Business Currents

New Federal Regulation Makes Identity Theft Prevention Your Corporate Responsibility

by Carrie Kerskie

It seems you can’t read a paper or turn on the television without hearing about identity theft. One company is trying to sell you “identity theft protection.” Another company has been breached and thousands of customers had their information compromised.

Something you probably haven’t heard about is the new federal regulation that requires businesses to implement an identity theft prevention program. This new regulation is the FACTA (Fair and Accurate Credit Transaction Act) Red Flag Rules.

You are probably thinking, “It must not affect me because I would have heard about it from my trade association, attorney or accountant.” Unfortunately, these rules were written in such a way that there has been much confusion regarding what types of businesses must comply. I too was confused and contacted Pavneet Singh, an attorney with the Federal Trade Commission, for clarification. I discovered the regulation will affect the majority of businesses, large and small, across industries, including government and non-profit entities.

The Facts about the Red Flag Rules
The FACTA Red Flag rules apply to the following businesses:

  • Users of consumer reports.
  • Credit and Debit card issuers.
  • Businesses that offer products or services in advance of payment.

Users of consumer reports are required to verify that the report in fact relates to the consumer for whom it was requested. This applies to landlords and employers. If your business conducts pre-employment background checks on potential candidates, it is your responsibility to verify the person applying is the person on the consumer report. If you observe an address discrepancy you must put forth reasonable effort to verify the validity of the address. In addition, you may be required to report the address discrepancy to the consumer reporting agency.

Credit and debit card issuers must implement policies and procedures regarding change of address notifications and requests for replacement or additional cards received within a short period of time of an address change notification. This policy was implemented to help reduce identity theft where the criminal changes the mailing address on your credit card to prevent the victim from receiving statements and observing the perpetrator’s purchases.

Businesses that offer products or services in advance of payment have the most work to do to be in compliance with the regulation. These businesses are required to implement a written Identity Theft Prevention Program (“Program”) to detect, prevent and mitigate identity theft risks associated with consumer accounts and the financial security of the business. The “Program” is flexible to reflect the size and scope of your business and the nature of your operation. The deadline for compliance is November 1, 2008.

The Identity Theft Prevention Program
The basic elements of your Identity Theft Prevention Program must include:

  • Identification of the “red flags” specific to your business.
  • Detection of “red flags” that have been incorporated into your Program.
  • Appropriate response to any “red flags” that are detected.
  • Periodic updates to reflect changes in risks to customers and to the safety and soundness of the business.
  • Oversight of service provider agreements.

Risk Assessment
In order to identify the “red flags” specific to your business you must conduct a risk assessment. The risk assessment should identify the following:

Risk factors

  • Types of consumer accounts offered or maintained.
  • Methods provided to open consumer accounts.
  • Methods provided to access consumer accounts.
  • Previous experience with identity theft.

Sources of Red Flags

  • Previous incidents with identity theft.
  • Methods of identity theft identified that reflect changes in identity theft.
  • Applicable supervisory guidance.

Categories of Red Flags

  • Alerts, notifications, or other warnings received from consumer reporting agencies or service providers such as fraud detection services.
  • Presentation of suspicious documents.
  • Presentation of suspicious personal identifying information, such as a suspicious address change.
  • The unusual use of, or other suspicious activity related to, an account.
  • Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with consumer accounts.

Recent breaches in the news have occurred through employees throwing away documents with customer information in unsecured dumpsters, businesses having an unsecured computer network, or retired company laptops being sold or donated without removing customer files. The Federal Trade Commission has released guidelines. Unfortunately, many businesses and consultants are using these guidelines as a checklist. This will not ensure you have identified all of the “red flags” pertinent to your business. To reduce your liability you must diligently identify all “red flags” pertaining to the size and scope of your business and the nature of your operations.

Detection
The detection of “red flags” can be maintained by obtaining identifying information, verifying and authenticating the identity of your customer, monitoring transactions in consumer accounts, and verifying the validity of change of address requests for customers.

Mitigation
Once you have identified your “red flags” you need to provide an appropriate response to any breach detected. This could be a letter you mail to your customers notifying them of the breach or closing an existing account that may have been breached. Another way to mitigate identity theft is by not collecting on a consumer account or selling a consumer account to a debt collector if it is believed the consumer was a victim of identity theft. Finally, the breach may warrant notifying law enforcement.

Periodic Updates
Once your program has been completed and implemented you are required to update it periodically. It is important to incorporate any experiences your business may have had with identity theft, any changes in the methods of identity theft, and any changes in the methods to detect, prevent and mitigate identity theft. In addition, if your business has had any changes in the types of accounts offered or maintained or changes in the arrangements, these need to be incorporated into your program. These changes would include mergers and acquisitions, alliances, joint ventures and service provider agreements.

This information should be reported, at least annually, to reflect compliance with the program. The report should contain information regarding the effectiveness of the policies and procedures of your business regarding prevention of identity theft, service provider agreements, and significant incidents involving identity theft and management’s response, and recommendation for material changes to the program. This can be accomplished by conducting compliance audits to ensure your employees are following the program.

Oversight of your program should be the responsibility of a board member, a board committee member or senior level employee. This designated individual is responsible for program implementation, reviewing reports prepared by staff regarding compliance and approving material changes to the program.

Consequences for Not Complying
The Federal Trade Commission is responsible for regulating the Rules and will issue financial penalties for non-compliance. In addition, your business could be faced with civil liability and possibly criminal charges for negligent business practices.

More importantly, you are at risk of having your company’s reputation damaged and losing business from a lack of consumer confidence. Did you think twice before shopping at Sweetbay after the breach with Hannaford earlier this year? Could your business survive the negative publicity? What if you open a consumer account for a new customer and soon realize they provided you with false information? Who will pay for the products or services rendered? You cannot collect from the victim of the identity theft.

Sources of Identity Theft
There are many ways identity theft occurs. A few of them are through technology, employees and dumpster diving.

Technology
Unsecured networks are a major source of identity theft. If a criminal can tap into your unsecured network, he now has access to all of your company files. This is the equivalent of leaving the office doors and filing cabinets unlocked when you leave at the end of the day. There are also computer viruses that can be downloaded by email or while surfing the internet. If your company computers do not have antivirus protection and firewall protection, you run the risk of a breach.

Employees
Unfortunately, we are in an economy that breeds fraud. Your employees may be tempted to earn extra money by selling your customer account information. When people are faced with desperate times they will do desperate things. Employees will also “bend” the rules now and again not realizing the potential consequences. Employers are required to train relevant staff on their written identity theft prevention program.

Dumpster Diving
I remember a few years back watching the local news reporters reporting from inside of a garbage dumpster with stacks and stacks of financial account statements. Criminals still use trash as a source of information. It is important for your company to utilize shredders. Shredders can be purchased or you can hire a company to shred your documents. Businesses are required to shred any paper that contains customer account information, including phone messages and sticky notes.

Benefit of Complying
Even if you are not required to comply, you will gain consumer confidence by protecting their personal information. You will also have a disaster plan in place in the event of a breach. In addition, you will reduce your risk of a breach of information, civil liability and financial penalties, and fraudulent accounts.

Remember - the deadline for compliance is November 1, 2008. For more information please visit the Federal Trade Commission’s website at www.ftc.gov.

Carrie Kerskie is a Certified Identity Theft Risk Management Specialist with Marcone Investigations, Inc. Carrie has helped many identity theft victims, which resulted in her creating identity theft prevention programs and a workbook for individuals and businesses to reduce their exposure to identity theft.

Copyright © 2010 The Greater Naples Chamber of Commerce. All Rights Reserved.