Don’t Waive the White Flag when it comes to the FTC’s Red Flags Rule
Posted by C. Max Perlman on Fri, Feb 18, 2011 @ 12:23 PM
The business and non-profit communities have been handed the burden of stemming the international identity theft epidemic. New laws, the most stringent of which are on the books in Massachusetts, require companies and institutions to make comprehensive and costly efforts in the area of data security to protect individuals’ personal information from theft or loss. These mandatory efforts include encryption of electronic information and other technological, physical, and administrative security measures, and these measures cover information regarding employees, customers and vendors.
That’s a lot of work, so we’re all done after that, right? Afraid not. The federal government has more work for businesses and non-profits to do.
The FTC’s Red Flags Rule, which went into effect at the beginning of 2011, picks up where data security leaves off, requiring certain kinds of organizations to implement programs that address “red flags” of identity theft. Yesterday, I attended a talk by Cora Tung Han of the FTC, who gave an overview of the new Rule, which I would like to pass along here.
Red flags, in the words of Ms. Han, are signs that “indicate that a crook is using someone else’s information to get your products or services with no intention of paying.” These include reports from credit agencies, suspicious documents, and suspicious account activity. For example, an identification document that appears to be forged would be suspicious, and thus raise a red flag. A list of the 26 red flag indicators published by the FTC is available here.
The first step to addressing the Red Flags Rule is determining whether or not your business is covered. If you are a bank, get to work; you’re covered. If your organization does any of the following “regularly and in the course of business,” it is a so-called “creditor,” and is also covered:
- Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
- Furnishes information to consumer reporting agencies in connection with a credit transaction; or
- Advances funds to or on behalf of a person based on an obligation to repay.
Ms. Han said that employers doing credit checks for employee background checks only would not, by virtue of that activity, be covered. And our college and university clients may be interested to know that Ms. Han specifically stated that they could be covered if they allow students to store funds on their ID cards and use them like debit cards.
Each covered entity must periodically assess whether it has “covered accounts,” i.e. consumer accounts designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk from identity theft.
If an entity is covered and has covered accounts, it must implement a program that does the following: 1) identifies relevant red flags; 2) detects red flags; 3) prevents and mitigates identity theft; and 4) provides for periodic updates to the program. A covered entity that fails to do these things risks significant fines and penalties. The good news for many businesses and non-profits is that the Rule is a risk-based rule, according to Ms. Han, meaning that companies with low risk of identity theft can address the requirements in a fairly streamlined fashion.
The requirements of the Red Flags Rule are intricate and many, and a detailed discussion is not possible in a blog post (unless I get some additional server capacity). However, you can obtain more comprehensive information on the FTC’s website. You can also contact me or another member of HRW’s Data Security Team, or fill out this form and we will be happy to contact you. And don't worry, the information requested in the form won't raise any "red flags."
-- C. Max Perlman
(Photo by flickr, rvw's photostream)