Identity Theft Issues for Businesses

You can hardly open a paper or magazine these days without seeing a story about identity theft or about some business losing its data and the cost to businesses and individuals last year alone at over $50 billion. The truth is that half of all identity theft happens at the workplace, and businesses are being held liable. One of the boldest steps to help mitigate the damage caused by identity theft is the Federal Trade Commissionís (FTC) Red Flags Rule. This rule has a deadline of November 1, 2008 with enforceable action on May 1, 2009. At first glance, the Red Flags Rule may not look like it applies to a business owner because it was written as a requirement for financial institutions and creditors. However, the devil is in the details, as they say, and in this case, the definitions. While the definition of ìfinancial institutionsî is straightforward, the one for ìcreditorsî is considerably broader. The term ìcreditorî applies to any organization that accepts deferred payment for any products or services (business or personal). Does this mean that almost everyone is covered? Absolutely. The FTC has an extensive outreach effort to explain the Rules in greater detail. According to Tiffany George, attorney in the FTCís Division of Privacy and Identity Protection, ìMany companies that donít think of themselves as creditors or believe they need to create a prevention program for identity theft actually are deemed a covered entity under this rule. These covered entities, no matter how small, need to design and implement an identity theft prevention program." So what exactly is identity theft? According to the FTC, ìIdentity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.î The FTC also goes on to say that as many as 9 million Americans have their identities stolen each year. This law is actually ìlogicalî because most employees arenít aware of the five types of identity theft and the devastating effect it can have on a person if they are a victim (300-600 hours to fix the problem with tremendous out of pocket expenses). Because of ads on TV and newspaper articles, many people think that identity theft only covers Financial (which reflects 21-28% of all identity theft). In fact, the range of identity theft includes Drivers License, Social Security, Medical, Criminal and Financial. This law is not only logical, but employees of businesses need the education so that they can view personal information of other employees and clients as if it were ìloose cash." The more important issue, however, is for business owners to understand how identity theft happens at the workplace and why. Often times business owners think identity theft/breaches are an ìIT issue." This is simply not the case. Half of all identity theft at the workplace comes from employees and hardware theft (stolen laptops, lost PDAís, stolen desktop computers, disgruntled employees, etc.). The greatest financial risk to a business owner who has built their business from sweat and tears is to suffer a breach or loss of employees/clients information. The cost will not only be staggering (potential civil, criminal and class action lawsuit costs, breach response expenses and FTC enforcement action for years or decades) but business reputation fallout would take years to repair. If the Red Flags Rule applies to your business, here is what you do and by when: 1) Create a Board Approved written plan to help prevent and mitigate ID Theft at your business. This plan should indicate when potential fraud may be occurring and what to do about it; 2) everyone who has access to the information must be trained; 3) your service providers and contractors must have similar procedures in place. You cannot escape the liability by outsourcing. All these steps needed to be completed by November 1, 2008 with enforcement action occurring after May 1, 2009. Given that November 1st has come and gone, what is an employerís potential liability for NOT being compliant by then and where will enforcement come from? ìEnforcement outside of the banking industry will be done by the FTC,î says George. ìWe expect covered entities to be compliant by May 1, 2009. If they arenít, then they will be in violation of the rule and will be subject to civil monetary penalties of up to $2500 for every violation and violations will be considered on a case by case basisî. As a baseline, Betsy Broder, Assistant Director of the FTC's Division of Privacy and Identity Protection says, ìWeíre not looking for a perfect system but we need to see that youíve taken reasonable steps to protect your customerís information. No one can stop identity theft. It is a managed risk. However, by instituting the requirements mandating by the FTC, you will potentially reduce civil, criminal, and class action lawsuits. Proactive CEOs will act now implementing ìidentity theft awareness trainingî that goes beyond the Red Flag Rules requirements. This will deliver huge dividends in regards to public trust. In the long run, proving that your company has created a culture of security will attract quality employees, and sustain and attract clients. It is the right thing to do. 2008-12-30T22:12:06Z

-13.433

611 2650

true

20172

identity-theft-issues-for-businesses-the-red-flag-rules

2008-12-30T22:18:15Z

Half of all identity theft happens at the workplace and businesses are being held liable. Learn about the FTC regulation that will affect 80% of businesses called "the Red Flag Rules"!

Identity Theft Issues for Businesses - The Red Flag Rules!

2009-02-24T09:48:10Z