this crime.
In fact, ID theft is the fastest growing white collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been led to a financial slaughterhouse in the aftermath of having their identity stolen.
More than ten million victims fall prey to identity theft in the United States each year, and the number of victims who report this crime continues to explode every year. The number of personal records reported lost or stolen since 2005 is now more than 346,512,902, and this is estimated to be only 20% of the actual figure.
What this really breaks down to is that more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that every credit card ever issued (including bank cards) has been compromised…Yikes, each and every one!
Is it any wonder, then, that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses from credit fraud (in the billions), or that the Federal Trade Commission has finally stepped in to help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?
Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not the least of which are data breaches from within a company (a disgruntled employee, negligent security practices or, heaven forbid, no security at all) and outside breaches by cybercriminals known as black hat hackers, who take advantage of the low hanging fruit that poor security leaves behind. This brings us back to the new federal laws and regulations known as the Red Flags Rule.
To whom do these laws and regulations apply?
The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.
The general rule of thumb is that if a business or entity collects, uses, transmits or stores any identifiable information about customers and/or employees, such as name, address, phone number, SS#, driver’s license, birth date, medical information, Tax ID#, etc., and then extends them credit for their payments, it is subject to the Red Flags Rule.
The FTC uses the term “creditor” broadly, so even if a business does not view itself as a “creditor” in the traditional sense of, say, a bank or mortgage company, the Red Flags Rule defines “creditor” to include any entity that regularly defers payment for goods or services or arranges for the extension of credit.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule; credit cards have their own set of scary rules and regulations under the payment card industry.
What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:
• Developing a written red flags program to include: identifying potential red flags, detecting red flags, and a protocol to respond to red flags.
• Educating your employees on these protocols.
• Maintaining and updating your company red flags plan (this is a living law and is subject to change; it is up to you to know what the changes are).
Enforcement of the Red Flags Rule begins November 1st, 2009, and ignorance of this law is no excuse. Be aware that states can enforce these laws as well, and many states have put their own special spin on what is required for a business to be compliant.
Who Is a Candidate for the Red Flags Rule?
• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers, etc.
• Lawyers (Lawyers weasel out)
• CPAs
• Contractors
• Utilities
• Retailers
• Telecommunications companies
• Debt collectors
• Employee benefit plans that sponsor a flexible spending account when the arrangement uses a debit card.
What if I don’t comply?
Businesses subject to the Red Flags Rule must comply by June 1, 2010 or face the possibility of enforcement action by the FTC in the form of fines or other legal actions. The penalty alone per name stolen or leaked is a staggering $3,500! Your business will come to a halt while the forensic investigators are looking into the cause of the data breach. And here’s a fun stat for you: 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately…fun stuff!
Moving right along, your business name by this time is more than likely “Mud” and in most states you are required to inform each and every customer that your company’s data breach has put their good names in jeopardy (ouch); and if that isn’t enough, the law also allows the consumer/victim the right to recoup their losses from you... I’m talking civil and in some cases even criminal suits here people...do I have your attention now?
Not enough you say? OK, how about losing 65% of your customers once they know that your business suffered a security breach that put their identity at risk...count on it!
So what can a business owner do to protect their business data from being harvested by a cyber crook out on the take?
1. Education. Go to the FTC’s website at: FTC Red Flags Rule and learn the facts straight from the horse’s mouth, and how they apply to your business.
2. Get the best internet protection you can for all of your company’s computers, along with a crackerjack team of IT professionals: Safe PC Solution
3. Develop and start implementing your Company’s Red Flags Rules protocol.
4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the Best Practices so that your company’s important personal information doesn’t fall prey to bad guys looking to sell it for a nickel a name!
In conclusion:
The US Dept of Homeland Security released a statement in September of 2009 that says that “87% of breaches could be thwarted by simple to intermediate preventative measures.”
WOW! Is that all?
Wednesday, March 10, 2010
If this doesn't rattle some brains and light a fire under some butts, I don't know what will!
It is my privilege and responsibility to do what I can to guard the Internet from hackers...and fight back. To ignore the problem is to hand the World Wide Web over to the unscrupulous, the thieves, hackers and general creeps of this world.
Right on baby!